Getting SELinux AVCs when apcupsd tries to trigger apccontrol events
Issue
- Getting SELinux AVCs when apcupsd tries to trigger apccontrol events
- The complete sealert message is:
SELinux is preventing /bin/bash from getattr access on the filesystem /.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that bash should be allowed getattr access on the filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep apccontrol /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:apcupsd_t:s0
Target Context system_u:object_r:fs_t:s0
Target Objects / [ filesystem ]
Source apccontrol
Source Path /bin/bash
Port <Unknown>
Host ***
Source RPM Packages bash-4.1.2-15.el6_4.x86_64
Target RPM Packages filesystem-2.4.30-3.el6.x86_64
Policy RPM selinux-policy-3.7.19-231.el6_5.3.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name ***
Platform Linux ***
2.6.32-431.29.2.el6.x86_64 #1 SMP Sun Jul 27
15:55:46 EDT 2014 x86_64 x86_64
Alert Count 1
First Seen Tue Sep 16 18:17:49 2014
Last Seen Tue Sep 16 18:17:49 2014
Local ID 67028753-d231-4d6a-b1dc-d7e746d5996c
Raw Audit Messages
type=AVC msg=audit(1410884269.275:4101): avc: denied { getattr } for pid=10543 comm="apccontrol" name="/" dev=sda1 ino=2 scontext=system_u:system_r:apcupsd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1410884269.275:4101): arch=x86_64 syscall=statfs success=no exit=EACCES a0=4b96ff a1=7fffc6342b90 a2=fffffffffff5c010 a3=1001 items=0 ppid=10542 pid=10543 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=apccontrol exe=/bin/bash subj=system_u:system_r:apcupsd_t:s0 key=(null)
Hash: apccontrol,apcupsd_t,fs_t,filesystem,getattr
audit2allow
#============= apcupsd_t ==============
allow apcupsd_t fs_t:filesystem getattr;
audit2allow -R
#============= apcupsd_t ==============
allow apcupsd_t fs_t:filesystem getattr;
Environment
- Red Hat Enterprise Linux 6.5
- selinux-policy-3.7.19-231.el6_5.3.noarch
