Bug 565323
| Field | Value |
|---|---|
| Summary | SELinux is preventing /usr/bin/python "write" access on sysctl.conf. |
| Product | Fedora |
| Reporter | ctsm63 <ctsm63> |
| Component | firstboot |
| Assignee | Martin Gracik <mgracik> |
| Status | CLOSED WONTFIX |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | medium |
| Priority | low |
| Version | 14 |
| CC | abhijit4daksh, adrian1h, alreaud, awilliam, carlositlamar, collura, dmach, dwalsh, elpiratademarina, fkooman, jfrieben, johnyesterpe, martin.nad89, mcmonster, mgrepl, mrichytech, mtczerwinski, obducta, phyrefyter, poelstra, redwolfe, r_stevenz, schaiba, SnakyChic, sweigand, szoke.karcsi |
| Target Milestone | --- |
| Keywords | Reopened |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Linux |
| Whiteboard | setroubleshoot_trace_hash:0ab36ef283d617526e8b3b16984df172736944dc3dce94c94e752d52cb40f17b |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2012-04-12 08:20:28 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 538278 |
Description
ctsm63
2010-02-14 18:45:50 UTC
Created attachment 394216 [details]
firewall configuration screencopy
first reboot after adding translation of addresses between eth0 and eth1
cf. Capture-Configuration du pare-feu.png
cf. Bug 565324 - SELinux is preventing /usr/bin/python "setattr" access on sysctl.conf.

*** Bug 565324 has been marked as a duplicate of this bug. ***

"sysctl.conf" is mislabeled. Execute:
restorecon -R -v /etc/sysctl.conf
Should fix. Please reopen if this happens again.

Seeing this bug with fresh install of Fedora 14 Alpha running latest packages as of 2010-09-01. Tried to add a new network printer.
$ rpm -qa | grep selinux | sort
libselinux-2.0.96-3.fc14.i686
libselinux-2.0.96-3.fc14.x86_64
libselinux-python-2.0.96-3.fc14.x86_64
libselinux-utils-2.0.96-3.fc14.x86_64
selinux-policy-3.9.0-2.fc14.noarch
selinux-policy-targeted-3.9.0-2.fc14.noarch
Summary: SELinux is preventing /usr/bin/python "write" access on iptables.old.
Detailed Description:
SELinux denied access requested by system-config-f. It is not expected that this access is required by system-config-f and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.
Additional Information:
Source Context system_u:system_r:firewallgui_t:s0
Target Context unconfined_u:object_r:etc_t:s0
Target Objects iptables.old [ file ]
Source system-config-f
Source Path /usr/bin/python
Port <Unknown>
Host (removed)
Source RPM Packages python-2.7-7.fc14
Target RPM Packages
Policy RPM selinux-policy-3.9.0-2.fc14
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name catchall
Host Name (removed)
Platform Linux kvm 2.6.35.4-12.fc14.x86_64 #1 SMP Fri Aug 27 07:45:05 UTC 2010 x86_64 x86_64
Alert Count 2
First Seen Wed 01 Sep 2010 08:02:17 PM PDT
Last Seen Wed 01 Sep 2010 08:02:17 PM PDT
Local ID 0c0d12f3-ef5e-4746-a06c-3821670acb0c
Line Numbers
Raw Audit Messages
node=kvm type=AVC msg=audit(1283396537.926:218): avc: denied { write } for pid=2524 comm="system-config-f" name="iptables.old" dev=dm-1 ino=145251 scontext=system_u:system_r:firewallgui_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
node=kvm type=SYSCALL msg=audit(1283396537.926:218): arch=c000003e syscall=2 success=no exit=-13 a0=1a82850 a1=241 a2=1b6 a3=0 items=0 ppid=1 pid=2524 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="system-config-f" exe="/usr/bin/python" subj=system_u:system_r:firewallgui_t:s0 key=(null)

iptables.old was created with the wrong context. Should be created with the right context (system_conf_t) by s-c-firewall. Did you just use s-c-firewall? I am trying it and
# ls -Z /etc/sysconfig/iptables.old
-rw-------. root root system_u:object_r:system_conf_t:s0 /etc/sysconfig/iptables.old
# restorecon -v /etc/sysconfig/iptables.old
will fix.

To be clear, I did not do ANYTHING except install the Fedora 14 alpha, update to the latest packages, and add a new printer.

Miroslav, could it be being created by firstboot, with the wrong context?

Well, it is a good idea. firstboot could be the culprit.

I can't see anything that makes this bug a beta blocker; John, can you point up the criterion you consider it to be infringing? (Also note that a workaround should be presented by the SELinux exception viewer - it usually offers a button to relabel the file.)

Discussed at 2010/09/03 blocker review meeting. Agreed that this does not qualify as a beta or final blocker under any existing criterion. We discussed possible criterion extensions to make this a blocker, but it's a tricky area to cover; no decision on that yet.

This bug is still present with the release version of F14. You have to start s-c-f as root to be able to change the firewall rules. As mentioned in comment #6, iptables.old is created with the wrong context.
-rw-------. root root system_u:object_r:system_conf_t:s0 iptables
-rw-------. root root system_u:object_r:system_conf_t:s0 iptables-config
-rw-------. root root unconfined_u:object_r:etc_t:s0 iptables.old

This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.

This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.

This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.

What command is firstboot using to create these files?

This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.

SELinux is preventing NetworkManager from read access on the file /etc/sysctl.conf.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that NetworkManager should be allowed read access on the sysctl.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep NetworkManager /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:NetworkManager_t:s0
Target Context system_u:object_r:system_conf_t:s0
Target Objects /etc/sysctl.conf [ file ]
Source NetworkManager
Source Path NetworkManager
Port <Unknown>
Host <removed>.<removed>
Source RPM Packages
Target RPM Packages initscripts-9.34.2-1.fc16.x86_64
Policy RPM selinux-policy-3.10.0-80.fc16.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name <removed>.<removed>
Platform Linux <removed>.<removed> 3.3.1-3.fc16.x86_64
#1 SMP Wed Apr 4 18:08:51 UTC 2012 x86_64 x86_64
Alert Count 1
First Seen Wed 11 Apr 2012 03:57:09 PM EDT
Last Seen Wed 11 Apr 2012 03:57:09 PM EDT
Local ID a750bf33-4c0a-4d58-a649-7eef35fc2324
Raw Audit Messages
type=AVC msg=audit(1334174229.831:76): avc: denied { read } for pid=982 comm="NetworkManager" name="sysctl.conf" dev="sda5" ino=156908 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
Hash: NetworkManager,NetworkManager_t,system_conf_t,file,read
audit2allow
#============= NetworkManager_t ==============
allow NetworkManager_t system_conf_t:file read;
audit2allow -R
#============= NetworkManager_t ==============
allow NetworkManager_t system_conf_t:file read;
This is fixed in -81.fc16 release. http://koji.fedoraproject.org/koji/buildinfo?buildID=307648
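The thread turns on one distinction: the first denials (iptables.old, sysctl.conf labelled `etc_t`) were files with the wrong label, fixed by `restorecon`, while the later NetworkManager denial hit a correctly labelled `system_conf_t` file and needed a policy update. The script below is an added example, not part of this bug report or of setroubleshoot: it parses the raw AVC records quoted above (embedded as constructed sample input), renders the same `Hash:` summary and `audit2allow`-style rule that setroubleshoot shows, and then triages each denial by comparing the target type against the label the file should carry. The `EXPECTED` table standing in for the file_contexts database is an assumption for the example; a real tool would ask `matchpathcon` or `selinux.matchpathcon()` instead.

```python
"""Triage SELinux AVC denials: mislabelled file (relabel) or genuine policy gap?"""
import re
from dataclasses import dataclass

# Constructed sample input: the AVC/SYSCALL records quoted in this bug report.
SAMPLE_AUDIT_LOG = """\
node=kvm type=AVC msg=audit(1283396537.926:218): avc: denied { write } for pid=2524 comm="system-config-f" name="iptables.old" dev=dm-1 ino=145251 scontext=system_u:system_r:firewallgui_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
node=kvm type=SYSCALL msg=audit(1283396537.926:218): arch=c000003e syscall=2 success=no exit=-13 a0=1a82850 a1=241 a2=1b6 a3=0 items=0 ppid=1 pid=2524 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="system-config-f" exe="/usr/bin/python" subj=system_u:system_r:firewallgui_t:s0 key=(null)
type=AVC msg=audit(1334174229.831:76): avc: denied { read } for pid=982 comm="NetworkManager" name="sysctl.conf" dev="sda5" ino=156908 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
"""

# Assumed stand-in for the file_contexts database: file name as it appears in
# the AVC record -> (full path, expected SELinux type). The values are the ones
# the thread reports for correctly labelled files; a real tool would query
# matchpathcon(3) instead of a hand-written table.
EXPECTED = {
    "iptables.old": ("/etc/sysconfig/iptables.old", "system_conf_t"),
    "sysctl.conf": ("/etc/sysctl.conf", "system_conf_t"),
}

# Fields of an AVC record; '.' does not cross newlines, so one match per line.
AVC_RE = re.compile(
    r'type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?comm="(?P<comm>[^"]*)"'
    r'.*?name="(?P<name>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)'
)


@dataclass
class Avc:
    comm: str
    name: str
    perms: tuple
    scontext: str
    tcontext: str
    tclass: str

    @property
    def source_type(self) -> str:
        # user:role:type:level -> type
        return self.scontext.split(":")[2]

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]

    def hash_line(self) -> str:
        """Same shape as setroubleshoot's 'Hash:' line: comm,stype,ttype,tclass,perms."""
        return ",".join([self.comm, self.source_type, self.target_type,
                         self.tclass, " ".join(self.perms)])

    def allow_rule(self) -> str:
        """The rule audit2allow would print for this denial (reference only)."""
        perms = self.perms[0] if len(self.perms) == 1 else "{ " + " ".join(self.perms) + " }"
        return f"allow {self.source_type} {self.target_type}:{self.tclass} {perms};"


def parse_avc(log_text: str) -> list:
    """Extract AVC denial records from raw audit.log text; other record types are skipped."""
    return [
        Avc(m["comm"], m["name"], tuple(m["perms"].split()),
            m["scontext"], m["tcontext"], m["tclass"])
        for m in AVC_RE.finditer(log_text)
    ]


def triage(avc: Avc, expected=EXPECTED) -> tuple:
    """Decide whether the denial is a labelling problem or a policy problem.

    If the target file carries a type other than the one it is supposed to have,
    the right fix is to relabel it (the thread's restorecon advice), not to
    widen policy with a local module. Only a correctly labelled target points
    at a real policy gap that belongs in a bug report.
    """
    path, want = expected.get(avc.name, (None, None))
    if want is None:
        return ("unknown", f"compare label of {avc.name} with matchpathcon output")
    if avc.target_type != want:
        return ("relabel", f"restorecon -v {path}")
    return ("policy", avc.allow_rule())


if __name__ == "__main__":
    for rec in parse_avc(SAMPLE_AUDIT_LOG):
        verdict, action = triage(rec)
        print(f"{rec.hash_line()}\n  -> {verdict}: {action}")
```

Run against the sample, the system-config-firewall denial comes out as `relabel` (target labelled `etc_t`, should be `system_conf_t`), and the NetworkManager denial as `policy`, which is exactly how the two halves of this report were resolved. The point of the check is that `audit2allow -M mypol` would have "fixed" both, but for the first it would have granted `firewallgui_t` write access to every `etc_t` file instead of correcting one mislabelled file.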