05-01-2008, 11:37 PM
#1
Member
Registered: Oct 2003
Location: St Paul, MN
Distribution: Fedora 8, Fedora 9
Posts: 513
iptables-restore not working with SELinux
I'm trying to use iptables-restore to load an iptables firewall configuration. I have SELinux enabled in enforcing mode. Every time I try to do this, I get a denial from SELinux, and an entry like this in the SELinux troubleshooter:
Code:
Source Context unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023
Target Context system_u:object_r:user_home_t:s0
Target Objects /home/david/firewall-new.conf [ file ]
Source iptables-restor
Source Path /sbin/iptables-restore
Port <Unknown>
Host neptune.allpowerfuldave.com
Source RPM Packages iptables-1.4.0-4.fc9
Target RPM Packages
Policy RPM selinux-policy-3.3.1-42.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name home_tmp_bad_labels
Host Name neptune.allpowerfuldave.com
Platform Linux neptune.allpowerfuldave.com 2.6.25-8.fc9.x86_64 #1 SMP Wed Apr 23 03:20:41 EDT 2008 x86_64 x86_64
Alert Count 2
First Seen Thu 01 May 2008 11:28:21 PM CDT
Last Seen Thu 01 May 2008 11:31:12 PM CDT
Local ID 24965c2c-e479-426b-8d7d-d3dcadd0bc26
Line Numbers
Raw Audit Messages
host=neptune.allpowerfuldave.com type=AVC msg=audit(1209702672.35:90): avc: denied { read } for pid=7722 comm="iptables-restor" path="/home/david/firewall-new.conf" dev=dm-1 ino=9339518 scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file
host=neptune.allpowerfuldave.com type=SYSCALL msg=audit(1209702672.35:90): arch=c000003e syscall=59 success=yes exit=0 a0=23a15b0 a1=23a1960 a2=23820f0 a3=7fff567bce60 items=0 ppid=7577 pid=7722 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="iptables-restor" exe="/sbin/iptables-restore" subj=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 key=(null)
I'm running Fedora 9 RC, but this happened in previous releases of Fedora too. It's a pain to have to drop back to permissive mode just to have to load or save a firewall config (the same problem occurs with iptables-save) - how can I resolve this? Is it just a problem with the file labelling?
Regards
David
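As an added example (not code from the thread), here is a small POSIX shell triage helper that pulls the source domain, the denied permission, the target type and the path out of raw AVC records like the one pasted above, and then filters a log for denials whose target carries a home-directory label. The sample log is constructed: David's denial, its SYSCALL companion, and an unrelated made-up httpd record so the filter has something to ignore. The function names (avc_field, avc_perm, type_of, avc_summary, home_label_denials) are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. Helper names are my own choices.

# Constructed sample log: the denial posted above, its SYSCALL companion, and
# an unrelated made-up httpd record so the filter has something to ignore.
LOG='type=AVC msg=audit(1209702672.35:90): avc: denied { read } for pid=7722 comm="iptables-restor" path="/home/david/firewall-new.conf" dev=dm-1 ino=9339518 scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1209702672.35:90): arch=c000003e syscall=59 success=yes exit=0 comm="iptables-restor" exe="/sbin/iptables-restore"
type=AVC msg=audit(1209702700.10:91): avc: denied { getattr } for pid=7800 comm="httpd" path="/var/www/html/index.html" dev=dm-1 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file'

# avc_field RECORD KEY -> value of KEY=value (surrounding quotes stripped).
avc_field() {
    printf '%s\n' "$1" |
        sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm RECORD -> the permission named inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# type_of CONTEXT -> the type field of user:role:type[:range].
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary RECORD -> "source_type perm target_type class path"
avc_summary() {
    rec=$1
    printf '%s %s %s %s %s\n' \
        "$(type_of "$(avc_field "$rec" scontext)")" \
        "$(avc_perm "$rec")" \
        "$(type_of "$(avc_field "$rec" tcontext)")" \
        "$(avc_field "$rec" tclass)" \
        "$(avc_field "$rec" path)"
}

# home_label_denials (reads records on stdin) -> summaries of AVC denials whose
# target carries a home-directory type (*_home_t). Under the targeted policy a
# confined domain such as iptables_t has no rule for those types, so a hit here
# points at where the file lives, not at the program being run.
home_label_denials() {
    while IFS= read -r line; do
        case "$line" in
            *"avc:"*"denied {"*) ;;
            *) continue ;;
        esac
        case "$(type_of "$(avc_field "$line" tcontext)")" in
            *_home_t) avc_summary "$line" ;;
        esac
    done
}

printf '%s\n' "$LOG" | home_label_denials
# -> iptables_t read user_home_t file /home/david/firewall-new.conf
```

The one line of output reads directly as "the iptables_t domain was denied read on a user_home_t file", which is the whole diagnosis: the confined domain and the home-directory label are the two things that do not go together, and the path in the last column is what has to change. Feeding `ausearch -m avc` output through the same function works the same way, since real records only differ by the double space after "avc:".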
05-02-2008, 04:37 AM
#2
Moderator
Registered: May 2001
Posts: 24,964
Quote:
Originally Posted by cdhgee
host=neptune.allpowerfuldave.com type=AVC msg=audit(1209702672.35:90): avc: denied { read } for pid=7722 comm="iptables-restor" path="/home/david/firewall-new.conf" dev=dm-1 ino=9339518 scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file
Quote:
Originally Posted by cdhgee
I'm running Fedora 9 RC, but this happened in previous releases of Fedora too. It's a pain to have to drop back to permissive mode just to have to load or save a firewall config (the same problem occurs with iptables-save) - how can I resolve this? Is it just a problem with the file labelling?
The problem is not SELinux and not Fedora. The problem is you changed defaults. In a default RH iptables initscript the file to restore iptables rules from is defined as "/etc/sysconfig/iptables". The location you wish to restore iptables rules from is not that location. Your choice of location should not be used to save iptables rules to or restore rules from because it is in a non-system area, meaning integrity cannot be verified: a user can change contents at will.
If you modified the iptables initscript then please change it back to defaults and use the default file location. If you need to change /etc/sysconfig/iptables for testing purposes you can use Sudo ('man sudoers') and say a script:
Code:
#!/bin/sh --
# ^ Script accepts no input from user.
fail() { echo FAILED; exit 1; }
# Expect the file to copy to have this name.
SOURCE="/home/david/iptables"
# Expect this executable script to live here.
[ "$0" = "/usr/local/bin/iptables-test" ] || fail
# If file to copy is empty, exit.
[ -s "${SOURCE}" ] || fail
# Copy file to sysconfig dir with the etc_t label, keeping a numbered backup of the previous file.
cp "${SOURCE}" -Z system_u:object_r:etc_t --backup=numbered --target-directory=/etc/sysconfig || fail
# Save last ruleset for restore (empty on the very first run, when no backup exists yet).
LAST=`/bin/ls -1t /etc/sysconfig/iptables.~* 2>/dev/null | head -1`
# See what a manual test would yield.
/sbin/iptables-restore -v -t < /etc/sysconfig/iptables || fail
# Stop iptables, then start. If start fails and a backup exists, put it back and start again.
/etc/init.d/iptables stop && \
/etc/init.d/iptables start || { [ -n "${LAST}" ] && cat "${LAST}" > /etc/sysconfig/iptables && /etc/init.d/iptables start; }
exit 0
Test the script before using it, and even then YMMV(VM), as usual.
If you do not care for any of that then you can run the AVC message through 'audit2allow' and add the result to your local SELinux policy. I hope that from what I explained you understand why that is not a best practice and not a workaround anyone should be willing to support or use.
05-02-2008, 07:40 AM
#3
Member
Registered: Oct 2003
Location: St Paul, MN
Distribution: Fedora 8, Fedora 9
Posts: 513
Original Poster
I haven't changed anything, especially not the iptables initscript. What I'm trying to do is load a firewall configuration from a file, which happens to reside in my home directory. Reading the man page, iptables-restore should allow me to do that - it always has in the past. It shouldn't matter where the file resides.
What is the correct "selinux-approved" way of running iptables-restore?
05-02-2008, 12:01 PM
#4
Moderator
Registered: May 2001
Posts: 24,964
Quote:
Originally Posted by cdhgee
What is the correct "selinux-approved" way of running iptables-restore?
There is no "SELinux approved way" AFAIK, it's just the lines between admin and user domain. If you look at /etc/rc.d/init.d/iptables you see a start() and a save() function. When you start iptables the start() function loads rules from /etc/sysconfig/iptables, and when you stop iptables (when /etc/sysconfig/iptables-config has IPTABLES_SAVE_ON_STOP="yes") it uses save() to put rules in /etc/rc.d/init.d/iptables.save. So all the service needs resides in /etc. Being root, the safest way would be to make a backup first either manually copying /etc/rc.d/init.d/iptables to say /etc/rc.d/init.d/iptables.bak or by setting IPTABLES_SAVE_ON_STOP="yes", stopping iptables, catting /home/david/firewall-new.conf > /etc/rc.d/init.d/iptables, then starting iptables. If you don't care for backups you can just cat /home/david/firewall-new.conf > /etc/rc.d/init.d/iptables (if you copy you have to 'chcon' the destination) and restart iptables. Again, note that if you want to force your machine to accept your behaviour you can run the original AVC message through 'audit2allow' and build a local SELinux policy easily.