Bug 638661
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | avc: denied { write } for comm="iptables-save" path="/etc/sysconfig/iptables" | | |
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Thomas Woerner <twoerner> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 6.0 | CC: | dwalsh, mgrepl, mishu, mmalik, pknirsch, snagar, syeghiay |
| Target Milestone: | rc | Keywords: | Regression, ZStream |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.7.19-79.el6 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-05-19 11:56:37 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 644273, 645658 | | |
| Attachments: | | | |
Created attachment 450580 [details]
This patch changes /etc/init.d/iptables to work correctly with SELinux

Looking into this further I actually do not like the way the iptables script works currently. The init script should not be using /tmp for the storage of its iptables.save files. These should go directly into /etc/ and be deleted when done. Putting stuff in a directory a user could screw around in when you do not have to makes no sense.

I added the restorecon to make sure the save files are labeled correctly when it completes.

The hack for using cat is just because > /etc/iptables.tmp is created by initrc_t which will label it etc_runtime_t. If this is too onerous we can change iptables_t to be allowed to write to etc_runtime_t.

Miroslav, I think we need to add unconfined_iptables_t which is an unconfined domain and will transition to system_conf_t when creating files in an etc_t directory.

Yes, adding a cat to do the file output redirection might be a solution for the service, but for an admin it is unexpected that a command like "iptables -L > file" or "iptables-save > file" generates empty files, and all that without any avc message. The only way to get the avc is to temporarily remove dontaudits from policy. Also "iptables-restore < file" is not working if the file is not located in /etc and labeled correctly.

Which is why I want https://bugzilla.redhat.com/show_bug.cgi?id=638661#c4

The iptables commands can not write to files with output redirection. This is a policy problem. Examples:

    iptables-save > file
    iptables -L > file

I opened another bug for the iptables services (#644273) to write the temporary file to /etc/sysconfig, restore contexts and use an atomic mv for "service iptables save". This new bug depends on this one, because output redirection is not working for iptables commands and this is used by service iptables save.

The patch in comment 3 is not fixing the problem with the policy. Adding a pipe to cat for output redirection is only fixing the service, but not the use of iptables commands on the command line. HOWTOs and documentation for netfilter and iptables suggest using iptables-save > file to save rules. This is a regression to RHEL-5 behaviour.

(In reply to comment #8)
> The iptables commands can not write to files with output redirection. This is a
> policy problem. Examples:
>
> iptables-save > file
> iptables -L > file
>

The transition from unconfined_t to iptables_t was removed in selinux-policy-3.7.19-56.el6 which fixes this issue.

Milos, are you testing it with the latest RHEL6 iptables?

Well, you are right. The iptables is not fixed. I am switching the bug back to ON_QA and reopening iptables bug https://bugzilla.redhat.com/show_bug.cgi?id=644273

The AVC appeared on 2 machines where the following packages were installed:

    iptables-1.4.7-4.el6
    iptables-ipv6-1.4.7-4.el6
    selinux-policy-3.7.19-76.el6
    selinux-policy-doc-3.7.19-76.el6
    selinux-policy-minimum-3.7.19-76
    selinux-policy-mls-3.7.19-76.el6
    selinux-policy-targeted-3.7.19-76

As mentioned in comment #3, this should be fixed in the selinux-policy, so this bug should go back to ON_DEV and the iptables bug should stay on ON_QA, right?

Thanks & regards, Phil

I am adding this rule.

Fixed in selinux-policy-3.7.19-79.el6

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0526.html
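The save procedure the thread converges on (temporary file beside /etc/sysconfig/iptables rather than in /tmp, the file written by the shell rather than by the iptables_t process, restorecon, then an atomic rename), as an added example that is neither the attachment from this bug nor RHEL's init script. `save_rules` is an assumed name; its producer argument is iptables-save in real use and a printf stand-in in the test.

```shell
#!/bin/sh
# Added example, not the patch attached to the bug or RHEL's init script.
# Saves rules the way the thread converges on: the temporary file lives beside
# the destination (not in /tmp), the *shell* writes it (same effect as the
# "| cat" trick: the iptables_t process never opens the etc_t file itself),
# its label is restored, and the result is renamed into place atomically.
# Usage: save_rules DEST PRODUCER [ARGS...]   (PRODUCER = iptables-save)
save_rules() {
    dest=$1; shift
    # Derived from $dest so that a file-context pattern written for the
    # destination (restorecon matches by path) also covers the temp file.
    tmp="$dest.tmp.$$"

    # Capture the producer's output in the shell so its exit status is kept;
    # with "producer | cat > file" a failing producer would go unnoticed.
    if ! rules=$("$@"); then
        echo "save_rules: producer failed, $dest left untouched" >&2
        return 1
    fi
    # An empty result is exactly the symptom reported in this bug: refuse to
    # replace a good ruleset with nothing.
    if [ -z "$rules" ]; then
        echo "save_rules: producer returned no rules, $dest left untouched" >&2
        return 2
    fi

    # Create the temp file with restrictive permissions from the start.
    ( umask 077; printf '%s\n' "$rules" > "$tmp" ) || { rm -f "$tmp"; return 3; }
    # Give the new file the context policy expects instead of the creator's
    # default (etc_runtime_t in the thread). Skipped where SELinux tooling is
    # absent, e.g. in this example's own test run.
    if command -v restorecon >/dev/null 2>&1; then
        restorecon "$tmp" 2>/dev/null || true
    fi
    # rename(2) within one filesystem: readers see old or new, never partial.
    mv -f "$tmp" "$dest" || { rm -f "$tmp"; return 4; }
}
```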
Description of problem:

ip*tables, ip*tables-multi can not write to files. Examples:

    service iptables save
    iptables-save > rules
    iptables -L > rules

There are no AVC messages, because the policies are dontaudit; I used semodule -DB to make the AVC visible. It is not possible to save the firewall rules with service iptables save, which is very bad. The service is failing as long as SELinux is in enforcing mode.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.7.19-54.el6.noarch

How reproducible:
Always

Steps to Reproduce:
1. See above

Actual results:
Empty file

Expected results:
File with rules.

Additional info:

```
type=AVC msg=audit(1285771311.312:1360): avc: denied { write } for pid=10957 comm="iptables-save" path="/etc/sysconfig/iptables" dev=sdb3 ino=2095526 scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1285771311.312:1360): arch=c000003e syscall=59 success=yes exit=0 a0=24c0f70 a1=24f1790 a2=24c1000 a3=7fff9f7c31e0 items=0 ppid=10455 pid=10957 auid=2433 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=1 comm="iptables-save" exe="/sbin/iptables-multi" subj=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 key=(null)
type=MAC_POLICY_LOAD msg=audit(1285771631.848:1361): policy loaded auid=2433 ses=1
```

Setting /sbin/iptables-multi to bin_t resolves the problem. iptables_exec_t does not allow writing to files.