View Issue Details

ID: 0017746
Project: CentOS-8
Category: selinux-policy
View Status: public
Last Update: 2020-09-21 23:15
Reporter: Theo0101
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Platform: Linux
OS: Centos Linux
OS Version: 8
Product Version: 8.2.2004
Target Version:
Fixed in Version:

Summary: 0017746: SELinux is preventing firewalld from read access on the file firewalld.conf.

Description: It seems SELinux is stopping the firewalld service from reading firewalld.conf.

Output from running sudo sealert -a /var/log/audit/audit.log

100% done
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing firewalld from read access on the file firewalld.conf.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that firewalld should be allowed read access on the firewalld.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'firewalld' --raw | audit2allow -M my-firewalld
# semodule -X 300 -i my-firewalld.pp


Additional Information:
Source Context system_u:system_r:firewalld_t:s0
Target Context unconfined_u:object_r:user_home_t:s0
Target Objects firewalld.conf [ file ]
Source firewalld
Source Path firewalld
Port <Unknown>
Host <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.14.3-41.el8_2.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name centos8
Platform Linux centos8 4.18.0-193.19.1.el8_2.x86_64 #1 SMP
                              Mon Sep 14 14:37:00 UTC 2020 x86_64 x86_64
Alert Count 8
First Seen 2020-09-21 17:13:45 EDT
Last Seen 2020-09-21 17:36:17 EDT
Local ID 7f3c9f71-02f2-4dc2-b02e-f3f39cd794bc

Raw Audit Messages
type=AVC msg=audit(1600724177.787:592): avc: denied { read } for pid=7931 comm="firewalld" name="firewalld.conf" dev="dm-0" ino=8863381 scontext=system_u:system_r:firewalld_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0


Hash: firewalld,firewalld_t,user_home_t,file,read

Steps To Reproduce: The error seems to indicate that SELinux isn't letting the firewalld service have read access to the firewalld.conf file.

I save the content of the script in "Additional Information" below to a file I call fwmatch.sh and make it executable. I run with ./fwmatch.sh and enter sudo credentials when prompted.

I get the following errors:

Sep 21 17:36:17 centos8 systemd[1]: Stopped firewalld - dynamic firewall daemon.
Sep 21 17:36:17 centos8 systemd[1]: Starting firewalld - dynamic firewall daemon...
Sep 21 17:36:17 centos8 systemd[1]: Started firewalld - dynamic firewall daemon.
Sep 21 17:36:17 centos8 firewalld[7931]: ERROR: Failed to load '/etc/firewalld/firewalld.conf': [Errno 13] Permission>
Sep 21 17:36:17 centos8 firewalld[7931]: WARNING: [Errno 13] Permission denied: '/etc/firewalld/firewalld.conf'
Sep 21 17:36:17 centos8 firewalld[7931]: WARNING: Using fallback firewalld configuration settings.

I really hope it's not an issue with how I've written the script and sincerely apologize if it is!

Additional Information: Here's the content of a bash script I'm using to check and set some firewall settings in case it is causing issues:

#!/bin/bash

echo "Configuring firewalld to disallow Zone Drifting"
sudo sed -i 's/#\?\(AllowZoneDrifting\s*\).*$/\1 no/' /etc/firewalld/firewalld.conf

OUTPUT=$(sudo firewall-cmd --permanent --list-all | grep services)
if echo "$OUTPUT" | grep -q "ssh"; then
    echo "firewalld is already configured to allow SSH"
    echo "Ensuring firewalld is running"
    sudo systemctl start firewalld
else
    echo "Adding SSH to allowed protocols in firewalld"
    sudo firewall-cmd --permanent --add-service=ssh
    echo "Restarting firewalld"
    sudo systemctl restart firewalld
    echo "Done configuring firewalld"
fi

Tags: firewalld, selinux
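
A triage of the raw audit message quoted in this report, as an added example that is not part of the original report: it pulls the source and target contexts out of the AVC record and separates a file-label problem (a system service denied on a file typed user_home_t) from a missing policy rule. The function names and the list of suspect types are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify an AVC denial as a labeling problem or a policy gap.
# The record below is the raw audit message quoted in the report.
AVC_SAMPLE='type=AVC msg=audit(1600724177.787:592): avc: denied { read } for pid=7931 comm="firewalld" name="firewalld.conf" dev="dm-0" ino=8863381 scontext=system_u:system_r:firewalld_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# avc_field KEY RECORD: print the value of KEY=value, quotes stripped.
avc_field() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | tr -d '"' | head -n 1
}

# ctx_part N CONTEXT: print field N of user:role:type:level (2=role, 3=type).
ctx_part() {
    printf '%s\n' "$2" | cut -d: -f"$1"
}

# avc_perms RECORD: print the denied permissions listed between the braces.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \(.*\) }.*/\1/p'
}

# Assumption: types that a file under a system directory such as /etc should
# not carry; a system_r service denied on one of them points at the file label.
SUSPECT_TYPES='user_home_t admin_home_t user_tmp_t default_t unlabeled_t'

# avc_triage RECORD: print "label", "policy" or "not-a-denial".
avc_triage() {
    case "$1" in
        *avc:*denied*) ;;
        *) echo "not-a-denial"; return 0 ;;
    esac
    srole=$(ctx_part 2 "$(avc_field scontext "$1")")
    ttype=$(ctx_part 3 "$(avc_field tcontext "$1")")
    if [ "$srole" = "system_r" ]; then
        for t in $SUSPECT_TYPES; do
            if [ "$t" = "$ttype" ]; then echo "label"; return 0; fi
        done
    fi
    echo "policy"
}

# avc_report RECORD: one-line summary followed by the suggested next check.
avc_report() {
    verdict=$(avc_triage "$1")
    printf '%s denied { %s } on %s: %s\n' "$(avc_field comm "$1")" \
        "$(avc_perms "$1")" "$(avc_field name "$1")" "$verdict"
    case "$verdict" in
        label)  echo "next: compare 'ls -Z <path>' with 'matchpathcon <path>', then 'restorecon -v <path>'" ;;
        policy) echo "next: review the rule audit2allow proposes before loading a module" ;;
    esac
}

avc_report "$AVC_SAMPLE"
```

The AVC record carries only the file name; the full path, /etc/firewalld/firewalld.conf, comes from the firewalld log lines in the report.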

Activities

Theo0101

2020-09-21 22:36

reporter   ~0037716

Error still occurs after implementing fix recommended by running the following commands:

ausearch -c 'firewalld' --raw | audit2allow -M my-firewalld
semodule -X 300 -i my-firewalld.pp

Output of systemctl status firewalld.service:

● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2020-09-21 17:36:17 EDT; 56min ago
     Docs: man:firewalld(1)
 Main PID: 7931 (firewalld)
    Tasks: 2 (limit: 5032)
   Memory: 23.3M
   CGroup: /system.slice/firewalld.service
           └─7931 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork --nopid

Sep 21 17:36:17 centos8 systemd[1]: Stopped firewalld - dynamic firewall daemon.
Sep 21 17:36:17 centos8 systemd[1]: Starting firewalld - dynamic firewall daemon...
Sep 21 17:36:17 centos8 systemd[1]: Started firewalld - dynamic firewall daemon.
Sep 21 17:36:17 centos8 firewalld[7931]: ERROR: Failed to load '/etc/firewalld/firewalld.conf': [Errno 13] Permission>
Sep 21 17:36:17 centos8 firewalld[7931]: WARNING: [Errno 13] Permission denied: '/etc/firewalld/firewalld.conf'
Sep 21 17:36:17 centos8 firewalld[7931]: WARNING: Using fallback firewalld configuration settings.
Sep 21 18:32:06 centos8 firewalld[7931]: ERROR: Failed to load '/etc/firewalld/firewalld.conf': [Errno 13] Permission>
Sep 21 18:32:06 centos8 firewalld[7931]: ERROR: Failed to load firewalld.conf file '/etc/firewalld/firewalld.conf': [>q
Theo0101

2020-09-21 22:37

reporter   ~0037717

To clarify, the fix was recommended in the output of sealert.
Theo0101

2020-09-21 22:39

reporter   ~0037718

I'm not sure it's relevant as SELinux is doing the blocking, but permissions on /var/log/audit/audit.log are:

-rw-------. 1 root root 530K Sep 21 18:38 /var/log/audit/audit.log
Theo0101

2020-09-21 22:53

reporter   ~0037719

Issue does appear to be related to my script.

My apologies for reporting it as a bug!

If I run the fixes:

sudo ausearch -c 'firewalld' --raw | audit2allow -M my-firewalld
sudo semodule -X 300 -i my-firewalld.pp

then restart firewalld:

sudo systemctl restart firewalld.service

then check the status of firewalld:

sudo systemctl status firewalld.service

I get the following error:

Sep 21 18:48:29 centos8 firewalld[8944]: ERROR: Invalid option definition: 'AllowZoneDrifting no'
Sep 21 18:48:29 centos8 firewalld[8944]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure config>
Theo0101

2020-09-21 23:13

reporter   ~0037720

Damn syntax error in my script.

Changed this line:
sudo sed -i 's/#\?\(AllowZoneDrifting\s*\).*$/\1 no/' /etc/firewalld/firewalld.conf

to this:
sudo sed -i 's/#\?\(AllowZoneDrifting\s*\).*$/\1=no/' /etc/firewalld/firewalld.conf

and it works fine now.

So sorry to waste your valuable time!
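
An anchored form of the corrected edit from the note above, together with a format check to run before restarting firewalld, as an added example that is not the reporter's script. The function names, the key=value line check and the sample configuration are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: set AllowZoneDrifting=no and verify the file before a restart.

# set_conf_option FILE KEY VALUE: rewrite "KEY=..." or "#KEY=..." at the start
# of a line to "KEY=VALUE", or append it when absent. Prose comment lines such
# as "# AllowZoneDrifting" are left alone because the match is anchored.
set_conf_option() {
    file=$1 key=$2 value=$3
    if grep -Eq "^#?${key}[[:space:]]*=" "$file"; then
        sed "s/^#\{0,1\}${key}[[:space:]]*=.*\$/${key}=${value}/" "$file" > "$file.new"
    else
        { cat "$file"; echo "${key}=${value}"; } > "$file.new"
    fi
    # Write back into the existing file so its owner, mode and SELinux label
    # stay as they were, instead of renaming a new file over it.
    cat "$file.new" > "$file" && rm -f "$file.new"
}

# invalid_lines FILE: print lines that are not blank, not comments and not
# key=value, e.g. the "AllowZoneDrifting no" line from the error in the thread.
invalid_lines() {
    grep -Ev '^[[:space:]]*(#.*)?$|^[[:space:]]*[A-Za-z0-9_]+[[:space:]]*=[^=]*$' "$1" || true
}

# safe_to_restart FILE: succeed only when no malformed line remains.
safe_to_restart() {
    [ -z "$(invalid_lines "$1")" ]
}

# Demo on a constructed sample, never on /etc/firewalld/firewalld.conf itself.
demo=$(mktemp)
printf '%s\n' '# AllowZoneDrifting' '#AllowZoneDrifting=yes' 'DefaultZone=public' > "$demo"
set_conf_option "$demo" AllowZoneDrifting no
if safe_to_restart "$demo"; then
    echo "config ok, safe to restart firewalld"
else
    echo "malformed lines, not restarting:"
    invalid_lines "$demo"
fi
rm -f "$demo"
```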
Theo0101

2020-09-21 23:15

reporter   ~0037721

I'm not seeing a way to close the issue.

If anyone's able to direct me to this or close on my behalf, it will be most appreciated.

Thanks!

Issue History

Date Modified Username Field Change
2020-09-21 22:28 Theo0101 New Issue
2020-09-21 22:28 Theo0101 Tag Attached: firewalld
2020-09-21 22:28 Theo0101 Tag Attached: selinux
2020-09-21 22:36 Theo0101 Note Added: 0037716
2020-09-21 22:37 Theo0101 Note Added: 0037717
2020-09-21 22:39 Theo0101 Note Added: 0037718
2020-09-21 22:53 Theo0101 Note Added: 0037719
2020-09-21 23:13 Theo0101 Note Added: 0037720
2020-09-21 23:15 Theo0101 Note Added: 0037721