Bug 1291243 - Allow {ip|ip6|eb}tables-restore to use read and getattr on files in (/var)/run/firewalld
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 23
Assigned To: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Blocks: 1332123 1304723
Reported: 2015-12-14 06:57 EST by Thomas Woerner
Modified: 2016-05-02 05:51 EDT
Fixed In Version: selinux-policy-3.13.1-158.fc23
Doc Type: Bug Fix
Clones: 1304723
Last Closed: 2015-12-22 17:03:44 EST
Type: Bug
Description Thomas Woerner 2015-12-14 06:57:16 EST
Description of problem:
For an enhancement of firewalld, it is necessary to be able to use the {ip|ip6|eb}tables-restore commands with temporary files that are passed to the restore commands on stdin.
firewalld will create the directory /run/firewalld at startup and will create the temporary files in there.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-155.fc23

Here are the AVC messages:

type=AVC msg=audit(1450092486.349:70144): avc:  denied  { read } for  pid=17865 comm="iptables-restor" path="/run/firewalld/temp.gciaj0pn" dev="tmpfs" ino=1078786 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:firewalld_var_run_t:s0 tclass=file permissive=1

type=SYSCALL msg=audit(1450092486.349:70144): arch=x86_64 syscall=execve success=yes exit=0 a0=7f3310f82520 a1=55bb740c6b60 a2=55bb73ccdd00 a3=1 items=0 ppid=17787 pid=17865 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=iptables-restor exe=/usr/sbin/xtables-multi subj=system_u:system_r:iptables_t:s0 key=(null)

Hash: iptables-restor,iptables_t,firewalld_var_run_t,file,read

type=AVC msg=audit(1450092486.350:70145): avc:  denied  { getattr } for  pid=17865 comm="iptables-restor" path="/run/firewalld/temp.gciaj0pn" dev="tmpfs" ino=1078786 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:firewalld_var_run_t:s0 tclass=file permissive=1

type=SYSCALL msg=audit(1450092486.350:70145): arch=x86_64 syscall=fstat success=yes exit=0 a0=0 a1=7fffa63c6300 a2=7fffa63c6300 a3=7fde21bbc700 items=0 ppid=17787 pid=17865 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=iptables-restor exe=/usr/sbin/xtables-multi subj=system_u:system_r:iptables_t:s0 key=(null)

Hash: iptables-restor,iptables_t,firewalld_var_run_t,file,getattr

Please also add these for F-22 and rawhide.

On F-22 I had to allow firewalld to create the directory in (/var)/run:

allow firewalld_t var_run_t:dir create;
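To show how the AVC records in this report translate into the narrow rule the fix needs (rather than a broad grant), here is an added example, not part of the bug report or of the selinux-policy package: a minimal audit2allow-style parser that groups the denied permissions per (source domain, target type, object class) and emits one allow rule per triple. The log text is a constructed copy of the two denials quoted above; the SYSCALL record is included only to show that it is skipped.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC denials quoted in this bug, plus one SYSCALL
# record (no denial) that the parser must ignore. Note permissive=1: the
# access was logged but still allowed, which is why the test run succeeded.
AUDIT_LOG = """\
type=AVC msg=audit(1450092486.349:70144): avc:  denied  { read } for  pid=17865 comm="iptables-restor" path="/run/firewalld/temp.gciaj0pn" dev="tmpfs" ino=1078786 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:firewalld_var_run_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1450092486.349:70144): arch=x86_64 syscall=execve success=yes exit=0 comm=iptables-restor subj=system_u:system_r:iptables_t:s0
type=AVC msg=audit(1450092486.350:70145): avc:  denied  { getattr } for  pid=17865 comm="iptables-restor" path="/run/firewalld/temp.gciaj0pn" dev="tmpfs" ino=1078786 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:firewalld_var_run_t:s0 tclass=file permissive=1
"""

# Pull the permission set, source domain, target type and object class out
# of an AVC record. Contexts look like user:role:type:level; only the type
# field matters for a type-enforcement allow rule.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?'
    r'scontext=\w+:\w+:(?P<sdom>\w+):\S+ '
    r'tcontext=\w+:\w+:(?P<ttype>\w+):\S+ '
    r'tclass=(?P<tclass>\w+)'
)

def parse_avc_denials(log):
    """Map (source domain, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH, CWD and similar records carry no denial
        key = (m.group('sdom'), m.group('ttype'), m.group('tclass'))
        denials[key].update(m.group('perms').split())
    return dict(denials)

def allow_rules(denials):
    """Render one minimal allow rule per triple, in the form a .te module uses."""
    rules = []
    for (sdom, ttype, tclass), perms in sorted(denials.items()):
        perm_str = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_str = '{ ' + perm_str + ' }'
        rules.append(f'allow {sdom} {ttype}:{tclass} {perm_str};')
    return rules

if __name__ == '__main__':
    for rule in allow_rules(parse_avc_denials(AUDIT_LOG)):
        print(rule)  # prints: allow iptables_t firewalld_var_run_t:file { getattr read };
```

The generated rule grants only what the two denials show (read and getattr on firewalld_var_run_t files), which is the scope the upstream interface firewalld_read_pid_files() covers; a rule written against var_run_t instead would reach every runtime file under /run.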
Comment 1 Lukas Vrabec 2015-12-14 07:16:32 EST
commit 872c7b4c77ca92788eb0f097a82c73c921469ef7
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Mon Dec 14 13:06:06 2015 +0100

    Add interface firewalld_read_pid_files()

commit 132fbc10ee97fa1a9d3838842fadf6e5e842f856
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Mon Dec 14 13:07:21 2015 +0100

    Allow iptables to read firewalld pid files. BZ(1291243)
Comment 2 Lukas Vrabec 2015-12-14 07:30:21 EST
commit 44a47e0c0d2e9e365a5750539e817a061c7c248c
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Mon Dec 14 13:27:19 2015 +0100

    Allow firewalld to create firewalld_var_run_t directory. BZ(1291243)
Comment 3 Fedora Update System 2015-12-16 06:06:35 EST
selinux-policy-3.13.1-158.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-eb32da49ac
Comment 4 Fedora Update System 2015-12-17 05:29:02 EST
selinux-policy-3.13.1-158.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-eb32da49ac
Comment 5 Fedora Update System 2015-12-22 17:03:35 EST
selinux-policy-3.13.1-158.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
