Bug 384351 (Synefonk)
| Summary: | SELinux problem! | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Syne Fonk <stersf> | ||||
| Component: | firstboot | Assignee: | Chris Lumens <clumens> | ||||
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | low | ||||||
| Version: | 7 | CC: | dcantrell | ||||
| Target Milestone: | --- | Keywords: | SELinux | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2007-11-19 18:10:54 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
Created attachment 259711 [details]
SELinux
it's really difficult to understand and notify bug information! To difficult, English and a lot off not normal used words for me. This does not make sense, that iptables would be trying to read path="/usr/share/firstboot/modules/date.py" So I think this is a leaked file descriptor from firstboot. All open filedescriptors should be closed on exec fcntl(fd, F_SETFD, FD_CLOEXEC) This will be fixed in the next build of firstboot. |
SELinux is preventing /sbin/ip6tables (iptables_t) "read" to /usr/share/firstboot/modules/date.py (usr_t).Detailed DescriptionSELinux denied access requested by /sbin/ip6tables. It is not expected that this access is required by /sbin/ip6tables and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.Allowing AccessSometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /usr/share/firstboot/modules/date.py, restorecon -v /usr/share/firstboot/modules/date.py If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package.Additional InformationSource Context: system_u:system_r:iptables_tTarget Context: system_u:object_r:usr_tTarget Objects: /usr/share/firstboot/modules/date.py [ file ]Affected RPM Packages: iptables-ipv6-1.3.7-2 [application]firstboot-1.4.35-1.fc7 [target]Policy RPM: selinux-policy-2.6.4-8.fc7Selinux Enabled: TruePolicy Type: targetedMLS Enabled: TrueEnforcing Mode: EnforcingPlugin Name: plugins.catchall_fileHost Name: localhost.localdomainPlatform: Linux localhost.localdomain 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 i686Alert Count: 14First Seen: Fri 02 Nov 2007 08:51:11 PM CETLast Seen: Fri 02 Nov 2007 08:51:12 PM CETLocal ID: f17de94b-b80b-4678-adad-d760c59c6477Line Numbers: Raw Audit Messages :avc: denied { read } for comm="ip6tables" dev=dm-0 egid=0 euid=0 exe="/sbin/ip6tables" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="date.py" path="/usr/share/firstboot/modules/date.py" pid=2141 scontext=system_u:system_r:iptables_t:s0 sgid=0 subj=system_u:system_r:iptables_t:s0 suid=0 tclass=file tcontext=system_u:object_r:usr_t:s0 tty=(none) uid=0