Bug 1030627 - iptables restart fails on OpenShift on RHEL 6.5
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Priority: unspecified
Severity: high
Target Milestone: rc
Assigned To: Daniel Walsh
BaseOS QE Security Team
Depends On: 1030780
Reported: 2013-11-14 15:12 EST by Mrunal Patel
Modified: 2013-11-15 13:16 EST (History)

Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-11-15 13:16:08 EST

Description Mrunal Patel 2013-11-14 15:12:18 EST
Description of problem:
iptables restart fails on OpenShift on RHEL 6.5

Applying this rule gets us past the issue:

    module iprule2 1.0;

    require {
            type admin_home_t;
            type iptables_t;
            class file { read open };
    }

    #============= iptables_t ==============
    allow iptables_t admin_home_t:file open;
    #!!!! This avc is allowed in the current policy
    allow iptables_t admin_home_t:file read;

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Spin up OpenShift with RHEL 6.5
2. iptables restart

Actual results:
[~]# service iptables restart
iptables: Applying firewall rules: Can't open /etc/sysconfig/iptables: Permission denied

Expected results:
[~]# service iptables restart
iptables: Applying firewall rules:                         [  OK  ]
Comment 1 Milos Malik 2013-11-14 15:22:43 EST
What is the output of the following command on your machine?

# ls -Z /etc/sysconfig/iptables*
Comment 3 Adam Miller 2013-11-14 15:45:00 EST
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /etc/sysconfig/iptables
Comment 4 Adam Miller 2013-11-14 15:47:39 EST

-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /etc/sysconfig/iptables
-rw-------. root root system_u:object_r:system_conf_t:s0 /etc/sysconfig/iptables-config
Comment 5 Milos Malik 2013-11-15 03:02:48 EST
Please run "restorecon -Rv /etc" on your machine. /etc/sysconfig/iptables is mislabeled. Possible cause: it was moved from the /root directory into the /etc/sysconfig directory (mv preserves the SELinux context, cp does not).

According to the SELinux policy the files should have the following labels:
# matchpathcon /etc/sysconfig/iptables
/etc/sysconfig/iptables	system_u:object_r:system_conf_t:s0
# matchpathcon /etc/sysconfig/iptables-config
/etc/sysconfig/iptables-config	system_u:object_r:system_conf_t:s0
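The check in comment 5 (compare what `ls -Z` reports against what `matchpathcon` says the policy expects, then `restorecon` whatever differs) can be scripted so that a whole directory is audited rather than one file eyeballed. The following is an added example and not part of this bug report or of the selinux-policy package; it uses as constructed input the two listings quoted above, and the function name `mislabeled_paths` is an assumption of this example. It deliberately checks labels rather than widening policy the way the `iprule2` module in the description does, since granting `iptables_t` access to `admin_home_t` leaves the mislabeled file in place.

```shell
#!/bin/sh
# Added example, not part of the bug report: audit SELinux file labels the
# way comment 5 does by hand, comparing "ls -Z" output against the policy
# default printed by "matchpathcon", and list the mismatches.

# Constructed sample input, copied from the listings quoted in this bug.
# On a real host the same text comes from:
#   ls -Zd /etc/sysconfig/iptables*
#   matchpathcon /etc/sysconfig/iptables*
LS_Z_OUTPUT='-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /etc/sysconfig/iptables
-rw-------. root root system_u:object_r:system_conf_t:s0 /etc/sysconfig/iptables-config'

MATCHPATHCON_OUTPUT='/etc/sysconfig/iptables system_u:object_r:system_conf_t:s0
/etc/sysconfig/iptables-config system_u:object_r:system_conf_t:s0'

# mislabeled_paths LS_Z_TEXT MATCHPATHCON_TEXT
# Prints "path<TAB>actual_type<TAB>expected_type" for every path whose type
# differs from the policy default.  Only the type (third field of
# user:role:type:level) is compared: that is the field access decisions
# hinge on, and the field restorecon resets by default (the user part,
# e.g. unconfined_u vs. system_u, is preserved unless -F is given).
mislabeled_paths() {
    ls_z_text=$1
    expected_text=$2
    {
        # matchpathcon lines: <path> <context>
        printf '%s\n' "$expected_text" | awk '{ print "E", $1, $2 }'
        # ls -Z lines (RHEL 6 format): <mode> <user> <group> <context> <path>
        printf '%s\n' "$ls_z_text" | awk '{ print "A", $NF, $4 }'
    } | awk '
        function type_of(ctx,    f) { split(ctx, f, ":"); return f[3] }
        $1 == "E" { want[$2] = type_of($3) }
        $1 == "A" && ($2 in want) {
            have = type_of($3)
            if (have != want[$2]) print $2 "\t" have "\t" want[$2]
        }'
}

# Demonstration on the constructed input.  With live data the call is
#   mislabeled_paths "$(ls -Zd /etc/sysconfig/*)" "$(matchpathcon /etc/sysconfig/*)"
# and each reported path is fixed with "restorecon -v <path>" (or, as
# comment 5 suggests, "restorecon -Rv /etc" for the whole tree).
mislabeled_paths "$LS_Z_OUTPUT" "$MATCHPATHCON_OUTPUT"
```

Run against the constructed listings it reports only `/etc/sysconfig/iptables`, with `admin_home_t` where `system_conf_t` is expected, which is exactly the file behind the "Permission denied" in the report.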
Comment 6 Adam Miller 2013-11-15 13:16:08 EST
This appears to be a flaw in the way we're constructing our internal development environments. I've submitted a pull request to fix this.
Closing, NOTABUG.
