Summary: SELinux is preventing /usr/bin/python "write" access on sysctl.conf.
Detailed Description: [system-config-f has a permissive type (firewallgui_t). This access was not denied.]
SELinux denied access requested by system-config-f. It is not expected that this access is required by system-config-f and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.
Additional Information:
Source Context system_u:system_r:firewallgui_t:s0-s0:c0.c1023
Target Context system_u:object_r:etc_t:s0
Target Objects sysctl.conf [ file ]
Source system-config-f
Source Path /usr/bin/python
Port <Unknown>
Host (removed)
Source RPM Packages python-2.6.2-2.fc12
Target RPM Packages
Policy RPM selinux-policy-3.6.32-84.fc12
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name catchall
Host Name (removed)
Platform Linux FED12.MYHOME 2.6.31.12-174.2.3.fc12.x86_64 #1 SMP Mon Jan 18 19:52:07 UTC 2010 x86_64 x86_64
Alert Count 1
First Seen Sun 14 Feb 2010 19:36:49 CET
Last Seen Sun 14 Feb 2010 19:36:49 CET
Local ID 53cd7d85-642f-407d-bb4f-2eddc163cb0a
Line Numbers
Raw Audit Messages
node=FED12.MYHOME type=AVC msg=audit(1266172609.350:17): avc: denied { write } for pid=2032 comm="system-config-f" name="sysctl.conf" dev=sda7 ino=686335 scontext=system_u:system_r:firewallgui_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
node=FED12.MYHOME type=SYSCALL msg=audit(1266172609.350:17): arch=c000003e syscall=2 success=yes exit=6 a0=9a54a0 a1=241 a2=1b6 a3=0 items=0 ppid=1 pid=2032 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="system-config-f" exe="/usr/bin/python" subj=system_u:system_r:firewallgui_t:s0-s0:c0.c1023 key=(null)
Hash String generated from catchall,system-config-f,firewallgui_t,etc_t,file,write
audit2allow suggests:
#============= firewallgui_t ==============
allow firewallgui_t etc_t:file write;
Created attachment 394216
firewall configuration screencopy
first reboot after adding translation of addresses between eth0 and eth1 cf. Capture-Configuration du pare-feu.png
cf. Bug 565324 - SELinux is preventing /usr/bin/python "setattr" access on sysctl.conf.
*** Bug 565324 has been marked as a duplicate of this bug. ***
"sysctl.conf" is mislabeled. Execute:
restorecon -R -v /etc/sysctl.conf
Should fix. Please reopen if this happens again.
Seeing this bug with fresh install of Fedora 14 Alpha running latest packages as of 2010-09-01. Tried to add a new network printer.
$ rpm -qa | grep selinux | sort
libselinux-2.0.96-3.fc14.i686
libselinux-2.0.96-3.fc14.x86_64
libselinux-python-2.0.96-3.fc14.x86_64
libselinux-utils-2.0.96-3.fc14.x86_64
selinux-policy-3.9.0-2.fc14.noarch
selinux-policy-targeted-3.9.0-2.fc14.noarch
Summary: SELinux is preventing /usr/bin/python "write" access on iptables.old.
Detailed Description: SELinux denied access requested by system-config-f. It is not expected that this access is required by system-config-f and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.
Additional Information:
Source Context system_u:system_r:firewallgui_t:s0
Target Context unconfined_u:object_r:etc_t:s0
Target Objects iptables.old [ file ]
Source system-config-f
Source Path /usr/bin/python
Port <Unknown>
Host (removed)
Source RPM Packages python-2.7-7.fc14
Target RPM Packages
Policy RPM selinux-policy-3.9.0-2.fc14
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name catchall
Host Name (removed)
Platform Linux kvm 2.6.35.4-12.fc14.x86_64 #1 SMP Fri Aug 27 07:45:05 UTC 2010 x86_64 x86_64
Alert Count 2
First Seen Wed 01 Sep 2010 08:02:17 PM PDT
Last Seen Wed 01 Sep 2010 08:02:17 PM PDT
Local ID 0c0d12f3-ef5e-4746-a06c-3821670acb0c
Line Numbers
Raw Audit Messages
node=kvm type=AVC msg=audit(1283396537.926:218): avc: denied { write } for pid=2524 comm="system-config-f" name="iptables.old" dev=dm-1 ino=145251 scontext=system_u:system_r:firewallgui_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
node=kvm type=SYSCALL msg=audit(1283396537.926:218): arch=c000003e syscall=2 success=no exit=-13 a0=1a82850 a1=241 a2=1b6 a3=0 items=0 ppid=1 pid=2524 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="system-config-f" exe="/usr/bin/python" subj=system_u:system_r:firewallgui_t:s0 key=(null)
iptables.old was created with the wrong context. Should be created with the right context (system_conf_t) by s-c-firewall. Did you just use s-c-firewall? I am trying it and
# ls -Z /etc/sysconfig/iptables.old
-rw-------. root root system_u:object_r:system_conf_t:s0 /etc/sysconfig/iptables.old
# restorecon -v /etc/sysconfig/iptables.old
will fix.
To be clear, I did not do ANYTHING except install the Fedora 14 alpha, update to the latest packages, and add a new printer.
Miroslav, could it be being created by firstboot, with the wrong context?
Well, it is a good idea. firstboot could be the culprit.
I can't see anything that makes this bug a beta blocker; John, can you point up the criterion you consider it to be infringing? (Also note that a workaround should be presented by the SELinux exception viewer - it usually offers a button to relabel the file).
Discussed at 2010/09/03 blocker review meeting. Agreed that this does not qualify as a beta or final blocker under any existing criterion. We discussed possible criterion extensions to make this a blocker, but it's a tricky area to cover, no decision on that yet.
This bug is still present with the release version of F14. You have to start s-c-f as root to be able to change the firewall rules. As mentioned in comment #6, iptables.old is created with the wrong context.
-rw-------. root root system_u:object_r:system_conf_t:s0 iptables
-rw-------. root root system_u:object_r:system_conf_t:s0 iptables-config
-rw-------. root root unconfined_u:object_r:etc_t:s0 iptables.old
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
What command is firstboot using to create these files?
SELinux is preventing NetworkManager from read access on the file /etc/sysctl.conf.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that NetworkManager should be allowed read access on the sysctl.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep NetworkManager /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:NetworkManager_t:s0
Target Context system_u:object_r:system_conf_t:s0
Target Objects /etc/sysctl.conf [ file ]
Source NetworkManager
Source Path NetworkManager
Port <Unknown>
Host <removed>.<removed>
Source RPM Packages
Target RPM Packages initscripts-9.34.2-1.fc16.x86_64
Policy RPM selinux-policy-3.10.0-80.fc16.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name <removed>.<removed>
Platform Linux <removed>.<removed> 3.3.1-3.fc16.x86_64 #1 SMP Wed Apr 4 18:08:51 UTC 2012 x86_64 x86_64
Alert Count 1
First Seen Wed 11 Apr 2012 03:57:09 PM EDT
Last Seen Wed 11 Apr 2012 03:57:09 PM EDT
Local ID a750bf33-4c0a-4d58-a649-7eef35fc2324
Raw Audit Messages
type=AVC msg=audit(1334174229.831:76): avc: denied { read } for pid=982 comm="NetworkManager" name="sysctl.conf" dev="sda5" ino=156908 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
Hash: NetworkManager,NetworkManager_t,system_conf_t,file,read
audit2allow
#============= NetworkManager_t ==============
allow NetworkManager_t system_conf_t:file read;
audit2allow -R
#============= NetworkManager_t ==============
allow NetworkManager_t system_conf_t:file read;
This is fixed in the -81.fc16 release. http://koji.fedoraproject.org/koji/buildinfo?buildID=307648
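The denials in this bug fall into three distinct buckets, and they call for three different responses: the first report came from a permissive domain (the SYSCALL record shows success=yes, so nothing was actually blocked), the iptables.old reports were a mislabelled file that restorecon fixes, and the NetworkManager denial hit a correctly labelled file and needed a policy update. The script below is an added example, not part of the bug report, of setroubleshoot or of audit2allow. It parses raw AVC and SYSCALL records of the kind pasted in this thread, joins them by audit event id, and sorts each denial into one of those buckets. The sample log is constructed from the records quoted above; the expected-label table is taken from comment #9 and the NetworkManager report (both show system_conf_t for these files) and is an assumption for any other file, where matchpathcon(1) would be the source of truth.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log. The two AVC/SYSCALL pairs and the final AVC record
# are the raw audit messages quoted in this bug; nothing else is real.
SAMPLE_AUDIT_LOG = """\
node=FED12.MYHOME type=AVC msg=audit(1266172609.350:17): avc:  denied  { write } for  pid=2032 comm="system-config-f" name="sysctl.conf" dev=sda7 ino=686335 scontext=system_u:system_r:firewallgui_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
node=FED12.MYHOME type=SYSCALL msg=audit(1266172609.350:17): arch=c000003e syscall=2 success=yes exit=6 a0=9a54a0 a1=241 a2=1b6 a3=0 items=0 ppid=1 pid=2032 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="system-config-f" exe="/usr/bin/python" subj=system_u:system_r:firewallgui_t:s0-s0:c0.c1023 key=(null)
node=kvm type=AVC msg=audit(1283396537.926:218): avc:  denied  { write } for  pid=2524 comm="system-config-f" name="iptables.old" dev=dm-1 ino=145251 scontext=system_u:system_r:firewallgui_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
node=kvm type=SYSCALL msg=audit(1283396537.926:218): arch=c000003e syscall=2 success=no exit=-13 a0=1a82850 a1=241 a2=1b6 a3=0 items=0 ppid=1 pid=2524 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="system-config-f" exe="/usr/bin/python" subj=system_u:system_r:firewallgui_t:s0 key=(null)
type=AVC msg=audit(1334174229.831:76): avc:  denied  { read } for  pid=982 comm="NetworkManager" name="sysctl.conf" dev="sda5" ino=156908 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
"""

# Expected labels for the files named in this thread (comment #9 and the
# NetworkManager report both show system_conf_t). Assumption for anything
# else: on a live system matchpathcon(1) is the source of truth for this table.
EXPECTED_TYPE: Dict[str, str] = {
    "sysctl.conf": "system_conf_t",
    "iptables": "system_conf_t",
    "iptables-config": "system_conf_t",
    "iptables.old": "system_conf_t",
}

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<event>[\d.]+:\d+)\): avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
SYSCALL_RE = re.compile(r"type=SYSCALL msg=audit\((?P<event>[\d.]+:\d+)\): (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(text: str) -> Dict[str, str]:
    """Split 'k=v k2="v two"' into a dict, dropping the quotes audit puts around strings."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def context_type(ctx: str) -> str:
    """user:role:type[:range] -> type, the field type enforcement decides on."""
    return ctx.split(":")[2]


@dataclass
class Denial:
    event: str
    perms: List[str]
    comm: str
    name: str
    tclass: str
    source_type: str
    target_type: str
    success: Optional[str] = None  # from the paired SYSCALL record, if one was logged


def parse_audit_log(text: str) -> List[Denial]:
    """Collect AVC records and join each to its SYSCALL record by audit event id."""
    denials: Dict[str, Denial] = {}
    outcomes: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            kv = parse_kv(m.group("rest"))
            denials[m.group("event")] = Denial(
                event=m.group("event"),
                perms=m.group("perms").split(),
                comm=kv.get("comm", "?"),
                name=kv.get("name", "?"),
                tclass=kv.get("tclass", "?"),
                source_type=context_type(kv["scontext"]),
                target_type=context_type(kv["tcontext"]),
            )
            continue
        m = SYSCALL_RE.search(line)
        if m:
            outcomes[m.group("event")] = parse_kv(m.group("rest")).get("success")
    for event, d in denials.items():
        d.success = outcomes.get(event)
    return list(denials.values())


def triage(d: Denial) -> str:
    """Sort one denial into the three outcomes seen in this thread."""
    if d.success == "yes":
        return f"permissive-domain: {d.comm} ({d.source_type}) was logged, not blocked"
    expected = EXPECTED_TYPE.get(d.name)
    if expected and expected != d.target_type:
        return (f"mislabel: {d.name} is {d.target_type}, expected {expected}; "
                f"restorecon -v on the file is the fix")
    return (f"policy-gap: {d.name} carries its expected label, so {d.source_type} "
            f"needs a policy change (bug report / audit2allow)")


def triage_log(text: str) -> List[str]:
    return [triage(d) for d in parse_audit_log(text)]


if __name__ == "__main__":
    for verdict in triage_log(SAMPLE_AUDIT_LOG):
        print(verdict)
```

The split matters operationally: a mislabel is fixed locally and silently with restorecon, while a policy gap is what audit2allow would paper over and what should go to the policy maintainers instead; the permissive-domain case is noise for enforcement but still worth reading, since it is exactly how this bug surfaced.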