acpid, killing processes or accessing ttys with selinux on fc4

Vincenzo Ciancia vincenzo_yahoo_addressguard-gmane at yahoo.it
Thu Jun 30 13:17:38 UTC 2005


Hi all, I was addressed here from the fedora-general list.

When I try to kill kwin (workaround I am trying for a bug) which is not
owned by root, from an acpid event handler, I see

==============
type=PATH msg=audit(1120137170.131:15862051): item=0 name="/home/vincenzo"
inode=2 dev=03:03 mode=040755 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1120137170.131:15862051): arch=40000003 syscall=195
success=no exit=-13 a0=8608218 a1=bfaec42c a2=236ff4 a3=bfaec42c items=1
pid=2381 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="sh" exe="/bin/bash"
type=AVC msg=audit(1120137170.131:15862051): avc:  denied  { search } for 
pid=2381 comm="sh" name=/ dev=hda3 ino=2 scontext=root:system_r:apmd_t
tcontext=system_u:object_r:home_root_t tclass=dir
type=SYSCALL msg=audit(1120137170.138:15862566): arch=40000003 syscall=37
success=no exit=-1 a0=b97 a1=9 a2=0 a3=b97 items=0 pid=2381 auid=500 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="killall"
exe="/usr/bin/killall"
type=AVC msg=audit(1120137170.138:15862566): avc:  denied  { kill } for 
pid=2381 comm="killall" capability=5 scontext=root:system_r:apmd_t
tcontext=root:system_r:apmd_t tclass=capability
===============

in audit.log

Also, if I try to use 

 action=chvt 1 < /dev/tty10

(because chvt needs a tty to operate)

I find

========
type=PATH msg=audit(1120137360.814:62404): item=0 name="/home/vincenzo"
inode=2 dev=03:03 mode=040755 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1120137360.814:62404): arch=40000003 syscall=195
success=no exit=-13 a0=957e218 a1=bfb7578c a2=987ff4 a3=bfb7578c items=1
pid=2450 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="sh" exe="/bin/bash"
type=AVC msg=audit(1120137360.814:62404): avc:  denied  { search } for 
pid=2450 comm="sh" name=/ dev=hda3 ino=2 scontext=root:system_r:apmd_t
tcontext=system_u:object_r:home_root_t tclass=dir
========

even if /dev/tty10 is owned by root.

How do I allow both operations? I can't find any reference to acpid in the
selinux configuration tool.

Bye and thanks

Vincenzo Ciancia

-- 
Please note that I do not read the e-mail address used in the from field but
I read vincenzo_ml at yahoo dot it
Attention: I do not read the e-mail address used in the from field, but I read
vincenzo_ml at yahoo dot it
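The two AVC records in the post carry everything needed to understand and fix the denials: the handler runs as `apmd_t`, and it is refused `search` on a `home_root_t` directory (the root of hda3 mounted at /home) and the `kill` capability on itself (`capability=5` is CAP_KILL on Linux). The script below is an added example, not part of the original post or of the acpid/SELinux tooling: it parses those two lines (copied from the post) the way audit2allow does and emits the type-enforcement rules that would allow the operations. The module name `acpid_local` is an assumption.

```python
import re
from dataclasses import dataclass

# The two AVC records copied from the audit.log excerpt in the post.
AVC_LINES = [
    'type=AVC msg=audit(1120137170.131:15862051): avc:  denied  { search } for '
    'pid=2381 comm="sh" name=/ dev=hda3 ino=2 scontext=root:system_r:apmd_t '
    'tcontext=system_u:object_r:home_root_t tclass=dir',
    'type=AVC msg=audit(1120137170.138:15862566): avc:  denied  { kill } for '
    'pid=2381 comm="killall" capability=5 scontext=root:system_r:apmd_t '
    'tcontext=root:system_r:apmd_t tclass=capability',
]

# "avc:  denied  { perm perm } for key=value key=value ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Denial:
    perms: tuple          # permissions denied, e.g. ('search',)
    source_type: str      # type component of scontext, e.g. apmd_t
    target_type: str      # type component of tcontext, e.g. home_root_t
    tclass: str           # object class, e.g. dir or capability
    comm: str             # the program that was denied

    def rule(self) -> str:
        # A denial whose source and target types coincide is written against "self".
        target = "self" if self.source_type == self.target_type else self.target_type
        return f"allow {self.source_type} {target}:{self.tclass} {fmt_perms(self.perms)};"


def fmt_perms(perms) -> str:
    """Single permission bare, several inside braces, as in policy source."""
    perms = list(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def parse_avc(line: str):
    """Turn one 'type=AVC ... denied' record into a Denial, or None if not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    # Contexts are user:role:type[:level]; the type is the third field.
    return Denial(
        perms=tuple(sorted(m.group("perms").split())),
        source_type=fields["scontext"].split(":")[2],
        target_type=fields["tcontext"].split(":")[2],
        tclass=fields["tclass"],
        comm=fields.get("comm", "?"),
    )


def module_source(denials, name: str = "acpid_local") -> str:
    """Emit an audit2allow-style policy module granting exactly these denials."""
    types = sorted({t for d in denials for t in (d.source_type, d.target_type)})
    classes: dict = {}
    for d in denials:
        classes.setdefault(d.tclass, set()).update(d.perms)
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"    type {t};" for t in types]
    lines += [f"    class {c} {fmt_perms(sorted(p))};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    lines += [d.rule() for d in denials]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = [d for d in map(parse_avc, AVC_LINES) if d is not None]
    for d in found:
        print(f"{d.comm}: {d.source_type} -> {d.target_type}:{d.tclass} {d.perms}")
    print(module_source(found))
```

The output for the post's two records is `allow apmd_t home_root_t:dir search;` and `allow apmd_t self:capability kill;`. On FC4's monolithic targeted policy such rules went into the policy sources' local.te before rebuilding; on later releases the same text is a loadable module built with `checkmodule -M -m`, `semodule_package` and `semodule -i`. Before granting the first rule it is worth asking why a handler script touches /home/vincenzo at all: the PATH record shows a stat64 (i386 syscall 195) on that directory from the shell, not from killall, so the environment the handler inherits is the thing to inspect; the kill denial (syscall 37) is the one the workaround actually needs.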