Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1999090

Summary:	firewalld reports having dropped capabilities even when failing to do so
Product:	Red Hat Enterprise Linux 9	Reporter:	Štěpán Němec <snemec>
Component:	firewalld	Assignee:	Eric Garver <egarver>
Status:	CLOSED ERRATA	QA Contact:	qe-baseos-daemons
Severity:	medium	Docs Contact:
Priority:	medium
Version:	unspecified	CC:	todoleza
Target Milestone:	rc	Keywords:	Triaged, Upstream
Target Release:	---	Flags:	pm-rhel: mirror+
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:	firewalld-1.0.0-4.el9	Doc Type:	No Doc Update
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2022-05-17 15:59:15 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Štěpán Němec 2021-08-30 12:04:37 UTC

Description of problem:
Even when SELinux prevents firewalld from dropping capabilities,
the daemon still reports "Dropped Linux capabilities" in the log,
same as in case of dropping capabilities successfully.

Version-Release number of selected component (if applicable):
firewalld-1.0.0-2.el9

How reproducible:
Always.

Steps to Reproduce:
1. Deny 'setcap' and 'setpcap' capabilities of firewalld, e.g. by installing selinux-policy < 34.1.14
2. run firewalld with --debug
3. observe that /var/log/firewalld contains "Dropped Linux capabilities to NET_ADMIN, NET_RAW." despite firewalld still running with full capabilities

Actual results on 1MT-RHEL-9.0.0-20210825.0-Beta:
[root@ci-vm-10-0-139-97 ~]# rpm -q selinux-policy
selinux-policy-34.1.13-1.el9.noarch

[root@ci-vm-10-0-139-97 ~]# rpm -q firewalld
firewalld-1.0.0-2.el9.noarch

[root@ci-vm-10-0-139-97 ~]# pscap | grep firewalld
1     3950  root        firewalld           full +

[root@ci-vm-10-0-139-97 ~]# journalctl -b | grep libcap
Aug 30 07:43:18 ci-vm-10-0-139-97.hosted.upshift.rdu2.redhat.com firewalld[3950]: libcap-ng used by "/usr/bin/python3.9" failed dropping bounding set in capng_apply

[root@ci-vm-10-0-139-97 ~]# journalctl -b | grep -E 'setcap|setpcap'
Aug 30 07:43:18 ci-vm-10-0-139-97.hosted.upshift.rdu2.redhat.com audit[3950]: AVC avc:  denied  { setpcap } for  pid=3950 comm="firewalld" capability=8  scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=capability permissive=0
Aug 30 07:43:18 ci-vm-10-0-139-97.hosted.upshift.rdu2.redhat.com audit[3950]: AVC avc:  denied  { setcap } for  pid=3950 comm="firewalld" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=process permissive=0

[root@ci-vm-10-0-139-97 ~]# grep capabilities /var/log/firewalld
2021-08-30 07:43:18 Dropped Linux capabilities to NET_ADMIN, NET_RAW.

Expected results:
log messages match reality

Comment 1 Eric Garver 2021-08-30 13:24:01 UTC

Did you make sure to purge the log before restarting firewalld? i.e. are sure the log is not leftover from before downgrading selinux-policy?

Comment 2 Eric Garver 2021-08-30 17:15:49 UTC

(In reply to Eric Garver from comment #1)
> Did you make sure to purge the log before restarting firewalld? i.e. are
> sure the log is not leftover from before downgrading selinux-policy?

Ignore this. Timestamps show it's relevant.

libcap-ng-python doesn't throw an exception in this case. We'll have to make changes to check the return code C-style. I _think_ libcap-ng-python will return a non-zero one in this case.

Comment 3 Eric Garver 2021-08-30 18:58:00 UTC

Upstream PR: https://github.com/firewalld/firewalld/pull/847

Comment 4 Eric Garver 2021-08-30 19:34:39 UTC

Upstream:

  36749f512bbc ("fix(firewalld): check capng_apply() return code")

Comment 6 Eric Garver 2021-11-22 14:27:05 UTC

https://gitlab.com/redhat/centos-stream/rpms/firewalld/-/merge_requests/7

Comment 7 Štěpán Němec 2021-11-22 17:15:22 UTC

Tested firewalld-1.0.0-4.el9.noarch from
https://centos.softwarefactory-project.io/logs/7/7/3b53f3916124e4fa948c85a9580f5e57e1e6ce6d/check/mock-build/60a21cf/repo/firewalld-1.0.0-4.el9/
[merge request link in comment 6]

firewalld log messages now reflect the actual success or failure in dropping capabilities:

[root@localhost ~]# rpm -qa selinux-policy\* firewalld\*
selinux-policy-34.1.13-1.el9.noarch
selinux-policy-targeted-34.1.13-1.el9.noarch
firewalld-filesystem-1.0.0-4.el9.noarch
firewalld-1.0.0-4.el9.noarch

[root@localhost ~]# sed -i -e 's/^\(FIREWALLD_ARGS=\).*$/\1--debug/' /etc/sysconfig/firewalld

[root@localhost ~]# systemctl start firewalld

[root@localhost ~]# pscap | grep firewalld
1     4511  root        firewalld           full +

[root@localhost ~]# journalctl -b | grep -E 'libcap|setcap|setpcap'
Nov 18 07:20:07 localhost.localdomain audit[4511]: AVC avc:  denied  { setpcap } for  pid=4511 comm="firewalld" capability=8  scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=capability permissive=0
Nov 18 07:20:07 localhost.localdomain firewalld[4511]: libcap-ng used by "/usr/bin/python3.9" failed dropping bounding set in capng_apply
Nov 18 07:20:07 localhost.localdomain audit[4511]: AVC avc:  denied  { setcap } for  pid=4511 comm="firewalld" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=process permissive=0

[root@localhost ~]# grep capabilities /var/log/firewalld
2021-11-18 07:22:18 libcap-ng failed to drop Linux capabilities.

[For comparison, after upgrading back to the current selinux-policy:]

[root@localhost ~]# rpm -qa selinux-policy\* firewalld\*
firewalld-filesystem-1.0.0-4.el9.noarch
firewalld-1.0.0-4.el9.noarch
selinux-policy-34.1.18-1.el9.noarch
selinux-policy-targeted-34.1.18-1.el9.noarch

[root@localhost ~]# systemctl restart firewalld

[root@localhost ~]# pscap | grep firewalld
1     5088  root        firewalld           net_admin, net_raw, sys_module +

[root@localhost ~]# grep capabilities /var/log/firewalld
2021-11-18 07:22:18 libcap-ng failed to drop Linux capabilities.
2021-11-22 11:58:16 Dropped Linux capabilities to NET_ADMIN, NET_RAW, SYS_MODULE.

Comment 13 errata-xmlrpc 2022-05-17 15:59:15 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: firewalld), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3993