Bug 245599 - service iptables status silently fails when selinux is enforcing
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Version: 5.0
Platform: All Linux
Priority: low  Severity: low
Assigned To: Daniel Walsh
Reported: 2007-06-25 13:17 EDT by John T. Rose
Modified: 2012-10-16 04:12 EDT
Fixed In Version: RHBA-2007-0544
Doc Type: Bug Fix
Last Closed: 2007-11-07 11:40:06 EST
Attachments: None
Description John T. Rose 2007-06-25 13:17:09 EDT
Description of problem:
Sorry if this is filed against the wrong component. Here are the facts:

Fresh current install of RHEL5 (behavior is apparent on all my RHEL5 boxes).
selinux is running in enforcing mode.

service iptables status does not return the usual information while in enforcing
mode. There are no AVC messages or logged information that I can find related to
this. After setenforce 0 the command returns the usual information.

More details below.

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-30.el5, selinux-policy-targeted-2.4.6-30.el5

How reproducible:
always

Steps to Reproduce:
1. selinux running in enforcing mode
2. iptables running
3. run service iptables status (or /etc/init.d/iptables status)
  
Actual results:
[root@osiris ~]# service iptables status
Table: filter

[root@osiris ~]#

Expected results:
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination         
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255 
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

or something similar.

Additional info:
Curiously in enforcing mode I can get the usual output if I do the following:
[root@osiris ~]# bash /etc/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
...
whereas
[root@osiris ~]# /etc/init.d/iptables status
Table: filter

[root@osiris ~]#
returns nothing.

[root@osiris ~]# ll -Z /etc/*/iptables*
-rwxr-xr-x  root root system_u:object_r:initrc_exec_t  /etc/init.d/iptables
-rw-------  root root system_u:object_r:etc_t          /etc/sysconfig/iptables
-rw-r--r--  root root system_u:object_r:etc_runtime_t  /etc/sysconfig/iptables-config

[root@osiris ~]# grep -i avc /var/log/audit/audit*
[root@osiris ~]#
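The failure above is silent: the init script prints the "Table: filter" header and then nothing, with no error and no AVC denial. The following added shell check (not part of the bug report or of the iptables init script) flags that signature, a table header with no chain listing, so a monitoring job can notice it instead of treating empty output as a clean firewall. The two sample outputs are constructed from the transcript above; on a real host the function would be fed the captured output of `service iptables status`.

```shell
#!/bin/sh
# Added example: detect a truncated `service iptables status` listing.
# Returns 0 when every "Table:" header is followed by at least one
# "Chain" line, 1 when a table header has no chains (the symptom seen
# in enforcing mode) or when no table header is present at all.
check_iptables_status() {
    printf '%s\n' "$1" | awk '
        BEGIN { bad = 0; table = ""; chains = 0 }
        /^Table:/ {
            # A previous table that listed no chains is a failure.
            if (table != "" && chains == 0) bad = 1
            table = $2; chains = 0; next
        }
        /^Chain / { chains++ }
        END {
            if (table == "") bad = 1            # no table header at all
            if (table != "" && chains == 0) bad = 1
            exit bad
        }'
}

# Constructed sample: the truncated output observed with SELinux enforcing.
TRUNCATED='Table: filter
'

# Constructed sample: a healthy listing, abbreviated from the expected output.
HEALTHY='Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
'

if check_iptables_status "$TRUNCATED"; then
    echo "truncated sample: ok"
else
    echo "truncated sample: FAIL (table header with no chains)"
fi
if check_iptables_status "$HEALTHY"; then
    echo "healthy sample: ok"
else
    echo "healthy sample: FAIL"
fi
```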
Comment 1 John T. Rose 2007-06-25 13:43:36 EDT
I don't know if this is helpful at all but both of the following work as
expected as well.

# run_init /etc/init.d/iptables status

and

# iptables -t filter --list
Comment 2 Daniel Walsh 2007-06-26 05:51:46 EDT
Fixed in selinux-policy-2.4.6-76.el5

This is the u1 policy and is available for testing at
http://people.redhat.com/dwalsh/SELinux/RHEL5
Comment 3 John T. Rose 2007-06-26 09:31:59 EDT
I've installed selinux-policy-2.4.6-76.el5 and this issue has been resolved, thanks.
Comment 5 RHEL Product and Program Management 2007-06-26 11:43:57 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 10 errata-xmlrpc 2007-11-07 11:40:06 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0544.html
