Bug 895081
| Summary: | SELinux is preventing /usr/bin/python2.7 from 'write' accesses on the directory /usr/share/system-config-firewall. | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Zdenek Chmelar <chmelarz> | ||||||
| Component: | firewalld | Assignee: | Thomas Woerner <twoerner> | ||||||
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||
| Severity: | unspecified | Docs Contact: | |||||||
| Priority: | unspecified | ||||||||
| Version: | 17 | CC: | dominick.grift, dwalsh, jpopelka, mgrepl, twoerner | ||||||
| Target Milestone: | --- | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | x86_64 | ||||||||
| OS: | Unspecified | ||||||||
| Whiteboard: | abrt_hash:d323d76c9e884e9b6e02a4af4f2b06b126be85ccd581079a2f1de4716cd8a8ee | ||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2013-01-15 11:25:24 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Attachments: |
|
||||||||
Created attachment 678238 [details]
File: type
Created attachment 678239 [details]
File: hashmarkername
THis looks like python was trying to write compiled binaries. Did you edit files in /usr/share/system-config-firewall? I was just playing with Firewall that's modified with our company rules and when I try to apply changes, I get this error. I installed company package for network printer installation yesterday. I guess there was an attempt to write new rules into /usr/share/system-config-firewall/ and it failed. Herewith the problem is on my site and not on yours. I will fix it with creation of local rules on my system. If you have nothing against, I propose to close this ticket. Thanks for your time and effort! Zdenek |
Description of problem: Printing a pdf document from my Documents Additional info: libreport version: 2.0.18 kernel: 3.6.10-2.fc17.x86_64 description: :SELinux is preventing /usr/bin/python2.7 from 'write' accesses on the directory /usr/share/system-config-firewall. : :***** Plugin catchall_labels (83.8 confidence) suggests ******************** : :If you want to allow python2.7 to have write access on the system-config-firewall directory :Then you need to change the label on /usr/share/system-config-firewall :Do :# semanage fcontext -a -t FILE_TYPE '/usr/share/system-config-firewall' :where FILE_TYPE is one of the following: firewallgui_tmp_t, sysctl_vm_t, etc_t, tmp_t, system_conf_t, root_t. :Then execute: :restorecon -v '/usr/share/system-config-firewall' : : :***** Plugin catchall (17.1 confidence) suggests *************************** : :If you believe that python2.7 should be allowed write access on the system-config-firewall directory by default. :Then you should report this as a bug. :You can generate a local policy module to allow this access. :Do :allow this access for now by executing: :# grep system-config-f /var/log/audit/audit.log | audit2allow -M mypol :# semodule -i mypol.pp : :Additional Information: :Source Context system_u:system_r:firewallgui_t:s0-s0:c0.c1023 :Target Context system_u:object_r:usr_t:s0 :Target Objects /usr/share/system-config-firewall [ dir ] :Source system-config-f :Source Path /usr/bin/python2.7 :Port <Unknown> :Host (removed) :Source RPM Packages python-2.7.3-7.2.fc17.x86_64 :Target RPM Packages system-config-firewall-base-1.2.29-7.fc17.noarch :Policy RPM selinux-policy-3.10.0-166.fc17.noarch :Selinux Enabled True :Policy Type targeted :Enforcing Mode Enforcing :Host Name (removed) :Platform Linux (removed) 3.6.10-2.fc17.x86_64 #1 SMP Tue : Dec 11 18:07:34 UTC 2012 x86_64 x86_64 :Alert Count 1 :First Seen 2013-01-14 15:13:03 CET :Last Seen 2013-01-14 15:13:03 CET :Local ID 686a498e-a915-44c1-8051-2a49d2933bf1 : :Raw Audit Messages :type=AVC msg=audit(1358172783.149:1510): avc: denied { write } for pid=13626 comm="system-config-f" name="system-config-firewall" dev="dm-0" ino=398383 scontext=system_u:system_r:firewallgui_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir : : :type=SYSCALL msg=audit(1358172783.149:1510): arch=x86_64 syscall=unlink success=no exit=EACCES a0=7fff18f6b420 a1=2fd58 a2=4fbd6b2f a3=3c665b9020 items=0 ppid=13625 pid=13626 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=system-config-f exe=/usr/bin/python2.7 subj=system_u:system_r:firewallgui_t:s0-s0:c0.c1023 key=(null) : :Hash: system-config-f,firewallgui_t,usr_t,dir,write : :audit2allow : :#============= firewallgui_t ============== :#!!!! The source type 'firewallgui_t' can write to a 'dir' of the following types: :# firewallgui_tmp_t, sysctl_vm_t, etc_t, tmp_t, system_conf_t, root_t : :allow firewallgui_t usr_t:dir write; : :audit2allow -R : :#============= firewallgui_t ============== :#!!!! The source type 'firewallgui_t' can write to a 'dir' of the following types: :# firewallgui_tmp_t, sysctl_vm_t, etc_t, tmp_t, system_conf_t, root_t : :allow firewallgui_t usr_t:dir write; :