Bug 384351 (Synefonk) - SELinux problem!
Summary: SELinux problem!
Alias: Synefonk
Product: Fedora
Classification: Fedora
Component: firstboot
Version: 7
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Chris Lumens
QA Contact: Fedora Extras Quality Assurance
Keywords: SELinux
Reported: 2007-11-15 11:07 UTC by Syne Fonk
Modified: 2013-01-10 04:30 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-11-19 18:10:54 UTC

Attachments
SELinux (2.83 KB, text/x-python)
2007-11-15 11:07 UTC, Syne Fonk

Description Syne Fonk 2007-11-15 11:07:52 UTC
SELinux is preventing /sbin/ip6tables (iptables_t) "read" to
/usr/share/firstboot/modules/date.py (usr_t).

Detailed Description
SELinux denied access requested by /sbin/ip6tables. It is not expected that
this access is required by /sbin/ip6tables and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /usr/share/firstboot/modules/date.py,

restorecon -v /usr/share/firstboot/modules/date.py

If this does not work, there is currently no automatic way to allow this
access. Instead, you can generate a local policy module to allow this access -
see FAQ Or you can disable SELinux protection altogether. Disabling SELinux
protection is not recommended. Please file a bug report against this package.

Additional Information
Source Context: system_u:system_r:iptables_t
Target Context: system_u:object_r:usr_t
Target Objects: /usr/share/firstboot/modules/date.py [ file ]
Affected RPM Packages: iptables-ipv6-1.3.7-2 [application] firstboot-1.4.35-1.fc7 [target]
Policy RPM: selinux-policy-2.6.4-8.fc7
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.catchall_file
Host Name: localhost.localdomain
Platform: Linux localhost.localdomain 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 i686
Alert Count: 14
First Seen: Fri 02 Nov 2007 08:51:11 PM CET
Last Seen: Fri 02 Nov 2007 08:51:12 PM CET
Local ID: f17de94b-b80b-4678-adad-d760c59c6477
Line Numbers:

Raw Audit Messages :
avc: denied { read } for comm="ip6tables" dev=dm-0
egid=0 euid=0 exe="/sbin/ip6tables" exit=0 fsgid=0 fsuid=0 gid=0 items=0
name="date.py" path="/usr/share/firstboot/modules/date.py" pid=2141
scontext=system_u:system_r:iptables_t:s0 sgid=0
subj=system_u:system_r:iptables_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:usr_t:s0 tty=(none) uid=0

Comment 1 Syne Fonk 2007-11-15 11:07:52 UTC
Created attachment 259711

Comment 2 Syne Fonk 2007-11-15 11:10:28 UTC
It's really difficult to understand and notify bug information!
Too difficult, English and a lot of not normally used words for me.

Comment 3 Daniel Walsh 2007-11-19 15:44:26 UTC
This does not make sense, that iptables would be trying to read

So I think this is a leaked file descriptor from firstboot.

All open file descriptors should be closed on exec

fcntl(fd, F_SETFD, FD_CLOEXEC)
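
The leak described in Comment 3 and its fix, as an added example that is not firstboot's code and not part of the original thread: a descriptor opened without close-on-exec is still open in a program started with fork+exec, and setting FD_CLOEXEC stops that. It assumes Linux with /proc mounted and test(1) on PATH; /dev/null stands in for date.py, and the function names set_cloexec and leaks_across_exec are hypothetical.

```c
/* Added example, not firstboot's code: shows a descriptor leaking into an
 * exec'd program and the close-on-exec fix. Linux-specific (uses /proc). */
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Set FD_CLOEXEC, preserving any other descriptor flags. 0 on success. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* fork + exec test(1) and ask whether `fd` is open in the new program.
 * Returns 1 if the descriptor leaked across exec, 0 if not, -1 on error. */
int leaks_across_exec(int fd)
{
    char path[64];
    int status;
    snprintf(path, sizeof path, "/proc/self/fd/%d", fd);
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        /* "self" is resolved by test(1) after the exec, not by this code. */
        execlp("test", "test", "-e", path, (char *)NULL);
        _exit(127);                     /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 0)
        return 1;                       /* path exists: fd was inherited */
    return WEXITSTATUS(status) == 1 ? 0 : -1;
}

int main(void)
{
    int fd = open("/dev/null", O_RDONLY);   /* stand-in for date.py */
    if (fd == -1) return 1;
    printf("before fix: leaked=%d\n", leaks_across_exec(fd));
    set_cloexec(fd);
    printf("after fix:  leaked=%d\n", leaks_across_exec(fd));
    close(fd);
    return 0;
}
```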

Comment 4 Chris Lumens 2007-11-19 18:10:54 UTC
This will be fixed in the next build of firstboot.
