Bug 1278840

Summary: SELinux is preventing firewalld from 'relabelfrom' accesses on the file FedoraWorkstation.xml.old.
Product: Fedora
Reporter: antonio montagnani <antonio.montagnani>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 23
CC: abc.mikey, alexey.brodkin, anass.1430, antonio.montagnani, dominick.grift, dwalsh, iozkaymak, jkonecny, joshua.rich, lvrabec, mgrepl, mike, plautrba, selover, sheepdestroyer
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:0ba5e51f3d2ef6a03e5e0329f83bc56ca01350916811750aa73dd614e79c089a;VARIANT_ID=workstation;
Doc Type: Bug Fix
Last Closed: 2015-12-11 10:02:20 UTC

Description antonio montagnani 2015-11-06 14:16:39 UTC
Description of problem:
trying to add a service to a zone I get:

RT_TO_PERM_FAILED: zone 'FedoraWorkstation' : org.fedoraproject.FirewallD1.Exception: Backup of '/etc/firewalld/zones/FedoraWorkstation.xml' failed: [Errno 13] Permission denied: '/etc/firewalld/zones/FedoraWorkstation.xml.old'


'/etc/firewalld/zones/FedoraWorkstation.xml' and '/etc/firewalld/zones/FedoraWorkstation.xml.old' have different labels
SELinux is preventing firewalld from 'relabelfrom' accesses on the file FedoraWorkstation.xml.old.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that firewalld should be allowed relabelfrom access on the FedoraWorkstation.xml.old file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep firewalld /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:firewalld_t:s0
Target Context                unconfined_u:object_r:firewalld_etc_rw_t:s0
Target Objects                FedoraWorkstation.xml.old [ file ]
Source                        firewalld
Source Path                   firewalld
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-152.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.2.5-300.fc23.x86_64 #1 SMP Tue
                              Oct 27 04:29:56 UTC 2015 x86_64 x86_64
Alert Count                   3
First Seen                    2015-11-06 14:54:19 CET
Last Seen                     2015-11-06 15:12:43 CET
Local ID                      7e640dae-9f6e-4b0d-9fc0-82b296015501

Raw Audit Messages
type=AVC msg=audit(1446819163.988:636): avc:  denied  { relabelfrom } for  pid=824 comm="firewalld" name="FedoraWorkstation.xml.old" dev="dm-1" ino=2100783 scontext=system_u:system_r:firewalld_t:s0 tcontext=unconfined_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=0


Hash: firewalld,firewalld_t,firewalld_etc_rw_t,file,relabelfrom

Version-Release number of selected component:
selinux-policy-3.13.1-152.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.5-300.fc23.x86_64
type:           libreport

Potential duplicate: bug 1195327

Comment 1 Joshua Rich 2015-11-09 06:25:07 UTC
Description of problem:
I was adjusting firewall rules and tried to issue the runtime-to-permanent option in the GUI.  Got this denial instead.

Version-Release number of selected component:
selinux-policy-3.13.1-152.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.5-300.fc23.x86_64
type:           libreport

Comment 2 Miroslav Grepl 2015-11-20 10:34:08 UTC
Could you please execute

restorecon -vF PATHO/FedoraWorkstation.xml.old

to see if you can reproduce it?

Comment 3 antonio montagnani 2015-11-21 13:57:34 UTC
(In reply to Miroslav Grepl from comment #2)
> Could you please execute
> 
> restorecon -vF PATHO/FedoraWorkstation.xml.old
> 
> to see if you can reproduce it?

On both boxes, the issue seems to be gone.

Comment 4 Miroslav Grepl 2015-12-11 10:02:20 UTC
Please reopen it if you get it again. Thank you.

Comment 5 Howard 2015-12-28 00:56:08 UTC
Description of problem:
I tried to save the "Runtime" configuration to "Permanent".

Version-Release number of selected component:
selinux-policy-3.13.1-158.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.8-300.fc23.x86_64
type:           libreport

Comment 6 io 2016-02-01 16:12:17 UTC
Description of problem:
When I would like to enable a service, SELinux doesn't allow creating the backup file or writing to the /etc/firewalld directory via the firewall-config tool.

Version-Release number of selected component:
selinux-policy-3.13.1-158.2.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.3.4-300.fc23.x86_64
type:           libreport

Comment 7 Jiri Konecny 2016-02-24 16:50:57 UTC
Description of problem:
I ran this command, which failed: ``sudo firewall-cmd --runtime-to-permanent``. It seems to me that there is some issue in the SELinux policy, but I can be wrong; I have little knowledge of this.

Version-Release number of selected component:
selinux-policy-3.13.1-158.6.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.3.5-300.fc23.x86_64
type:           libreport

Comment 8 mikey 2016-03-05 18:44:50 UTC
I'm getting the same issue after adding some ports via the GUI in `firewall-config` and trying to do `Runtime to permanent`.

Also:

sudo firewall-cmd --runtime-to-permanent
Error: RT_TO_PERM_FAILED: zone 'FedoraWorkstation' : org.fedoraproject.FirewallD1.Exception: Backup of '/etc/firewalld/zones/FedoraWorkstation.xml' failed: [Errno 13] Permission denied: '/etc/firewalld/zones/FedoraWorkstation.xml.old'

I get the following from SELinux:


SELinux is preventing firewalld from relabelfrom access on the file FedoraWorkstation.xml.old.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that firewalld should be allowed relabelfrom access on the FedoraWorkstation.xml.old file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep firewalld /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:firewalld_t:s0
Target Context                unconfined_u:object_r:firewalld_etc_rw_t:s0
Target Objects                FedoraWorkstation.xml.old [ file ]
Source                        firewalld
Source Path                   firewalld
Port                          <Unknown>
Host                          nixon
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-158.7.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     nixon
Platform                      Linux nixon 4.4.2-301.fc23.x86_64 #1 SMP Tue Feb
                              23 19:00:38 UTC 2016 x86_64 x86_64
Alert Count                   3
First Seen                    2016-03-05 18:37:15 GMT
Last Seen                     2016-03-05 18:38:52 GMT
Local ID                      c5f22f74-22bf-4416-a499-43fb814d1b44

Raw Audit Messages
type=AVC msg=audit(1457203132.217:417): avc:  denied  { relabelfrom } for  pid=912 comm="firewalld" name="FedoraWorkstation.xml.old" dev="sdb5" ino=69317375 scontext=system_u:system_r:firewalld_t:s0 tcontext=unconfined_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=0


Hash: firewalld,firewalld_t,firewalld_etc_rw_t,file,relabelfrom

Comment 9 mikey 2016-03-05 19:03:12 UTC
ls -lZ
total 16
-rw-r--r--. 1 root root system_u:object_r:firewalld_etc_rw_t:s0     315 Mar  5 18:53 FedoraServer.xml
-rw-r--r--. 1 root root system_u:object_r:firewalld_etc_rw_t:s0     315 Mar  5 18:50 FedoraServer.xml.old
-rw-rw-r--. 1 root root system_u:object_r:firewalld_etc_rw_t:s0     550 Jul 12  2015 FedoraWorkstation.xml
-rw-rw-r--. 1 root root unconfined_u:object_r:firewalld_etc_rw_t:s0 550 Jul 12  2015 FedoraWorkstation.xml.old

I have just moved `FedoraWorkstation.xml.old` to `FedoraWorkstation.xml.old.bak` and it started working again.

Comment 10 sheepdestroyer 2016-04-03 11:13:08 UTC
Description of problem:
tried to add samba in firewall-config

Version-Release number of selected component:
selinux-policy-3.13.1-158.11.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.4.6-301.fc23.x86_64
type:           libreport

Comment 11 Mike Goodwin 2016-04-06 05:53:36 UTC
Description of problem:
Setting runtime to permanent in firewall-config

Version-Release number of selected component:
selinux-policy-3.13.1-158.11.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.4.6-300.fc23.x86_64
type:           libreport

Comment 12 Mike Goodwin 2016-04-06 06:05:59 UTC
Some additional information:

This appears to be an issue with the user context:

# semanage fcontext -l | grep /etc/firewall
/etc/firewalld(/.*)?                               all files          system_u:object_r:firewalld_etc_rw_t:s0 

Where `ls -lZ /etc/firewalld` shows us the following:

ls -lZ /etc/firewalld/
total 40
-rw-------. 1 root root system_u:object_r:firewalld_etc_rw_t:s0     1525 Apr  6 01:50 firewalld.conf
-rw-------. 1 root root system_u:object_r:firewalld_etc_rw_t:s0     1523 Apr  6 00:11 firewalld.conf.old
-rw-r--r--. 1 root root unconfined_u:object_r:firewalld_etc_rw_t:s0 1531 Feb  8 08:22 firewalld-server.conf
-rw-r--r--. 1 root root unconfined_u:object_r:firewalld_etc_rw_t:s0 1525 Feb  8 08:22 firewalld-standard.conf
-rw-r--r--. 1 root root unconfined_u:object_r:firewalld_etc_rw_t:s0 1536 Feb  8 08:22 firewalld-workstation.conf
drwxr-x---. 2 root root unconfined_u:object_r:firewalld_etc_rw_t:s0 4096 Feb  8 08:22 icmptypes
-rw-r--r--. 1 root root unconfined_u:object_r:firewalld_etc_rw_t:s0  272 Apr  6 01:55 lockdown-whitelist.xml
-rw-r--r--. 1 root root unconfined_u:object_r:firewalld_etc_rw_t:s0  272 Apr  6 01:51 lockdown-whitelist.xml.old
drwxr-x---. 2 root root unconfined_u:object_r:firewalld_etc_rw_t:s0 4096 Feb  8 08:22 services
drwxr-x---. 2 root root unconfined_u:object_r:firewalld_etc_rw_t:s0 4096 Mar 26 04:40 zones


`restorecon -Rv /etc/firewalld` is not adequate here either; it needs -F as well.
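
The listing above shows where the denial comes from: the type on every file is correct (firewalld_etc_rw_t), but the SELinux user is not. The file-context spec and firewalld's own process context carry system_u, while the files firewalld has to relabel when it refreshes a .old backup carry unconfined_u. Changing a file's SELinux user is governed by a policy constraint (source and target user must match unless the domain may change object identity), not by a type-enforcement allow rule, which is why plain `restorecon` (which rewrites only the type) and an `audit2allow` module (which can only add allow rules) do not make the denial go away, while `restorecon -F` does. The script below is added here as an example; it is not part of this bug report or of firewalld. It audits an `ls -lZ` listing for entries whose SELinux user is not the expected one and classifies a raw AVC record as a relabel user mismatch. The listing and the AVC line are constructed from the text of comments 8 and 9; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the bug report or from firewalld/selinux-policy:
# find files whose SELinux *user* field does not match the file-context
# spec, and recognise an AVC relabel denial caused by a user mismatch.
# Sample data is constructed from comment 9 (listing) and comment 8 (AVC).

# Print the names of `ls -lZ` entries (read from stdin) whose SELinux
# user, the first colon-separated field of the context, is not $1
# (default system_u). Names containing spaces are not handled.
selinux_user_mismatches() {
    want="${1:-system_u}"
    awk -v want="$want" '
        # ls -lZ columns: mode links owner group context size month day time name
        $1 ~ /^[-dlcbps]/ && NF >= 10 {
            split($5, ctx, ":")
            if (ctx[1] != want) print $NF
        }'
}

# Take one raw AVC record as $1. If it is a relabelfrom/relabelto denial
# whose source and target SELinux users differ, print
# "<perm> <source user> -> <target user>" and return 0; otherwise return 1.
# Single-permission records only (the "{ perm }" set must hold one word).
avc_relabel_user_mismatch() {
    line="$1"
    perm=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\([a-z]*\) *}.*/\1/p')
    case "$perm" in
        relabelfrom|relabelto) ;;
        *) return 1 ;;
    esac
    suser=$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^:]*\):.*/\1/p')
    tuser=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^:]*\):.*/\1/p')
    [ -n "$suser" ] && [ -n "$tuser" ] && [ "$suser" != "$tuser" ] || return 1
    printf '%s %s -> %s\n' "$perm" "$suser" "$tuser"
}

# Constructed sample input (comment 9): one .old file carries unconfined_u
# where the spec says system_u.
SAMPLE_LISTING='total 16
-rw-r--r--. 1 root root system_u:object_r:firewalld_etc_rw_t:s0     315 Mar  5 18:53 FedoraServer.xml
-rw-r--r--. 1 root root system_u:object_r:firewalld_etc_rw_t:s0     315 Mar  5 18:50 FedoraServer.xml.old
-rw-rw-r--. 1 root root system_u:object_r:firewalld_etc_rw_t:s0     550 Jul 12  2015 FedoraWorkstation.xml
-rw-rw-r--. 1 root root unconfined_u:object_r:firewalld_etc_rw_t:s0 550 Jul 12  2015 FedoraWorkstation.xml.old'

# Constructed sample AVC record (comment 8).
SAMPLE_AVC='type=AVC msg=audit(1457203132.217:417): avc:  denied  { relabelfrom } for  pid=912 comm="firewalld" name="FedoraWorkstation.xml.old" dev="sdb5" ino=69317375 scontext=system_u:system_r:firewalld_t:s0 tcontext=unconfined_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=0'

# Run both checks on the sample and print the repair command for the
# directory; -F is what makes restorecon rewrite the user field too.
demo() {
    dir="${1:-/etc/firewalld}"
    bad=$(printf '%s\n' "$SAMPLE_LISTING" | selinux_user_mismatches system_u)
    avc_relabel_user_mismatch "$SAMPLE_AVC"
    if [ -n "$bad" ]; then
        printf 'user mismatch: %s\n' "$bad"
        printf 'fix: restorecon -RvF %s\n' "$dir"
    fi
}

demo "$@"
```

On a live box, feed the real listing instead of the sample: `ls -lZ /etc/firewalld/zones | selinux_user_mismatches system_u`, then repair with `restorecon -RvF /etc/firewalld`. With setools installed, `sesearch --allow -s firewalld_t -t firewalld_etc_rw_t -c file -p relabelfrom` shows whether type enforcement already grants the relabel; when it does and the denial still appears only for unconfined_u files, the constraint on the user field is what is firing, and the `audit2allow` module suggested by setroubleshoot will not help.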

Comment 13 Anass Ahmed 2016-04-21 11:50:49 UTC
Description of problem:
I was trying to open a port using firewall-cmd, but it had no access to /etc/firewalld/zones/FedoraWorkstation.xml.old, which is really weird.

This is the first time I see this issue!


Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.4.6-300.fc23.x86_64
type:           libreport