237385 – disable-ipv6 is denied by selinux

Bug 237385 - disable-ipv6 is denied by selinux

Summary: disable-ipv6 is denied by selinux

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	anaconda
Sub Component:
Version:	rawhide
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	David Cantrell
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2007-04-21 17:51 UTC by Bruno Wolff III
Modified:	2007-11-30 22:12 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2007-04-23 15:05:29 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Bruno Wolff III 2007-04-21 17:51:55 UTC

Description of problem:
I get a bunch of dmesg warnings about disable-ipv6 being denied by selinux.

Version-Release number of selected component (if applicable):
rawhide snapshot from Friday April 20.

How reproducible:
Unknown


Steps to Reproduce:
1. Install f7 and configure network devices with ipv6 disabled.
2.
3.
  
Actual results:
dmesg warnings

Expected results:
No warnings

Additional info:
I got some first boot warnings that may point to an underlying cause outside of
selinux. When I used the graphical interface to sysconfig networking the device
that was eth0 was named peth0 and my tdm400 was listed as eth0, but the network
config scripts looked correct.

The following avc message appeared a fair number of times in /var/log/dmesg:
audit(1177171423.734:4): avc:  denied  { read } for  pid=551 comm="modprobe"
name="disable-ipv6" dev=md5 ino=4202319
scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=system_u:object_r:file_t:s0 tclass=file

These are the two firstboot traceback warnings I saw:
[root@bruno root]# more firstboot.1177171489.41
Traceback (most recent call last):
  File "/usr/share/firstboot/firstbootWindow.py", line 497, in loadModules
    result = module.launch()
  File "/usr/share/firstboot/modules/securitylevel.py", line 647, in launch
    self.mainVBox.reparent(vbox)
AttributeError: 'NoneType' object has no attribute 'reparent'
[root@bruno root]# more firstboot.1177171518.89
Traceback (most recent call last):
  File "/usr/share/firstboot/firstbootWindow.py", line 497, in loadModules
    result = module.launch()
  File "/usr/share/firstboot/modules/firstboot_selinux.py", line 97, in launch
    self.selinuxPage = selinuxPage.selinuxPage(xml, doDebug, True)
  File "/usr/share/system-config-securitylevel/selinuxPage.py", line 75, in __init__
    self.enabledOptionMenu.set_model(listStore)
AttributeError: 'NoneType' object has no attribute 'set_model'

Comment 1 Daniel Walsh 2007-04-23 14:02:53 UTC

This looks like an anaconda problem.  Two things jump out.  first you are trying
to read file_t, which means some part of the file system was never labeled
during the install.  This should not happen.  Secondly the selinuxPage in
firstboot is blowing up in the traceback.

Comment 2 David Cantrell 2007-04-23 14:33:29 UTC

(In reply to comment #0)
> Description of problem:
> I get a bunch of dmesg warnings about disable-ipv6 being denied by selinux.
> 
> The following avc message appeared a fair number of times in /var/log/dmesg:
> audit(1177171423.734:4): avc:  denied  { read } for  pid=551 comm="modprobe"
> name="disable-ipv6" dev=md5 ino=4202319
> scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:file_t:s0 tclass=file

I just recently added this to anaconda as we need to be using a new method for
disabling IPv6 if users want that (previously we were adding NETWORKING_IPV6=no
to /etc/sysconfig/network and that's no longer valid).

We need to be able to create and write to /etc/modprobe.d/disable-ipv6, so I'll
do what we need to do there.

> These are the two firstboot traceback warnings I saw:
> [root@bruno root]# more firstboot.1177171489.41
> Traceback (most recent call last):
>   File "/usr/share/firstboot/firstbootWindow.py", line 497, in loadModules
>     result = module.launch()
>   File "/usr/share/firstboot/modules/securitylevel.py", line 647, in launch
>     self.mainVBox.reparent(vbox)
> AttributeError: 'NoneType' object has no attribute 'reparent'
> [root@bruno root]# more firstboot.1177171518.89
> Traceback (most recent call last):
>   File "/usr/share/firstboot/firstbootWindow.py", line 497, in loadModules
>     result = module.launch()
>   File "/usr/share/firstboot/modules/firstboot_selinux.py", line 97, in launch
>     self.selinuxPage = selinuxPage.selinuxPage(xml, doDebug, True)
>   File "/usr/share/system-config-securitylevel/selinuxPage.py", line 75, in
__init__
>     self.enabledOptionMenu.set_model(listStore)
> AttributeError: 'NoneType' object has no attribute 'set_model'

This is an unrelated bug and is discussed in bug #236999

Comment 3 Jeremy Katz 2007-04-23 15:05:29 UTC

(In reply to comment #2)
> (In reply to comment #0)
> > Description of problem:
> > I get a bunch of dmesg warnings about disable-ipv6 being denied by selinux.
> > 
> > The following avc message appeared a fair number of times in /var/log/dmesg:
> > audit(1177171423.734:4): avc:  denied  { read } for  pid=551 comm="modprobe"
> > name="disable-ipv6" dev=md5 ino=4202319
> > scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023
> > tcontext=system_u:object_r:file_t:s0 tclass=file
> 
> I just recently added this to anaconda as we need to be using a new method for
> disabling IPv6 if users want that (previously we were adding NETWORKING_IPV6=no
> to /etc/sysconfig/network and that's no longer valid).
> 
> We need to be able to create and write to /etc/modprobe.d/disable-ipv6, so I'll
> do what we need to do there.

I fixed this up on Friday actually :)

Comment 4 David Cantrell 2007-04-23 15:22:24 UTC

Durhh...if I read the ChangeLog more closely I would have seen that.

Note You need to log in before you can comment on or make changes to this bug.