Bug 1766415
| Summary: | selinux blocks fail2ban nftables access | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Dan Tucny <d> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | low | Docs Contact: | |
| Priority: | medium | | |
| Version: | 8.0 | CC: | lvrabec, mmalik, plautrba, ssekidde, zpytela |
| Target Milestone: | rc | Keywords: | Patch |
| Target Release: | 8.2 | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-04-28 16:41:25 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Dan Tucny
2019-10-29 01:36:38 UTC
Fixes from Fedora:

```
commit 0f1e997af97e443afea394e896e8a368ad80c32b (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Tue Oct 29 10:43:34 2019 +0100

    Allow fail2ban_t domain to create netlink netfilter sockets.
```

---

Please run the following commands and attach their output here:

```
# rpm -qa selinux\* | sort
# ls -Z `which nft`
# matchpathcon `which nft`
```

Thank you.

---

I had some challenges reproducing this later when trying and found that this can only currently be reproduced in 8.0, either by installing 8.0 and not updating to 8.1 or by switching to the 8.0 track. Updates included in 8.1 appear to have resolved the specifically reported issue.

On an 8.0 fresh install:

```
[root@localhost ~]# rpm -qa selinux\* | sort
selinux-policy-3.14.1-61.el8.noarch
selinux-policy-targeted-3.14.1-61.el8.noarch
[root@localhost ~]# ls -Z `which nft`
system_u:object_r:bin_t:s0 /usr/sbin/nft
[root@localhost ~]# matchpathcon `which nft`
/usr/sbin/nft system_u:object_r:bin_t:s0
```

On a host updated to 8.1:

```
[root@r8-test1 ~]# rpm -qa selinux\* | sort
selinux-policy-3.14.3-20.el8.noarch
selinux-policy-targeted-3.14.3-20.el8.noarch
[root@r8-test1 ~]# ls -Z `which nft`
system_u:object_r:iptables_exec_t:s0 /usr/sbin/nft
[root@r8-test1 ~]# matchpathcon `which nft`
/usr/sbin/nft system_u:object_r:iptables_exec_t:s0
```

---

(In reply to Dan Tucny from comment #11)
> Updates included in 8.1 appear to have resolved the specifically reported
> issue.

Most likely result of https://bugzilla.redhat.com/show_bug.cgi?id=1656891

---

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1773
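As an added example (not part of the bug report or of selinux-policy), the label triage the thread performs with `ls -Z` and `matchpathcon`, written as a POSIX shell function over the two output lines: it tells a file that is mislabelled relative to policy (fixable with `restorecon`) apart from the 8.0 case, where file and policy agree on `bin_t` and only a policy update helps. The type matters because in the reference policy it is `iptables_exec_t` that makes fail2ban's exec of nft transition into the iptables_t domain; the expected type and the verdict words are this example's own choices.

```shell
#!/bin/sh
# Added example. Triage the SELinux labelling of nft from the two lines the
# report collected, without running any SELinux tooling. Verdicts:
#   ok       on-disk type == policy type == iptables_exec_t
#   relabel  policy expects iptables_exec_t, file carries something else
#            (a restorecon problem, not a policy problem)
#   policy   file and policy agree on a type other than iptables_exec_t,
#            i.e. the policy's file context itself is wrong (RHEL 8.0 case)
#   mismatch anything else (e.g. a manually set label the policy disagrees with)

# Extract the SELinux type, the 3rd colon-separated field of a context string.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# $1: the `ls -Z` line ("context path"); $2: the `matchpathcon` line ("path context").
triage_nft_label() {
    ondisk=$(ctx_type "$(printf '%s\n' "$1" | awk '{print $1}')")
    policy=$(ctx_type "$(printf '%s\n' "$2" | awk '{print $NF}')")
    want=iptables_exec_t
    if [ "$ondisk" = "$want" ] && [ "$policy" = "$want" ]; then
        echo ok
    elif [ "$policy" = "$want" ]; then
        echo relabel
    elif [ "$ondisk" = "$policy" ]; then
        echo policy
    else
        echo mismatch
    fi
}

# Constructed inputs, copied from the two hosts shown in the report.
RHEL80_LSZ='system_u:object_r:bin_t:s0 /usr/sbin/nft'
RHEL80_MPC='/usr/sbin/nft system_u:object_r:bin_t:s0'
RHEL81_LSZ='system_u:object_r:iptables_exec_t:s0 /usr/sbin/nft'
RHEL81_MPC='/usr/sbin/nft system_u:object_r:iptables_exec_t:s0'

triage_nft_label "$RHEL80_LSZ" "$RHEL80_MPC"   # policy
triage_nft_label "$RHEL81_LSZ" "$RHEL81_MPC"   # ok
```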