Bug 1340611 - SELinux is preventing firewalld from 'write' accesses on the directory root.
Summary: SELinux is preventing firewalld from 'write' accesses on the directory root.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 25
Hardware: x86_64
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:e584e72970593ac9ee2a05fac83...
Duplicates: 1329854
Depends On:
Blocks: F25FinalBlocker
Reported: 2016-05-28 19:32 UTC by Joachim Frieben
Modified: 2016-09-30 19:01 UTC (History)

Fixed In Version: selinux-policy-3.13.1-211.fc25
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-09-13 18:12:42 UTC
Type: ---
Embargoed:



Description Joachim Frieben 2016-05-28 19:32:57 UTC
Description of problem:
SELinux is preventing firewalld from 'write' accesses on the directory root.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that firewalld should be allowed write access on the root directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'firewalld' --raw | audit2allow -M my-firewalld
# semodule -X 300 -i my-firewalld.pp

Additional Information:
Source Context                system_u:system_r:firewalld_t:s0
Target Context                system_u:object_r:admin_home_t:s0
Target Objects                root [ dir ]
Source                        firewalld
Source Path                   firewalld
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           filesystem-3.2-37.fc24.x86_64
Policy RPM                    selinux-policy-3.13.1-192.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.7.0-0.rc0.git10.1.fc25.x86_64 #1
                              SMP Fri May 27 14:56:48 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-05-28 19:11:10 CEST
Last Seen                     2016-05-28 19:11:10 CEST
Local ID                      8a3485b9-769f-48b6-8993-519e57e0d860

Raw Audit Messages
type=AVC msg=audit(1464455470.276:212): avc:  denied  { write } for  pid=832 comm="firewalld" name="root" dev="dm-0" ino=655362 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=0


Hash: firewalld,firewalld_t,admin_home_t,dir,write

Version-Release number of selected component:
selinux-policy-3.13.1-192.fc25.noarch

Additional info:
reporter:       libreport-2.7.1
hashmarkername: setroubleshoot
kernel:         4.7.0-0.rc0.git10.1.fc25.x86_64
reproducible:   Not sure how to reproduce the problem
type:           libreport

Potential duplicate: bug 1329854

Comment 1 Lukas Vrabec 2016-06-02 12:31:14 UTC
*** Bug 1329854 has been marked as a duplicate of this bug. ***

Comment 2 Lukas Vrabec 2016-06-02 12:32:53 UTC
Thomas, 
What's going on here?

Comment 3 Thomas Woerner 2016-06-02 13:37:58 UTC
(In reply to Lukas Vrabec from comment #2)
> Thomas, 
> What's going on here?

Lukas,
this is very unexpected as there is no code in firewalld that touches /root.

Comment 4 Thomas Woerner 2016-06-02 13:38:43 UTC
Which firewalld version is installed on the system?

Do you have steps to reproduce this?

Comment 5 Joachim Frieben 2016-06-02 13:49:18 UTC
When I reported the bug it was firewalld-0.4.1.2-2.fc25.

Comment 6 Daniel Walsh 2016-06-02 21:19:56 UTC
Probably some library that writes content in /root

Comment 7 Lukas Vrabec 2016-06-07 11:18:21 UTC
We can dontaudit it. 

Thomas,
Agree?

Comment 8 Thomas Woerner 2016-06-07 11:24:54 UTC
Hi Lukas, 
yes this might be possible.
Regards,
Thomas

Comment 9 Joachim Frieben 2016-07-16 07:39:16 UTC
Issue still present for firewalld-0.4.3.2-1.fc25.

Comment 10 Jan Kurik 2016-07-26 04:44:46 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle.
Changing version to '25'.

Comment 11 Anthony Messina 2016-07-31 18:15:15 UTC
(In reply to Daniel Walsh from comment #6)
> Probably some library that writes content in /root

On my Fedora 24 system, it was attempting to create the /root/.cache directory. I only found out because in permissive mode, the empty /root/.cache directory was created.

Comment 12 Thomas Woerner 2016-08-01 13:45:40 UTC
firewalld is not using /root/.cache at all. This needs to be hunted down.

Comment 13 Thomas Woerner 2016-08-01 13:47:54 UTC
After removing /root/.cache I am able to reproduce this. But I have absolutely no clue, why this happens.

Comment 14 Anthony Messina 2016-08-01 21:01:27 UTC
Me either:

type=AVC msg=audit(1470084516.47:178): avc:  denied  { create } for  pid=953 comm="firewalld" name=".cache" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=1

Comment 15 Daniel Walsh 2016-08-07 16:57:09 UTC
It must be in one of the gnome libraries or gtk?

Comment 16 Kamil Páral 2016-08-16 06:22:11 UTC
Description of problem:
This popped up on me on first boot after a default Workstation Live install (Fedora-Workstation-Live-x86_64-25-20160815.n.2.iso). I just started terminal and ran dnf, nothing else. Not sure whether this occurred before or after.

Version-Release number of selected component:
selinux-policy-3.13.1-207.fc25.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.8.0-0.rc1.git0.1.fc25.x86_64
type:           libreport

Comment 17 Kamil Páral 2016-08-16 06:23:01 UTC
Proposing as a Final blocker:
"There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop. "
https://fedoraproject.org/wiki/Fedora_25_Final_Release_Criteria#SELinux_and_crash_notifications

Comment 18 Lukas Vrabec 2016-08-16 11:08:58 UTC
commit 48be02c9e486299e26df76a6698ed2ab4700c2e4
Author: Lukas Vrabec <lvrabec>
Date:   Tue Aug 16 13:08:25 2016 +0200

    Dontaudit firewalld to create dirs in /root/ BZ(1340611)

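An added example, not code from this bug or from selinux-policy: a small Python parser for the two AVC records quoted in the description and in comment 14 that reproduces the setroubleshoot "Hash:" key from the description and emits the merged dontaudit rule corresponding to the commit in comment 18, next to the allow rule that the catchall plugin's audit2allow command would have produced. The AVC lines below are copied from this bug; the helper names are my own.

```python
import re

# The two AVC records quoted in this bug (description and comment 14), copied verbatim.
AVC_LINES = [
    'type=AVC msg=audit(1464455470.276:212): avc:  denied  { write } for  pid=832 '
    'comm="firewalld" name="root" dev="dm-0" ino=655362 '
    'scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:admin_home_t:s0 '
    'tclass=dir permissive=0',
    'type=AVC msg=audit(1470084516.47:178): avc:  denied  { create } for  pid=953 '
    'comm="firewalld" name=".cache" scontext=system_u:system_r:firewalld_t:s0 '
    'tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=1',
]

_PERMS = re.compile(r"avc:\s+denied\s+\{ ([^}]*?) \}")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split one AVC denial record into its fields; 'perms' becomes a list."""
    m = _PERMS.search(line)
    if m is None:
        raise ValueError("not an AVC denial record: %r" % line)
    rec = {k: v.strip('"') for k, v in _KV.findall(line)}
    rec["perms"] = m.group(1).split()
    # contexts are user:role:type:level; policy rules are written against the type
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    rec["permissive"] = rec["permissive"] == "1"
    return rec


def setroubleshoot_hash(rec):
    """The comma-joined key setroubleshoot prints as 'Hash:' in the report above."""
    return ",".join([rec["comm"], rec["stype"], rec["ttype"], rec["tclass"]] + rec["perms"])


def policy_rules(records, kind="dontaudit"):
    """Merge records with the same (source type, target type, class) into one .te
    rule.  kind='allow' is what the catchall plugin's audit2allow command would
    generate; kind='dontaudit' is the fix chosen in comment 18: the access stays
    denied, only the audit record (and the desktop notification) goes away."""
    if kind not in ("allow", "dontaudit"):
        raise ValueError("kind must be 'allow' or 'dontaudit'")
    merged = {}  # insertion-ordered, so rules come out in first-seen order
    for rec in records:
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        merged.setdefault(key, set()).update(rec["perms"])
    return ["%s %s %s:%s { %s };" % (kind, s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in merged.items()]
```

Run over the two records, the dontaudit form collapses them to a single rule covering both the write and the create denial, which is what silences the notification without granting firewalld_t any access to admin_home_t.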
Comment 19 Anthony Messina 2016-08-18 20:16:58 UTC
This is subjective information, I know, but I believe this is related to having firewall-config installed--the issue only happens on my GUI workstations, where firewall-config is installed, but not my headless servers, where firewall-config is not.

Comment 20 Geoffrey Marr 2016-08-22 22:20:18 UTC
Discussed during the 2016-08-22 blocker review meeting: [1]

The decision to classify this bug as an AcceptedBlocker was made as it is a clear violation of "There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop."

[1] https://meetbot.fedoraproject.org/fedora-blocker-review/2016-08-22/f25-blocker-review.2016-08-22-16.00.txt

Comment 21 Fedora Update System 2016-08-23 23:21:08 UTC
selinux-policy-3.13.1-210.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-2d8defc177

Comment 22 Fedora Update System 2016-08-25 18:21:08 UTC
selinux-policy-3.13.1-211.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-cbdde50ec4

Comment 23 Fedora Update System 2016-09-13 18:12:02 UTC
selinux-policy-3.13.1-211.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

