| Summary: | Error applying modifications | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Eric Tanguy <eric.tanguy> |
| Component: | system-config-firewall | Assignee: | Thomas Woerner <twoerner> |
| Status: | CLOSED NEXTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 15 | CC: | twoerner |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-07-03 06:47:22 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description of problem:

When I try to apply the modifications, an error window opens with this message:

```
org.freedesktop.DBus.Python.OSError: Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/slip/dbus/service.py", line 121, in reply_handler
    result = method(self, *p, **k)
  File "/usr/share/system-config-firewall/fw_dbus.py", line 113, in write
    ip6t_status, log) = fw_lokkit.updateFirewall(config, old_config)
  File "/usr/share/system-config-firewall/fw_lokkit.py", line 169, in updateFirewall
    ip6tables_conf.write()
  File "/usr/share/system-config-firewall/fw_iptables.py", line 152, in write
    shutil.copy2(self.filename, "%s.old" % self.filename)
  File "/usr/lib64/python2.7/shutil.py", line 128, in copy2
    copystat(src, dst)
  File "/usr/lib64/python2.7/shutil.py", line 97, in copystat
    os.utime(dst, (st.st_atime, st.st_mtime))
OSError: [Errno 13] Permission denied: '/etc/sysconfig/ip6tables-config.old'
```

At the same time I receive an SELinux alert:

```
SELinux is preventing /usr/bin/python from setattr access on the fichier /etc/sysconfig/ip6tables-config.old.

***** Plugin restorecon (94.8 confiance) suggéré*****************************

Si you want to fix the label.
/etc/sysconfig/ip6tables-config.old default label should be system_conf_t.
Alors you can run restorecon.
Faire
# /sbin/restorecon -v /etc/sysconfig/ip6tables-config.old

***** Plugin catchall_labels (5.21 confiance) suggéré************************

Si vous souhaitez autoriser python à accéder à setattr sur ip6tables-config.old file
Alors you need to change the label on /etc/sysconfig/ip6tables-config.old
Faire
# semanage fcontext -a -t FILE_TYPE '/etc/sysconfig/ip6tables-config.old'
where FILE_TYPE is one of the following: system_conf_t, firewallgui_tmp_t.
Then execute:
restorecon -v '/etc/sysconfig/ip6tables-config.old'

***** Plugin catchall (1.44 confiance) suggéré*******************************

Si you believe that python should be allowed setattr access on the ip6tables-config.old file by default.
Alors you should report this as a bug.
You can generate a local policy module to allow this access.
Faire
allow this access for now by executing:
# grep system-config-f /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Contexte source               system_u:system_r:firewallgui_t:s0-s0:c0.c1023
Contexte cible                unconfined_u:object_r:etc_t:s0
Objets du contexte            /etc/sysconfig/ip6tables-config.old [ file ]
Source                        system-config-f
Chemin de la source           /usr/bin/python
Port                          <Inconnu>
Hôte                          bureau
Paquetages RPM source         python-2.7.1-7.fc15
Paquetages RPM cible
RPM de la statégie            selinux-policy-3.9.16-26.fc15
Selinux activé                True
Type de stratégie             targeted
Mode strict                   Enforcing
Nom de l'hôte                 bureau
Plateforme                    Linux bureau 2.6.38.6-27.fc15.x86_64 #1 SMP Sun May 15 17:23:28 UTC 2011 x86_64 x86_64
Compteur d'alertes            3
Première alerte               mar. 07 juin 2011 20:38:38 CEST
Dernière alerte               mar. 07 juin 2011 22:45:46 CEST
ID local                      49cb6def-59a8-4310-b944-054c9399f380

Messages d'audit bruts
type=AVC msg=audit(1307479546.672:206): avc: denied { setattr } for pid=4010 comm="system-config-f" name="ip6tables-config.old" dev=dm-1 ino=151286 scontext=system_u:system_r:firewallgui_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file

type=SYSCALL msg=audit(1307479546.672:206): arch=x86_64 syscall=utimes success=no exit=EACCES a0=11d5e70 a1=7fffca0d66c0 a2=30ea1b7028 a3=6e6f632d items=0 ppid=1 pid=4010 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=system-config-f exe=/usr/bin/python subj=system_u:system_r:firewallgui_t:s0-s0:c0.c1023 key=(null)

Hash: system-config-f,firewallgui_t,etc_t,file,setattr

audit2allow

#============= firewallgui_t ==============
allow firewallgui_t etc_t:file setattr;

audit2allow -R

#============= firewallgui_t ==============
allow firewallgui_t etc_t:file setattr;
```

And the modifications are not applied when I try to verify by running iptables -L -n.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
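
Added example, not part of the original report or of system-config-firewall: a small triage script that pairs the AVC denial with the SYSCALL record sharing its audit event ID, showing that the denied `setattr` on the `etc_t`-labelled backup file is the `utimes` call made by `shutil.copy2`. The function names are hypothetical; the sample records are the two raw audit lines quoted in the report.

```python
import re

# The two raw audit records quoted in the report above.
SAMPLE = '''\
type=AVC msg=audit(1307479546.672:206): avc: denied { setattr } for pid=4010 comm="system-config-f" name="ip6tables-config.old" dev=dm-1 ino=151286 scontext=system_u:system_r:firewallgui_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1307479546.672:206): arch=x86_64 syscall=utimes success=no exit=EACCES a0=11d5e70 a1=7fffca0d66c0 a2=30ea1b7028 a3=6e6f632d items=0 ppid=1 pid=4010 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=system-config-f exe=/usr/bin/python subj=system_u:system_r:firewallgui_t:s0-s0:c0.c1023 key=(null)
'''

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group audit records by their (timestamp, serial) event ID."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # not an audit record
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == 'AVC':
            p = PERMS.search(body)
            fields['perms'] = p.group(1).split() if p else []
        events.setdefault((ts, int(serial)), {})[rtype] = fields
    return events

def summarize(text):
    """Return one dict per denial, joined with the syscall that caused it."""
    out = []
    for (_ts, serial), recs in sorted(parse_events(text).items()):
        avc = recs.get('AVC')
        if not avc or 'scontext' not in avc or 'tcontext' not in avc:
            continue
        sc = recs.get('SYSCALL', {})
        src = avc['scontext'].split(':')[2]   # type is the third context field
        tgt = avc['tcontext'].split(':')[2]
        perms = avc['perms']
        plist = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
        out.append({
            'serial': serial, 'source_type': src, 'target_type': tgt,
            'perms': perms, 'name': avc.get('name'),
            'syscall': sc.get('syscall'), 'exit': sc.get('exit'),
            # Same text audit2allow prints; shown for triage, not as a fix.
            'rule': 'allow %s %s:%s %s;' % (src, tgt, avc.get('tclass'), plist),
        })
    return out

if __name__ == '__main__':
    for denial in summarize(SAMPLE):
        print(denial)
```

The `target_type` of `etc_t` against the `system_conf_t` default named in the alert is the detail to check first: it points at the label on the `.old` file rather than at a missing policy rule.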