Description of problem:
Sorry if this is filed against the wrong component. Here are the facts: Fresh current install of RHEL5 (behavior is apparent on all my RHEL5 boxes). selinux is running in enforcing mode. service iptables status does not return the usual information while in enforcing mode. There are no AVC messages or logged information that I can find related to this. After setenforce 0 the command returns the usual information. More details below.

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-30.el5, selinux-policy-targeted-2.4.6-30.el5

How reproducible: always

Steps to Reproduce:
1. selinux running in enforcing mode
2. iptables running
3. run service iptables status (or /etc/init.d/iptables status)

Actual results:
[root@osiris ~]# service iptables status
Table: filter
[root@osiris ~]#

Expected results:
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

or something similar.

Additional info:
Curiously in enforcing mode I can get the usual output if I do the following:

[root@osiris ~]# bash /etc/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
...

whereas

[root@osiris ~]# /etc/init.d/iptables status
Table: filter
[root@osiris ~]#

returns nothing.

[root@osiris ~]# ll -Z /etc/*/iptables*
-rwxr-xr-x  root root system_u:object_r:initrc_exec_t  /etc/init.d/iptables
-rw-------  root root system_u:object_r:etc_t          /etc/sysconfig/iptables
-rw-r--r--  root root system_u:object_r:etc_runtime_t  /etc/sysconfig/iptables-config
[root@osiris ~]# grep -i avc /var/log/audit/audit*
[root@osiris ~]#
I don't know if this is helpful at all but both of the following work as expected as well. # run_init /etc/init.d/iptables status and # iptables -t filter --list
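The symptom reported above is easy to misread from a monitoring script: "Table: filter" followed by nothing looks the same as a host with no firewall rules at all. The following added example (not code from the bug report or from the iptables init script) distinguishes the two cases by parsing the status output for chain headers and numbered rule lines, and offers an optional live check that compares the init script's view against what iptables itself lists, the same comparison the reporter did by hand with iptables -t filter --list. The sample outputs are constructed from the report's actual and expected results; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the bug report or the RHEL init script.
# Parses "service iptables status" style output and flags the truncated
# form seen in this report (a "Table:" header with no chains behind it).

# Constructed sample: the truncated output seen in enforcing mode.
TRUNCATED_OUTPUT='Table: filter'

# Constructed sample: an abbreviated version of the expected output.
FULL_OUTPUT='Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# count_chains OUTPUT: number of "Chain <name> (...)" header lines.
count_chains() {
    printf '%s\n' "$1" | grep -c '^Chain '
}

# count_rules OUTPUT: number of numbered rule lines (the "num" column).
count_rules() {
    printf '%s\n' "$1" | grep -c '^[0-9][0-9]* '
}

# status_looks_truncated OUTPUT: succeeds (exit 0) when a "Table:" header
# is present but not a single chain follows it. A genuinely empty filter
# table still lists INPUT, FORWARD and OUTPUT, so zero chains means the
# listing was cut off, not that the ruleset is empty.
status_looks_truncated() {
    printf '%s\n' "$1" | grep -q '^Table: ' || return 1
    [ "$(count_chains "$1")" -eq 0 ]
}

# compare_views INIT_OUTPUT IPTABLES_OUTPUT: succeeds when both listings
# report the same number of chains, i.e. the init script is showing the
# whole table rather than a truncated one.
compare_views() {
    [ "$(count_chains "$1")" -eq "$(count_chains "$2")" ]
}

# live_check: run the real commands on a RHEL5-era box (root required).
# Hypothetical helper for interactive use; the offline checks above are
# what the rest of this example exercises.
live_check() {
    mode=$(getenforce 2>/dev/null || echo unknown)
    init_view=$(service iptables status 2>/dev/null)
    ipt_view=$(iptables -t filter -L -n --line-numbers 2>/dev/null)
    if status_looks_truncated "$init_view"; then
        printf 'init script status is truncated (SELinux mode: %s)\n' "$mode"
        return 1
    fi
    compare_views "$init_view" "$ipt_view"
}

# Run the offline checks on the constructed samples.
if status_looks_truncated "$TRUNCATED_OUTPUT"; then
    echo 'sample 1: truncated status output detected'
fi
printf 'sample 2: %s chains, %s rules\n' \
    "$(count_chains "$FULL_OUTPUT")" "$(count_rules "$FULL_OUTPUT")"
```

Invoke live_check as root on a host that has the iptables init script to see the same comparison the report makes by hand; a non-zero exit means the init script's listing does not match the kernel's ruleset, which is worth checking against getenforce before assuming the firewall is unconfigured.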
Fixed in selinux-policy-2.4.6-76.el5. This is the u1 policy and is available for testing at http://people.redhat.com/dwalsh/SELinux/RHEL5
I've installed selinux-policy-2.4.6-76.el5 and this issue has been resolved, thanks.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2007-0544.html