Bug 638661

Summary: avc: denied { write } for comm="iptables-save" path="/etc/sysconfig/iptables"

| Field | Value | Field | Value |
|---|---|---|---|
| Product | Red Hat Enterprise Linux 6 | Reporter | Thomas Woerner <twoerner> |
| Component | selinux-policy | Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED ERRATA | QA Contact | Milos Malik <mmalik> |
| Severity | high | Docs Contact | |
| Priority | high | | |
| Version | 6.0 | CC | dwalsh, mgrepl, mishu, mmalik, pknirsch, snagar, syeghiay |
| Target Milestone | rc | Keywords | Regression, ZStream |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | selinux-policy-3.7.19-79.el6 | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2011-05-19 11:56:37 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 644273, 645658 | | |
| Attachments | | | |
Description
Thomas Woerner
2010-09-29 15:36:47 UTC
Looking into this further I actually do not like the way the iptables script works currently.

Created attachment 450580 [details]
This patch changes /etc/init.d/iptables to work correctly with SELinux

The init script should not be using /tmp for the storage of its iptables.save files. These should go directly into /etc/ and be deleted when done. Putting stuff in a directory a user could screw around in when you do not have to makes no sense.

I added the restorecon to make sure the save files are labeled correctly when it completes.

The hack for using cat is just because > /etc/iptables.tmp is created by initrc_t which will label it etc_runtime_t. If this is too onerous we can change iptables_t to be allowed to write to etc_runtime_t.

Miroslav, I think we need to add unconfined_iptables_t which is an unconfined domain and will transition to system_conf_t when creating files in an etc_t directory.

Yes, adding a cat to do the file output redirection might be a solution for the service, but for an admin it is unexpected that a command like "iptables -L > file" or "iptables-save > file" generates empty files, and all that without any avc message. The only way to get the avc is to temporarily remove dontaudits from policy. Also "iptables-restore < file" is not working if the file is not located in /etc and labeled correctly.

Which is why I want https://bugzilla.redhat.com/show_bug.cgi?id=638661#c4

The iptables commands can not write to files with output redirection. This is a policy problem. Examples:

iptables-save > file
iptables -L > file

I opened another bug for the iptables services (#644273) to write the temporary file to /etc/sysconfig, restore contexts and use an atomic mv for "service iptables save". This new bug depends on this one, because output redirection is not working for iptables commands and this is used by service iptables save.

The patch in comment 3 is not fixing the problem with the policy. Adding a pipe to cat for output redirection is only fixing the service, but not the use of iptables commands on the command line. HOWTOs and documentation for netfilter and iptables suggest using iptables-save > file to save rules.

This is a regression to RHEL-5 behaviour.

(In reply to comment #8)
> The iptables commands can not write to files with output redirection. This is a
> policy problem. Examples:
>
> iptables-save > file
> iptables -L > file

The transition from unconfined_t to iptables_t was removed in selinux-policy-3.7.19-56.el6 which fixes this issue.

Milos, are you testing it with the latest RHEL6 iptables?

Well, you are right. The iptables is not fixed.
I am switching the bug back to ON_QA and reopening iptables bug https://bugzilla.redhat.com/show_bug.cgi?id=644273

The AVC appeared on 2 machines where the following packages were installed:

iptables-1.4.7-4.el6
iptables-ipv6-1.4.7-4.el6
selinux-policy-3.7.19-76.el6
selinux-policy-doc-3.7.19-76.el6
selinux-policy-minimum-3.7.19-76
selinux-policy-mls-3.7.19-76.el6
selinux-policy-targeted-3.7.19-76

As mentioned in comment #3, this should be fixed in the selinux-policy, so this bug should go back to ON_DEV and the iptables bug should stay on ON_QA, right?

Thanks & regards, Phil

I am adding this rule.

Fixed in selinux-policy-3.7.19-79.el6

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html
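The save procedure comment #8 asks for (temporary file written next to the destination in /etc/sysconfig instead of /tmp, contexts restored with restorecon, then an atomic mv) as an added shell example. This is not the bug's attached patch and not the iptables package's init script; the function name `save_rules_atomic`, the hidden temp-file naming and the refusal to install an empty file are my assumptions. Plain output redirection is used, which is what works once the policy fix in selinux-policy-3.7.19-79.el6 is installed; the size check catches the silent empty-file symptom the reporter describes, where a dontaudited denial leaves no avc message. The destination and the save command are parameters, so the routine can be exercised with a stand-in command on a host without iptables or SELinux.

```shell
#!/bin/sh
# Added example, not code from the bug report or the iptables package.
# Save a rule set the way comment #8 describes: temp file in the destination's
# own directory (never /tmp), relabel it, replace the destination atomically.
#
# usage: save_rules_atomic DEST CMD [ARGS...]
#   e.g. save_rules_atomic /etc/sysconfig/iptables iptables-save
save_rules_atomic() {
    dest=$1
    shift
    dest_dir=$(dirname "$dest")

    # Temporary file lives beside the destination, so it is created in an
    # etc_t directory and is never exposed in world-writable /tmp.
    # (hidden ".name.XXXXXX" template is an assumption of this example)
    tmp=$(mktemp "$dest_dir/.$(basename "$dest").XXXXXX") || return 1

    # Run the save command with its output redirected into the temp file;
    # abort and clean up if the command itself fails.
    if ! "$@" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi

    # An empty file is the silent failure mode from the report (write denied,
    # avc hidden by dontaudit). Never install an empty rule set over a good one.
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        return 1
    fi

    chmod 0600 "$tmp"

    # Restore the SELinux file context from the policy's file-context database
    # when the tool exists (it is absent on non-SELinux hosts and in tests).
    if command -v restorecon >/dev/null 2>&1; then
        restorecon "$tmp" || { rm -f "$tmp"; return 1; }
    fi

    # rename(2) within one filesystem is atomic: readers see the old file or
    # the new one, never a partially written one.
    mv -f "$tmp" "$dest"
}
```

On a real host the call is `save_rules_atomic /etc/sysconfig/iptables iptables-save`; keeping the temp file in the same directory is what makes the final `mv` a rename rather than a copy, and it is also why the file picks up the right default label before restorecon confirms it.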