Please go easy on me, this is my first post...
I'm using Centos7 minimal. I've installed acpid and the daemon is running.
When I hit the power button, I get the following in /var/log/messages
Quote:
May 2 18:52:53 localhost systemd-logind: Power key pressed.
May 2 18:52:53 localhost systemd: SELinux policy denies access.
|
and in /var/log/audit/audit.log:
Code:
type=USER_AVC msg=audit(1430589539.562:468): pid=815 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=Get dest=org.freedesktop.systemd1 spid=4177 tpid=1 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1430589539.571:469): pid=815 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=Get dest=org.freedesktop.systemd1 spid=4182 tpid=1 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1430589539.586:470): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=-1 uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Piping that through audit2why gives the following output:
Code:
type=USER_AVC msg=audit(1430589539.562:468): pid=815 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=Get dest=org.freedesktop.systemd1 spid=4177 tpid=1 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=USER_AVC msg=audit(1430589539.571:469): pid=815 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=Get dest=org.freedesktop.systemd1 spid=4182 tpid=1 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=USER_AVC msg=audit(1430589539.586:470): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=-1 uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
And finally, piping the audit to audit2allow -lar gives me:
Code:
require {
type power_unit_file_t;
type init_t;
type apmd_t;
class dbus send_msg;
class service start;
}
#============= apmd_t ==============
allow apmd_t init_t:dbus send_msg;
allow apmd_t power_unit_file_t:service start;
I'm not sure what to do next. How can I get from the output above to an active selinux policy?