Description of problem:
Eight comm="firewalld" avcs appear in the syslog for Bug 1001425, Attachment 791262:

16:29:53,501 NOTICE kernel:[ 192.202504] type=1400 audit(1377620993.485:6): avc: denied { write } for pid=639 comm="firewalld" name="python2.7" dev="dm-0" ino=66860 scontext=system_u:system_r:firewalld_t:s0 tcontext=unconfined_u:object_r:lib_t:s0 tclass=dir

Version-Release number of selected component (if applicable):
Bug 1001425: (This is for the F20 Alpha TC1 DVD.)
selinux-policy-3.12.1-72.fc20.noarch (per attached packaging.log)

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:

After those eight avcs, firewalld exits:

16:29:59,857 ERR firewalld: 2013-08-27 16:29:59 ERROR: ebtables not usable, disabling ethernet bridge firewall.
16:29:59,875 CRIT firewalld: 2013-08-27 16:29:59 FATAL ERROR: No IPv4 and IPv6 firewall.
16:29:59,876 ERR firewalld: 2013-08-27 16:29:59 ERROR: Raising SystemExit in run_server

Created attachment 791434
syslog

Steps to Reproduce:
1. Start installer from DVD:
   $ qemu-kvm -m 4096 -hda f20-test-3.img -cdrom ~/xfr/fedora/F20/Alpha/Fedora-20-Alpha-TC1-x86_64-DVD.iso -vga std -boot menu=on
2. Boot to Welcome dialog.
3. Switch to installer console (ctrl-alt-f2).
4. Examine /tmp/syslog.
See also: Bug 1002195 - FATAL ERROR: No IPv4 and IPv6 firewall. during installer DVD boot
Looks like firewalld is trying to compile some python py files into pyc files?
Since this is on the installer DVD, couldn't that all be done when the DVD is composed?
Thomas: Is firewalld trying to compile site.py into site.pyc when the installer DVD boots? (Comment 4) The attached syslog has the details.
Firewalld is not trying to compile site.py, but python might try to do this. According to the AVC, this is about /usr/lib64/python2.7/site.py. There is also /usr/lib64/python2.7/site.pyc in the python-libs package. /usr/lib64/python2.7/site.pyc seems to be missing or older than /usr/lib64/python2.7/site.py.
Thanks for pointing that out. This avc[1] has the full path:
/usr/lib64/python2.7/site.pyc

After loop-mounting Fedora-20-Alpha-TC2-x86_64-DVD.iso, ls shows:[2]

$ ls -lF /mnt/spare3/usr/lib64/python2.7/site.*
-rw-r--r--. 1 root root 20078 Aug 21 11:15 /mnt/spare3/usr/lib64/python2.7/site.py
lrwxrwxrwx. 1 root root 9 Aug 28 16:00 /mnt/spare3/usr/lib64/python2.7/site.pyc -> /dev/null

The selinux labels are:

$ ls -Z /mnt/spare3/usr/lib64/python2.7/site.*
-rw-r--r--. root root unconfined_u:object_r:lib_t:s0 /mnt/spare3/usr/lib64/python2.7/site.py
lrwxrwxrwx. root root unconfined_u:object_r:lib_t:s0 /mnt/spare3/usr/lib64/python2.7/site.pyc -> /dev/null

[1] 15:11:49,817 NOTICE kernel:[ 16.515653] type=1400 audit(1377702709.795:11): avc: denied { write } for pid=630 comm="firewalld" path="/usr/lib64/python2.7/site.pyc" dev="dm-0" ino=68215 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file

[2] All of the ".pyc" files are linked to /dev/null:

$ readlink -ev /mnt/spare3/usr/lib64/python2.7/*.pyc | sort -u
/dev/null
Looks like this was a problem with the install media that was fixed before release.
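
Added example, not part of the original bug thread: a check that could be run against a loop-mounted image tree to find every .py whose sibling .pyc is missing, a symlink (as on this DVD), or stale, which are the cases where the interpreter would try to write bytecode at import time. It assumes the Python 2 layout seen above (site.pyc beside site.py) and the Python 2 .pyc header (4-byte magic, then the source mtime as a 4-byte little-endian integer); the function names and the sample tree are constructed for illustration.

```python
import os
import struct
import tempfile

def audit_pyc(root):
    """Return sorted (relative .py path, status) pairs for every .py under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".py"):
                continue
            src = os.path.join(dirpath, name)
            pyc = src + "c"  # Python 2 layout: site.py -> site.pyc
            if os.path.islink(pyc):
                status = "symlink -> " + os.readlink(pyc)
            elif not os.path.exists(pyc):
                status = "missing"
            else:
                with open(pyc, "rb") as fh:
                    header = fh.read(8)
                src_mtime = int(os.stat(src).st_mtime) & 0xFFFFFFFF
                if len(header) < 8:
                    status = "truncated"
                elif struct.unpack("<I", header[4:8])[0] != src_mtime:
                    status = "stale"  # stored timestamp differs from source mtime
                else:
                    status = "ok"
            findings.append((os.path.relpath(src, root), status))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample tree (hypothetical, not copied from the DVD image)."""
    root = tempfile.mkdtemp()
    mtime = 1377083700
    for name in ("site.py", "os.py", "stat.py", "abc.py"):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("pass\n")
        os.utime(path, (mtime, mtime))
    os.symlink("/dev/null", os.path.join(root, "site.pyc"))  # the case reported above
    magic = b"\x03\xf3\r\n"  # Python 2.7 bytecode magic number
    with open(os.path.join(root, "os.pyc"), "wb") as fh:
        fh.write(magic + struct.pack("<I", mtime) + b"\x00")       # matches source
    with open(os.path.join(root, "stat.pyc"), "wb") as fh:
        fh.write(magic + struct.pack("<I", mtime - 60) + b"\x00")  # older than source
    return root

if __name__ == "__main__":
    for rel, status in audit_pyc(build_sample_tree()):
        print("%-10s %s" % (rel, status))
```

Any status other than "ok" on a read-only or SELinux-confined tree marks a file the interpreter may attempt to regenerate, which is where a write denial like the ones in the syslog would surface.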