Bug 712695
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | SELinux is preventing /sbin/iptables-multi from read, write access on the file /tmp/ffiTNNqUA (deleted). | | |
| Product | Fedora | Reporter | Erik Squires <erik_squires> |
| Component | selinux-policy | Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED ERRATA | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | medium | Docs Contact | |
| Priority | unspecified | | |
| Version | 15 | CC | dominick.grift, dwalsh, mgrepl |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | x86_64 | | |
| OS | Linux | | |
| Whiteboard | setroubleshoot_trace_hash:9b0e57debf1d2c0f960dc65e8ed99f385cd75cdfd56cfd1c26df34ef97b6c4d9 | | |
| Fixed In Version | selinux-policy-3.9.16-30.fc15 | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2011-06-24 03:53:42 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Erik Squires
2011-06-12 14:43:59 UTC
Some fixes were added to the latest selinux-policy for Fedora 15. Some known issues were not yet backported and are only in rawhide, and I also see an issue in your report that has not yet been reported. You can help us by trying the latest selinux-policy and selinux-policy-targeted, which is available here: http://koji.fedoraproject.org/koji/buildinfo?buildID=247153

Make sure that this file is gone when you test: /tmp/ffiTNNqUA

You will also hit an issue where fail2ban wants to run ldconfig. The fix for that issue is not in Fedora 15, but you could work around that by applying the following loadable module:

```shell
mkdir ~/myf2b; cd ~/myf2b
echo "policy_module(mf2b, 1.0.0) optional_policy(\` gen_require(\` type fail2ban_t; ') libs_exec_ldconfig(fail2ban_t) ')" > myf2b.te
make -f /usr/share/selinux/devel/Makefile myf2b.pp
sudo semodule -i myf2b.pp
```

If you are able to, please test in permissive mode and enclose all the AVC denials that you are seeing so that we have a complete view of the current status.

There was a typo in the above:

```shell
mkdir ~/myf2b; cd ~/myf2b
echo "policy_module(myf2b, 1.0.0) optional_policy(\` gen_require(\` type fail2ban_t; ') libs_exec_ldconfig(fail2ban_t) ')" > myf2b.te
```

Hi Dominick,

Two questions:

1. I had already munged the SE policies by adding something to allow python to write to /tmp. Do you want me to undo that before testing? If so, how? Sorry, I just followed the directions given by the AVC alerts.

Are you sure you want me to test in permissive mode? setenforce 0?

Thanks!

Erik

(In reply to comment #3)
> Hi Dominick,
>
> Two questions:
>
> 1. I had already munged the SE policies by adding something to allow python to
> write to /tmp. Do you want me to undo that before testing? If so, how? Sorry,
> I just followed the directions given by the AVC alerts.

Yes please, the report suggested a solution that is not optimal. To undo: sudo semodule -r mypol

> Are you sure you want me to test in permissive mode? setenforce 0?

Only if you are comfortable with that. It might save us some time if you do. setenforce 0; do testing; setenforce 1. After testing do not forget to go back into enforcing mode.

> Thanks!
>
>
> Erik

Can do. This box is still in development stage, so nothing secret or critical here. Will get back to you later today.

Well, it seems I have broken my entire installation. I used yum to uninstall the previous selinux-policy. Then installed the one just downloaded. On reboot I'd see this message: Cannot find /etc/selinux/targeted/policy/policy.24 (number of the previous one). I then tried using default mode to use yum to restore it, but I wasn't smart enough to get the networking fully operational, so after a few hours banging on this I'm restoring from CD.

I've tried this with the .29 build from development-test. Changing setenforce 0 or 1 makes no difference to the tmp file alerts. getenforce returns "Permissive".

There may have been an old fail2ban tmp file still in /tmp? Did you restart the fail2ban service?

Dom: I have checked this multiple times. /tmp is clean. The error occurs 100% of the time when starting fail2ban, even in permissive mode. Sorry.

Thought you would also like to see this:

```shell
# rpm -qa | grep selinux
libselinux-2.0.99-4.fc15.x86_64
selinux-policy-targeted-3.9.16-29.fc15.noarch
libselinux-python-2.0.99-4.fc15.x86_64
selinux-policy-3.9.16-29.fc15.noarch
libselinux-utils-2.0.99-4.fc15.x86_64
```

OK, it's just that I seem to be having a rendezvous here: https://bugzilla.redhat.com/show_bug.cgi?id=706577 Deja vu? :)

Seems similar. Two other things. I seem to remember that this issue disappears if backend=gamin is set instead of auto. I'll have to double check this when I get home. The second issue is that I have another bug that fail2ban doesn't ban everyone. It seems to sometimes skip users who should have been banned, even when fail2ban-regex will "see" those entries.

Right, deja vu. Would it be possible for you to stop by #fedora-selinux on the irc.freenode.org IRC network some time so that we can go over this together once more? My nickname there is dgrift or domg472; you can ping me any time and if I am awake at all I will respond.

I took a quick look; it's no longer tmp_t (now it's fail2ban_tmp_t as expected):

```
avc: denied { read write } for pid=5926 comm="iptables" path=2F746D702F666669717A72633269202864656C6574656429 dev=dm-1 ino=8608 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:fail2ban_tmp_t:s0 tclass=file
```

The question would now be whether this is a fail2ban leak or whether we need to allow this. We also need to put that libs_exec_ldconfig(fail2ban_t) into Fedora 15.

I believe these are leaks which I will dontaudit.

Fixed in selinux-policy-3.9.16-30.fc15

selinux-policy-3.9.16-30.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-30.fc15

Package selinux-policy-3.9.16-30.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.

Update it with:

```shell
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-30.fc15'
```

as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-30.fc15 then log in and leave karma (feedback).

selinux-policy-3.9.16-30.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
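The AVC record quoted in the thread carries its path= as a hex blob (the kernel audit code hex-encodes string fields that contain a space, which the " (deleted)" suffix does), and the maintainer's decision was to dontaudit the denial as a leaked file descriptor rather than allow it. The script below, added here as an example and not code from the bug report, selinux-policy or audit2allow, parses that record, decodes the path, and prints the rule that would go into a policy module. The first sample is the AVC line from the thread; the second is a constructed record standing in for the fail2ban-runs-ldconfig denial mentioned above (its pid and ino are made up). The "looks like a leaked descriptor" test is a heuristic assumed for this example: a domain accessing another domain's already-unlinked *_tmp_t file usually means the parent passed the fd across exec.

```python
"""Parse an SELinux AVC record, decode its hex-encoded path and derive the
policy rule a maintainer would consider (added example for this bug; not
code from the bug report, selinux-policy or audit2allow)."""
import re

# Sample 1: the AVC record quoted in the bug (iptables_t touching a deleted
# fail2ban_tmp_t file).  Sample 2 is a constructed record standing in for the
# fail2ban-runs-ldconfig denial mentioned in the thread; pid and ino are made up.
AVC_LINE = (
    'avc: denied { read write } for pid=5926 comm="iptables" '
    'path=2F746D702F666669717A72633269202864656C6574656429 dev=dm-1 ino=8608 '
    'scontext=system_u:system_r:iptables_t:s0 '
    'tcontext=system_u:object_r:fail2ban_tmp_t:s0 tclass=file'
)
LDCONFIG_LINE = (
    'avc: denied { execute } for pid=4242 comm="fail2ban-server" '
    'path="/sbin/ldconfig" dev=dm-1 ino=1234 '
    'scontext=system_u:system_r:fail2ban_t:s0 '
    'tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file'
)

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# String-valued audit fields that the kernel hex-encodes instead of quoting
# when the value contains a space, quote or control byte (which is why the
# path of a "(deleted)" file shows up as a hex blob).  Numeric fields such as
# pid= are never decoded, even when they happen to look like hex.
HEX_FIELDS = {'path', 'comm', 'name', 'exe', 'cwd', 'proctitle'}


def decode_audit_value(key, value):
    """Return the plain string for one key=value pair of an audit record."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if key in HEX_FIELDS and re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', value):
        return bytes.fromhex(value).decode('utf-8', errors='replace')
    return value


def parse_avc(line):
    """Split an AVC record into a dict: result, perms (list), the raw fields,
    plus stype/ttype extracted from the source and target contexts."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC record: %r' % line)
    rec = {'result': m.group('result'), 'perms': m.group('perms').split()}
    for key, value in FIELD_RE.findall(m.group('fields')):
        rec[key] = decode_audit_value(key, value)
    # A context is user:role:type[:range]; the type is what policy rules use.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def looks_like_fd_leak(rec):
    """Heuristic used by this example (an assumption, not a rule from the
    page): a process in one domain reading/writing another domain's *_tmp_t
    file that is already unlinked is usually a file descriptor inherited
    across exec, i.e. a leak in the parent.  Policy authors silence that with
    dontaudit instead of granting the access."""
    return (rec.get('path', '').endswith('(deleted)')
            and rec['ttype'].endswith('_tmp_t')
            and rec['stype'] != rec['ttype']
            and rec['tclass'] == 'file')


def proposed_rule(rec):
    """The rule audit2allow would print for this denial (allow), or its
    dontaudit form when the denial looks like a leaked descriptor."""
    verb = 'dontaudit' if looks_like_fd_leak(rec) else 'allow'
    return '%s %s %s:%s { %s };' % (
        verb, rec['stype'], rec['ttype'], rec['tclass'], ' '.join(rec['perms']))


def proposed_rules(lines=(AVC_LINE, LDCONFIG_LINE)):
    """Rules for every AVC record in ``lines``, in order."""
    return [proposed_rule(parse_avc(line)) for line in lines]


if __name__ == '__main__':
    for line in (AVC_LINE, LDCONFIG_LINE):
        rec = parse_avc(line)
        print('%s -> %s' % (rec['path'], proposed_rule(rec)))
```

On a real box the same information comes from `ausearch -m avc -ts recent | audit2allow`, which by default prints allow rules (`audit2allow -D` prints the dontaudit form); whether a denial should be silenced rather than granted is the judgement call the maintainer makes above, and the decoded path ending in "(deleted)" is the clue that points at a leaked descriptor rather than a missing permission.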