1291243 – Allow {ip|ip6|eb}tables-restore to use read and getattr on files in (/var)/run/firewalld

Bug 1291243 - Allow {ip|ip6|eb}tables-restore to use read and getattr on files in (/var)/run/firewalld

Summary: Allow {ip|ip6|eb}tables-restore to use read and getattr on files in (/var)/ru...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	23
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Lukas Vrabec
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1304723 1332123
TreeView+	depends on / blocked

Reported:	2015-12-14 11:57 UTC by Thomas Woerner
Modified:	2016-05-02 09:51 UTC (History)
CC List:	5 users (show)
Fixed In Version:	selinux-policy-3.13.1-158.fc23
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	1304723 (view as bug list)
Environment:
Last Closed:	2015-12-22 22:03:44 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Thomas Woerner 2015-12-14 11:57:16 UTC

Description of problem:
For an enhancement of firewalld it is needed to be able to use the {ip|ip6|eb}tables-restore commands with temporary files that are passed to the restore commands on stdin.
firewalld will create the directory /run/firewalld at startup and will create the temporary files in there.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-155.fc23

Here are the AVC messages:

ype=AVC msg=audit(1450092486.349:70144): avc:  denied  { read } for  pid=17865 comm="iptables-restor" path="/run/firewalld/temp.gciaj0pn" dev="tmpfs" ino=1078786 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:firewalld_var_run_t:s0 tclass=file permissive=1


type=SYSCALL msg=audit(1450092486.349:70144): arch=x86_64 syscall=execve success=yes exit=0 a0=7f3310f82520 a1=55bb740c6b60 a2=55bb73ccdd00 a3=1 items=0 ppid=17787 pid=17865 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=iptables-restor exe=/usr/sbin/xtables-multi subj=system_u:system_r:iptables_t:s0 key=(null)

Hash: iptables-restor,iptables_t,firewalld_var_run_t,file,read



type=AVC msg=audit(1450092486.350:70145): avc:  denied  { getattr } for  pid=17865 comm="iptables-restor" path="/run/firewalld/temp.gciaj0pn" dev="tmpfs" ino=1078786 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:firewalld_var_run_t:s0 tclass=file permissive=1


type=SYSCALL msg=audit(1450092486.350:70145): arch=x86_64 syscall=fstat success=yes exit=0 a0=0 a1=7fffa63c6300 a2=7fffa63c6300 a3=7fde21bbc700 items=0 ppid=17787 pid=17865 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=iptables-restor exe=/usr/sbin/xtables-multi subj=system_u:system_r:iptables_t:s0 key=(null)

Hash: iptables-restor,iptables_t,firewalld_var_run_t,file,getattr



Please also add these for F-22 and rawhide.

On F-22 I had to allow firewalld to create the directory in (/var)/run:

allow firewalld_t var_run_t:dir create;

Comment 1 Lukas Vrabec 2015-12-14 12:16:32 UTC

commit 872c7b4c77ca92788eb0f097a82c73c921469ef7
Author: Lukas Vrabec <lvrabec>
Date:   Mon Dec 14 13:06:06 2015 +0100

    Add interface firewalld_read_pid_files()

commit 132fbc10ee97fa1a9d3838842fadf6e5e842f856
Author: Lukas Vrabec <lvrabec>
Date:   Mon Dec 14 13:07:21 2015 +0100

    Allow iptables to read firewalld pid files. BZ(1291243)

Comment 2 Lukas Vrabec 2015-12-14 12:30:21 UTC

commit 44a47e0c0d2e9e365a5750539e817a061c7c248c
Author: Lukas Vrabec <lvrabec>
Date:   Mon Dec 14 13:27:19 2015 +0100

    Allow firewalld to create firewalld_var_run_t directory. BZ(1291243)

Comment 3 Fedora Update System 2015-12-16 11:06:35 UTC

selinux-policy-3.13.1-158.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-eb32da49ac

Comment 4 Fedora Update System 2015-12-17 10:29:02 UTC

selinux-policy-3.13.1-158.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-eb32da49ac

Comment 5 Fedora Update System 2015-12-22 22:03:35 UTC

selinux-policy-3.13.1-158.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.