Description of problem:
iptables restart fails on OpenShift on RHEL 6.5

Applying this rule gets us past the issue:

    module iprule2 1.0;

    require {
        type admin_home_t;
        type iptables_t;
        class file { read open };
    }

    #============= iptables_t ==============
    allow iptables_t admin_home_t:file open;
    #!!!! This avc is allowed in the current policy
    allow iptables_t admin_home_t:file read;

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Spin up OpenShift with RHEL 6.5
2. iptables restart

Actual results:

    [~]# service iptables restart
    iptables: Applying firewall rules: Can't open /etc/sysconfig/iptables: Permission denied [FAILED]

Expected results:

    [~]# service iptables restart
    iptables: Applying firewall rules: [ OK ]
What is the output of the following command on your machine?

    # ls -Z /etc/sysconfig/iptables*
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /etc/sysconfig/iptables
Apologies.

    -rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /etc/sysconfig/iptables
    -rw-------. root root system_u:object_r:system_conf_t:s0 /etc/sysconfig/iptables-config
Please, run "restorecon -Rv /etc" on your machine. The /etc/sysconfig/iptables is mislabeled. Possible cause: it was moved from the /root directory into the /etc/sysconfig directory (mv preserves SELinux context, cp does not).

According to SELinux policy the files should have the following labels:

    # matchpathcon /etc/sysconfig/iptables
    /etc/sysconfig/iptables	system_u:object_r:system_conf_t:s0
    # matchpathcon /etc/sysconfig/iptables-config
    /etc/sysconfig/iptables-config	system_u:object_r:system_conf_t:s0
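The check described in the comment above, as an added example that is not part of this bug report: compare a file's actual SELinux type with the type the policy expects, so that a mislabeled file such as /etc/sysconfig/iptables is relabeled with restorecon instead of being papered over with a custom allow rule. The parsing helpers run on a constructed sample; audit_path() is assumed to run on a live host where matchpathcon and restorecon exist.

```shell
# Extract the type component (third field) of an SELinux context string,
# e.g. "unconfined_u:object_r:admin_home_t:s0" -> "admin_home_t".
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 if the actual and expected contexts have the same type, 1 otherwise.
# Only the type is compared: a user difference (system_u vs unconfined_u) does
# not change the type-enforcement decision that blocked iptables_t here.
label_matches() {
    [ "$(selinux_type "$1")" = "$(selinux_type "$2")" ]
}

# Read "path actual_context expected_context" lines on stdin and print the
# paths whose type label is wrong, i.e. the ones restorecon would relabel.
find_mislabeled() {
    while read -r path actual expected; do
        [ -n "$path" ] || continue
        if ! label_matches "$actual" "$expected"; then
            printf '%s is %s, should be %s\n' "$path" \
                "$(selinux_type "$actual")" "$(selinux_type "$expected")"
        fi
    done
}

# On a live host (assumed, not run here): matchpathcon -V verifies a path's
# label against policy, and restorecon -n -v reports what would be relabeled
# without changing anything.
audit_path() {
    matchpathcon -V "$1"
    restorecon -n -v "$1"
}

# Constructed sample mirroring this report: iptables carries the admin_home_t
# label it inherited from /root, iptables-config is labeled correctly.
sample='/etc/sysconfig/iptables unconfined_u:object_r:admin_home_t:s0 system_u:object_r:system_conf_t:s0
/etc/sysconfig/iptables-config system_u:object_r:system_conf_t:s0 system_u:object_r:system_conf_t:s0'

printf '%s\n' "$sample" | find_mislabeled
```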
This appears to be a flaw in the way we're constructing our internal development environments. I've submitted a pull request to fix this. https://github.com/openshift/li/pull/2163 Closing, NOTABUG.