Bug 237385 - disable-ipv6 is denied by selinux
disable-ipv6 is denied by selinux
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: anaconda (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: David Cantrell
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-04-21 13:51 EDT by Bruno Wolff III
Modified: 2007-11-30 17:12 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-04-23 11:05:29 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Bruno Wolff III 2007-04-21 13:51:55 EDT
Description of problem:
I get a bunch of dmesg warnings about disable-ipv6 being denied by selinux.

Version-Release number of selected component (if applicable):
rawhide snapshot from Friday April 20.

How reproducible:
Unknown


Steps to Reproduce:
1. Install f7 and configure network devices with ipv6 disabled.
2.
3.
  
Actual results:
dmesg warnings

Expected results:
No warnings

Additional info:
I got some first boot warnings that may point to an underlying cause outside of
selinux. When I used the graphical interface to sysconfig networking the device
that was eth0 was named peth0 and my tdm400 was listed as eth0, but the network
config scripts looked correct.

The following avc message appeared a fair number of times in /var/log/dmesg:
audit(1177171423.734:4): avc:  denied  { read } for  pid=551 comm="modprobe"
name="disable-ipv6" dev=md5 ino=4202319
scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=system_u:object_r:file_t:s0 tclass=file

These are the two firstboot traceback warnings I saw:
[root@bruno root]# more firstboot.1177171489.41
Traceback (most recent call last):
  File "/usr/share/firstboot/firstbootWindow.py", line 497, in loadModules
    result = module.launch()
  File "/usr/share/firstboot/modules/securitylevel.py", line 647, in launch
    self.mainVBox.reparent(vbox)
AttributeError: 'NoneType' object has no attribute 'reparent'
[root@bruno root]# more firstboot.1177171518.89
Traceback (most recent call last):
  File "/usr/share/firstboot/firstbootWindow.py", line 497, in loadModules
    result = module.launch()
  File "/usr/share/firstboot/modules/firstboot_selinux.py", line 97, in launch
    self.selinuxPage = selinuxPage.selinuxPage(xml, doDebug, True)
  File "/usr/share/system-config-securitylevel/selinuxPage.py", line 75, in __init__
    self.enabledOptionMenu.set_model(listStore)
AttributeError: 'NoneType' object has no attribute 'set_model'
Comment 1 Daniel Walsh 2007-04-23 10:02:53 EDT
This looks like an anaconda problem.  Two things jump out.  first you are trying
to read file_t, which means some part of the file system was never labeled
during the install.  This should not happen.  Secondly the selinuxPage in
firstboot is blowing up in the traceback.
Comment 2 David Cantrell 2007-04-23 10:33:29 EDT
(In reply to comment #0)
> Description of problem:
> I get a bunch of dmesg warnings about disable-ipv6 being denied by selinux.
> 
> The following avc message appeared a fair number of times in /var/log/dmesg:
> audit(1177171423.734:4): avc:  denied  { read } for  pid=551 comm="modprobe"
> name="disable-ipv6" dev=md5 ino=4202319
> scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:file_t:s0 tclass=file

I just recently added this to anaconda as we need to be using a new method for
disabling IPv6 if users want that (previously we were adding NETWORKING_IPV6=no
to /etc/sysconfig/network and that's no longer valid).

We need to be able to create and write to /etc/modprobe.d/disable-ipv6, so I'll
do what we need to do there.

> These are the two firstboot traceback warnings I saw:
> [root@bruno root]# more firstboot.1177171489.41
> Traceback (most recent call last):
>   File "/usr/share/firstboot/firstbootWindow.py", line 497, in loadModules
>     result = module.launch()
>   File "/usr/share/firstboot/modules/securitylevel.py", line 647, in launch
>     self.mainVBox.reparent(vbox)
> AttributeError: 'NoneType' object has no attribute 'reparent'
> [root@bruno root]# more firstboot.1177171518.89
> Traceback (most recent call last):
>   File "/usr/share/firstboot/firstbootWindow.py", line 497, in loadModules
>     result = module.launch()
>   File "/usr/share/firstboot/modules/firstboot_selinux.py", line 97, in launch
>     self.selinuxPage = selinuxPage.selinuxPage(xml, doDebug, True)
>   File "/usr/share/system-config-securitylevel/selinuxPage.py", line 75, in
__init__
>     self.enabledOptionMenu.set_model(listStore)
> AttributeError: 'NoneType' object has no attribute 'set_model'

This is an unrelated bug and is discussed in bug #236999
Comment 3 Jeremy Katz 2007-04-23 11:05:29 EDT
(In reply to comment #2)
> (In reply to comment #0)
> > Description of problem:
> > I get a bunch of dmesg warnings about disable-ipv6 being denied by selinux.
> > 
> > The following avc message appeared a fair number of times in /var/log/dmesg:
> > audit(1177171423.734:4): avc:  denied  { read } for  pid=551 comm="modprobe"
> > name="disable-ipv6" dev=md5 ino=4202319
> > scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023
> > tcontext=system_u:object_r:file_t:s0 tclass=file
> 
> I just recently added this to anaconda as we need to be using a new method for
> disabling IPv6 if users want that (previously we were adding NETWORKING_IPV6=no
> to /etc/sysconfig/network and that's no longer valid).
> 
> We need to be able to create and write to /etc/modprobe.d/disable-ipv6, so I'll
> do what we need to do there.

I fixed this up on Friday actually :)
Comment 4 David Cantrell 2007-04-23 11:22:24 EDT
Durhh...if I read the ChangeLog more closely I would have seen that.

Note You need to log in before you can comment on or make changes to this bug.