Bug 946857 - SELinux is preventing firewalld from 'open' accesses on the file /proc/sys/net/ipv4/ip_forward.
Summary: SELinux is preventing firewalld from 'open' accesses on the file /proc/sys/ne...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 19
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:84ec801d72ce32a97088511759d...
: 929440 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-03-31 12:30 UTC by Alexei Panov
Modified: 2013-04-19 05:55 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-04-19 05:55:53 UTC
Type: ---


Attachments (Terms of Use)

Description Alexei Panov 2013-03-31 12:30:09 UTC
Description of problem:
SELinux is preventing firewalld from 'open' accesses on the file /proc/sys/net/ipv4/ip_forward.

*****  Plugin catchall (100. confidence) suggests  ***************************

If вы считаете, что firewalld следует разрешить доступ open к ip_forward file по умолчанию.
Then рекомендуется создать отчет об ошибке.
Чтобы разрешить доступ, можно создать локальный модуль политики.
Do
чтобы разрешить доступ, выполните:
# grep firewalld /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:firewalld_t:s0
Target Context                system_u:object_r:sysctl_net_t:s0
Target Objects                /proc/sys/net/ipv4/ip_forward [ file ]
Source                        firewalld
Source Path                   firewalld
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-24.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.9.0-0.rc3.git1.5.fc19.x86_64 #1
                              SMP Sun Mar 24 12:32:21 MSK 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-03-31 19:35:19 MSK
Last Seen                     2013-03-31 19:35:19 MSK
Local ID                      64e21153-672a-43a2-aaf3-7e3e7f7429a2

Raw Audit Messages
type=AVC msg=audit(1364744119.184:241): avc:  denied  { open } for  pid=467 comm="firewalld" path="/proc/sys/net/ipv4/ip_forward" dev="proc" ino=8176 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file


Hash: firewalld,firewalld_t,sysctl_net_t,file,open

audit2allow

#============= firewalld_t ==============
allow firewalld_t sysctl_net_t:file open;

audit2allow -R
require {
	type sysctl_net_t;
	type firewalld_t;
	class file open;
}

#============= firewalld_t ==============
allow firewalld_t sysctl_net_t:file open;


Additional info:
hashmarkername: setroubleshoot
kernel:         3.9.0-0.rc3.git1.5.fc19.x86_64
type:           libreport

Comment 1 Daniel Walsh 2013-04-01 14:46:46 UTC
Fixed in selinux-policy-3.12.1-25.fc19.noarch

Comment 2 Daniel Walsh 2013-04-01 14:47:18 UTC
*** Bug 929440 has been marked as a duplicate of this bug. ***

Comment 3 Petr Sklenar 2013-04-04 11:57:22 UTC
Description of problem:
1, system-config-printer
2, View > uncheck discover_printer
3, View > check discover_printer

Additional info:
hashmarkername: setroubleshoot
kernel:         3.9.0-0.rc4.git0.1.fc19.i686
type:           libreport

Comment 4 Victor Costan 2013-04-05 07:47:38 UTC
Description of problem:
I got this warning as I was surfing the Web.

firewalld got firewalled? :)

Additional info:
hashmarkername: setroubleshoot
kernel:         3.9.0-0.rc5.git2.2.fc20.x86_64
type:           libreport

Comment 5 Miroslav Hradílek 2013-04-05 13:14:36 UTC
Description of problem:
I guess this was caused while addying network printers using system-config-printer.

Investigation:
[root@localhost ~]# find / -mount -inum 17979
/usr/share/help/hi/gnome-help/figures/network-cellular-3g-symbolic.svg

Additional info:
hashmarkername: setroubleshoot
kernel:         3.9.0-0.rc4.git0.1.fc19.x86_64
type:           libreport

Comment 6 Adam Williamson 2013-04-05 20:09:57 UTC
Description of problem:
AVC is visible after install / reboot of F19 Alpha TC5 KDE live, no user interaction needed.

Additional info:
hashmarkername: setroubleshoot
kernel:         3.9.0-0.rc4.git0.1.fc19.x86_64
type:           libreport

Comment 7 Fedora Update System 2013-04-08 11:43:38 UTC
selinux-policy-3.12.1-28.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/FEDORA-2013-5045/selinux-policy-3.12.1-28.fc19

Comment 8 Kamil Páral 2013-04-08 12:54:16 UTC
Description of problem:
Just booted up Fedora 19 Alpha TC5 Live Desktop x86_64.

Additional info:
hashmarkername: setroubleshoot
kernel:         3.9.0-0.rc4.git0.1.fc19.x86_64
type:           libreport

Comment 9 Fedora Update System 2013-04-08 15:55:48 UTC
Package selinux-policy-3.12.1-28.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-28.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-5045/selinux-policy-3.12.1-28.fc19
then log in and leave karma (feedback).

Comment 10 Fedora Update System 2013-04-19 05:55:55 UTC
selinux-policy-3.12.1-28.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.