Bug 1406860 - restorecon location in /usr/libexec/iptables/iptables.init is assumed incorrectly
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: iptables
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Phil Sutter
QA Contact: Tomas Dolezal
Depends On:
Blocks: 1472751 1489118
Reported: 2016-12-21 11:45 EST by Andrew Tumelty
Modified: 2018-04-10 07:28 EDT
CC List: 8 users

See Also:
Fixed In Version: iptables-1.4.21-22.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1246380
Clones: 1489118
Environment:
Last Closed: 2018-04-10 07:28:02 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

External Trackers
Tracker: Red Hat Product Errata RHEA-2018:0715 | Priority: normal | Status: SHIPPED_LIVE | Summary: iptables bug fix and enhancement update | Last Updated: 2018-04-10 12:09:27 EDT

Description Andrew Tumelty 2016-12-21 11:45:46 EST
As part of Bug #1246380, a check was introduced to ensure restorecon was available. The check that has been introduced assumes restorecon is available at /bin/restorecon. See lines 32-33 of /usr/libexec/iptables/iptables.init:

RESTORECON=/bin/restorecon
[ ! -x "$RESTORECON" ] && RESTORECON=/bin/true

This means for systems with restorecon at a different location (such as /sbin/restorecon), restorecon is never run against stored iptables data, resulting in an error when starting iptables if data had previously been stored with an incorrect context: "iptables: Applying firewall rules: Can't open /etc/sysconfig/iptables: Permission denied"

This was introduced in iptables-services-1.4.21-17.el7.x86_64:

# rpm -q iptables-services
iptables-services-1.4.21-17.el7.x86_64
Comment 3 Phil Sutter 2017-09-06 13:52:32 EDT
OK, so my proposed solution is to use which:

RESTORECON=$(which restorecon)

This works fine, but only after adjusting SELinux policies. After loading the following module into the kernel, everything works fine:

module iptables.init_restorecon 1.0;

require {
	type setfiles_exec_t;
	type iptables_t;
	class file { execute getattr };
}

#============= iptables_t ==============
allow iptables_t setfiles_exec_t:file { execute getattr };
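The lookup proposed in Comment 3, carried through as an added shell example (not code from the iptables package or from the commenter): it puts the hard-coded check from the description beside a PATH-based one and shows a caller that reports the /bin/true fallback instead of skipping silently. The function names, the extra candidate directories and the temporary fake restorecon are constructed for the demonstration; the SELinux module above is what lets the iptables_t domain actually execute whichever path is found.

```sh
#!/bin/sh
# Added example (not part of the iptables package): a PATH-aware restorecon
# lookup beside the hard-coded check quoted in the report.

# The check as shipped: one fixed path, silently replaced by /bin/true when
# it is not executable. The path is an argument here only so the behaviour
# can be exercised without touching /bin.
legacy_restorecon() {
    RESTORECON=${1:-/bin/restorecon}
    [ ! -x "$RESTORECON" ] && RESTORECON=/bin/true
    printf '%s\n' "$RESTORECON"
}

# Comment 3's approach: consult PATH (command -v is the POSIX equivalent of
# which), then the usual install directories, and only then fall back to
# /bin/true, returning non-zero so the caller can notice the fallback.
find_restorecon() {
    if command -v restorecon >/dev/null 2>&1; then
        command -v restorecon
        return 0
    fi
    for candidate in /sbin/restorecon /usr/sbin/restorecon /bin/restorecon /usr/bin/restorecon; do
        if [ -x "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    printf '%s\n' /bin/true
    return 1
}

# Relabel a saved rules file (the /etc/sysconfig/iptables case) and say so
# when the /bin/true fallback was used, instead of skipping silently.
relabel_saved_rules() {
    rc=$(find_restorecon) || echo "warning: restorecon not found, $1 not relabelled" >&2
    "$rc" "$1"
}

# Stand-alone demonstration with a constructed restorecon living under sbin.
main() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/sbin"
    printf '#!/bin/sh\nexit 0\n' > "$tmp/sbin/restorecon"
    chmod +x "$tmp/sbin/restorecon"
    echo "hard-coded /bin check picks: $(legacy_restorecon "$tmp/bin/restorecon")"
    echo "PATH lookup picks: $(PATH="$tmp/sbin:$PATH"; find_restorecon)"
    rm -rf "$tmp"
}
main "$@"
```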
Comment 8 errata-xmlrpc 2018-04-10 07:28:02 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0715
