The latest Network Manager does some useful things across a suspend/resume cycle, but it relies on a dbus-send signal from the /etc/acpi/actions/sleep script.
My script fails to deliver that signal when invoked from acpid in enforcing mode, but it works fine from the command line or in permissive mode.
Matthew Saltzman wrote:
> The latest Network Manager does some useful things across a suspend/resume cycle, but it relies on a dbus-send signal from the /etc/acpi/actions/sleep script.
> My script fails to deliver that signal when invoked from acpid in enforcing mode, but it works fine from the command line or in permissive mode.
What avc messages are you seeing?
Dan
On Fri, 14 Oct 2005, Daniel J Walsh wrote:
> Matthew Saltzman wrote:
>> The latest Network Manager does some useful things across a suspend/resume cycle, but it relies on a dbus-send signal from the /etc/acpi/actions/sleep script.
>> My script fails to deliver that signal when invoked from acpid in enforcing mode, but it works fine from the command line or in permissive mode.
> What avc messages are you seeing?
Now that you mention it, it looks like ifdown (called from NetworkManager?) is the problem:
type=AVC msg=audit(1129317799.800:18): avc: denied { execute } for pid=3421 comm="ifdown" name="functions" dev=dm-0 ino=16571 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1129317799.800:18): arch=40000003 syscall=33 success=yes exit=0 a0=864dff8 a1=1 a2=864dff8 a3=864b098 items=1 pid=3421 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ifdown" exe="/bin/bash"
type=CWD msg=audit(1129317799.800:18): cwd="/"
type=PATH msg=audit(1129317799.800:18): item=0 name="/etc/init.d/functions" flags=401 inode=16571 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1129317799.804:19): avc: denied { execute } for pid=3424 comm="ifdown" name="consoletype" dev=dm-0 ino=622670 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file
type=AVC msg=audit(1129317799.804:19): avc: denied { execute_no_trans } for pid=3424 comm="ifdown" name="consoletype" dev=dm-0 ino=622670 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file
type=AVC msg=audit(1129317799.804:19): avc: denied { read } for pid=3424 comm="ifdown" name="consoletype" dev=dm-0 ino=622670 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1129317799.804:19): arch=40000003 syscall=11 success=yes exit=0 a0=8651a18 a1=8651a60 a2=8651580 a3=0 items=2 pid=3424 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="consoletype" exe="/sbin/consoletype"
type=AVC_PATH msg=audit(1129317799.804:19): path="/sbin/consoletype"
type=AVC_PATH msg=audit(1129317799.804:19): path="/sbin/consoletype"
type=CWD msg=audit(1129317799.804:19): cwd="/"
type=PATH msg=audit(1129317799.804:19): item=0 name="/sbin/consoletype" flags=101 inode=622670 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1129317799.804:19): item=1 flags=101 inode=819233 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1129317799.844:20): avc: denied { execute_no_trans } for pid=3421 comm="ifdown" name="ifdown-ppp" dev=dm-0 ino=20434 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1129317799.844:20): arch=40000003 syscall=11 success=yes exit=0 a0=864ece0 a1=864e660 a2=864e2c0 a3=0 items=3 pid=3421 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ifdown-ppp" exe="/bin/bash"
type=AVC_PATH msg=audit(1129317799.844:20): path="/etc/sysconfig/network-scripts/ifdown-ppp"
type=CWD msg=audit(1129317799.844:20): cwd="/etc/sysconfig/network-scripts"
type=PATH msg=audit(1129317799.844:20): item=0 name="/etc/sysconfig/network-scripts/ifdown-ppp" flags=101 inode=20434 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1129317799.844:20): item=1 flags=101 inode=753755 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1129317799.844:20): item=2 flags=101 inode=819233 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1129317799.888:21): avc: denied { ioctl } for pid=3421 comm="ifdown-ppp" name="ifdown-ppp" dev=dm-0 ino=20434 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1129317799.888:21): arch=40000003 syscall=54 success=no exit=-25 a0=3 a1=5401 a2=bf97d068 a3=bf97d0a8 items=0 pid=3421 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ifdown-ppp" exe="/bin/bash"
type=AVC_PATH msg=audit(1129317799.888:21): path="/etc/sysconfig/network-scripts/ifdown-ppp"
The relevant section of the script is:
/usr/bin/dbus-send --system --dest=org.freedesktop.NetworkManager --type=method_call /org/freedesktop/NetworkManager org.freedesktop.NetworkManager.sleep
sync
echo -n "mem" > /sys/power/state
/usr/bin/dbus-send --system --dest=org.freedesktop.NetworkManager --type=method_call /org/freedesktop/NetworkManager org.freedesktop.NetworkManager.wake
> Dan
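To read the denials in the message above at a glance, the following added example (not part of the original thread) groups the AVC records by source type, target type and object class, which is the key SELinux policy rules are written on. The function names and the `SAMPLE` constant are this example's own; the sample records are copied from the message above.

```python
import re
from collections import defaultdict

# The six AVC records from the message above (SYSCALL/CWD/PATH records left out).
SAMPLE = '''\
type=AVC msg=audit(1129317799.800:18): avc: denied { execute } for pid=3421 comm="ifdown" name="functions" dev=dm-0 ino=16571 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1129317799.804:19): avc: denied { execute } for pid=3424 comm="ifdown" name="consoletype" dev=dm-0 ino=622670 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file
type=AVC msg=audit(1129317799.804:19): avc: denied { execute_no_trans } for pid=3424 comm="ifdown" name="consoletype" dev=dm-0 ino=622670 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file
type=AVC msg=audit(1129317799.804:19): avc: denied { read } for pid=3424 comm="ifdown" name="consoletype" dev=dm-0 ino=622670 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file
type=AVC msg=audit(1129317799.844:20): avc: denied { execute_no_trans } for pid=3421 comm="ifdown" name="ifdown-ppp" dev=dm-0 ino=20434 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1129317799.888:21): avc: denied { ioctl } for pid=3421 comm="ifdown-ppp" name="ifdown-ppp" dev=dm-0 ino=20434 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
'''

# Records may arrive one per line or run together on one line.
RECORD_SPLIT = re.compile(r'\s+(?=type=[A-Z_]+ msg=audit\()')
AVC_RE = re.compile(r'type=AVC msg=audit\([\d.]+:\d+\): '
                    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(record):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(record)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    # A context is user:role:type[:level]; policy rules are written on the type.
    f['stype'] = f['scontext'].split(':')[2]
    f['ttype'] = f['tcontext'].split(':')[2]
    f['perms'] = m.group('perms').split()
    return f

def summarize(log_text):
    """Group denials by (source type, target type, class)."""
    grouped = defaultdict(lambda: {'perms': set(), 'names': set()})
    for record in RECORD_SPLIT.split(log_text.strip()):
        rec = parse_avc(record)
        if rec:
            entry = grouped[(rec['stype'], rec['ttype'], rec['tclass'])]
            entry['perms'].update(rec['perms'])
            entry['names'].add(rec.get('name', '?'))
    return dict(grouped)

def report(log_text):
    return ['%s -> %s:%s { %s } objects: %s' % (
                s, t, c, ' '.join(sorted(e['perms'])), ', '.join(sorted(e['names'])))
            for (s, t, c), e in sorted(summarize(log_text).items())]

if __name__ == '__main__':
    print('\n'.join(report(SAMPLE)))
```

Every denial has `NetworkManager_t` as its source type, and the targets fall into two groups: `etc_t` files (`functions`, `ifdown-ppp`) and the `consoletype_exec_t` binary.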
On Fri, 14 Oct 2005, Matthew Saltzman wrote:
> On Fri, 14 Oct 2005, Daniel J Walsh wrote:
>> Matthew Saltzman wrote:
>>> The latest Network Manager does some useful things across a suspend/resume cycle, but it relies on a dbus-send signal from the /etc/acpi/actions/sleep script.
>>> My script fails to deliver that signal when invoked from acpid in enforcing mode, but it works fine from the command line or in permissive mode.
>> What avc messages are you seeing?
> Now that you mention it, it looks like ifdown (called from NetworkManager?) is the problem:
Is this fix in the latest update or Rawhide yet? I'm currently using selinux-policy-targeted-1.27.1-13 from devel. The 1.27.1-17 version in Rawhide requires a new policycoreutils, which seems to require a bunch of other things.
Thanks.
Matthew Saltzman wrote:
> On Fri, 14 Oct 2005, Matthew Saltzman wrote:
>> On Fri, 14 Oct 2005, Daniel J Walsh wrote:
>>> Matthew Saltzman wrote:
>>>> The latest Network Manager does some useful things across a suspend/resume cycle, but it relies on a dbus-send signal from the /etc/acpi/actions/sleep script.
>>>> My script fails to deliver that signal when invoked from acpid in enforcing mode, but it works fine from the command line or in permissive mode.
>>> What avc messages are you seeing?
>> Now that you mention it, it looks like ifdown (called from NetworkManager?) is the problem:
> Is this fix in the latest update or Rawhide yet? I'm currently using selinux-policy-targeted-1.27.1-13 from devel. The 1.27.1-17 version in Rawhide requires a new policycoreutils, which seems to require a bunch of other things.
> Thanks.
On FC4 you should be using 1.27.1-2.7 which pretty much matches 1.27.2-17
Dan
On Tue, 18 Oct 2005, Daniel J Walsh wrote:
> Matthew Saltzman wrote:
>> On Fri, 14 Oct 2005, Matthew Saltzman wrote:
>>> On Fri, 14 Oct 2005, Daniel J Walsh wrote:
>>>> Matthew Saltzman wrote:
>>>>> The latest Network Manager does some useful things across a suspend/resume cycle, but it relies on a dbus-send signal from the /etc/acpi/actions/sleep script.
>>>>> My script fails to deliver that signal when invoked from acpid in enforcing mode, but it works fine from the command line or in permissive mode.
>>>> What avc messages are you seeing?
>>> Now that you mention it, it looks like ifdown (called from NetworkManager?) is the problem:
>> Is this fix in the latest update or Rawhide yet? I'm currently using selinux-policy-targeted-1.27.1-13 from devel. The 1.27.1-17 version in Rawhide requires a new policycoreutils, which seems to require a bunch of other things.
>> Thanks.
> On FC4 you should be using 1.27.1-2.7 which pretty much matches 1.27.2-17
Thanks. I presume that will be in updates-testing shortly? The latest I can find is 1.27.1-2.6.
> Dan
selinux@lists.fedoraproject.org