Bug 544787

Summary: 'system-config-firewall' : firewallgui_t unconfined_t:dbus send_msg;
Product: [Fedora] Fedora Reporter: Patrick <kybernetikkollektiv>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: low    
Version: 12CC: andrig.t.miller, dwalsh, mgrepl, mishu, mvadkert, t.chrzczonowicz
Target Milestone: ---Keywords: Regression
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: 3.6.32-56.fc12 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-12-16 01:06:58 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Patrick 2009-12-06 14:55:04 UTC 
Description of problem:
When starting 'system-configfirewall' the gui hangs about 30 seconds before requesting root authentication. After given this the gui freezes completely and must be killed.

Version-Release number of selected component (if applicable):
Name       : selinux-policy
Arch       : noarch
Version    : 3.6.32
Release    : 55.fc12
Size       : 6.4 M
Repo       : installed
From repo  : updates-testing

How reproducible:
Always

Steps to Reproduce:
1. call system-config-firewall
2. wait until it asks for root password
3. type in root passwort
  
Actual results:
1. freeze for about 30 seconds until one is asked for password
2. complete freeze after authentication

Expected results:
1. No freezes

Additional info:
Obviously this issue is related to changes introduced into selinux-policy because of bug 544343.

'audit2allow -i /var/log/audit/audit.log' says:

#============= firewallgui_t ==============
allow firewallgui_t unconfined_t:dbus send_msg;

#============= fprintd_t ==============
allow fprintd_t policykit_auth_t:dbus send_msg;
allow fprintd_t unconfined_t:dbus send_msg;

#============= policykit_auth_t ==============
allow policykit_auth_t fprintd_t:dbus send_msg;


Calling the following commands fixed it for me:
# audit2allow -M firewalls -l -i /var/log/audit/audit.log
# semodule -i firewalls.pp
Comment 1 Daniel Walsh 2009-12-06 15:21:14 UTC 
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.32-56.fc12.noarch
Comment 2 Fedora Update System 2009-12-07 22:54:41 UTC 
selinux-policy-3.6.32-56.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-56.fc12
Comment 3 Fedora Update System 2009-12-10 04:20:08 UTC 
selinux-policy-3.6.32-56.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12990
Comment 4 Michael Cronenworth 2009-12-14 06:35:52 UTC 
*** Bug 546698 has been marked as a duplicate of this bug. ***
Comment 5 Michael Cronenworth 2009-12-14 06:36:10 UTC 
*** Bug 545680 has been marked as a duplicate of this bug. ***
Comment 6 Miroslav Vadkerti 2009-12-14 10:56:01 UTC 
VERIFIED as fixed in selinux-policy-3.6.32-58.fc12.noarch
Comment 7 Fedora Update System 2009-12-16 01:05:37 UTC 
selinux-policy-3.6.32-56.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.