How do i give permission to firewalld's "ifcfg-eth0" ? [SOLVED]
Hi there, I've got a little issue: when I start firewalld while SELinux is enabled I get the following error:
ERROR: Failed to load '/etc/sysconfig/network-scripts/ifcfg-eth0': [Errno 13] Permission denied: '/etc/sysconfig/network-scripts/ifcfg-eth0'
which also generates this other error:
ERROR: Calling post func <function ifcfg_set_zone_of_interface at 0x7fc8c0de7aa0>(('', 'eth0')) failed: [Errno 13] Permission denied: '/etc/sysconfig/network-scripts/ifcfg-eth0'
I've tried looking up similar errors on Google, but it didn't help me much (if I restart firewalld while SELinux is "Permissive" (setenforce 0) the error disappears; after that I can re-enable SELinux and then everything looks smooth, but I'd like to fix it properly to avoid possible issues).
Any help will be much appreciated ^^
4 Replies
@thesmerdo, I think I found the answer, but there is a caveat.
The quick answer
To resolve…
Temporarily:
# chcon -t net_conf_t /etc/sysconfig/network-scripts/ifcfg-eth0
# systemctl restart firewalld.service
Permanently (see caveat below):
# yum install policycoreutils-python
# semanage fcontext -a -t net_conf_t /etc/sysconfig/network-scripts/ifcfg-eth0
# restorecon -R /etc/sysconfig/network-scripts/ifcfg-eth0
# systemctl restart firewalld.service
The full answer
I'll start off saying that the Gentoo wiki was a big help in this.
I'm seeing the same issue on a fresh boot of CentOS 7. For those that come after, this is what the systemctl status will look like.
# systemctl status -l firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2018-07-29 13:27:56 UTC; 1min 26s ago
Docs: man:firewalld(1)
Main PID: 502 (firewalld)
CGroup: /system.slice/firewalld.service
└─502 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
Jul 29 13:27:55 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
Jul 29 13:27:56 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
Jul 29 13:27:56 localhost.localdomain firewalld[502]: ERROR: Failed to load '/etc/sysconfig/network-scripts/ifcfg-eth0': [Errno 13] Permission denied: '/etc/sysconfig/network-scripts/ifcfg-eth0'
Jul 29 13:27:56 localhost.localdomain firewalld[502]: ERROR: Calling post func <function ifcfg_set_zone_of_interface at 0x7fc93885aaa0>(('', 'eth0')) failed: [Errno 13] Permission denied: '/etc/sysconfig/network-scripts/ifcfg-eth0'
When digging deeper, it was in fact SELinux. These are the lines pertaining to ifcfg in the audit logs.
# grep ifcfg /var/log/audit/audit.log
type=AVC msg=audit(1532870876.881:83): avc: denied { getattr } for pid=502 comm="firewalld" path="/etc/sysconfig/network-scripts/ifcfg-eth0" dev="sda" ino=13 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1532870876.881:84): avc: denied { read } for pid=502 comm="firewalld" name="ifcfg-eth0" dev="sda" ino=13 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Apply the changes above.
Once you have identified this, the changes can be applied. Everything should now be working as expected.
You can confirm this worked with the following:
Before running commands above:
# ls -lZd /etc/sysconfig/network-scripts
drwxr-xr-x. root root system_u:object_r:net_conf_t:s0 /etc/sysconfig/network-scripts
# ls -lZd /etc/sysconfig/network-scripts/ifcfg-eth0
-rw-r--r--. root root system_u:object_r:unlabeled_t:s0 /etc/sysconfig/network-scripts/ifcfg-eth0
After:
# ls -lZd /etc/sysconfig/network-scripts/
drwxr-xr-x. root root system_u:object_r:net_conf_t:s0 /etc/sysconfig/network-scripts/
# ls -lZd /etc/sysconfig/network-scripts/ifcfg-eth0
-rw-r--r--. root root system_u:object_r:net_conf_t:s0 /etc/sysconfig/network-scripts/ifcfg-eth0
The main point is the change from unlabeled_t to net_conf_t.
Reboot preparation (The caveat)
If you have Network Helper enabled in the Linode's configuration profile, this will not survive a reboot. You will need to disable Auto-configure networking in the Linode's Configuration Profile and save.
Network Helper, when enabled in the Linode's configuration profile, will back up and then overwrite /etc/sysconfig/network-scripts/ifcfg-eth0. At this time, it is not setting context labels properly, causing the firewalld issues with SELinux above.
Sorry, I should have shared more info.
@thesmerdo an update (on CentOS 7) did literally fix my problem.
On another system "ifcfg-eth0" was simply owned by the wrong user, and giving the right ownership to the file also solved the issue, again.
If you run into
ERROR: Failed to load '/etc/sysconfig/network-scripts/ifcfg-eth0': [Errno 13] Permission denied: '/etc/sysconfig/network-scripts/ifcfg-eth0'
after a fresh install of your OS with a LEMP or LAMP stack, you may want to check your SELinux error log. If SELinux is denying the use of ifcfg-eth0, you should give it access:
ausearch -m avc --start recent
The above command will print the most recent denials; copy the AVC denial message and use audit2allow to give permissions:
# paste the AVC denial message printed by ausearch between the _EOF_ markers, for example:
audit2allow -M local-policy-example-name << _EOF_
msg=audit(1535735404.693:54497): avc: denied { open } for pid=32160 comm="firewalld" path="/etc/sysconfig/network-scripts/ifcfg-eth0" dev="sda" ino=18281 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
_EOF_
You may also want to check that the file actually exists and, if it does, that its current permissions are not too restrictive.
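As an added example (not from this thread, nor from the firewalld or SELinux projects) tying the relabel steps in the first answer to the audit2allow approach in the last: a POSIX sh helper that reads one AVC record of the shape shown above and reports whether the target is merely mislabeled (fix with restorecon/semanage, as in the first answer) or the label is already right and the denial is a real policy gap (where audit2allow applies). The sample record is constructed, and the expected type is passed in by hand; on a real host it would come from matchpathcon, as the comment notes.

```shell
#!/bin/sh
# Classify an AVC denial before reaching for audit2allow: an allow rule for
# firewalld_t on unlabeled_t would cover every unlabeled file, while the
# ifcfg case above only needs the correct net_conf_t label restored.
# Constructed sample record (same shape as the audit.log lines in the thread):
SAMPLE_AVC='type=AVC msg=audit(1532870876.881:83): avc:  denied  { getattr } for  pid=502 comm="firewalld" path="/etc/sysconfig/network-scripts/ifcfg-eth0" dev="sda" ino=13 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file'

# avc_field LINE KEY -> value of KEY=... in the record, quotes stripped
avc_field() {
    printf '%s\n' "$1" |
        sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# ctx_type CONTEXT -> the type field of user:role:type:level
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify_avc LINE EXPECTED_TYPE
#   relabel : target's type differs from what its path should carry
#             (unlabeled_t instead of net_conf_t in the thread above)
#   policy  : label is already right, so the denial is a genuine policy gap
#   unknown : no tcontext in the record
# On a real system EXPECTED_TYPE comes from the loaded policy's file contexts:
#   ctx_type "$(matchpathcon -n /etc/sysconfig/network-scripts/ifcfg-eth0)"
classify_avc() {
    ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    if [ -z "$ttype" ]; then echo unknown
    elif [ "$ttype" != "$2" ]; then echo relabel
    else echo policy
    fi
}

# suggest_fix LINE EXPECTED_TYPE -> the command to run for this record.
# restorecon alone is enough when matchpathcon already returns EXPECTED_TYPE;
# the semanage rule is what the thread used to make a custom label persist.
suggest_fix() {
    target=$(avc_field "$1" path)
    [ -n "$target" ] || target=$(avc_field "$1" name)
    case $(classify_avc "$1" "$2") in
        relabel) echo "semanage fcontext -a -t $2 $target && restorecon -v $target" ;;
        policy)  echo "audit2allow -M local-policy-example-name  # review the generated .te before semodule -i" ;;
        *)       echo "unparseable record: $1" ;;
    esac
}

suggest_fix "$SAMPLE_AVC" net_conf_t
```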