Il coperchio di chiusura LXDE di Fedora 27 non blocca lo schermo (selinux acpid xscreensaver-command)


0

Ho installato acpid e impostato un evento per la chiusura del coperchio che funziona in modalità di debug, tuttavia non riesco a farlo funzionare quando acpid viene avviato da systemd.

Ho usato i suggerimenti qui per configurare acpid Linux sospende o dorme sulla chiusura del coperchio

gatto / etc / acpi / eventi / coperchio

event=button[ /]lid
action=/etc/acpi/actions/lid_down.sh %

cat /etc/acpi/actions/lid_down.sh

#!/bin/bash

[ "$1" = "button/lid" ] && [ "$2" = "LID" ] && [ "$3" = "close" ] && xscreensaver-command -lock

in esecuzione acpid -d -l funziona, ma systemctl avvia acpid produce il seguente errore quando chiudo il coperchio

# ausearch -m avc -ts recent -i
----
type=AVC msg=audit(19/07/18 04:14:19.214:452) : avc:  denied  { connectto } for  pid=16632 comm=xscreensaver-co path=/tmp/.X11-unix/X0 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0 

Quale criterio di selinux richiedo per consentire a xscreensaver-command di accedere al mio display socket quando viene lanciato da acpid?

================================================

Così, ho modificato il mio script e posso farlo funzionare come segue:

cat /etc/acpi/actions/lid_down.sh

#!/bin/bash

[ "$1" = "button/lid" ] && [ "$2" = "LID" ] && [ "$3" = "close" ] && /usr/local/bin/xscreensaver-lock-all

cat / usr / local / bin / xscreensaver-lock-all

#!/bin/bash

logger "screen saver lock script started"
for user in $(ps -ef | awk '($0~/xscreensaver/&&$0!~/awk/){print $1}')
do
    su $user -c "/usr/bin/xscreensaver-command -lock"
done

Ho provato a inserire varie opzioni runcon in lid_down.sh, ma senza successo. Quindi la mia soluzione attuale è:

# semanage permissive -a apmd_t

Ma questo produce i seguenti errori:

# ausearch -m avc -ts recent -i
----
type=AVC msg=audit(19/07/18 10:24:19.266:287) : avc:  denied  { bind } for  pid=3372 comm=su scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:apmd_t:s0 tclass=netlink_selinux_socket permissive=1 
----
type=AVC msg=audit(19/07/18 10:24:19.266:286) : avc:  denied  { create } for  pid=3372 comm=su scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:apmd_t:s0 tclass=netlink_selinux_socket permissive=1 
----
type=AVC msg=audit(19/07/18 10:24:19.267:288) : avc:  denied  { compute_av } for  pid=3372 comm=su scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security permissive=1 
----
type=AVC msg=audit(19/07/18 10:24:19.268:292) : avc:  denied  { setgid } for  pid=3372 comm=su capability=setgid  scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:apmd_t:s0 tclass=capability permissive=1 
----
type=AVC msg=audit(19/07/18 10:24:19.271:294) : avc:  denied  { setsched } for  pid=3372 comm=su scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:apmd_t:s0 tclass=process permissive=1 
----
type=AVC msg=audit(19/07/18 10:24:19.284:298) : avc:  denied  { read write } for  pid=3372 comm=su name=lastlog dev="dm-0" ino=659972 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(19/07/18 10:24:19.285:299) : avc:  denied  { open } for  pid=3372 comm=su path=/var/log/lastlog dev="dm-0" ino=659972 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(19/07/18 10:24:19.342:301) : avc:  denied  { connectto } for  pid=3373 comm=xscreensaver-co path=/tmp/.X11-unix/X0 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1 
----
type=AVC msg=audit(19/07/18 10:24:19.343:302) : avc:  denied  { read } for  pid=3373 comm=xscreensaver-co name=.Xauthority dev="dm-4" ino=15466502 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(19/07/18 10:24:19.343:303) : avc:  denied  { open } for  pid=3373 comm=xscreensaver-co path=/home/ken/.Xauthority dev="dm-4" ino=15466502 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(19/07/18 10:24:19.538:315) : avc:  denied  { read write } for  pid=3374 comm=su name=lastlog dev="dm-0" ino=659972 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(19/07/18 10:24:19.538:316) : avc:  denied  { open } for  pid=3374 comm=su path=/var/log/lastlog dev="dm-0" ino=659972 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(19/07/18 10:24:19.539:318) : avc:  denied  { setgid } for  pid=3382 comm=su capability=setgid  scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:apmd_t:s0 tclass=capability permissive=1 
----
type=AVC msg=audit(19/07/18 10:24:19.543:319) : avc:  denied  { connectto } for  pid=3382 comm=xscreensaver-co path=/tmp/.X11-unix/X0 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1 
----
type=AVC msg=audit(19/07/18 10:24:22.153:336) : avc:  denied  { read write } for  pid=3386 comm=su name=lastlog dev="dm-0" ino=659972 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(19/07/18 10:24:22.153:337) : avc:  denied  { open } for  pid=3386 comm=su path=/var/log/lastlog dev="dm-0" ino=659972 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(19/07/18 10:24:22.153:339) : avc:  denied  { setgid } for  pid=3395 comm=su capability=setgid  scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:apmd_t:s0 tclass=capability permissive=1 
----
type=AVC msg=audit(19/07/18 10:24:22.157:340) : avc:  denied  { connectto } for  pid=3395 comm=xscreensaver-co path=/tmp/.X11-unix/X0 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1 
----
type=AVC msg=audit(19/07/18 10:24:21.901:322) : avc:  denied  { create } for  pid=3386 comm=su scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:apmd_t:s0 tclass=netlink_selinux_socket permissive=1 
----
type=AVC msg=audit(19/07/18 10:24:21.901:323) : avc:  denied  { bind } for  pid=3386 comm=su scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:apmd_t:s0 tclass=netlink_selinux_socket permissive=1 
----
type=AVC msg=audit(19/07/18 10:24:21.901:324) : avc:  denied  { compute_av } for  pid=3386 comm=su scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security permissive=1 
----
type=AVC msg=audit(19/07/18 10:24:21.905:329) : avc:  denied  { setsched } for  pid=3386 comm=su scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:apmd_t:s0 tclass=process permissive=1 

Ci deve essere un modo più ordinato per farlo senza disabilitare selinux per acpi

Risposte:


0

Se stai cercando un modo "più ordinato", fare un servizio è avviare programmi grafici proprio fuori È un design scadente, non solo per SELinux.

Cambia il comando a /usr/bin/loginctl lock-sessions. Questo trasmette un segnale di "blocco" a tutte le sessioni grafiche e ogni sessione può reagire internamente (ad es. Avviare un armadietto senza problemi SELinux). Probabilmente LXDE potrebbe già supportarlo.

Se LXDE non reagisce al segnale di blocco, esegui un helper che:

Utilizzando il nostro sito, riconosci di aver letto e compreso le nostre Informativa sui cookie e Informativa sulla privacy.
Licensed under cc by-sa 3.0 with attribution required.