Bug 1436904
| Summary: | iptables cannot access /run/xtables.lock | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Steven Haigh <netwiz> | ||||
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> | ||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | BaseOS QE Security Team <qe-baseos-security> | ||||
| Severity: | unspecified | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 7.3 | CC: | james.edington, lvrabec, mgrepl, mmalik, netwiz, plautrba, pvrabec, ssekidde | ||||
| Target Milestone: | rc | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | selinux-policy-3.13.1-141 | Doc Type: | If docs needed, set a value | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2017-04-10 15:29:03 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
Interestingly, the following resets fine and removes the error until the next boot: $ restorecon -v /run/xtables.lock restorecon reset /run/xtables.lock context system_u:object_r:var_run_t:s0->system_u:object_r:iptables_var_run_t:s0 Could it be a priority issue where we match var_run_t instead of iptables_var_run_t on file creation? I believe this bug is a duplicate of BZ#1376343. Unfortunately, this bug is not fixed in any RHEL-7.3.z. I can't assist there: You are not authorized to access bug #1376343. After reviewing, this does seem to be the same problem. Happy to mark as duplicate and close this if you wish? This doesn't seem to have been fixed yet. I'm experiencing it on selinux-policy-3.13.1-266.el7 on RHEL 7.7. Also, nobody in our company can access the bug this has been listed as a "duplicate" of. Created attachment 1710572 [details]
systemd service to reset the permissions on xtables.lock
This fixed it for our systems, where we deduced it's a McAfee x SELinux bug that impacts iptables.
|
SELinux is preventing /usr/sbin/xtables-multi from read access on the file xtables.lock. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that xtables-multi should be allowed read access on the xtables.lock file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'iptables' --raw | audit2allow -M my-iptables # semodule -i my-iptables.pp Additional Information: Source Context system_u:system_r:iptables_t:s0 Target Context system_u:object_r:var_run_t:s0 Target Objects xtables.lock [ file ] Source iptables Source Path /usr/sbin/xtables-multi Port <Unknown> Host <Unknown> Source RPM Packages iptables-1.4.21-17.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-102.el7_3.15.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name spin-gw.crc.id.au Platform Linux spin-gw.crc.id.au 4.9.18-1.el7xen.x86_64 #1 SMP Mon Mar 27 00:30:03 AEDT 2017 x86_64 x86_64 Alert Count 35 First Seen 2017-03-28 23:41:32 AEDT Last Seen 2017-03-28 23:42:37 AEDT Local ID 89dcf827-b6d2-4024-80fd-83c3ecea55df Raw Audit Messages type=AVC msg=audit(1490704957.914:374): avc: denied { read } for pid=2743 comm="ip6tables" name="xtables.lock" dev="tmpfs" ino=15464 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0 type=SYSCALL msg=audit(1490704957.914:374): arch=x86_64 syscall=open success=no exit=EACCES a0=412a7b a1=40 a2=180 a3=7ffe2f7c4ef0 items=0 ppid=2667 pid=2743 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ip6tables exe=/usr/sbin/xtables-multi subj=system_u:system_r:iptables_t:s0 key=(null) Hash: iptables,iptables_t,var_run_t,file,read