| Summary: | shorewall fails at startup due to selinux restrictions | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Harley Race <flyingboxcutter> |
| Component: | shorewall | Assignee: | Jonathan Underwood <jonathan.underwood> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | urgent | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 14 | CC: | jonathan.underwood |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-03-22 23:19:07 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
*** This bug has been marked as a duplicate of bug 689165 *** |
Description of problem: Shorewall fails to properly configure iptables on startup due to selinux policy. If "shorewall start" is run when the host is up and not booting, the command is successful. Using a single interface configuration in shorewall. Version-Release number of selected component (if applicable): Fedora 14 minimal install selinux-policy version: 3.9.7 release: 31.fc14 Build Date: Thu 17 Feb 2011 05:41:26 AM EST shorewall version: 4.4.17 release: 2.fc14 build date: Mar 2011 09:13:20 AM EST How reproducible: always Steps to Reproduce: 1.Per shorewall docs, "chkconfig --del iptables" 2."service iptables stop" and then run command "shorewall start". Command completes successfully and firewall works as expected. 3.and shorewall into startup with "chkconfig shorewall on". Reboot host and shorewall will fail to configure iptables. Actual results: Shorewall fails at startup. AVC denied messages syslog messages: Mar 22 11:24:59 black shorewall[1002]: Compiling... Mar 22 11:25:00 black shorewall[1002]: Processing /etc/shorewall/params ... Mar 22 11:25:00 black shorewall[1002]: Can't exec "/usr/share/shorewall//getparams": Permission denied at /usr/share/shorewall/Shorewall/Config.pm line 2867. Mar 22 11:25:00 black shorewall[1002]: ERROR: Processing of /etc/shorewall/params failed Mar 22 11:25:00 black logger: ERROR:Shorewall start failed audit.log messages: type=DAEMON_END msg=audit(1300807452.303:9377): auditd normal halt, sending auid=0 pid=2355 subj=system_u:system_r:initrc_t:s0 res=success type=DAEMON_START msg=audit(1300807498.031:6210): auditd start, ver=2.0.6 format=raw kernel=2.6.35.11-83.fc14.i686.PAE auid=4294967295 pid=945 subj=system_u:system_r:auditd_t:s0 res=success type=CONFIG_CHANGE msg=audit(1300807498.204:4): audit_backlog_limit=320 old=64 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditctl_t:s0 res=1 type=AVC msg=audit(1300807500.287:5): avc: denied { execute } for pid=1018 comm="perl" name="getparams" dev=dm-1 ino=28905 scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file type=SYSCALL msg=audit(1300807500.287:5): arch=40000003 syscall=11 success=no exit=-13 a0=8e63580 a1=8e634c0 a2=8681658 a3=6ec9c4 items=0 ppid=1017 pid=1018 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="perl" exe="/usr/bin/perl" subj=system_u:system_r:shorewall_t:s0 key=(null) Expected results: Shorewall should have configured iptables with rules contained in /etc/shorewall/rules Additional info: Using a single interface configuration in shorewall.