Bug 810508 - network service can't talk to firewalld
network service can't talk to firewalld
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
17
x86_64 Linux
unspecified Severity medium
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-04-06 09:30 EDT by Jiri Popelka
Modified: 2012-04-18 18:50 EDT (History)
5 users (show)

See Also:
Fixed In Version: selinux-policy-3.10.0-114.fc17
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-04-18 18:50:37 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jiri Popelka 2012-04-06 09:30:39 EDT
Hi,
I have a problem, which I see only with enforcing SELinux, so I'm filling this against selinux-policy.

I use initscripts instead of NetworkManager and during boot or when I run 'service network stop/start/restart' it stucks for couple of minutes. In a list of processes I see firewall-cmd. firewall-cmd is command line to firewalld
and ifup-post/ifdown-post call it due to bug #802415. In /var/log/messages I see:
Apr  5 15:17:48 localhost network[7555]: ERROR:dbus.proxies:Introspect error on :1.159:/org/fedoraproject/FirewallD1: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
Apr  5 15:17:48 localhost firewalld[6541]: 2012-04-05 15:17:48 DEBUG1: zone.changeZone('', 'em1')
Apr  5 15:17:48 localhost firewalld[6541]: 2012-04-05 15:17:48 DEBUG1: zone.ZoneChanged('public', 'em1')

It seems (to me) that network service can't (the first line) talk to firewalld, but on the other hand it seems that firewall did (the next two lines) what it had been asked for. Strange.

When firewalld or initscripts don't run as a service, i.e. if I call ifup/ifdown directly or run firewalld from command line, everything is ok.
I don't see any AVC in /var/log/messages or in /var/log/audit/audit.log so it took me quite a lot of time to narrow this down to SELinux.

Note: This could be similar to a change in selinux-policy-3.10.0-93.fc17, i.e. "- Allow firewalld to dbus chat with networkmanager".

Thanks.
Comment 1 Daniel Walsh 2012-04-09 15:32:17 EDT
Jiri what label do these processes run with dhcpc_t?

IE Does the init script run firewall
Comment 2 Daniel Walsh 2012-04-09 15:35:37 EDT
I have just checked in a fix to allow dhclient to dbus chat with the firewall daemon 
selinux-policy-3.10.0-112.fc17
Comment 3 Jiri Popelka 2012-04-10 04:54:32 EDT
(In reply to comment #1)
> IE Does the init script run firewall

It runs firewall-cmd (command line interface to firewalld)
In ifup-post:
/usr/bin/firewall-cmd --zone="${ZONE}" --change --interface="${DEVICE}"
In ifdown-post:
/usr/bin/firewall-cmd --remove --interface="${DEVICE}"

(In reply to comment #2)
> I have just checked in a fix to allow dhclient to dbus chat with the firewall
> daemon 
> selinux-policy-3.10.0-112.fc17

I don't understand. I hadn't mentioned dhclient anywhere, had I ?
Comment 4 Daniel Walsh 2012-04-10 15:01:06 EDT
I believe ifup and ifdown run dhclient and dhclient is not allowed to talk to firewalld.

What AVC messages are you seeing when you execute this?

ausearch -m avc
Comment 5 Thomas Woerner 2012-04-10 15:11:38 EDT
dhclient is not talking to firewalld, but /etc/sysconfig/network-scripts/ifdown-post and /etc/sysconfig/network-scripts/ifup-post are using firewall-cmd to talk to firewalld.
Comment 6 Daniel Walsh 2012-04-10 15:49:44 EDT
Well what context to they run as they should be running as unconfined_t which should be able to send dbus messages to firewalld, I guess we need to allow firewalld to send messages to unconfined_t?
Comment 7 Daniel Walsh 2012-04-10 15:53:22 EDT
I now allow unconfined_t, sysadm_t and networkmanager to dbus chat with firewalld.
Comment 8 Jiri Popelka 2012-04-11 03:26:22 EDT
(In reply to comment #4)
> What AVC messages are you seeing when you execute this?
> ausearch -m avc

'ausearch -m avc' doesn't show any new entry after restarting network service.
Comment 9 Miroslav Grepl 2012-04-11 03:32:27 EDT
and

ausearch -m user_avc
Comment 10 Jiri Popelka 2012-04-11 04:02:30 EDT
(In reply to comment #9)
> ausearch -m user_avc

time->Wed Apr 11 09:13:11 2012
type=USER_AVC msg=audit(1334128391.889:9368): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.330 spid=5506 tpid=5913 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Wed Apr 11 09:13:36 2012
type=USER_AVC msg=audit(1334128416.926:9373): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.DBus.Python.dbus.exceptions.DBusException dest=:1.330 spid=5506 tpid=5913 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Comment 11 Miroslav Grepl 2012-04-11 06:10:07 EDT
Which means they run with initrc_t context.

$ ausearch -m user_avc |audit2allow -M mypolicy
$ semodule -i mypol.pp

then it should work.
Comment 12 Daniel Walsh 2012-04-11 15:49:35 EDT
Yes we should allow this.
Comment 13 Fedora Update System 2012-04-13 04:40:58 EDT
selinux-policy-3.10.0-114.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-114.fc17
Comment 14 Fedora Update System 2012-04-13 21:45:46 EDT
Package selinux-policy-3.10.0-114.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-114.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-5870/selinux-policy-3.10.0-114.fc17
then log in and leave karma (feedback).
Comment 15 Fedora Update System 2012-04-18 18:50:37 EDT
selinux-policy-3.10.0-114.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.