LinuxQuestions.org
Old 05-02-2008, 12:37 AM   #1
cdhgee
iptables-restore not working with SELinux


I'm trying to use iptables-restore to load an iptables firewall configuration. I have SELinux enabled in enforcing mode. Every time I try to do this, I get a denial from SELinux, and an entry like this in the SELinux troubleshooter:

Code:
Source Context                unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023
Target Context                system_u:object_r:user_home_t:s0
Target Objects                /home/david/firewall-new.conf [ file ]
Source                        iptables-restor
Source Path                   /sbin/iptables-restore
Port                          <Unknown>
Host                          neptune.allpowerfuldave.com
Source RPM Packages           iptables-1.4.0-4.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-42.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     neptune.allpowerfuldave.com
Platform                      Linux neptune.allpowerfuldave.com 2.6.25-8.fc9.x86_64 #1 SMP Wed Apr 23 03:20:41 EDT 2008 x86_64 x86_64
Alert Count                   2
First Seen                    Thu 01 May 2008 11:28:21 PM CDT
Last Seen                     Thu 01 May 2008 11:31:12 PM CDT
Local ID                      24965c2c-e479-426b-8d7d-d3dcadd0bc26
Line Numbers                  

Raw Audit Messages            

host=neptune.allpowerfuldave.com type=AVC msg=audit(1209702672.35:90): avc:  denied  { read } for  pid=7722 comm="iptables-restor" path="/home/david/firewall-new.conf" dev=dm-1 ino=9339518 scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file

host=neptune.allpowerfuldave.com type=SYSCALL msg=audit(1209702672.35:90): arch=c000003e syscall=59 success=yes exit=0 a0=23a15b0 a1=23a1960 a2=23820f0 a3=7fff567bce60 items=0 ppid=7577 pid=7722 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="iptables-restor" exe="/sbin/iptables-restore" subj=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 key=(null)
I'm running Fedora 9 RC, but this happened in previous releases of Fedora too. It's a pain to have to drop back to permissive mode just to have to load or save a firewall config (the same problem occurs with iptables-save) - how can I resolve this? Is it just a problem with the file labelling?

Regards
David
 
Old 05-02-2008, 05:37 AM   #2
unSpawn
Quote:
Originally Posted by cdhgee View Post
host=neptune.allpowerfuldave.com type=AVC msg=audit(1209702672.35:90): avc: denied { read } for pid=7722 comm="iptables-restor" path="/home/david/firewall-new.conf" dev=dm-1 ino=9339518 scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file

Quote:
Originally Posted by cdhgee View Post
I'm running Fedora 9 RC, but this happened in previous releases of Fedora too. It's a pain to have to drop back to permissive mode just to have to load or save a firewall config (the same problem occurs with iptables-save) - how can I resolve this? Is it just a problem with the file labelling?
The problem is not SELinux and not Fedora. The problem is you changed defaults. In a default RH iptables initscript the file to restore iptables rules from is defined as "/etc/sysconfig/iptables". The location you wish to restore iptables rules from is not that location. Your choice of location should not be used to save iptables rules to or restore rules from because it is in a non-system area, meaning integrity cannot be verified: a user can change contents at will.

If you modified the iptables initscript then please change it back to defaults and use the default file location. If you need to change /etc/sysconfig/iptables for testing purposes you can use Sudo ('man sudoers') and say a script:

Code:
#!/bin/sh --
# ^ Script accepts no input from user.
fail() { echo FAILED; exit 1; }
# Expect the file to copy to have this name.
SOURCE="/home/david/iptables"
# Expect this executable script to live here.
[ "$0" = "/usr/local/bin/iptables-test" ] || fail
# If file to copy is empty, exit.
[ -s "${SOURCE}" ] || fail
# Copy file to sysconfig dir, labelled etc_t, keeping a numbered backup of the previous ruleset.
cp "${SOURCE}" -Z system_u:object_r:etc_t --backup=numbered --target-directory=/etc/sysconfig || fail
# Save last ruleset for restore (empty when there was no previous file to back up).
LAST=`/bin/ls -1t /etc/sysconfig/iptables.~* 2>/dev/null | head -1`
# See what a manual test would yield (-t parses the ruleset without committing it).
/sbin/iptables-restore -v -t < /etc/sysconfig/iptables || fail
# Stop iptables, then start. If that fails, put the previous ruleset back,
# but only when a backup exists (redirecting into "" would otherwise truncate the file).
/etc/init.d/iptables stop && \
/etc/init.d/iptables start || { [ -n "${LAST}" ] && cat "${LAST}" > /etc/sysconfig/iptables && /etc/init.d/iptables start; } || fail
exit 0
Test the script before using, and even then YMMV(VM), as usual.


If you do not care for any of that then you can run the AVC message through 'audit2allow' and add the result to your local SELinux policy. I hope that from what I explained you understand why that is not a best practice and not a workaround anyone should be willing to support or use.
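An added example, not from either poster, that applies the reasoning in this reply to the raw AVC record from the first post: it parses the audit line into fields, pulls the source and target SELinux types out of the contexts, and flags the "confined program reading a user_home_t file" pattern as a case for relocating the file to its etc_t location rather than reaching for audit2allow. The sample line is re-typed from post #1; the triage rule and its advice text are this example's own assumptions.

```python
import re

# Constructed sample: the AVC denial quoted in post #1, joined onto one line.
SAMPLE_AVC = ('host=neptune.allpowerfuldave.com type=AVC msg=audit(1209702672.35:90): avc:  denied  '
              '{ read } for  pid=7722 comm="iptables-restor" path="/home/david/firewall-new.conf" '
              'dev=dm-1 ino=9339518 scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 '
              'tcontext=system_u:object_r:user_home_t:s0 tclass=file')

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
_AVC = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')  # decision and permission set

def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None if the line is not an AVC record."""
    m = _AVC.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    fields['decision'] = m.group(1)
    fields['perms'] = m.group(2).split()
    return fields

def selinux_type(context):
    """Type field of a user:role:type[:range] security context."""
    return context.split(':')[2]

def triage(line):
    """Decide what to do about one audit line (rule is an assumption made for this example)."""
    f = parse_avc(line)
    if f is None or f['decision'] != 'denied':
        return {'action': 'ignore'}
    src, tgt = selinux_type(f['scontext']), selinux_type(f['tcontext'])
    path = f.get('path', '<unknown>')
    # A confined tool denied access to a user_home_t file: the file is in the wrong place,
    # so the fix is to install it where the initscript expects it (labelled etc_t), not a policy change.
    if tgt == 'user_home_t' and f.get('tclass') == 'file':
        return {'action': 'relocate', 'source_type': src, 'target_type': tgt,
                'path': path, 'perms': f['perms'],
                'advice': '%s is labelled %s; place it under /etc/sysconfig (etc_t) rather than '
                          'allowing %s to read home directories' % (path, tgt, src)}
    return {'action': 'review', 'source_type': src, 'target_type': tgt, 'path': path, 'perms': f['perms']}

if __name__ == '__main__':
    print(triage(SAMPLE_AVC))
```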
 
Old 05-02-2008, 08:40 AM   #3
cdhgee
I haven't changed anything, especially not the iptables initscript. What I'm trying to do is load a firewall configuration from a file, which happens to reside in my home directory. Reading the man page, iptables-restore should allow me to do that - it always has in the past. It shouldn't matter where the file resides.

What is the correct "selinux-approved" way of running iptables-restore?
 
Old 05-02-2008, 01:01 PM   #4
unSpawn
Quote:
Originally Posted by cdhgee View Post
What is the correct "selinux-approved" way of running iptables-restore?
There is no "SELinux approved way" AFAIK, it's just the lines between admin and user domain. If you look at /etc/rc.d/init.d/iptables you see a start() and a save() function. When you start iptables the start() function loads rules from /etc/sysconfig/iptables, and when you stop iptables (when /etc/sysconfig/iptables-config has IPTABLES_SAVE_ON_STOP="yes") it uses save() to put rules in /etc/rc.d/init.d/iptables.save. So all the service needs resides in /etc. Being root, the safest way would be to make a backup first either manually copying /etc/rc.d/init.d/iptables to say /etc/rc.d/init.d/iptables.bak or by setting IPTABLES_SAVE_ON_STOP="yes", stopping iptables, catting /home/david/firewall-new.conf > /etc/rc.d/init.d/iptables, then starting iptables. If you don't care for backups you can just cat /home/david/firewall-new.conf > /etc/rc.d/init.d/iptables (if you copy you have to 'chcon' the destination) and restart iptables. Again, note that if you want to force your machine to accept your behaviour you can run the original AVC message through 'audit2allow' and build a local SELinux policy easily.
Tags
iptables, selinux