Bug 711601 - Error applying modifications
Summary: Error applying modifications
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: system-config-firewall
Version: 15
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-06-07 20:49 UTC by Eric Tanguy
Modified: 2011-07-03 06:47 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-07-03 06:47:22 UTC
Type: ---



Description Eric Tanguy 2011-06-07 20:49:12 UTC
Description of problem: When I try to apply the modifications, an error window opens with this message:
org.freedesktop.DBus.Python.OSError: Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/slip/dbus/service.py", line 121, in reply_handler
    result = method(self, *p, **k)
  File "/usr/share/system-config-firewall/fw_dbus.py", line 113, in write
    ip6t_status, log) = fw_lokkit.updateFirewall(config, old_config)
  File "/usr/share/system-config-firewall/fw_lokkit.py", line 169, in updateFirewall
    ip6tables_conf.write()
  File "/usr/share/system-config-firewall/fw_iptables.py", line 152, in write
    shutil.copy2(self.filename, "%s.old" % self.filename)
  File "/usr/lib64/python2.7/shutil.py", line 128, in copy2
    copystat(src, dst)
  File "/usr/lib64/python2.7/shutil.py", line 97, in copystat
    os.utime(dst, (st.st_atime, st.st_mtime))
OSError: [Errno 13] Permission denied: '/etc/sysconfig/ip6tables-config.old'

At the same time I receive an SELinux alert:
SELinux is preventing /usr/bin/python from setattr access on the fichier /etc/sysconfig/ip6tables-config.old.

*****  Plugin restorecon (94.8 confiance) suggéré*****************************

Siyou want to fix the label. 
/etc/sysconfig/ip6tables-config.old default label should be system_conf_t.
Alorsyou can run restorecon.
Faire
# /sbin/restorecon -v /etc/sysconfig/ip6tables-config.old

*****  Plugin catchall_labels (5.21 confiance) suggéré************************

Sivous souhaitez autoriser python à accéder à setattr sur ip6tables-config.old file
Alorsyou need to change the label on /etc/sysconfig/ip6tables-config.old
Faire
# semanage fcontext -a -t FILE_TYPE '/etc/sysconfig/ip6tables-config.old'
where FILE_TYPE is one of the following: system_conf_t, firewallgui_tmp_t. 
Then execute: 
restorecon -v '/etc/sysconfig/ip6tables-config.old'


*****  Plugin catchall (1.44 confiance) suggéré*******************************

Siyou believe that python should be allowed setattr access on the ip6tables-config.old file by default.
Alorsyou should report this as a bug.
You can generate a local policy module to allow this access.
Faire
allow this access for now by executing:
# grep system-config-f /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Contexte source               system_u:system_r:firewallgui_t:s0-s0:c0.c1023
Contexte cible                unconfined_u:object_r:etc_t:s0
Objets du contexte            /etc/sysconfig/ip6tables-config.old [ file ]
Source                        system-config-f
Chemin de la source           /usr/bin/python
Port                          <Inconnu>
Hôte                          bureau
Paquetages RPM source         python-2.7.1-7.fc15
Paquetages RPM cible          
RPM de la statégie            selinux-policy-3.9.16-26.fc15
Selinux activé                True
Type de stratégie             targeted
Mode strict                   Enforcing
Nom de l'hôte                 bureau
Plateforme                    Linux bureau 2.6.38.6-27.fc15.x86_64 #1 SMP Sun
                              May 15 17:23:28 UTC 2011 x86_64 x86_64
Compteur d'alertes            3
Première alerte               mar. 07 juin 2011 20:38:38 CEST
Dernière alerte               mar. 07 juin 2011 22:45:46 CEST
ID local                      49cb6def-59a8-4310-b944-054c9399f380

Messages d'audit bruts 
type=AVC msg=audit(1307479546.672:206): avc:  denied  { setattr } for  pid=4010 comm="system-config-f" name="ip6tables-config.old" dev=dm-1 ino=151286 scontext=system_u:system_r:firewallgui_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file


type=SYSCALL msg=audit(1307479546.672:206): arch=x86_64 syscall=utimes success=no exit=EACCES a0=11d5e70 a1=7fffca0d66c0 a2=30ea1b7028 a3=6e6f632d items=0 ppid=1 pid=4010 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=system-config-f exe=/usr/bin/python subj=system_u:system_r:firewallgui_t:s0-s0:c0.c1023 key=(null)

Hash: system-config-f,firewallgui_t,etc_t,file,setattr

audit2allow

#============= firewallgui_t ==============
allow firewallgui_t etc_t:file setattr;

audit2allow -R

#============= firewallgui_t ==============
allow firewallgui_t etc_t:file setattr;

and the modifications are not applied when I try to verify by running
iptables -L -n

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
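
Added example (not part of the original report, and not code from system-config-firewall or setroubleshoot): a small parser for the AVC record quoted above that rebuilds the rule audit2allow printed and, given the default type the alert names (system_conf_t), classifies the denial as a labeling problem rather than a missing policy rule. The function names and the triage heuristic are assumptions made for illustration.

```python
import re

# The AVC record from this report, copied from the raw audit messages above.
AVC_LINE = (
    'type=AVC msg=audit(1307479546.672:206): avc:  denied  { setattr } for  '
    'pid=4010 comm="system-config-f" name="ip6tables-config.old" dev=dm-1 '
    'ino=151286 scontext=system_u:system_r:firewallgui_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:etc_t:s0 tclass=file'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')


def parse_avc(line):
    """Return the denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('fields'))
    fields = {k: v.strip('"') for k, v in pairs}
    # A context is user:role:type:level; the MLS level may contain colons,
    # so split at most three times and take the third element as the type.
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'source_type': fields['scontext'].split(':', 3)[2],
        'target_type': fields['tcontext'].split(':', 3)[2],
        'tclass': fields['tclass'],
    }


def allow_rule(d):
    """Format the denial the way audit2allow prints it."""
    perms = d['perms']
    p = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (
        d['source_type'], d['target_type'], d['tclass'], p)


def triage(d, expected_type):
    """Hypothetical heuristic: a target whose type differs from its default
    label points to relabeling (restorecon) before any policy change."""
    return 'relabel' if d['target_type'] != expected_type else 'policy'
```

Here the target carries etc_t while the alert gives system_conf_t as the default label, so `triage(parse_avc(AVC_LINE), 'system_conf_t')` returns `'relabel'`, matching the alert's highest-confidence suggestion.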

