Bug 735183
Summary: Integration Problems (Service & SELinux)

| Field | Value |
|---|---|
| Product | Fedora |
| Component | selinux-policy |
| Version | 15 |
| Hardware | i686 |
| OS | Linux |
| Reporter | Daniel Bergløv <webgeek.eu> |
| Assignee | Miroslav Grepl <mgrepl> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | dominick.grift, dwalsh, mgrepl |
| Status | CLOSED NOTABUG |
| Severity | unspecified |
| Priority | unspecified |
| Doc Type | Bug Fix |
| Last Closed | 2012-02-15 13:07:47 UTC |
Description
Daniel Bergløv
2011-09-01 17:47:14 UTC
Do you have any specific error messages or Python tracebacks you can provide? Also, with F-15, you have to use the systemd commands for services:

    systemctl stop wicd.service
    systemctl start wicd.service
    systemctl try-restart wicd.service

If you have any SELinux errors, those would be useful as well.

---

service [service] start works too. It redirects to systemctl.

Here is what happens when I try to start the service:

    [root@laptop /]# systemctl start wicd.service
    Job failed. See system logs and 'systemctl status' for details.

Then I get an alert from SELinux because python tries to open wicd.log for writing. (See Attachment #1)

I then open the console and type:

    [root@laptop /]# grep wicd /var/log/audit/audit.log | audit2allow -M mypol
    [root@laptop /]# semodule -i mypol.pp
    [root@laptop /]# systemctl start wicd.service

Now I get a new alert from SELinux (See Attachment #2). Also now python had permission to write to wicd.log (See Attachment #3).

Now I'm stuck. I know I have to execute "semanage fcontext -a -t FILE_TYPE '/etc/dhcp/manager-settings.conf'", but which FILE_TYPE I'm not sure.

---

Ignore the links above. I did not know that this bugzilla system automated attachment links like that. I just used it as reference to the attachments at the top of the page. But let's add them here as well so that I am sure that the correct ones are read.

    Attachment #521075 (1)
    Attachment #521076 (2)
    Attachment #521077 (3)

---

One other question... is the NetworkManager service enabled? And is NetworkManager running? I guess that's two questions.

---

NetworkManager has been removed. Don't like having things installed that I don't use.

---

Ok. Now I tried to run

    [root@laptop /]# semanage fcontext -a -t net_conf_t '/etc/dhcp/manager-settings.conf'
    [root@laptop /]# restorecon -v '/etc/dhcp/manager-settings.conf'

as described in Attachment #521076. This fixed that issue, but now I got the same alert for the file /etc/dhcp/wireless-settings.conf. I then executed

    [root@laptop /]# semanage fcontext -a -t net_conf_t '/etc/dhcp/wireless-settings.conf'
    [root@laptop /]# restorecon -v '/etc/dhcp/wireless-settings.conf'

Now I got the same alert once more, this time for /etc/dhcp/wired-settings.conf. So I executed

    [root@laptop /]# semanage fcontext -a -t net_conf_t '/etc/dhcp/wired-settings.conf'
    [root@laptop /]# restorecon -v '/etc/dhcp/wired-settings.conf'

Now things changed. SELinux now blocks ifconfig, and it blocks python from doing unlink on wicd.pid. See Attachment #521089 and Attachment #521090.

I executed

    [root@laptop /]# grep ifconfig /var/log/audit/audit.log | audit2allow -M mypol
    [root@laptop /]# semodule -i mypol.pp

to fix the ifconfig issue, and I executed

    [root@laptop /]# grep wicd /var/log/audit/audit.log | audit2allow -M mypol
    [root@laptop /]# semodule -i mypol.pp

to fix the unlink issue. Now I don't get any more alerts from SELinux, but in the wicd.log I now have this: (Attachment #521093)

---

The problem is if you run wicd directly as unconfined_t it will create the content with the wrong label. If you later run it via the service it will transition to the correct label of the process and then blow up because the previous run of the process labeled files incorrectly.

---

Daniel, are you still running on F15 or have you upgraded? I think we can make this integration better in F16 and F17.

---

No, I switched to Ubuntu for now. I experienced these problems on too many packages, and not just Wicd. Will probably have a look at Fedora again at some point, have been using it since the very first version came out. But I need a working machine and do not have the patience to run debugging on almost every single package I install.

---

This is a general problem if you start services by hand. It means there is not a proper transition and a daemon ends up with the unconfined_t domain. Then all objects (like pid, sock, log files) are created with bad labels. If you need to run a service by hand because you want to debug it, there is a way using the runcon tool. For example

    # runcon -u system_u -r system_r -t initrc_t -- runcon -t sshd_t -- /usr/sbin/sshd -d -d -d

If you see an issue with starting a service and you use either the service script on F15 or systemctl on F16+, then we need to see the AVC msgs to fix them.
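The closing comment makes the point the whole thread turns on: when a daemon was first run from an unconfined shell, the pid, socket and log files it created inherit the generic label of their parent directory, and the later confined run is denied access to them. Those denials are a relabelling problem (restorecon / semanage fcontext), not a policy gap, so feeding them to audit2allow as the reporter did only hides the mislabelling. Below is an added triage helper in POSIX shell; it is not code from the bug thread or from the selinux-policy project. It parses AVC records of the kind the reporter would have seen, and flags a denial as a relabel candidate when the target object carries a generic directory-inherited type. The sample audit lines are constructed, the wicd_t domain name and the list of generic types are assumptions, and the generic-type heuristic is mine, not a rule from the thread.

```shell
#!/bin/sh
# Constructed sample audit records (not the bug's attachments). They model
# the situation described in the thread: wicd (python) confined as wicd_t
# (assumed domain name) hitting files that an earlier unconfined run created
# with the generic labels of /var/log and /etc, plus one socket denial.
SAMPLE_AUDIT='type=AVC msg=audit(1314899234.123:45): avc:  denied  { write } for  pid=1234 comm="python" name="wicd.log" dev=dm-0 ino=1001 scontext=system_u:system_r:wicd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1314899234.123:45): arch=40000003 syscall=5 success=no exit=-13
type=AVC msg=audit(1314899240.456:46): avc:  denied  { read } for  pid=1234 comm="python" name="manager-settings.conf" dev=dm-0 ino=2002 scontext=system_u:system_r:wicd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1314899251.789:47): avc:  denied  { ioctl } for  pid=1250 comm="ifconfig" scontext=system_u:system_r:wicd_t:s0 tcontext=system_u:system_r:wicd_t:s0 tclass=udp_socket'

# Read audit records on stdin and print one summary line per AVC denial:
#   comm|permission|tclass|name|source_type|target_type
summarize_avc() {
    awk '
    /^type=AVC / && / denied / {
        comm = ""; tclass = ""; name = ""; st = ""; tt = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
            if (kv[1] == "name")     { name = kv[2]; gsub(/"/, "", name) }
            if (kv[1] == "tclass")   { tclass = kv[2] }
            if (kv[1] == "scontext") { split(kv[2], c, ":"); st = c[3] }
            if (kv[1] == "tcontext") { split(kv[2], c, ":"); tt = c[3] }
        }
        # the requested permissions sit between "{ " and " }"
        perm = ""
        if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        print comm "|" perm "|" tclass "|" name "|" st "|" tt
    }'
}

# Heuristic (an assumption of this example): a target object labelled with a
# generic directory type was most likely created outside the daemon domain,
# so the fix is to relabel it rather than to widen policy with audit2allow.
classify_avc() {
    target=$(printf '%s\n' "$1" | cut -d'|' -f6)
    case "$target" in
        var_log_t|var_run_t|var_lib_t|etc_t|tmp_t) echo "relabel" ;;
        *) echo "policy" ;;
    esac
}

# Full pass: summarize every denial on stdin and prefix it with its class.
triage_audit() {
    summarize_avc | while IFS= read -r line; do
        printf '%-8s %s\n' "$(classify_avc "$line")" "$line"
    done
}

printf '%s\n' "$SAMPLE_AUDIT" | triage_audit
```

On a live system the same triage would be run as `triage_audit < /var/log/audit/audit.log`; for each line classed as relabel, confirm the diagnosis with `ls -Z` on the object and `restorecon -n -v` (dry run) before relabelling, and report only the remaining policy-class denials as AVC messages, as the closing comment asks.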