Bug 812040

Summary: firewall-cmd --set-default-zone causes SELinux alert about preventing from execute access on bash
Product: [Fedora] Fedora Reporter: Jiri Popelka <jpopelka>
Component: selinux-policy-targetedAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Ben Levenson <benl>
Severity: low Docs Contact:
Priority: low    
Version: 17CC: dwalsh, jpopelka, twoerner
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.10.0-118.fc17 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-04-25 04:59:21 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
complete alert none

Description Jiri Popelka 2012-04-12 15:31:17 UTC 
There seems to be other (bug #804083) SELinux related problem with
'firewall-cmd --set-default-zone'.

SELinux is preventing /usr/bin/python from execute access on the file /usr/bin/bash.
Source Context                system_u:system_r:firewalld_t:s0
Target Context                system_u:object_r:shell_exec_t:s0
Target Objects                /usr/bin/bash [ file ]
Source                        firewalld
Source Path                   /usr/bin/python
Port                          <Unknown>
Source RPM Packages           python-2.7.2-18.fc17.x86_64
Target RPM Packages           bash-4.2.24-1.fc17.x86_64
Policy RPM                    selinux-policy-3.10.0-110.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing

Raw Audit Messages
type=AVC msg=audit(1334242647.786:10580): avc:  denied  { execute } for  pid=2571 comm="firewalld" name="bash" dev="dm-0" ino=44265 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1334242647.786:10580): arch=x86_64 syscall=execve success=no exit=EACCES a0=3119975c66 a1=7fff66411730 a2=7fff664138c0 a3=8 items=0 ppid=2317 pid=2571 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=firewalld exe=/usr/bin/python subj=system_u:system_r:firewalld_t:s0 key=(null)


I've been looking at the code but can't find anything 'bash' related so I have no idea what could cause the warning.
Comment 1 Jiri Popelka 2012-04-12 15:35:55 UTC 
Created attachment 577112 [details]
complete alert
Comment 2 Jiri Popelka 2012-04-20 14:15:48 UTC 
I still see this with selinux-policy-3.10.0-116.fc17
and still have no idea what could cause it.
Comment 3 Daniel Walsh 2012-04-20 15:20:19 UTC 
We should just allow it.   Probably something to do with executing python with in a bash environment.
Fixed in selinux-policy-3.10.0-117.fc17
Comment 4 Fedora Update System 2012-04-23 06:43:39 UTC 
selinux-policy-3.10.0-117.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-117.fc17
Comment 5 Fedora Update System 2012-04-24 00:56:25 UTC 
selinux-policy-3.10.0-118.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-118.fc17
Comment 6 Fedora Update System 2012-04-24 03:15:10 UTC 
Package selinux-policy-3.10.0-118.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-118.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-6452/selinux-policy-3.10.0-118.fc17
then log in and leave karma (feedback).
Comment 7 Fedora Update System 2012-04-25 04:59:21 UTC 
selinux-policy-3.10.0-118.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.