Bug 1002038
| Summary: | avc: denied { write } for pid=639 comm="firewalld" name="python2.7" dev="dm-0" ino=66860 scontext=system_u:system_r:firewalld_t:s0 tcontext=unconfined_u:object_r:lib_t:s0 tclass=dir | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Steve Tyler <stephent98> | ||||
| Component: | anaconda | Assignee: | Anaconda Maintenance Team <anaconda-maint-list> | ||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | unspecified | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 20 | CC: | anaconda-maint-list, dominick.grift, dshea, dwalsh, g.kaviyarasu, jonathan, jpopelka, lvrabec, mgrepl, mkolman, sbueno, stephent98, twoerner, vanmeeuwen+fedora | ||||
| Target Milestone: | --- | Keywords: | Security | ||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2014-01-27 21:07:21 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
|
Description
Steve Tyler
2013-08-28 11:26:39 UTC
After those eight avcs, firewalld exits: 16:29:59,857 ERR firewalld: 2013-08-27 16:29:59 ERROR: ebtables not usable, disabling ethernet bridge firewall. 16:29:59,875 CRIT firewalld: 2013-08-27 16:29:59 FATAL ERROR: No IPv4 and IPv6 firewall. 16:29:59,876 ERR firewalld: 2013-08-27 16:29:59 ERROR: Raising SystemExit in run_server Created attachment 791434 [details]
syslog
Steps to Reproduce:
1. Start installer from DVD:
$ qemu-kvm -m 4096 -hda f20-test-3.img -cdrom ~/xfr/fedora/F20/Alpha/Fedora-20-Alpha-TC1-x86_64-DVD.iso -vga std -boot menu=on
2. Boot to Welcome dialog.
3. Switch to installer console (ctrl-alt-f2).
4. Examine /tmp/syslog.
See also: Bug 1002195 - FATAL ERROR: No IPv4 and IPv6 firewall. during installer DVD boot Looks like firewalld is trying to complile some python py files into pyc files? Since this is on the installer DVD, couldn't that all be done when the DVD is composed? Thomas: Is firewalld trying to compile site.py into site.pyc when the installer DVD boots? (Comment 4) The attached syslog has the details. Firewalld is not trying to compile site.py, but python might try to do this. According to the AVC, this is about /usr/lib64/python2.7/site.py. There is also /usr/lib64/python2.7/site.pyc in the python-libs package. /usr/lib64/python2.7/site.pyc seems to be missing or older than /usr/lib64/python2.7/site.py. Thanks for pointing that out. This avc[1] has the full path:
/usr/lib64/python2.7/site.pyc
After loop-mounting Fedora-20-Alpha-TC2-x86_64-DVD.iso, ls shows:[2]
$ ls -lF /mnt/spare3/usr/lib64/python2.7/site.*
-rw-r--r--. 1 root root 20078 Aug 21 11:15 /mnt/spare3/usr/lib64/python2.7/site.py
lrwxrwxrwx. 1 root root 9 Aug 28 16:00 /mnt/spare3/usr/lib64/python2.7/site.pyc -> /dev/null
The selinux labels are:
$ ls -Z /mnt/spare3/usr/lib64/python2.7/site.*
-rw-r--r--. root root unconfined_u:object_r:lib_t:s0 /mnt/spare3/usr/lib64/python2.7/site.py
lrwxrwxrwx. root root unconfined_u:object_r:lib_t:s0 /mnt/spare3/usr/lib64/python2.7/site.pyc -> /dev/null
[1] 15:11:49,817 NOTICE kernel:[ 16.515653] type=1400 audit(1377702709.795:11): avc: denied { write } for pid=630 comm="firewalld" path="/usr/lib64/python2.7/site.pyc" dev="dm-0" ino=68215 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
[2] All of the ".pyc" files are linked to /dev/null:
$ readlink -ev /mnt/spare3/usr/lib64/python2.7/*.pyc | sort -u
/dev/null
Looks like this was a problem with the install media that was fixed before release |