我已经安装了 acpid 并设置了盖子关闭事件,该事件在调试模式下有效,但是当 systemd 启动 acpid 时,我无法使其工作。
我使用这里的建议来配置 acpid 合上盖子时 Linux 暂停或睡眠
猫/etc/acpi/events/lid
event=button[ /]lid
action=/etc/acpi/actions/lid_down.sh %
猫/etc/acpi/actions/lid_down.sh
#!/bin/bash
[ "$1" = "button/lid" ] && [ "$2" = "LID" ] && [ "$3" = "close" ] && xscreensaver-command -lock
跑步acpid-d-l有效,但是systemctl 启动 acpid当我关闭盖子时产生以下错误
# ausearch -m avc -ts recent -i
----
type=AVC msg=audit(19/07/18 04:14:19.214:452) : avc: denied { connectto } for pid=16632 comm=xscreensaver-co path=/tmp/.X11-unix/X0 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
当从 acpid 启动时,我需要什么 selinux 策略来允许 xscreensaver-command 访问我的显示套接字?
================================================
因此,我编辑了脚本并使其按如下方式工作:
猫/etc/acpi/actions/lid_down.sh
#!/bin/bash
[ "$1" = "button/lid" ] && [ "$2" = "LID" ] && [ "$3" = "close" ] && /usr/local/bin/xscreensaver-lock-all
猫/usr/local/bin/xscreensaver-lock-all
#!/bin/bash
logger "screen saver lock script started"
for user in $(ps -ef | awk '($0~/xscreensaver/&&$0!~/awk/){print $1}')
do
su $user -c "/usr/bin/xscreensaver-command -lock"
done
我确实尝试在 lid_down.sh 中插入各种 runcon 选项,但无济于事。所以我目前的解决方法是:
# semanage permissive -a apmd_t
但这会产生以下错误:
# ausearch -m avc -ts recent -i
----
type=AVC msg=audit(19/07/18 10:24:19.266:287) : avc: denied { bind } for pid=3372 comm=su scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:apmd_t:s0 tclass=netlink_selinux_socket permissive=1
----
type=AVC msg=audit(19/07/18 10:24:19.266:286) : avc: denied { create } for pid=3372 comm=su scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:apmd_t:s0 tclass=netlink_selinux_socket permissive=1
----
type=AVC msg=audit(19/07/18 10:24:19.267:288) : avc: denied { compute_av } for pid=3372 comm=su scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security permissive=1
----
type=AVC msg=audit(19/07/18 10:24:19.268:292) : avc: denied { setgid } for pid=3372 comm=su capability=setgid scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:apmd_t:s0 tclass=capability permissive=1
----
type=AVC msg=audit(19/07/18 10:24:19.271:294) : avc: denied { setsched } for pid=3372 comm=su scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:apmd_t:s0 tclass=process permissive=1
----
type=AVC msg=audit(19/07/18 10:24:19.284:298) : avc: denied { read write } for pid=3372 comm=su name=lastlog dev="dm-0" ino=659972 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(19/07/18 10:24:19.285:299) : avc: denied { open } for pid=3372 comm=su path=/var/log/lastlog dev="dm-0" ino=659972 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(19/07/18 10:24:19.342:301) : avc: denied { connectto } for pid=3373 comm=xscreensaver-co path=/tmp/.X11-unix/X0 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
----
type=AVC msg=audit(19/07/18 10:24:19.343:302) : avc: denied { read } for pid=3373 comm=xscreensaver-co name=.Xauthority dev="dm-4" ino=15466502 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(19/07/18 10:24:19.343:303) : avc: denied { open } for pid=3373 comm=xscreensaver-co path=/home/ken/.Xauthority dev="dm-4" ino=15466502 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(19/07/18 10:24:19.538:315) : avc: denied { read write } for pid=3374 comm=su name=lastlog dev="dm-0" ino=659972 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(19/07/18 10:24:19.538:316) : avc: denied { open } for pid=3374 comm=su path=/var/log/lastlog dev="dm-0" ino=659972 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(19/07/18 10:24:19.539:318) : avc: denied { setgid } for pid=3382 comm=su capability=setgid scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:apmd_t:s0 tclass=capability permissive=1
----
type=AVC msg=audit(19/07/18 10:24:19.543:319) : avc: denied { connectto } for pid=3382 comm=xscreensaver-co path=/tmp/.X11-unix/X0 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
----
type=AVC msg=audit(19/07/18 10:24:22.153:336) : avc: denied { read write } for pid=3386 comm=su name=lastlog dev="dm-0" ino=659972 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(19/07/18 10:24:22.153:337) : avc: denied { open } for pid=3386 comm=su path=/var/log/lastlog dev="dm-0" ino=659972 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(19/07/18 10:24:22.153:339) : avc: denied { setgid } for pid=3395 comm=su capability=setgid scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:apmd_t:s0 tclass=capability permissive=1
----
type=AVC msg=audit(19/07/18 10:24:22.157:340) : avc: denied { connectto } for pid=3395 comm=xscreensaver-co path=/tmp/.X11-unix/X0 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
----
type=AVC msg=audit(19/07/18 10:24:21.901:322) : avc: denied { create } for pid=3386 comm=su scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:apmd_t:s0 tclass=netlink_selinux_socket permissive=1
----
type=AVC msg=audit(19/07/18 10:24:21.901:323) : avc: denied { bind } for pid=3386 comm=su scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:apmd_t:s0 tclass=netlink_selinux_socket permissive=1
----
type=AVC msg=audit(19/07/18 10:24:21.901:324) : avc: denied { compute_av } for pid=3386 comm=su scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security permissive=1
----
type=AVC msg=audit(19/07/18 10:24:21.905:329) : avc: denied { setsched } for pid=3386 comm=su scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:apmd_t:s0 tclass=process permissive=1
一定有一个更简洁的方法来做到这一点,而无需禁用 acpi 的 selinux
答案1
如果你正在寻找一种“更简洁”的方式,那么让服务启动图形程序是马上出去。这是糟糕的设计,不仅仅是因为 SELinux。
将命令更改为/usr/bin/loginctl lock-sessions
。这会向所有图形会话广播“锁定”信号,每个会话都可以在内部对其作出反应(例如,启动锁定器而不会出现任何 SELinux 问题)。LXDE 可能已经支持它。
如果 LXDE 对锁定信号没有反应,请运行以下辅助程序: