Bug 245599

Summary: service iptables status silently fails when selinux is enforcing
Product: Red Hat Enterprise Linux 5
Reporter: John T. Rose <inode0>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: 5.0
CC: dwalsh, ebenes, mmalik
Hardware: All
OS: Linux
Fixed In Version: RHBA-2007-0544
Doc Type: Bug Fix
Last Closed: 2007-11-07 16:40:06 UTC

Description John T. Rose 2007-06-25 17:17:09 UTC
Description of problem:
Sorry if this is filed against the wrong component. Here are the facts:

Fresh current install of RHEL5 (behavior is apparent on all my RHEL5 boxes).
selinux is running in enforcing mode.

service iptables status does not return the usual information while in enforcing
mode. There are no AVC messages or logged information that I can find related to
this. After setenforce 0 the command returns the usual information.

More details below.

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-30.el5, selinux-policy-targeted-2.4.6-30.el5

How reproducible:
always

Steps to Reproduce:
1. selinux running in enforcing mode
2. iptables running
3. run service iptables status (or /etc/init.d/iptables status)
  
Actual results:
[root@osiris ~]# service iptables status
Table: filter

[root@osiris ~]#

Expected results:
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination         
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255 
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

or something similar.

Additional info:
Curiously in enforcing mode I can get the usual output if I do the following:
[root@osiris ~]# bash /etc/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
...
whereas
[root@osiris ~]# /etc/init.d/iptables status
Table: filter

[root@osiris ~]#
returns nothing.

[root@osiris ~]# ll -Z /etc/*/iptables*
-rwxr-xr-x  root root system_u:object_r:initrc_exec_t  /etc/init.d/iptables
-rw-------  root root system_u:object_r:etc_t          /etc/sysconfig/iptables
-rw-r--r--  root root system_u:object_r:etc_runtime_t  /etc/sysconfig/iptables-config

[root@osiris ~]# grep -i avc /var/log/audit/audit*
[root@osiris ~]#
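As an added example (not part of the bug report or of the selinux-policy package), the check below parses the `service iptables status` listing format shown above and flags the header-only output the reporter saw, so a monitoring script that greps firewall status does not mistake a silently failed listing for an empty ruleset. The sample outputs are constructed from the report's own transcript; the chain-header regex and the expectation that the filter table lists INPUT, FORWARD and OUTPUT are assumptions about the listing format.

```python
import re
# Constructed samples: the header-only output from the report, and its expected listing (abridged).
TRUNCATED = "Table: filter\n\n"
FULL = """Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
"""
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\w+)|\d+ references?)\)$")

def parse_status(text):
    """Return {table: {chain: {"policy": str or None, "rules": [dict, ...]}}}."""
    tables, current, chain = {}, "filter", None  # bare `iptables -L` implies filter
    for line in text.splitlines():
        if line.startswith("Table: "):  # printed by the init script before each table
            current = line[len("Table: "):].strip()
            tables.setdefault(current, {})
            chain = None
        elif (m := CHAIN_RE.match(line)):  # "Chain INPUT (policy ACCEPT)" etc.
            chain = tables.setdefault(current, {}).setdefault(
                m.group(1), {"policy": m.group(2), "rules": []})
        elif chain is not None and line[:1].isdigit():  # numbered rule line
            num, target, prot, _opt, src, dst, *extra = line.split()
            chain["rules"].append({"num": int(num), "target": target, "prot": prot,
                                   "src": src, "dst": dst, "extra": " ".join(extra)})
    return tables

def check_status(text):
    """Return findings; an empty list means the listing looks complete."""
    tables = parse_status(text)
    findings = [] if tables else ["no 'Table:' header: command produced no listing"]
    for name, chains in tables.items():
        if not chains:
            findings.append(f"table {name}: header only, no chains listed (silent failure)")
        elif name == "filter":
            findings += [f"table filter: built-in chain {c} missing"
                         for c in ("INPUT", "FORWARD", "OUTPUT") if c not in chains]
    return findings
```

Feeding the captured output of the status command to `check_status` turns the silent failure into an explicit finding; an empty result is the only outcome a health check should accept.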

Comment 1 John T. Rose 2007-06-25 17:43:36 UTC
I don't know if this is helpful at all but both of the following work as
expected as well.

# run_init /etc/init.d/iptables status

and

# iptables -t filter --list

Comment 2 Daniel Walsh 2007-06-26 09:51:46 UTC
Fixed in selinux-policy-2.4.6-76.el5

This is the u1 policy and is available for testing at
http://people.redhat.com/dwalsh/SELinux/RHEL5

Comment 3 John T. Rose 2007-06-26 13:31:59 UTC
I've installed selinux-policy-2.4.6-76.el5 and this issue has been resolved, thanks.

Comment 5 RHEL Program Management 2007-06-26 15:43:57 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 10 errata-xmlrpc 2007-11-07 16:40:06 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0544.html