Bug 1030627

Summary: iptables restart fails on OpenShift on RHEL 6.5
Product: Red Hat Enterprise Linux 6
Reporter: Mrunal Patel <mpatel>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high
Docs Contact:
Priority: unspecified
Version: 6.5
CC: admiller, dwalsh, mmalik
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-11-15 18:16:08 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1030780
Bug Blocks:

Description Mrunal Patel 2013-11-14 20:12:18 UTC
Description of problem:
iptables restart fails on OpenShift on RHEL 6.5

Applying this rule gets us past the issue:

    module iprule2 1.0;
     
    require {
            type admin_home_t;
            type iptables_t;
            class file { read open };
    }
     
    #============= iptables_t ==============
    allow iptables_t admin_home_t:file open;
     
    #!!!! This avc is allowed in the current policy
    allow iptables_t admin_home_t:file read;
Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Spin up OpenShift with RHEL 6.5
2. iptables restart

Actual results:
[~]# service iptables restart
iptables: Applying firewall rules: Can't open /etc/sysconfig/iptables: Permission denied
                                                           [FAILED]


Expected results:
[~]# service iptables restart
iptables: Applying firewall rules:                         [  OK  ]

Comment 1 Milos Malik 2013-11-14 20:22:43 UTC
What is the output of the following command on your machine?

# ls -Z /etc/sysconfig/iptables*

Comment 3 Adam Miller 2013-11-14 20:45:00 UTC
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /etc/sysconfig/iptables

Comment 4 Adam Miller 2013-11-14 20:47:39 UTC
Apologies.

-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /etc/sysconfig/iptables
-rw-------. root root system_u:object_r:system_conf_t:s0 /etc/sysconfig/iptables-config

Comment 5 Milos Malik 2013-11-15 08:02:48 UTC
Please run "restorecon -Rv /etc" on your machine. The /etc/sysconfig/iptables file is mislabeled. Possible cause: it was moved from the /root directory into the /etc/sysconfig directory (mv preserves the SELinux context, cp does not).

According to the SELinux policy, the files should have the following labels:
# matchpathcon /etc/sysconfig/iptables
/etc/sysconfig/iptables	system_u:object_r:system_conf_t:s0
# matchpathcon /etc/sysconfig/iptables-config
/etc/sysconfig/iptables-config	system_u:object_r:system_conf_t:s0
#

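As an added example (not part of the bug report or of OpenShift's code), the check Milos Malik describes above, automated in Python over constructed copies of the `ls -Z` and `matchpathcon` output quoted in this thread: it flags files whose SELinux type differs from what the policy expects and emits a per-file restorecon command. The `ls -Z` column layout assumed is the RHEL 6 one shown in comment 4.

```python
"""Detect SELinux file-label mismatches from `ls -Z` and `matchpathcon` output."""
import re

# Constructed samples taken from the labels reported in this bug: what the files
# actually carried (ls -Z) versus what the policy expects (matchpathcon).
LS_Z_OUTPUT = """\
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /etc/sysconfig/iptables
-rw-------. root root system_u:object_r:system_conf_t:s0 /etc/sysconfig/iptables-config
"""
MATCHPATHCON_OUTPUT = """\
/etc/sysconfig/iptables\tsystem_u:object_r:system_conf_t:s0
/etc/sysconfig/iptables-config\tsystem_u:object_r:system_conf_t:s0
"""
CONTEXT_RE = re.compile(r"^[^:\s]+:[^:\s]+:[^:\s]+:\S+$")  # user:role:type:level

def parse_ls_z(text):
    """Map path -> context from RHEL 6 `ls -Z` lines (mode owner group context path)."""
    result = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not CONTEXT_RE.match(fields[3]):
            continue  # 'total N', blank lines, or entries without a context
        result[" ".join(fields[4:])] = fields[3]
    return result

def parse_matchpathcon(text):
    """Map path -> expected context from `matchpathcon` lines (path<TAB>context)."""
    result = {}
    for line in text.splitlines():
        if "\t" in line:
            path, context = line.rsplit("\t", 1)
            result[path] = context
    return result

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def find_mislabeled(actual, expected):
    """Return [(path, actual_type, expected_type)] for each path whose type differs."""
    # Only the type is compared: it is what type enforcement decides on and what
    # restorecon resets; the user field (unconfined_u vs system_u) is left alone.
    return [(p, selinux_type(c), selinux_type(expected[p]))
            for p, c in actual.items()
            if p in expected and selinux_type(c) != selinux_type(expected[p])]

def restorecon_commands(mismatches):
    """Build one `restorecon -v <path>` per mislabeled file (a targeted alternative to -Rv /etc)."""
    return ["restorecon -v %s" % path for path, _, _ in mismatches]
```

On a live RHEL 6 host the same functions can be fed the real output of `ls -Z /etc/sysconfig/iptables*` and `matchpathcon <paths>`; on this bug's data they report only /etc/sysconfig/iptables (admin_home_t where system_conf_t is expected).
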
Comment 6 Adam Miller 2013-11-15 18:16:08 UTC
This appears to be a flaw in the way we're constructing our internal development environments. I've submitted a pull request to fix this.

https://github.com/openshift/li/pull/2163

Closing, NOTABUG.