Red Hat Bugzilla – Bug 237385
disable-ipv6 is denied by selinux
Last modified: 2007-11-30 17:12:02 EST
Description of problem: I get a bunch of dmesg warnings about disable-ipv6 being denied by selinux. Version-Release number of selected component (if applicable): rawhide snapshot from Friday April 20. How reproducible: Unknown Steps to Reproduce: 1. Install f7 and configure network devices with ipv6 disabled. 2. 3. Actual results: dmesg warnings Expected results: No warnings Additional info: I got some first boot warnings that may point to an underlying cause outside of selinux. When I used the graphical interface to sysconfig networking the device that was eth0 was named peth0 and my tdm400 was listed as eth0, but the network config scripts looked correct. The following avc message appeared a fair number of times in /var/log/dmesg: audit(1177171423.734:4): avc: denied { read } for pid=551 comm="modprobe" name="disable-ipv6" dev=md5 ino=4202319 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file These are the two firstboot traceback warnings I saw: [root@bruno root]# more firstboot.1177171489.41 Traceback (most recent call last): File "/usr/share/firstboot/firstbootWindow.py", line 497, in loadModules result = module.launch() File "/usr/share/firstboot/modules/securitylevel.py", line 647, in launch self.mainVBox.reparent(vbox) AttributeError: 'NoneType' object has no attribute 'reparent' [root@bruno root]# more firstboot.1177171518.89 Traceback (most recent call last): File "/usr/share/firstboot/firstbootWindow.py", line 497, in loadModules result = module.launch() File "/usr/share/firstboot/modules/firstboot_selinux.py", line 97, in launch self.selinuxPage = selinuxPage.selinuxPage(xml, doDebug, True) File "/usr/share/system-config-securitylevel/selinuxPage.py", line 75, in __init__ self.enabledOptionMenu.set_model(listStore) AttributeError: 'NoneType' object has no attribute 'set_model'
This looks like an anaconda problem. Two things jump out. first you are trying to read file_t, which means some part of the file system was never labeled during the install. This should not happen. Secondly the selinuxPage in firstboot is blowing up in the traceback.
(In reply to comment #0) > Description of problem: > I get a bunch of dmesg warnings about disable-ipv6 being denied by selinux. > > The following avc message appeared a fair number of times in /var/log/dmesg: > audit(1177171423.734:4): avc: denied { read } for pid=551 comm="modprobe" > name="disable-ipv6" dev=md5 ino=4202319 > scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:file_t:s0 tclass=file I just recently added this to anaconda as we need to be using a new method for disabling IPv6 if users want that (previously we were adding NETWORKING_IPV6=no to /etc/sysconfig/network and that's no longer valid). We need to be able to create and write to /etc/modprobe.d/disable-ipv6, so I'll do what we need to do there. > These are the two firstboot traceback warnings I saw: > [root@bruno root]# more firstboot.1177171489.41 > Traceback (most recent call last): > File "/usr/share/firstboot/firstbootWindow.py", line 497, in loadModules > result = module.launch() > File "/usr/share/firstboot/modules/securitylevel.py", line 647, in launch > self.mainVBox.reparent(vbox) > AttributeError: 'NoneType' object has no attribute 'reparent' > [root@bruno root]# more firstboot.1177171518.89 > Traceback (most recent call last): > File "/usr/share/firstboot/firstbootWindow.py", line 497, in loadModules > result = module.launch() > File "/usr/share/firstboot/modules/firstboot_selinux.py", line 97, in launch > self.selinuxPage = selinuxPage.selinuxPage(xml, doDebug, True) > File "/usr/share/system-config-securitylevel/selinuxPage.py", line 75, in __init__ > self.enabledOptionMenu.set_model(listStore) > AttributeError: 'NoneType' object has no attribute 'set_model' This is an unrelated bug and is discussed in bug #236999
(In reply to comment #2) > (In reply to comment #0) > > Description of problem: > > I get a bunch of dmesg warnings about disable-ipv6 being denied by selinux. > > > > The following avc message appeared a fair number of times in /var/log/dmesg: > > audit(1177171423.734:4): avc: denied { read } for pid=551 comm="modprobe" > > name="disable-ipv6" dev=md5 ino=4202319 > > scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 > > tcontext=system_u:object_r:file_t:s0 tclass=file > > I just recently added this to anaconda as we need to be using a new method for > disabling IPv6 if users want that (previously we were adding NETWORKING_IPV6=no > to /etc/sysconfig/network and that's no longer valid). > > We need to be able to create and write to /etc/modprobe.d/disable-ipv6, so I'll > do what we need to do there. I fixed this up on Friday actually :)
Durhh...if I read the ChangeLog more closely I would have seen that.