Bug 1002038 - avc: denied { write } for pid=639 comm="firewalld" name="python2.7" dev="dm-0" ino=66860 scontext=system_u:system_r:firewalld_t:s0 tcontext=unconfined_u:object_r:lib_t:s0 tclass=dir
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: anaconda
Version: 20
Assigned To: Anaconda Maintenance Team
QA Contact: Fedora Extras Quality Assurance
Keywords: Security
Reported: 2013-08-28 07:26 EDT by Steve Tyler
Modified: 2014-01-27 16:07 EST
Doc Type: Bug Fix
Last Closed: 2014-01-27 16:07:21 EST
Type: Bug

Attachments:
syslog (66.53 KB, text/plain)
2013-08-28 11:19 EDT, Steve Tyler
Description Steve Tyler 2013-08-28 07:26:39 EDT
Description of problem:
Eight comm="firewalld" avcs appear in the syslog for Bug 1001425, Attachment 791262:

16:29:53,501 NOTICE kernel:[  192.202504] type=1400 audit(1377620993.485:6): avc:  denied  { write } for  pid=639 comm="firewalld" name="python2.7" dev="dm-0" ino=66860 scontext=system_u:system_r:firewalld_t:s0 tcontext=unconfined_u:object_r:lib_t:s0 tclass=dir

Version-Release number of selected component (if applicable):
Bug 1001425: (This is for the F20 Alpha TC1 DVD.)
selinux-policy-3.12.1-72.fc20.noarch (per attached packaging.log)

Comment 1 Steve Tyler 2013-08-28 07:31:40 EDT
After those eight avcs, firewalld exits:

16:29:59,857 ERR firewalld: 2013-08-27 16:29:59 ERROR: ebtables not usable, disabling ethernet bridge firewall.
16:29:59,875 CRIT firewalld: 2013-08-27 16:29:59 FATAL ERROR: No IPv4 and IPv6 firewall.
16:29:59,876 ERR firewalld: 2013-08-27 16:29:59 ERROR: Raising SystemExit in run_server
Comment 2 Steve Tyler 2013-08-28 11:19:06 EDT
Created attachment 791434
syslog

Steps to Reproduce:
1. Start installer from DVD:
$ qemu-kvm -m 4096 -hda f20-test-3.img -cdrom ~/xfr/fedora/F20/Alpha/Fedora-20-Alpha-TC1-x86_64-DVD.iso -vga std -boot menu=on

2. Boot to Welcome dialog.
3. Switch to installer console (ctrl-alt-f2).
4. Examine /tmp/syslog.
Comment 3 Steve Tyler 2013-08-28 11:27:50 EDT
See also:
Bug 1002195 - FATAL ERROR: No IPv4 and IPv6 firewall. during installer DVD boot
Comment 4 Daniel Walsh 2013-08-28 15:52:46 EDT
Looks like firewalld is trying to compile some python py files into pyc files?
Comment 5 Steve Tyler 2013-08-28 16:00:52 EDT
Since this is on the installer DVD, couldn't that all be done when the DVD is composed?
Comment 6 Steve Tyler 2013-08-28 16:11:14 EDT
Thomas: Is firewalld trying to compile site.py into site.pyc when the installer DVD boots? (Comment 4)

The attached syslog has the details.
Comment 7 Thomas Woerner 2013-08-29 06:32:55 EDT
Firewalld is not trying to compile site.py, but python might try to do this. According to the AVC, this is about /usr/lib64/python2.7/site.py. There is also /usr/lib64/python2.7/site.pyc in the python-libs package. 

/usr/lib64/python2.7/site.pyc seems to be missing or older than /usr/lib64/python2.7/site.py.
Comment 8 Steve Tyler 2013-08-29 17:15:46 EDT
Thanks for pointing that out. This avc[1] has the full path:
/usr/lib64/python2.7/site.pyc

After loop-mounting Fedora-20-Alpha-TC2-x86_64-DVD.iso, ls shows:[2]

$ ls -lF /mnt/spare3/usr/lib64/python2.7/site.*
-rw-r--r--. 1 root root 20078 Aug 21 11:15 /mnt/spare3/usr/lib64/python2.7/site.py
lrwxrwxrwx. 1 root root     9 Aug 28 16:00 /mnt/spare3/usr/lib64/python2.7/site.pyc -> /dev/null

The selinux labels are:

$ ls -Z /mnt/spare3/usr/lib64/python2.7/site.*
-rw-r--r--. root root unconfined_u:object_r:lib_t:s0   /mnt/spare3/usr/lib64/python2.7/site.py
lrwxrwxrwx. root root unconfined_u:object_r:lib_t:s0   /mnt/spare3/usr/lib64/python2.7/site.pyc -> /dev/null


[1] 15:11:49,817 NOTICE kernel:[   16.515653] type=1400 audit(1377702709.795:11): avc:  denied  { write } for  pid=630 comm="firewalld" path="/usr/lib64/python2.7/site.pyc" dev="dm-0" ino=68215 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file

[2] All of the ".pyc" files are linked to /dev/null:
$ readlink -ev /mnt/spare3/usr/lib64/python2.7/*.pyc | sort -u
/dev/null
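
A triage helper for AVC records like the ones quoted in this report, as an added example that is not part of the original bug or of any Fedora tool. The function names are hypothetical, and the two sample records are copied from the comments above with the syslog prefix trimmed; it groups denials by source type, permission, target type and class, and keeps `path=` when present, since `name=` alone only gave the last path component here.

```python
import re
from collections import Counter

# Two AVC records copied from the comments above (syslog prefix trimmed).
SAMPLE = """\
type=1400 audit(1377620993.485:6): avc:  denied  { write } for  pid=639 comm="firewalld" name="python2.7" dev="dm-0" ino=66860 scontext=system_u:system_r:firewalld_t:s0 tcontext=unconfined_u:object_r:lib_t:s0 tclass=dir
type=1400 audit(1377702709.795:11): avc:  denied  { write } for  pid=630 comm="firewalld" path="/usr/lib64/python2.7/site.pyc" dev="dm-0" ino=68215 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of fields for one 'avc: denied' record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level; the level can contain ':' itself,
    # so split at most three times and take the third field as the type.
    for key in ("scontext", "tcontext"):
        parts = rec.get(key, "").split(":", 3)
        rec[key[0] + "type"] = parts[2] if len(parts) >= 3 else None
    # path= carries the full path; name= is only the last component.
    rec["object"] = rec.get("path") or rec.get("name")
    return rec

def summarize(text):
    """Count denials per (comm, source type, permission, target type, class)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if not rec:
            continue
        for perm in rec["perms"]:
            key = (rec.get("comm"), rec["stype"], perm, rec["ttype"], rec.get("tclass"))
            counts[key] += 1
    return counts

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE).items()):
        print(n, *key)
```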
Comment 9 David Shea 2014-01-27 16:07:21 EST
Looks like this was a problem with the install media that was fixed before release.
