How do I give permission to firewalld's "ifcfg-eth0"? [SOLVED]

Hi there, I've got a little issue: when I start firewalld while SELinux is enabled I get the following error:

ERROR: Failed to load '/etc/sysconfig/network-scripts/ifcfg-eth0': [Errno 13] Permission denied: '/etc/sysconfig/network-scripts/ifcfg-eth0'

which also generates this other error:

ERROR: Calling post func <function ifcfg_set_zone_of_interface at 0x7fc8c0de7aa0>(('', 'eth0')) failed: [Errno 13] Permission denied: '/etc/sysconfig/network-scripts/ifcfg-eth0'

I've tried to look up similar errors on Google but it didn't help me much (if I restart firewalld while SELinux is "Permissive" -setenforce 0- the error disappears; after that I can re-enable SELinux and then everything looks smooth, but I'd like to fix it properly to avoid possible issues).

Any help will be much appreciated ^^

4 Replies

All good.. a little update fixed the problem ^^"

So what was the little update @frogzilla ? I'm presently faced with the same problem

@thesmerdo, I think I found the answer, but there is a caveat.

The quick answer

To resolve…

Temporarily:

# chcon -t net_conf_t /etc/sysconfig/network-scripts/ifcfg-eth0
# systemctl restart firewalld.service

Permanently (See caveat below)

# yum install policycoreutils-python
# semanage fcontext -a -t net_conf_t /etc/sysconfig/network-scripts/ifcfg-eth0
# restorecon -R /etc/sysconfig/network-scripts/ifcfg-eth0
# systemctl restart firewalld.service

The full answer

I'll start off saying that the Gentoo wiki was a big help in this.

Gentoo Wiki - SELinux Labels

I'm seeing the same issue on a fresh boot of CentOS 7. For those that come after, this is what the systemctl status will look like.

# systemctl status -l firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2018-07-29 13:27:56 UTC; 1min 26s ago
     Docs: man:firewalld(1)
 Main PID: 502 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─502 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Jul 29 13:27:55 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
Jul 29 13:27:56 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
Jul 29 13:27:56 localhost.localdomain firewalld[502]: ERROR: Failed to load '/etc/sysconfig/network-scripts/ifcfg-eth0': [Errno 13] Permission denied: '/etc/sysconfig/network-scripts/ifcfg-eth0'
Jul 29 13:27:56 localhost.localdomain firewalld[502]: ERROR: Calling post func <function ifcfg_set_zone_of_interface at 0x7fc93885aaa0>(('', 'eth0')) failed: [Errno 13] Permission denied: '/etc/sysconfig/network-scripts/ifcfg-eth0'

When digging deeper, it was, in fact, SELinux. These are the lines pertaining to ifcfg in the audit logs.

# grep ifcfg /var/log/audit/audit.log
type=AVC msg=audit(1532870876.881:83): avc:  denied  { getattr } for  pid=502 comm="firewalld" path="/etc/sysconfig/network-scripts/ifcfg-eth0" dev="sda" ino=13 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1532870876.881:84): avc:  denied  { read } for  pid=502 comm="firewalld" name="ifcfg-eth0" dev="sda" ino=13 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file

Apply the changes above.

Once you have identified this, the changes can be applied. Everything should now be working as expected.

You can confirm this worked with the following:

Before running commands above:

# ls -lZd /etc/sysconfig/network-scripts
drwxr-xr-x. root root system_u:object_r:net_conf_t:s0  /etc/sysconfig/network-scripts
# ls -lZd /etc/sysconfig/network-scripts/ifcfg-eth0
-rw-r--r--. root root system_u:object_r:unlabeled_t:s0 /etc/sysconfig/network-scripts/ifcfg-eth0

After:

# ls -lZd /etc/sysconfig/network-scripts/
drwxr-xr-x. root root system_u:object_r:net_conf_t:s0  /etc/sysconfig/network-scripts/
# ls -lZd /etc/sysconfig/network-scripts/ifcfg-eth0
-rw-r--r--. root root system_u:object_r:net_conf_t:s0  /etc/sysconfig/network-scripts/ifcfg-eth0

The main point is the change from unlabeled_t to net_conf_t.

Reboot preparation (The caveat)

If you have Network Helper enabled in the Linode's configuration profile, this will not survive a reboot. You will need to disable Auto-configure networking in the Linode's Configuration Profile and save.

Linode Docs - Network Helper

Network Helper, when enabled in the Linode's configuration profile, will back up and then overwrite /etc/sysconfig/network-scripts/ifcfg-eth0. At this time, it is not setting context labels properly, causing the firewalld issues with SELinux above.

Sorry, I should have shared more info:
@thesmerdo, an update (on CentOS 7) did literally fix my problem.

On another system "ifcfg-eth0" was simply owned by the wrong user, and giving the right ownership to the file also solved the issue, again.

If you run into

ERROR: Failed to load '/etc/sysconfig/network-scripts/ifcfg-eth0': [Errno 13] Permission denied: '/etc/sysconfig/network-scripts/ifcfg-eth0'

after a fresh install of your OS with a LEMP or LAMP stack, you may want to check your SELinux error log. If SELinux is denying the use of ifcfg-eth0, you should give it access:

ausearch -m avc --start recent

The above command will print the most recent denials; copy the denial AVC message and use audit2allow to give permissions:

audit2allow -M local-policy-example-name << _EOF_
# paste the AVC message here (non-AVC lines are ignored by audit2allow), for example:
msg=audit(1535735404.693:54497): avc: denied { open } for pid=32160 comm="firewalld" path="/etc/sysconfig/network-scripts/ifcfg-eth0" dev="sda" ino=18281 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
_EOF_
# audit2allow -M only builds the module; load it with:
semodule -i local-policy-example-name.pp

You may also want to check if the file actually exists and, if it does, also check that the current permissions are not too restrictive.
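As an added example (not code from any post in this thread), the script below ties together the two diagnostic approaches above: it parses AVC denial lines of the kind quoted from audit.log and from ausearch, reports which process was denied access to which object with what source and target types, and derives the chcon / semanage fcontext / restorecon sequence from the earlier answer when the file's type (here unlabeled_t) does not match its directory's (net_conf_t). It assumes a POSIX sh with sed, cut and grep; the SAMPLE_AVC text is constructed from the two denials shown earlier and the directory and file types are passed in by hand, since on a live host they would come from `ls -Zd`.

```shell
#!/bin/sh
# Added example, not code from the thread: parse firewalld AVC denials and derive
# the relabel steps (chcon / semanage fcontext / restorecon) from the earlier answer.
# Assumes POSIX sh with sed, cut and grep. SAMPLE_AVC is constructed from the two
# denial lines quoted in the thread; on a real host feed in `ausearch -m avc --start recent`.

SAMPLE_AVC='type=AVC msg=audit(1532870876.881:83): avc:  denied  { getattr } for  pid=502 comm="firewalld" path="/etc/sysconfig/network-scripts/ifcfg-eth0" dev="sda" ino=13 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1532870876.881:84): avc:  denied  { read } for  pid=502 comm="firewalld" name="ifcfg-eth0" dev="sda" ino=13 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file'

# avc_field LINE KEY: print the value of KEY=... from one AVC line, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# ctx_type CONTEXT: the type field of an SELinux context
# (system_u:object_r:unlabeled_t:s0 -> unlabeled_t)
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# summarize_denials LOGTEXT: one line per denial: comm, object, source type, target type.
# Some AVC records carry path=, others only name=; fall back to name= when path= is absent.
summarize_denials() {
    printf '%s\n' "$1" | grep 'avc:[[:space:]]*denied' | while IFS= read -r line; do
        obj=$(avc_field "$line" path)
        [ -n "$obj" ] || obj=$(avc_field "$line" name)
        printf '%s %s %s %s\n' "$(avc_field "$line" comm)" "$obj" \
            "$(ctx_type "$(avc_field "$line" scontext)")" \
            "$(ctx_type "$(avc_field "$line" tcontext)")"
    done
}

# relabel_plan FILE DIR_TYPE FILE_TYPE: when the file's type differs from its directory's
# (the thread's unlabeled_t vs net_conf_t case), print the relabel commands to run as root;
# otherwise report that the label is already consistent. Relabeling is the right fix when
# the target type is unlabeled_t: the file lost its label, the policy itself is not wrong,
# so widening policy with an audit2allow module is not needed.
relabel_plan() {
    file=$1; dir_type=$2; file_type=$3
    if [ "$file_type" = "$dir_type" ]; then
        printf 'ok: %s already labeled %s\n' "$file" "$file_type"
        return 0
    fi
    printf 'chcon -t %s %s\n' "$dir_type" "$file"
    printf 'semanage fcontext -a -t %s %s\n' "$dir_type" "$file"
    printf 'restorecon -v %s\n' "$file"
}

# Demo on the constructed sample. On a live host, DIR_TYPE and FILE_TYPE would be read
# from `ls -Zd` of the directory and of the file, as in the thread's before/after listing.
summarize_denials "$SAMPLE_AVC"
relabel_plan /etc/sysconfig/network-scripts/ifcfg-eth0 net_conf_t unlabeled_t
```

The summary line makes the mismatch obvious at a glance (firewalld_t trying to read an unlabeled_t file under a net_conf_t directory), and the plan output is exactly the three commands from the earlier answer, so the script can be run read-only first and the printed commands applied afterwards; `semanage fcontext` is what makes the label survive a later restorecon, which is why it is listed alongside chcon.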
