
On Fedora 23 I wanted to add a custom action when the laptop lid is opened. I have installed acpid and created three files:

/etc/acpi/events/lidconf

event=button/lid
action=/etc/acpi/actions/lid.sh "%e"

/etc/acpi/actions/lid.sh

#!/bin/bash
/home/user/Utility/lid.sh "$1"

/home/user/Utility/lid.sh

#!/bin/bash
DISPLAY=:0.0 su user -c "echo $1 >> /home/user/lid.txt"

It works perfectly when I run # /usr/sbin/acpid -f, but not at all when I do # systemctl start acpid.

I have noticed that the result of the ps command is a bit different.

As root:

root      3796  0.0  0.0   4344  1704 ?        Ss   22:24   0:00 /usr/sbin/acpid -f

Using systemd:

root      3918  0.0  0.0   4344  1780 pts/0    S+   22:25   0:00 /usr/sbin/acpid -f

Why does it not work when started by systemd?

Edit: I have enabled log for acpid and this is what I get:

received input layer event "button/lid LID open"
rule from /etc/acpi/events/lidconf matched
executing action "/etc/acpi/actions/lid.sh "button/lid LID open""
action exited with status 126
1 total rule matched
completed input layer event "button/lid LID open"

Edit2: ps aux -Z

Systemd:

system_u:system_r:apmd_t:s0     root      5177  0.1  0.0   4348  1756 ?        Ss   22:52   0:00 /usr/sbin/acpid -f -l -d

Ran as root:

unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 5341 0.0  0.0 4344 1808 pts/0 S+ 22:56   0:00 /usr/sbin/acpid -f -l -d
Fenikso
  • Sounds like you have something in YOUR environment PATH that does not exist in the standard system. – mdpc Feb 09 '16 at 21:34
  • @mdpc can you elaborate? I do not understand how the content of the PATH variable can break this. – Fenikso Feb 09 '16 at 21:37
  • what about SELinux context (`-Z` switch to `ps`)? Are there any denials in audit? – Jakuje Feb 09 '16 at 21:47
  • @Jakuje I am not really skilled with SELinux. I have added the result of `ps aux -Z` to the question. How can I list the denials? – Fenikso Feb 09 '16 at 22:09
  • @Jakuje So it is definitely SELinux. I have tried to switch it off and it worked. – Fenikso Feb 09 '16 at 22:28
  • You can see AVC denials using `ausearch -m AVC`. The problem is that you have implemented this without being aware of SELinux contexts. I am probably too tired to understand what is going on under the hood of your scripts (can you try to describe it in the edited question?) to help you now. But I might try tomorrow, if there is nobody faster. We have the root problem and a workaround, and now it only needs to be finished. – Jakuje Feb 09 '16 at 22:35
  • @Jakuje Funny, it seems we are working in the same building :-D. So maybe if you have a bit of time tomorrow? – Fenikso Feb 09 '16 at 22:41
  • @Jakuje He did not set selinux up. Fedora 23 uses selinux by default. – Johnson Steward Feb 11 '16 at 04:13
  • @JohnsonSteward Yes, it is. Of course I meant to set up the labels and so on according to SELinux when he started putting different files around the file system. – Jakuje Feb 11 '16 at 08:31

1 Answer


OK, SELinux issue. When creating some new stuff related to an existing service, you need to make sure that the service will have appropriate access to your files. The log you posted suggests that it does not (unless running as unconfined_t).

executing action "/etc/acpi/actions/lid.sh "button/lid LID open""
action exited with status 126

The execution of the above command fails (exit status 126), which means that the source type apmd_t does not have the capability to execute your file (whose labels are unknown to me). Browsing through the policy, such as with:

$ sesearch -A -s apmd_t -p execute /etc/selinux/targeted/policy/policy.*

we can notice the line

allow apmd_t apmd_exec_t : file { ioctl read getattr lock execute execute_no_trans entrypoint open } 

allowing execution of files of type apmd_exec_t. Changing the label of your executable to that type should move you forward:

# chcon -t apmd_exec_t /etc/acpi/actions/lid.sh

Further on, you will probably run into problems with writing into the file /home/user/lid.txt, which is probably labelled as home_t or whatever. Your service can write, for example, to apmd_tmp_t:

$ sesearch -A -s apmd_t -p write /etc/selinux/targeted/policy/policy.*
allow apmd_t apmd_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; 

So if you change the context of your target file to apmd_tmp_t, it should work for you:

# chcon -t apmd_tmp_t /home/user/lid.txt

This solution is not permanent. More correct would be to define your own policy covering these files and contexts, or to move the files to places where the context is right by default. You should be able to get some help from the audit log (the ausearch -m AVC and audit2allow utilities). If something does not work, let me know.

Jakuje
  • So for whatever reason it was actually `abrtd` trying to report a `su` crash, which was denied by SELinux (right now there is an abrt SELinux policy bug). When disabling abrtd, it was kind of working, requiring me to do other tweaking based on the real stuff I wanted the scripts to do in the end. But at that point the SELinux troubleshooter worked as expected, so I was able to make it work as I wanted in the end, using `xrandr` and other commands. – Fenikso Feb 11 '16 at 12:27
  • This answer, however, got me on the right track, listing important commands and ideas. For that reason I am upvoting the answer, but not accepting it, so it is not misleading. Thanks! – Fenikso Feb 11 '16 at 12:30
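The answer above walks through the diagnosis by hand: read the AVC denials, find the source and target types, query the policy with sesearch, and relabel with chcon. As an added example (not code from the question, the answer or the acpid project), the POSIX shell script below automates the reading step. It parses records in the format `ausearch -m AVC` prints and reduces each to the tuple "source type, permission, class, target type, file name", then prints the sesearch query that shows which target types the source domain is allowed that access on, exactly the lookup the answer performs for apmd_t. The two AVC records embedded in SAMPLE_AVC are constructed for this scenario (acpid's apmd_t executing a script labelled etc_t, then writing a file labelled user_home_t); they are not real audit output, and the pids, inodes and timestamps in them are placeholders. Nothing here changes labels; it only tells you what to look at before you run chcon or audit2allow.

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Parses SELinux AVC denial records (the format `ausearch -m AVC` prints) and
# turns each one into the policy lookup the answer above does by hand.

# Constructed sample records for the acpid scenario; not real audit output.
# pids, inodes and timestamps are placeholders.
SAMPLE_AVC='type=AVC msg=audit(1455055500.123:456): avc:  denied  { execute } for  pid=5177 comm="acpid" name="lid.sh" dev="dm-0" ino=12345 scontext=system_u:system_r:apmd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1455055501.456:457): avc:  denied  { write } for  pid=5180 comm="bash" name="lid.txt" dev="dm-0" ino=23456 scontext=system_u:system_r:apmd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# Type component (third colon-separated field) of a context such as
# system_u:system_r:apmd_t:s0 -> apmd_t. Also works on the ps -Z output
# in the question, e.g. unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Value of KEY=VALUE in one AVC record, with surrounding quotes stripped.
# Usage: avc_field "$record" tcontext
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\"[:space:]]*\)\"\{0,1\}.*/\1/p"
}

# Permissions inside "denied { ... }", joined with commas so that a record
# denying several permissions still yields a single field.
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^} ]\) *}.*/\1/p' | tr ' ' ,
}

# Read AVC records on stdin; print one line per denial:
#   SOURCE_TYPE PERMS TCLASS TARGET_TYPE NAME
avc_summarize() {
    while IFS= read -r rec; do
        case "$rec" in *"avc:"*"denied"*) ;; *) continue ;; esac
        printf '%s %s %s %s %s\n' \
            "$(ctx_type "$(avc_field "$rec" scontext)")" \
            "$(avc_perm "$rec")" \
            "$(avc_field "$rec" tclass)" \
            "$(ctx_type "$(avc_field "$rec" tcontext)")" \
            "$(avc_field "$rec" name)"
    done
}

# The policy query the answer runs for apmd_t: which target types may the
# source domain access with these permissions on this object class.
# Only printed, never executed.
suggest_check() {
    printf 'sesearch -A -s %s -c %s -p %s\n' "$1" "$3" "$2"
}

# True when a file context (as printed by `stat -c %C` or `ls -Z`) already
# carries the wanted type; use it to verify a chcon step before relying on it.
has_type() {
    [ "$(ctx_type "$1")" = "$2" ]
}

# Demonstration on the constructed records.
printf '%s\n' "$SAMPLE_AVC" | avc_summarize |
while read -r src perm tclass tgt name; do
    echo "$name: $src denied $perm on $tclass labelled $tgt; check with:"
    echo "  $(suggest_check "$src" "$perm" "$tclass")"
done
```

On a real system, replace the constructed sample with `ausearch -m AVC -ts recent | avc_summarize`. The first output line for the sample reads `apmd_t execute file etc_t lid.sh`, which is the denial behind the "status 126" in the question's log; the suggested `sesearch -A -s apmd_t -c file -p execute` is what reveals apmd_exec_t as an allowed target type. The `permissive=0` field in each record is worth keeping an eye on: a denial with `permissive=1` was logged but not enforced, so it would not explain a failing action.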