On Wed, 2005-06-29 at 09:43 -0400, Matthew Saltzman wrote: > On Tue, 28 Jun 2005, Matthew Saltzman wrote: > > > The ACPI scripts for my Thinkpad don't work as they used to. For example, > > the script I use to turn off the backlight touches or removes a file to > > indicate whether the backlight is on or off. In FC4, the script is > > apparently not allowed to touch the file in either /etc/acpi/actions (where > > it used to) or even in /var/tmp (where I changed it to). > > > > Also, radeontool appears to fail to detect the Radeon in lspci when run form > > the script, but it works fine when run from the command line as root. > > The error is different from the one that usually occurs when running > > radeontool as non-root, which is "can't open /dev/mem Are you root?" > > This error is "Radeon hardware not found in lspci output." > > > > This issue also affects my suspend script, which is not permitted to write to > > /proc/acpi/sleep. > > > > Any ideas what's going on here? > > To follow myself up: > > As I kind of suspected, this is an SELinux issue--turn off enforcing mode > and everything works as expected. So how can I give these scripts access > to the files they need to touch/write to? Collect the relevant audit messages from /var/log/audit/audit.log (if running auditd) or /var/log/messages (if not) and report them to fedora-selinux-list. In audit.log, they should have the type=AVC prefix, although it would also help to have the adjacent audit messages as well that sometimes include supplementary information (like AVC_PATH, PATH, SYSCALL, etc). -- Stephen Smalley National Security Agency
