Bug 1686660

| Field | Value |
|---|---|
| Summary | firewalld fails to start in current Rawhide after Server default install ("goto 'PRE_FedoraServer' is not a chain") |
| Product | Fedora |
| Reporter | Adam Williamson <awilliam> |
| Component | selinux-policy |
| Assignee | Lukas Vrabec <lvrabec> |
| Status | CLOSED NEXTRELEASE |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | high |
| Priority | high |
| Version | rawhide |
| CC | dwalsh, egarver, jpopelka, lslebodn, lvrabec, mgrepl, plautrba, twoerner, zpytela |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Linux |
| Whiteboard | openqa |
| Fixed In Version | selinux-policy-3.14.4-8.fc31 |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Last Closed | 2019-04-05 17:58:47 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 1644937 |
Description
Adam Williamson
2019-03-07 23:56:49 UTC
This is an SELinux policy issue. I expect the same is true for bug 1686654. I think both bugs can be reassigned to selinux-policy.

--->8---

```
[root@fedora ~]# setenforce 0
[root@fedora ~]# systemctl restart firewalld
[root@fedora ~]# firewall-cmd --state
running
[root@fedora ~]# setenforce 1
[root@fedora ~]# systemctl restart firewalld
[root@fedora ~]# firewall-cmd --state
failed
[root@fedora ~]# audit2allow -a

#============= iptables_t ==============

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow iptables_t kmod_exec_t:file map;
allow iptables_t kmod_exec_t:file { execute execute_no_trans open read };

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow iptables_t modules_object_t:file map;
allow iptables_t self:system module_load;
```

Ah, good call, confirmed. `ausearch -ts recent -m avc` after starting firewalld in permissive mode:

```
time->Fri Mar 8 15:41:58 2019
type=AVC msg=audit(1552077718.976:265): avc: denied { execute } for pid=1233 comm="ip6tables" name="kmod" dev="dm-0" ino=140171 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:kmod_exec_t:s0 tclass=file permissive=1
----
time->Fri Mar 8 15:41:58 2019
type=AVC msg=audit(1552077718.976:266): avc: denied { read open } for pid=1233 comm="ip6tables" path="/usr/bin/kmod" dev="dm-0" ino=140171 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:kmod_exec_t:s0 tclass=file permissive=1
----
time->Fri Mar 8 15:41:58 2019
type=AVC msg=audit(1552077718.976:267): avc: denied { execute_no_trans } for pid=1233 comm="ip6tables" path="/usr/bin/kmod" dev="dm-0" ino=140171 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:kmod_exec_t:s0 tclass=file permissive=1
----
time->Fri Mar 8 15:41:58 2019
type=AVC msg=audit(1552077718.976:268): avc: denied { map } for pid=1233 comm="modprobe" path="/usr/bin/kmod" dev="dm-0" ino=140171 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:kmod_exec_t:s0 tclass=file permissive=1
----
time->Fri Mar 8 15:41:58 2019
type=AVC msg=audit(1552077718.978:269): avc: denied { read } for pid=1233 comm="modprobe" name="modules.softdep" dev="dm-0" ino=264448 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=1
----
time->Fri Mar 8 15:41:58 2019
type=AVC msg=audit(1552077718.979:270): avc: denied { open } for pid=1233 comm="modprobe" path="/usr/lib/modules/5.1.0-0.rc0.git1.1.fc31.x86_64/modules.softdep" dev="dm-0" ino=264448 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=1
----
time->Fri Mar 8 15:41:58 2019
type=AVC msg=audit(1552077718.979:271): avc: denied { getattr } for pid=1233 comm="modprobe" path="/usr/lib/modules/5.1.0-0.rc0.git1.1.fc31.x86_64/modules.softdep" dev="dm-0" ino=264448 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=1
----
time->Fri Mar 8 15:41:58 2019
type=AVC msg=audit(1552077718.979:272): avc: denied { map } for pid=1233 comm="modprobe" path="/usr/lib/modules/5.1.0-0.rc0.git1.1.fc31.x86_64/modules.dep.bin" dev="dm-0" ino=266153 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=1
----
time->Fri Mar 8 15:41:59 2019
type=AVC msg=audit(1552077719.017:273): avc: denied { module_load } for pid=1233 comm="modprobe" scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=system permissive=1
```

commit f36721500c5e2596fc4157cfab3b88e3b1bda7a8
Author: Lukas Vrabec <lvrabec>
Date: Mon Mar 11 09:52:56 2019 +0100

    Fix interface modutils_run_kmod(), where the old interface modutils_domtrans_insmod() was used instead of the new one, modutils_domtrans_kmod()

    Resolves: rhbz#1686660

*** Bug 1688185 has been marked as a duplicate of this bug. ***
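The denials above are the whole diagnosis: ip6tables (running as iptables_t) executes /usr/bin/kmod in its own domain, so modprobe then needs module_load and access to the modules.dep files as iptables_t. audit2allow turns that into flat allow rules, which would work but hand iptables_t the right to load kernel modules. The fix that landed instead makes modutils_run_kmod() use modutils_domtrans_kmod(), so kmod runs in its own domain. The script below is an added example, not code from selinux-policy, firewalld or the audit tools: it parses AVC records, aggregates them the way audit2allow does, and flags the pattern that points at a missing domain transition. The sample records are constructed from the denials quoted in this report (same comm, paths, types and inodes); the "execute_no_trans on a *_exec_t type means a domtrans is missing" rule is the example's own heuristic, not an audit2allow feature.

```python
"""Summarise SELinux AVC denials audit2allow-style and flag missing domain transitions.

Added example for bug 1686660; not part of selinux-policy, firewalld or audit/setools.
SAMPLE_AUDIT is constructed from the records quoted in the report.
"""
import re
from collections import defaultdict

# Constructed sample: the ausearch records from the report, including the
# "time->" and "----" lines ausearch prints, which the parser must skip.
SAMPLE_AUDIT = """\
time->Fri Mar 8 15:41:58 2019
type=AVC msg=audit(1552077718.976:265): avc: denied { execute } for pid=1233 comm="ip6tables" name="kmod" dev="dm-0" ino=140171 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:kmod_exec_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(1552077718.976:266): avc: denied { read open } for pid=1233 comm="ip6tables" path="/usr/bin/kmod" dev="dm-0" ino=140171 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:kmod_exec_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(1552077718.976:267): avc: denied { execute_no_trans } for pid=1233 comm="ip6tables" path="/usr/bin/kmod" dev="dm-0" ino=140171 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:kmod_exec_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(1552077718.976:268): avc: denied { map } for pid=1233 comm="modprobe" path="/usr/bin/kmod" dev="dm-0" ino=140171 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:kmod_exec_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(1552077718.978:269): avc: denied { read } for pid=1233 comm="modprobe" name="modules.softdep" dev="dm-0" ino=264448 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(1552077719.017:273): avc: denied { module_load } for pid=1233 comm="modprobe" scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=system permissive=1
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': set(m.group('perms').split())}
    for key, value in FIELD_RE.findall(m.group('fields')):
        rec[key] = value.strip('"')
    # Contexts are user:role:type:level; the type is what policy rules are written against.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def summarise(lines):
    """Merge denials into {(source type, target type, class): permissions}.

    This is the aggregation audit2allow performs before emitting allow rules."""
    grouped = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            grouped[(rec['stype'], rec['ttype'], rec['tclass'])] |= rec['perms']
    return dict(grouped)


def allow_rules(grouped):
    """Render the grouped denials as allow rules in audit2allow's format."""
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        target = 'self' if src == tgt else tgt
        perm_str = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_str = '{ ' + perm_str + ' }'
        rules.append(f'allow {src} {target}:{cls} {perm_str};')
    return rules


def missing_domtrans(grouped):
    """Heuristic (this example's own): a domain denied execute_no_trans on an *_exec_t
    entrypoint ran that binary in its own domain. If the policy already has a domain
    for the binary, the right fix is a domtrans interface (here modutils_domtrans_kmod()
    so modprobe runs as the kmod domain), not allow rules that let the caller keep the
    binary's privileges such as module_load."""
    return sorted((src, tgt) for (src, tgt, cls), perms in grouped.items()
                  if cls == 'file' and 'execute_no_trans' in perms and tgt.endswith('_exec_t'))


def analyse(text):
    """Convenience wrapper: rules audit2allow would print, plus domtrans hints."""
    grouped = summarise(text.splitlines())
    return allow_rules(grouped), missing_domtrans(grouped)


if __name__ == '__main__':
    rules, hints = analyse(SAMPLE_AUDIT)
    print('\n'.join(rules))
    for src, entrypoint in hints:
        print(f'# {src} executed {entrypoint} without a domain transition; '
              f'consider a domtrans interface instead of the allow rules above')
```

On the sample this prints the same three groups audit2allow shows in the report (self:system module_load, kmod_exec_t:file with execute/execute_no_trans/map/open/read, and the modules_dep_t read) and then flags iptables_t executing kmod_exec_t, which is exactly the place the upstream fix changed the policy.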