Fedora 27 LXDE 关闭盖子不会锁定屏幕(selinux acpid xscreensaver 命令)

tag-icon tag-icon sockets acpi selinux xscreensaver
Fedora 27 LXDE 关闭盖子不会锁定屏幕(selinux acpid xscreensaver 命令)

我已经安装了 acpid 并设置了盖子关闭事件,该事件在调试模式下有效,但是当 systemd 启动 acpid 时,我无法使其工作。

我使用这里的建议来配置 acpid 合上盖子时 Linux 暂停或睡眠

猫/etc/acpi/events/lid

event=button[ /]lid
action=/etc/acpi/actions/lid_down.sh %

猫/etc/acpi/actions/lid_down.sh

#!/bin/bash

[ "$1" = "button/lid" ] && [ "$2" = "LID" ] && [ "$3" = "close" ] && xscreensaver-command -lock

跑步acpid-d-l有效,但是systemctl 启动 acpid当我关闭盖子时产生以下错误

# ausearch -m avc -ts recent -i
----
type=AVC msg=audit(19/07/18 04:14:19.214:452) : avc:  denied  { connectto } for  pid=16632 comm=xscreensaver-co path=/tmp/.X11-unix/X0 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0

当从 acpid 启动时,我需要什么 selinux 策略来允许 xscreensaver-command 访问我的显示套接字?

================================================

因此,我编辑了脚本并使其按如下方式工作:

猫/etc/acpi/actions/lid_down.sh

#!/bin/bash

[ "$1" = "button/lid" ] && [ "$2" = "LID" ] && [ "$3" = "close" ] && /usr/local/bin/xscreensaver-lock-all

猫/usr/local/bin/xscreensaver-lock-all

#!/bin/bash

logger "screen saver lock script started"
for user in $(ps -ef | awk '($0~/xscreensaver/&&$0!~/awk/){print $1}')
do
    su $user -c "/usr/bin/xscreensaver-command -lock"
done

我确实尝试在 lid_down.sh 中插入各种 runco​​n 选项,但无济于事。所以我目前的解决方法是:

# semanage permissive -a apmd_t

但这会产生以下错误:

# ausearch -m avc -ts recent -i
----
type=AVC msg=audit(19/07/18 10:24:19.266:287) : avc:  denied  { bind } for  pid=3372 comm=su scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:apmd_t:s0 tclass=netlink_selinux_socket permissive=1 
----
type=AVC msg=audit(19/07/18 10:24:19.266:286) : avc:  denied  { create } for  pid=3372 comm=su scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:apmd_t:s0 tclass=netlink_selinux_socket permissive=1 
----
type=AVC msg=audit(19/07/18 10:24:19.267:288) : avc:  denied  { compute_av } for  pid=3372 comm=su scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security permissive=1 
----
type=AVC msg=audit(19/07/18 10:24:19.268:292) : avc:  denied  { setgid } for  pid=3372 comm=su capability=setgid  scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:apmd_t:s0 tclass=capability permissive=1 
----
type=AVC msg=audit(19/07/18 10:24:19.271:294) : avc:  denied  { setsched } for  pid=3372 comm=su scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:apmd_t:s0 tclass=process permissive=1 
----
type=AVC msg=audit(19/07/18 10:24:19.284:298) : avc:  denied  { read write } for  pid=3372 comm=su name=lastlog dev="dm-0" ino=659972 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(19/07/18 10:24:19.285:299) : avc:  denied  { open } for  pid=3372 comm=su path=/var/log/lastlog dev="dm-0" ino=659972 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(19/07/18 10:24:19.342:301) : avc:  denied  { connectto } for  pid=3373 comm=xscreensaver-co path=/tmp/.X11-unix/X0 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1 
----
type=AVC msg=audit(19/07/18 10:24:19.343:302) : avc:  denied  { read } for  pid=3373 comm=xscreensaver-co name=.Xauthority dev="dm-4" ino=15466502 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(19/07/18 10:24:19.343:303) : avc:  denied  { open } for  pid=3373 comm=xscreensaver-co path=/home/ken/.Xauthority dev="dm-4" ino=15466502 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(19/07/18 10:24:19.538:315) : avc:  denied  { read write } for  pid=3374 comm=su name=lastlog dev="dm-0" ino=659972 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(19/07/18 10:24:19.538:316) : avc:  denied  { open } for  pid=3374 comm=su path=/var/log/lastlog dev="dm-0" ino=659972 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(19/07/18 10:24:19.539:318) : avc:  denied  { setgid } for  pid=3382 comm=su capability=setgid  scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:apmd_t:s0 tclass=capability permissive=1 
----
type=AVC msg=audit(19/07/18 10:24:19.543:319) : avc:  denied  { connectto } for  pid=3382 comm=xscreensaver-co path=/tmp/.X11-unix/X0 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1 
----
type=AVC msg=audit(19/07/18 10:24:22.153:336) : avc:  denied  { read write } for  pid=3386 comm=su name=lastlog dev="dm-0" ino=659972 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(19/07/18 10:24:22.153:337) : avc:  denied  { open } for  pid=3386 comm=su path=/var/log/lastlog dev="dm-0" ino=659972 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(19/07/18 10:24:22.153:339) : avc:  denied  { setgid } for  pid=3395 comm=su capability=setgid  scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:apmd_t:s0 tclass=capability permissive=1 
----
type=AVC msg=audit(19/07/18 10:24:22.157:340) : avc:  denied  { connectto } for  pid=3395 comm=xscreensaver-co path=/tmp/.X11-unix/X0 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1 
----
type=AVC msg=audit(19/07/18 10:24:21.901:322) : avc:  denied  { create } for  pid=3386 comm=su scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:apmd_t:s0 tclass=netlink_selinux_socket permissive=1 
----
type=AVC msg=audit(19/07/18 10:24:21.901:323) : avc:  denied  { bind } for  pid=3386 comm=su scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:apmd_t:s0 tclass=netlink_selinux_socket permissive=1 
----
type=AVC msg=audit(19/07/18 10:24:21.901:324) : avc:  denied  { compute_av } for  pid=3386 comm=su scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security permissive=1 
----
type=AVC msg=audit(19/07/18 10:24:21.905:329) : avc:  denied  { setsched } for  pid=3386 comm=su scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:apmd_t:s0 tclass=process permissive=1

一定有一个更简洁的方法来做到这一点,而无需禁用 acpi 的 selinux

答案1

如果你正在寻找一种“更简洁”的方式,那么让服务启动图形程序是马上出去。这是糟糕的设计,不仅仅是因为 SELinux。

将命令更改为/usr/bin/loginctl lock-sessions。这会向所有图形会话广播“锁定”信号,每个会话都可以在内部对其作出反应(例如,启动锁定器而不会出现任何 SELinux 问题)。LXDE 可能已经支持它。

如果 LXDE 对锁定信号没有反应,请运行以下辅助程序:

相关内容