Description of problem:

Version-Release number of selected component (if applicable):

Summary:

SELinux is preventing /usr/bin/python "write" access on iptables.old.

Detailed Description:

SELinux denied access requested by system-config-f. It is not expected that this access is required by system-config-f and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                system_u:system_r:firewallgui_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:etc_t:s0
Target Objects                iptables.old [ file ]
Source                        system-config-f
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.6.4-25.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-10.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux localhost.localdomain 2.6.33.3-85.fc13.i686 #1 SMP Thu May 6 18:44:12 UTC 2010 i686 i686
Local ID                      83cfe9da-242b-4c32-b3e8-ae7a289017ae
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1300092399.280:18): avc: denied { write } for pid=2139 comm="system-config-f" name="iptables.old" dev=dm-0 ino=130317 scontext=system_u:system_r:firewallgui_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1300092399.280:18): arch=40000003 syscall=5 success=no exit=-13 a0=90b7960 a1=8241 a2=1b6 a3=8e04c39 items=0 ppid=1 pid=2139 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="system-config-f" exe="/usr/bin/python" subj=system_u:system_r:firewallgui_t:s0-s0:c0.c1023 key=(null)

How reproducible:

Steps to Reproduce:
1.
2.
3.
Actual results:
need to edit the firewall so as to prevent answer to echo request also: unable to file a bug report as well

Expected results:
unable to edit the ip-tables get frequent crash reports

Additional info:
Please update your selinux-policy, maybe you want to update your system

# yum update
Sir, this is in regard to the firewall; the bug appears whenever I try to remove the "trusted".

AVC denial

org.freedesktop.DBus.Python.IOError: Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/slip/dbus/service.py", line 121, in reply_handler
    result = method(self, *p, **k)
  File "/usr/share/system-config-firewall/fw_dbus.py", line 113, in write
    ip6t_status, log) = fw_lokkit.updateFirewall(config, old_config)
  File "/usr/share/system-config-firewall/fw_lokkit.py", line 199, in updateFirewall
    ip4tables.write(config)
  File "/usr/share/system-config-firewall/fw_iptables.py", line 268, in write
    shutil.copy2(self.filename, "%s.old" % self.filename)
  File "/usr/lib/python2.6/shutil.py", line 99, in copy2
    copyfile(src, dst)
  File "/usr/lib/python2.6/shutil.py", line 53, in copyfile
    fdst = open(dst, 'wb')
IOError: [Errno 13] Permission denied: '/etc/sysconfig/iptables.old'
If you run

restorecon -R -v /etc/sysconfig/iptables.old

does it change anything?
This is the result:

restorecon -R -v /etc/sysconfig/iptables.old
restorecon reset /etc/sysconfig/iptables.old context unconfined_u:object_r:etc_t:s0->system_u:object_r:system_conf_t:s0
restorecon set context /etc/sysconfig/iptables.old->system_u:object_r:system_conf_t:s0 failed:'Operation not permitted'

I forgot I am running on live CD. Other than that, how do I manually update and install changes on a hard disk? Thanks.
Kindly help me with the live media as well, thank you.
Did you run the command as root?
No. Is it possible to find out the password for the live CD? Thanks. The person who got me the CD isn't aware of the password; it was bought from a registered LINUX showroom, linuxpert at CHENNAI, INDIA. Kindly help.
Well, if you cannot run the command as root, you cannot fix the label. Other than the AVC being reported, what do you need help with?
How do I get the password? Using grub, I tried it and got the following errors, thanks:

http://www.keepandshare.com/userpics/u/m/a/r/10/2011-03/sb/100_0720-13998139.jpg?ts=1300363567

source: http://www.thinkdigit.com/forum/open-source/6029-tips-n-tricks-linux.html

In case helping me on this is against the forum rules and regulations, then pardon me for the inconvenience caused. Thank you.
Mohammmed please contact me in IRC, since I think we are failing to communicate here. dwalsh on SELinux or freenode.