Bug 1001406
Summary: SELinux is preventing iptables (iptables_t) "read write" to socket (initrc_t)

Field | Value
---|---
Product | Red Hat Enterprise Linux 5
Reporter | jessicahu <jessicahu0118>
Component | selinux-policy
Assignee | Miroslav Grepl <mgrepl>
Status | CLOSED WONTFIX
QA Contact | BaseOS QE Security Team <qe-baseos-security>
Severity | high
Docs Contact |
Priority | unspecified
Version | 5.9
CC | daniel, dwalsh, eparis, jessicahu0118, mmalik
Target Milestone | rc
Target Release | ---
Hardware | x86_64
OS | Linux
Whiteboard |
Fixed In Version |
Doc Type | Bug Fix
Doc Text |
Story Points | ---
Clone Of |
Environment |
Last Closed | 2014-03-24 13:51:23 UTC
Type | Bug
Regression | ---
Mount Type | ---
Documentation | ---
CRM |
Verified Versions |
Category | ---
oVirt Team | ---
RHEL 7.3 requirements from Atomic Host |
Cloudforms Team | ---
Target Upstream Version |
Embargoed |
Description

jessicahu, 2013-08-27 01:58:08 UTC

What does $ ps -eZ |grep initrc

Oh~Sorry.. Here is my information:

```
[root@mail ~]# ps -eZ | grep initrc
system_u:system_r:initrc_t 2679 ? 00:00:08 vmtoolsd
system_u:system_r:initrc_t 3693 ? 00:00:08 fail2ban-server
system_u:system_r:initrc_t 3695 ? 00:00:02 gam_server
```

While adding a fail2ban rule to run an iptables rule, can rules be added to allow the connection to ipset to create ipsets and to add and remove elements from ipsets? I realise it may be a couple of releases off being used.

https://github.com/fail2ban/fail2ban/blob/master/config/action.d/iptables-ipset-proto6.conf

This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.

FYI, fail2ban now has actions for firewalld (https://github.com/fail2ban/fail2ban/blob/master/config/action.d/firewallcmd-ipset.conf / https://github.com/fail2ban/fail2ban/blob/master/config/action.d/firewallcmd-new.conf) that were included in the 0.8.12 release of fail2ban. In https://github.com/grooverdan/fail2ban/tree/firewalld.py I'm working on a python implementation and the ipset implementation (when I get it working); I'm planning on donating it to firewalld (https://fedorahosted.org/firewalld/ticket/12). If supporting a wide(r) range of selinux permissions for fail2ban isn't an option, perhaps the firewalld interface will be sufficient for RHEL. If there's a direction you'd like fail2ban to take in its development to make it easier, please let us know.

Daniel Black
fail2ban dev

We are not going to turn policies on for these services in RHEL5. You will need to add a local policy to make it work.
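The closing comment points at a local policy module as the RHEL 5 answer. Below is an added example of what that module looks like, written for this note and not taken from the bug or from the selinux-policy package; it assumes the denied object class is `unix_stream_socket` (the report only says "socket", so the real class and permissions must be read from the AVC record in `/var/log/audit/audit.log` or `ausearch -m avc -c iptables`), and the module name `fail2ban_iptables_local` is our own choice.

```shell
#!/bin/sh
# Added example: a minimal local SELinux policy module granting iptables_t
# read/write on an initrc_t socket, which is the denial in this bug
# (fail2ban runs as initrc_t and spawns iptables, which inherits the socket).
# ASSUMPTIONS: object class unix_stream_socket (the bug only says "socket";
# confirm it from the AVC message before loading) and the module name below.

MODNAME=fail2ban_iptables_local

# Emit the type-enforcement source. Keep it to the single allow rule the
# AVC needs; do not widen initrc_t or iptables_t beyond that.
gen_te() {
    cat <<EOF
module ${MODNAME} 1.0;

require {
    type iptables_t;
    type initrc_t;
    class unix_stream_socket { read write };
}

# iptables, started by a fail2ban running as initrc_t, inherits that
# process's socket and needs read/write on it.
allow iptables_t initrc_t:unix_stream_socket { read write };
EOF
}

# Compile and load the module. Needs checkpolicy/policycoreutils and root;
# returns 1 without touching the system when the tools are absent.
build_and_load() {
    command -v checkmodule >/dev/null 2>&1 || return 1
    command -v semodule_package >/dev/null 2>&1 || return 1
    gen_te > "${MODNAME}.te"
    checkmodule -M -m -o "${MODNAME}.mod" "${MODNAME}.te" || return 1
    semodule_package -o "${MODNAME}.pp" -m "${MODNAME}.mod" || return 1
    semodule -i "${MODNAME}.pp"
}
```

After loading, re-run the fail2ban action and confirm no new AVC for iptables_t appears; if `audit2allow -a` proposes additional rules, review each one rather than loading its output wholesale.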