| Summary: | SELinux is preventing /bin/bash (shorewall) from write access on the file /etc/iproute2/rt_tables | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | ZiN <metanoite> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED INSUFFICIENT_DATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 14 | CC: | dwalsh, jonathan.underwood, mgrepl |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-04-17 09:04:47 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Attachments: | | | |

This needs a fix in the SELinux policy - Miroslav/Dan, can you take a look? Thanks.

ZiN you are attempting to put a Process label on a file, that is why it is failing. The alert told you which types could be assigned to the file to make it work?

Does shorewall need to be able to edit any file in /etc/iproute2/?

Created attachment 489018
A message from setroubleshootd

Description of problem:
When using shorewall as an iptables frontend, SELinux audit messages appear as in the attachment.

Version-Release number of selected component (if applicable):
4.4.17-2fc14

How reproducible:
When connecting to some network via e.g. networkmanager-applet, a message from setroubleshootd appears.

Steps to Reproduce:
1. Install and set up shorewall
2. Set up a new dispatcher for NetworkManager in /etc/NetworkManager/dispatcher.d that should reload the shorewall configuration
3. Maybe restart, so that NetworkManager or netplugd activates that new dispatcher
4. Try to connect, e.g. via NetworkManager, to some network

Actual results:
SELinux audit messages

Expected results:
No SELinux audit messages

Additional info:
Sequential usage of semanage and restorecon, as advised in the attached log, fails with the message:
restorecon set context /etc/iproute2/rt_tables->system_u:object_r:shorewall_t:s0 failed:'Permission denied'