Bug 1278840
| Summary: | SELinux is preventing firewalld from 'relabelfrom' accesses on the file FedoraWorkstation.xml.old. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | antonio montagnani <antonio.montagnani> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 23 | CC: | abc.mikey, alexey.brodkin, anass.1430, antonio.montagnani, dominick.grift, dwalsh, iozkaymak, jkonecny, joshua.rich, lvrabec, mgrepl, mike, plautrba, selover, sheepdestroyer |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Unspecified | | |
| Whiteboard: | abrt_hash:0ba5e51f3d2ef6a03e5e0329f83bc56ca01350916811750aa73dd614e79c089a;VARIANT_ID=workstation; | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-12-11 10:02:20 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
antonio montagnani
2015-11-06 14:16:39 UTC
Description of problem: I was adjusting firewall rules and tried to issue the runtime-to-permanent option in the GUI. Got this denial instead.
Version-Release number of selected component: selinux-policy-3.13.1-152.fc23.noarch
Additional info:
reporter: libreport-2.6.3
hashmarkername: setroubleshoot
kernel: 4.2.5-300.fc23.x86_64
type: libreport

---

Could you please execute

restorecon -vF PATHO/FedoraWorkstation.xml.old

to see if you can reproduce it?

---

(In reply to Miroslav Grepl from comment #2)
> Could you please execute
>
> restorecon -vF PATHO/FedoraWorkstation.xml.old
>
> to see if you can reproduce it?

On both boxes, the issue seems to be gone.

---

Please reopen it if you get it again. Thank you.

---

Description of problem: I tried to save the "Runtime" configuration to "Permanent".
Version-Release number of selected component: selinux-policy-3.13.1-158.fc23.noarch
Additional info:
reporter: libreport-2.6.3
hashmarkername: setroubleshoot
kernel: 4.2.8-300.fc23.x86_64
type: libreport

---

Description of problem: When I would like to enable a service, SELinux doesn't allow creating the backup file or writing to the /etc/firewalld directory via the firewall-config tool.
Version-Release number of selected component: selinux-policy-3.13.1-158.2.fc23.noarch
Additional info:
reporter: libreport-2.6.3
hashmarkername: setroubleshoot
kernel: 4.3.4-300.fc23.x86_64
type: libreport

---

Description of problem: I ran this command, which failed: ``sudo firewall-cmd --runtime-to-permanent``. Seems to me that there is some issue in the SELinux policy, but I can be wrong; I have little knowledge in this.
Version-Release number of selected component: selinux-policy-3.13.1-158.6.fc23.noarch
Additional info:
reporter: libreport-2.6.4
hashmarkername: setroubleshoot
kernel: 4.3.5-300.fc23.x86_64
type: libreport

---

I'm getting the same issue after adding some ports via the GUI in `firewall-config` and trying to do `Runtime to permanent`.

Also:

```
sudo firewall-cmd --runtime-to-permanent
Error: RT_TO_PERM_FAILED: zone 'FedoraWorkstation' : org.fedoraproject.FirewallD1.Exception: Backup of '/etc/firewalld/zones/FedoraWorkstation.xml' failed: [Errno 13] Permission denied: '/etc/firewalld/zones/FedoraWorkstation.xml.old'
```

I get the following from SELinux:

```
SELinux is preventing firewalld from relabelfrom access on the file FedoraWorkstation.xml.old.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that firewalld should be allowed relabelfrom access on the FedoraWorkstation.xml.old file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep firewalld /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:firewalld_t:s0
Target Context                unconfined_u:object_r:firewalld_etc_rw_t:s0
Target Objects                FedoraWorkstation.xml.old [ file ]
Source                        firewalld
Source Path                   firewalld
Port                          <Unknown>
Host                          nixon
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-158.7.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     nixon
Platform                      Linux nixon 4.4.2-301.fc23.x86_64 #1 SMP Tue Feb 23 19:00:38 UTC 2016 x86_64 x86_64
Alert Count                   3
First Seen                    2016-03-05 18:37:15 GMT
Last Seen                     2016-03-05 18:38:52 GMT
Local ID                      c5f22f74-22bf-4416-a499-43fb814d1b44

Raw Audit Messages
type=AVC msg=audit(1457203132.217:417): avc:  denied  { relabelfrom } for  pid=912 comm="firewalld" name="FedoraWorkstation.xml.old" dev="sdb5" ino=69317375 scontext=system_u:system_r:firewalld_t:s0 tcontext=unconfined_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=0

Hash: firewalld,firewalld_t,firewalld_etc_rw_t,file,relabelfrom
```

```
ls -lZ
total 16
-rw-r--r--. 1 root root system_u:object_r:firewalld_etc_rw_t:s0      315 Mar  5 18:53 FedoraServer.xml
-rw-r--r--. 1 root root system_u:object_r:firewalld_etc_rw_t:s0      315 Mar  5 18:50 FedoraServer.xml.old
-rw-rw-r--. 1 root root system_u:object_r:firewalld_etc_rw_t:s0      550 Jul 12  2015 FedoraWorkstation.xml
-rw-rw-r--. 1 root root unconfined_u:object_r:firewalld_etc_rw_t:s0 550 Jul 12  2015 FedoraWorkstation.xml.old
```

I have just moved `FedoraWorkstation.xml.old` to `FedoraWorkstation.xml.old.bak` and it started working again.

---

Description of problem: tried to add samba in firewall-config
Version-Release number of selected component: selinux-policy-3.13.1-158.11.fc23.noarch
Additional info:
reporter: libreport-2.6.4
hashmarkername: setroubleshoot
kernel: 4.4.6-301.fc23.x86_64
type: libreport

---

Description of problem: Setting runtime to permanent in firewall-config
Version-Release number of selected component: selinux-policy-3.13.1-158.11.fc23.noarch
Additional info:
reporter: libreport-2.6.4
hashmarkername: setroubleshoot
kernel: 4.4.6-300.fc23.x86_64
type: libreport

---

Some additional information: This appears to be an issue with the user context:

```
# semanage fcontext -l | grep /etc/firewall
/etc/firewalld(/.*)?                               all files          system_u:object_r:firewalld_etc_rw_t:s0
```

Where `ls -lZ /etc/firewalld` shows us the following:

```
ls -lZ /etc/firewalld/
total 40
-rw-------. 1 root root system_u:object_r:firewalld_etc_rw_t:s0     1525 Apr  6 01:50 firewalld.conf
-rw-------. 1 root root system_u:object_r:firewalld_etc_rw_t:s0     1523 Apr  6 00:11 firewalld.conf.old
-rw-r--r--. 1 root root unconfined_u:object_r:firewalld_etc_rw_t:s0 1531 Feb  8 08:22 firewalld-server.conf
-rw-r--r--. 1 root root unconfined_u:object_r:firewalld_etc_rw_t:s0 1525 Feb  8 08:22 firewalld-standard.conf
-rw-r--r--. 1 root root unconfined_u:object_r:firewalld_etc_rw_t:s0 1536 Feb  8 08:22 firewalld-workstation.conf
drwxr-x---. 2 root root unconfined_u:object_r:firewalld_etc_rw_t:s0 4096 Feb  8 08:22 icmptypes
-rw-r--r--. 1 root root unconfined_u:object_r:firewalld_etc_rw_t:s0  272 Apr  6 01:55 lockdown-whitelist.xml
-rw-r--r--. 1 root root unconfined_u:object_r:firewalld_etc_rw_t:s0  272 Apr  6 01:51 lockdown-whitelist.xml.old
drwxr-x---. 2 root root unconfined_u:object_r:firewalld_etc_rw_t:s0 4096 Feb  8 08:22 services
drwxr-x---. 2 root root unconfined_u:object_r:firewalld_etc_rw_t:s0 4096 Mar 26 04:40 zones
```

`restorecon -Rv /etc/firewalld` is not adequate here either; it needs -F as well.

---

Description of problem: I was trying to open a port using firewall-cmd but it had no access to /etc/firewalld/zones/FedoraWorkstation.xml.old, which is really weird. This is the first time I see this issue!
Additional info:
reporter: libreport-2.6.4
hashmarkername: setroubleshoot
kernel: 4.4.6-300.fc23.x86_64
type: libreport
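As an added example (not code from the bug report or from the firewalld or selinux-policy projects), a small POSIX shell check that pulls the target context out of an AVC record like the one above, compares it field by field with the context the policy assigns to /etc/firewalld, and scans `ls -lZ` output for files carrying a different SELinux user. The AVC line and listing are constructed to mirror the report; nothing here reads the live audit log or touches the policy.

```shell
#!/bin/sh
# Added example, not code from the bug report: detect the mislabelling the
# thread diagnoses (correct type, wrong SELinux user) from an AVC record and
# from `ls -lZ` output. All input below is constructed to mirror the report.

# Constructed AVC record, same shape as the one in the report.
AVC_LINE='type=AVC msg=audit(1457203132.217:417): avc: denied { relabelfrom } for pid=912 comm="firewalld" name="FedoraWorkstation.xml.old" dev="sdb5" ino=69317375 scontext=system_u:system_r:firewalld_t:s0 tcontext=unconfined_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=0'

# Constructed `ls -lZ /etc/firewalld/zones` listing.
LISTING='total 16
-rw-r--r--. 1 root root system_u:object_r:firewalld_etc_rw_t:s0 315 Mar  5 18:53 FedoraServer.xml
-rw-rw-r--. 1 root root system_u:object_r:firewalld_etc_rw_t:s0 550 Jul 12  2015 FedoraWorkstation.xml
-rw-rw-r--. 1 root root unconfined_u:object_r:firewalld_etc_rw_t:s0 550 Jul 12  2015 FedoraWorkstation.xml.old'

# Context that `semanage fcontext -l` assigns to /etc/firewalld(/.*)? in the report.
EXPECTED_CTX='system_u:object_r:firewalld_etc_rw_t:s0'

# Print which fields (user,role,type) of the AVC target context differ from
# the policy context. "user" alone is the case in this report: restorecon
# without -F resets only the type, so it leaves such files untouched;
# restorecon -F resets the user and role parts as well.
avc_context_diff() {
    tctx=$(printf '%s\n' "$1" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
    out=""
    for i in 1 2 3; do
        a=$(printf '%s' "$tctx" | cut -d: -f"$i")
        b=$(printf '%s' "$2" | cut -d: -f"$i")
        if [ "$a" != "$b" ]; then
            case $i in 1) f=user ;; 2) f=role ;; 3) f=type ;; esac
            out="${out:+$out,}$f"
        fi
    done
    printf '%s\n' "$out"
}

# Print the names of entries in an `ls -lZ` listing whose SELinux user is
# not the expected one (stdin: listing, $1: expected user, e.g. system_u).
mislabelled_files() {
    awk -v want="$1" 'NF >= 5 && $5 ~ /:/ {
        split($5, ctx, ":"); if (ctx[1] != want) print $NF }'
}

avc_context_diff "$AVC_LINE" "$EXPECTED_CTX"             # user
printf '%s\n' "$LISTING" | mislabelled_files system_u    # FedoraWorkstation.xml.old
```

Against a real system the listing would come from `ls -lZ /etc/firewalld` and the policy context from `semanage fcontext -l`, as in the comment above.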