Bug 384351 - (Synefonk) SELinux problem!
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: firstboot
Version: 7
Hardware: All Linux
Priority: low, Severity: medium
Assigned To: Chris Lumens
Fedora Extras Quality Assurance
: SELinux
Reported: 2007-11-15 06:07 EST by Syne Fonk
Modified: 2013-01-09 23:30 EST
Doc Type: Bug Fix
Last Closed: 2007-11-19 13:10:54 EST
Attachments:
SELinux (2.83 KB, text/x-python), 2007-11-15 06:07 EST, Syne Fonk

Description Syne Fonk 2007-11-15 06:07:52 EST
SELinux is preventing /sbin/ip6tables (iptables_t) "read" to
/usr/share/firstboot/modules/date.py (usr_t).

Detailed Description

SELinux denied access requested by /sbin/ip6tables. It is not expected that
this access is required by /sbin/ip6tables and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.

Allowing Access

Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for
/usr/share/firstboot/modules/date.py,

restorecon -v /usr/share/firstboot/modules/date.py

If this does not work, there is currently no automatic way to allow this
access. Instead, you can generate a local policy module to allow this access -
see FAQ Or you can disable SELinux protection altogether. Disabling SELinux
protection is not recommended. Please file a bug report against this package.

Additional Information

Source Context:  system_u:system_r:iptables_t
Target Context:  system_u:object_r:usr_t
Target Objects:  /usr/share/firstboot/modules/date.py [ file ]
Affected RPM Packages:  iptables-ipv6-1.3.7-2 [application]
                        firstboot-1.4.35-1.fc7 [target]
Policy RPM:  selinux-policy-2.6.4-8.fc7
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.catchall_file
Host Name:  localhost.localdomain
Platform:  Linux localhost.localdomain 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 i686
Alert Count:  14
First Seen:  Fri 02 Nov 2007 08:51:11 PM CET
Last Seen:  Fri 02 Nov 2007 08:51:12 PM CET
Local ID:  f17de94b-b80b-4678-adad-d760c59c6477
Line Numbers:

Raw Audit Messages:

avc: denied { read } for comm="ip6tables" dev=dm-0 egid=0 euid=0
exe="/sbin/ip6tables" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="date.py"
path="/usr/share/firstboot/modules/date.py" pid=2141
scontext=system_u:system_r:iptables_t:s0 sgid=0
subj=system_u:system_r:iptables_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:usr_t:s0 tty=(none) uid=0

Comment 1 Syne Fonk 2007-11-15 06:07:52 EST
Created attachment 259711 [details]
SELinux
Comment 2 Syne Fonk 2007-11-15 06:10:28 EST
It's really difficult to understand and notify bug information!
Too difficult, English and a lot of not normal used words for me.
Comment 3 Daniel Walsh 2007-11-19 10:44:26 EST
This does not make sense, that iptables would be trying to read
path="/usr/share/firstboot/modules/date.py"

So I think this is a leaked file descriptor from firstboot.

All open file descriptors should be closed on exec.

fcntl(fd, F_SETFD, FD_CLOEXEC)
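
The fix suggested in comment 3, as an added example that is not part of the original bug thread or firstboot's code: a C helper that sets FD_CLOEXEC without clobbering other descriptor flags, plus a Linux-only audit that counts the descriptors a child such as ip6tables would inherit. The function names and the use of /dev/null as a stand-in for date.py are assumptions.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Mark fd close-on-exec, preserving any other descriptor flags. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags == -1 ? -1 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Count descriptors above stderr that a child would inherit across exec().
 * Walks /proc/self/fd (Linux-specific); prints each one when verbose. */
int count_inheritable_fds(int verbose)
{
    DIR *dir = opendir("/proc/self/fd");
    if (dir == NULL)
        return -1;
    int leaks = 0;
    struct dirent *ent;
    while ((ent = readdir(dir)) != NULL) {
        char *end, link[64], target[256];
        long fd = strtol(ent->d_name, &end, 10);
        if (end == ent->d_name || *end != '\0')
            continue;                       /* "." and ".." */
        if (fd <= STDERR_FILENO || fd == dirfd(dir))
            continue;                       /* stdio and our own scan handle */
        int flags = fcntl((int)fd, F_GETFD);
        if (flags == -1 || (flags & FD_CLOEXEC))
            continue;                       /* closed, or already protected */
        leaks++;
        snprintf(link, sizeof link, "/proc/self/fd/%ld", fd);
        ssize_t n = readlink(link, target, sizeof target - 1);
        if (verbose && n >= 0) {
            target[n] = '\0';
            printf("fd %ld -> %s would leak across exec\n", fd, target);
        }
    }
    closedir(dir);
    return leaks;
}

int main(void)
{
    int fd = open("/dev/null", O_RDONLY);   /* constructed stand-in for date.py */
    printf("inheritable before: %d\n", count_inheritable_fds(1));
    set_cloexec(fd);
    printf("inheritable after:  %d\n", count_inheritable_fds(1));
    close(fd);
    return 0;
}
```

Calling the audit just before fork/exec of a confined helper shows which open files would otherwise surface as AVC denials against the helper's domain.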
Comment 4 Chris Lumens 2007-11-19 13:10:54 EST
This will be fixed in the next build of firstboot.
