Bug 1030627 – iptables restart fails on OpenShift on RHEL 6.5

Bug 1030627 - iptables restart fails on OpenShift on RHEL 6.5

Summary:	iptables restart fails on OpenShift on RHEL 6.5

Status:	CLOSED NOTABUG

Aliases:	None

Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy (Show other bugs)
Sub Component:
Version:	6.5
Hardware:	Unspecified Unspecified

Priority	unspecified Severity high
Target Milestone:	rc
Target Release:	---
Assigned To:	Daniel Walsh
QA Contact:	BaseOS QE Security Team
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:	1030780
Blocks:
	Show dependency tree / graph

Reported:	2013-11-14 15:12 EST by Mrunal Patel
Modified:	2013-11-15 13:16 EST (History)
CC List:	3 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2013-11-15 13:16:08 EST
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Mrunal Patel 2013-11-14 15:12:18 EST

Description of problem:
iptables restart fails on OpenShift on RHEL 6.5

Applying this rule gets us past the issue:

    module iprule2 1.0;
     
    require {
            type admin_home_t;
            type iptables_t;
            class file { read open };
    }
     
    #============= iptables_t ==============
    allow iptables_t admin_home_t:file open;
     
    #!!!! This avc is allowed in the current policy
    allow iptables_t admin_home_t:file read;



Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Spin up OpenShift with RHEL 6.5
2. iptables restart

Actual results:
[~]# service iptables restart
iptables: Applying firewall rules: Can't open /etc/sysconfig/iptables: Permission denied
                                                           [FAILED]


Expected results:
[~]# service iptables restart
iptables: Applying firewall rules:                         [  OK  ]

Comment 1 Milos Malik 2013-11-14 15:22:43 EST

What is the output of following command on your machine?

# ls -Z /etc/sysconfig/iptables*

Comment 3 Adam Miller 2013-11-14 15:45:00 EST

-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /etc/sysconfig/iptables

Comment 4 Adam Miller 2013-11-14 15:47:39 EST

Apologies.

-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /etc/sysconfig/iptables
-rw-------. root root system_u:object_r:system_conf_t:s0 /etc/sysconfig/iptables-config

Comment 5 Milos Malik 2013-11-15 03:02:48 EST

Please, run "restorecon -Rv /etc" on your machine. The /etc/sysconfig/iptables is mislabeled. Possible cause: it was moved from /root directory into /etc/sysconfig directory (mv preserves SELinux context, cp does not).

According to SELinux policy the files should have following labels:
# matchpathcon /etc/sysconfig/iptables
/etc/sysconfig/iptables	system_u:object_r:system_conf_t:s0
# matchpathcon /etc/sysconfig/iptables-config
/etc/sysconfig/iptables-config	system_u:object_r:system_conf_t:s0
#

Comment 6 Adam Miller 2013-11-15 13:16:08 EST

This appears to be a flaw in the way we're constructing our internal development environments. I've submitted a pull request to fix this.

https://github.com/openshift/li/pull/2163

Closing, NOTABUG.

Note You need to log in before you can comment on or make changes to this bug.