To expand a little on what is happening here:

# service openshift-iptables-port-proxy start
Can't open /dev/fd/63: Permission denied
Can't open /dev/fd/63: Permission denied

Here's the code that fails:

#!/bin/bash
# openshift-iptables-port-proxy
#
### BEGIN INIT INFO
# Short-Description: Script to apply the openshift port proxy iptables rules.
# Description: Script to apply the openshift port proxy iptables rules.
### END INIT INFO

case "$1" in
  start)
    if [ -f /etc/openshift/iptables.filter.rules ]; then
      iptables-restore -n <(echo "*filter"; cat /etc/openshift/iptables.filter.rules; echo "COMMIT")

The iptables-restore executable has a context transition:

# ls -lZlZH /sbin/iptables-restore
-rwxr-xr-x. root root system_u:object_r:iptables_exec_t:s0 /sbin/iptables-restore

However, Bash creates the fifo from the command substitution in the context of the initscript (this can be verified using strace -f). The <() command substitution expands to /dev/fd/63, which is passed to the iptables-restore process in its arguments list. iptables-restore tries to open /dev/fd/63, and it fails because iptables-restore has type iptables_t in its context, whereas the pipe has type initrc_t in its context:

# ausearch -m avc -ts recent -i
----
type=SYSCALL msg=audit(10/17/2013 16:15:29.601:131102) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=7fff73720f66 a1=80000 a2=1b6 a3=0 items=0 ppid=25304 pid=25306 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=iptables-restor exe=/sbin/iptables-multi-1.4.7 subj=unconfined_u:system_r:iptables_t:s0 key=(null)
type=AVC msg=audit(10/17/2013 16:15:29.601:131102) : avc: denied { open } for pid=25306 comm=iptables-restor name= dev=pipefs ino=285957 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=fifo_file
----
type=SYSCALL msg=audit(10/17/2013 16:15:29.620:131103) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=7fff05cd1f66 a1=80000 a2=1b6 a3=0 items=0 ppid=25304 pid=25309 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=iptables-restor exe=/sbin/iptables-multi-1.4.7 subj=unconfined_u:system_r:iptables_t:s0 key=(null)
type=AVC msg=audit(10/17/2013 16:15:29.620:131103) : avc: denied { open } for pid=25309 comm=iptables-restor name= dev=pipefs ino=285968 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=fifo_file
Pull request: https://github.com/openshift/origin-server/pull/3922
Commit pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/19156f6032dad670ab43550eae0d5601c8f50768

oo-admin-ctl-iptables-port-proxy: SELinux fix

Give input to iptables-restore on standard input instead of using command substitution.

Bash was expanding the <(...) command-substitution to a fifo, which oo-admin-ctl-iptables-port-proxy was then passing to the iptables-restore command as a command-line argument. If oo-admin-ctl-iptables-port-proxy was being run from the /etc/init.d/openshift-iptables-port-proxy initscript, then Bash would have an SELinux context with type initrc_t, and it thus would create the fifo also with type initrc_t. However, iptables-restore transitions SELinux contexts so that it is running with the iptables_t type. The iptables-restore command would thus fail when it tried to open the fifo because SELinux policy blocks processes with type iptables_t from reading fifos with type initrc_t.

(Interestingly, the manpage for iptables-restore does not indicate that iptables-restore is even supposed to take a filename as an argument.)

This commit fixes bug 1020391.
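The pattern the fix above switches to (feeding iptables-restore on standard input rather than handing it a /dev/fd path from process substitution) as an added example. This is not the project's oo-admin-ctl-iptables-port-proxy script and not code from the bug; the function names build_filter_ruleset, apply_filter_rules and the fake_restore stand-in, and the rules lines used to exercise it, are constructed for illustration. It is plain POSIX sh so that it also runs where process substitution is unavailable.

```shell
#!/bin/sh
# Added example, not the project's oo-admin-ctl-iptables-port-proxy script.
# Function names (build_filter_ruleset, apply_filter_rules, fake_restore) are
# assumptions made for this example.
#
# The failing pattern from the initscript was:
#     iptables-restore -n <(echo "*filter"; cat "$rules"; echo "COMMIT")
# Bash expands <(...) to /dev/fd/63, a fifo created in the initscript's domain
# (initrc_t). iptables-restore runs in iptables_t after its domain transition
# and its open() of that fifo is denied by policy (tclass=fifo_file AVC).
# Piping the same text on standard input hands the child a descriptor that is
# already open, so no fifo is opened from inside the iptables_t domain.

# Emit the ruleset wrapped in the *filter / COMMIT table markers on stdout.
# Returns 1 when the rules file is missing, mirroring the initscript's -f test.
build_filter_ruleset() {
    rules_file="$1"
    [ -f "$rules_file" ] || return 1
    echo "*filter"
    cat "$rules_file"
    echo "COMMIT"
}

# Apply the ruleset by piping it into the restore command's standard input.
# The optional second argument names the restore command (default
# iptables-restore); a shell function can be passed to exercise the wrapper
# without root or netfilter. The file check is repeated here because the
# pipeline's exit status is that of the restore command, not of the producer.
apply_filter_rules() {
    rules_file="$1"
    restore_cmd="${2:-iptables-restore}"
    [ -f "$rules_file" ] || { echo "no such rules file: $rules_file" >&2; return 1; }
    build_filter_ruleset "$rules_file" | "$restore_cmd" -n
}

# Stand-in for iptables-restore: ignores the -n flag and echoes what it would
# have read from stdin, so the wrapper can be checked offline.
fake_restore() {
    cat
}

# Usage as a script:  ./apply-rules.sh --apply /etc/openshift/iptables.filter.rules
if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
    apply_filter_rules "$2"
fi
```

Because the restore command inherits an open descriptor instead of a path, this also works when the script is launched from a context other than the initscript, and the missing-file case fails with a clear message rather than a truncated ruleset.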
Verified this bug with rubygem-openshift-origin-node-1.16.2-1.git.31.04b2e87.el6op.noarch in 2.0/2013-10-23.2 puddle, and PASS.

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain rhc-app-comm (0 references)
target     prot opt source               destination

[root@node1 ~]# /etc/init.d/openshift-iptables-port-proxy start
[root@node1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain rhc-app-comm (0 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             127.1.245.2          ctstate NEW tcp dpt:webcache /* 38042 */
ACCEPT     tcp  --  anywhere             127.1.245.2          tcp dpt:webcache /* 38042 */
ACCEPT     tcp  --  anywhere             127.1.245.1          ctstate NEW tcp dpt:webcache /* 38041 */
ACCEPT     tcp  --  anywhere             127.1.245.1          tcp dpt:webcache /* 38041 */
ACCEPT     tcp  --  anywhere             127.1.244.129        ctstate NEW tcp dpt:mysql /* 38036 */
ACCEPT     tcp  --  anywhere             127.1.244.129        tcp dpt:mysql /* 38036 */
ACCEPT     tcp  --  anywhere             127.1.244.2          ctstate NEW tcp dpt:webcache /* 38032 */
ACCEPT     tcp  --  anywhere             127.1.244.2          tcp dpt:webcache /* 38032 */
ACCEPT     tcp  --  anywhere             127.1.244.1          ctstate NEW tcp dpt:webcache /* 38031 */
ACCEPT     tcp  --  anywhere             127.1.244.1          tcp dpt:webcache /* 38031 */