Hi, I have a problem which I see only with enforcing SELinux, so I'm filing this against selinux-policy. I use initscripts instead of NetworkManager, and during boot or when I run 'service network stop/start/restart' it gets stuck for a couple of minutes. In the list of processes I see firewall-cmd. firewall-cmd is the command line to firewalld, and ifup-post/ifdown-post call it due to bug #802415. In /var/log/messages I see:

Apr 5 15:17:48 localhost network[7555]: ERROR:dbus.proxies:Introspect error on :1.159:/org/fedoraproject/FirewallD1: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
Apr 5 15:17:48 localhost firewalld[6541]: 2012-04-05 15:17:48 DEBUG1: zone.changeZone('', 'em1')
Apr 5 15:17:48 localhost firewalld[6541]: 2012-04-05 15:17:48 DEBUG1: zone.ZoneChanged('public', 'em1')

It seems (to me) that the network service can't talk to firewalld (the first line), but on the other hand it seems that firewalld did what it had been asked for (the next two lines). Strange. When firewalld or initscripts don't run as a service, i.e. if I call ifup/ifdown directly or run firewalld from the command line, everything is ok. I don't see any AVC in /var/log/messages or in /var/log/audit/audit.log, so it took me quite a lot of time to narrow this down to SELinux. Note: This could be similar to a change in selinux-policy-3.10.0-93.fc17, i.e. "- Allow firewalld to dbus chat with networkmanager". Thanks.
Jiri, what label do these processes run with, dhcpc_t? I.e. does the init script run firewall?
I have just checked in a fix to allow dhclient to dbus chat with the firewall daemon selinux-policy-3.10.0-112.fc17
(In reply to comment #1)
> IE Does the init script run firewall

It runs firewall-cmd (command line interface to firewalld).

In ifup-post:
/usr/bin/firewall-cmd --zone="${ZONE}" --change --interface="${DEVICE}"

In ifdown-post:
/usr/bin/firewall-cmd --remove --interface="${DEVICE}"

(In reply to comment #2)
> I have just checked in a fix to allow dhclient to dbus chat with the firewall
> daemon
> selinux-policy-3.10.0-112.fc17

I don't understand. I hadn't mentioned dhclient anywhere, had I?
I believe ifup and ifdown run dhclient, and dhclient is not allowed to talk to firewalld. What AVC messages are you seeing when you execute this?

ausearch -m avc
dhclient is not talking to firewalld, but /etc/sysconfig/network-scripts/ifdown-post and /etc/sysconfig/network-scripts/ifup-post are using firewall-cmd to talk to firewalld.
Well, what context do they run as? They should be running as unconfined_t, which should be able to send dbus messages to firewalld. I guess we need to allow firewalld to send messages to unconfined_t?
I now allow unconfined_t, sysadm_t and networkmanager to dbus chat with firewalld.
(In reply to comment #4)
> What AVC messages are you seeing when you execute this?
> ausearch -m avc

'ausearch -m avc' doesn't show any new entry after restarting the network service.
and ausearch -m user_avc
(In reply to comment #9)
> ausearch -m user_avc

time->Wed Apr 11 09:13:11 2012
type=USER_AVC msg=audit(1334128391.889:9368): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.330 spid=5506 tpid=5913 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Wed Apr 11 09:13:36 2012
type=USER_AVC msg=audit(1334128416.926:9373): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.DBus.Python.dbus.exceptions.DBusException dest=:1.330 spid=5506 tpid=5913 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Which means they run with the initrc_t context.

$ ausearch -m user_avc | audit2allow -M mypolicy
$ semodule -i mypolicy.pp

Then it should work.
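The two USER_AVC records above are logged by dbus-daemon, not the kernel, which is why 'ausearch -m avc' showed nothing while the reply from firewalld_t to initrc_t was being dropped. As an added example (not part of the bug report or of audit2allow), this parser pulls the source type, target type, class and permissions out of such records and collapses them into the TE allow rule audit2allow would produce; the two log lines are copied from the report above.

```python
import re
from collections import defaultdict

# Two USER_AVC records copied from the 'ausearch -m user_avc' output in this report.
AUDIT_LOG = """\
type=USER_AVC msg=audit(1334128391.889:9368): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.330 spid=5506 tpid=5913 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1334128416.926:9373): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.DBus.Python.dbus.exceptions.DBusException dest=:1.330 spid=5506 tpid=5913 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
"""

# Matches the denial body shared by kernel AVC and dbus-daemon USER_AVC records:
# "avc: denied { perm... } for ... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_denials(text):
    """Yield (source_type, target_type, class, perms) for every denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC/USER_AVC denial, skip
        perms = set(m.group("perms").split())
        yield (selinux_type(m.group("scontext")),
               selinux_type(m.group("tcontext")),
               m.group("tclass"), perms)


def allow_rules(text):
    """Merge denials into one TE allow rule per (source, target, class) triple."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(text):
        merged[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(AUDIT_LOG):
        print(rule)  # the single rule needed for the reply path seen in this bug
```

Both records reduce to the one rule `allow firewalld_t initrc_t:dbus send_msg;`, which is the reply direction (method_return and error) that the stock policy was missing.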
Yes we should allow this.
selinux-policy-3.10.0-114.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-114.fc17
Package selinux-policy-3.10.0-114.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-114.fc17'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-5870/selinux-policy-3.10.0-114.fc17
then log in and leave karma (feedback).
selinux-policy-3.10.0-114.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.