Bug 248835 - SELinux is preventing /sbin/ip6tables-restore (iptables_t) "create" to (iptables_t).
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
Version: 5.0
Hardware: i686
OS: Linux
Priority: low
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Daniel Walsh
Depends On:
Blocks:
Reported: 2007-07-18 23:16 EDT by dave peck
Modified: 2008-04-08 16:17 EDT (History)

See Also:
Fixed In Version: U1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-04-08 16:17:41 EDT
Attachments: None
Description dave peck 2007-07-18 23:16:50 EDT
Description of problem:

SELinux is preventing /sbin/ip6tables-restore (iptables_t) "name_connect" to
(ldap_port_t).


I am getting these sets of errors, with the following additional information from
the SEtroubleshooter, upon each IPL (system restart); albeit infrequent, the delay
is quite long.

-- first error set:

  Source Context:  user_u:system_r:iptables_t
  Target Context:  user_u:system_r:iptables_t
  Target Objects:  None [ netlink_route_socket ]
  Affected RPM Packages:  iptables-ipv6-1.3.5-1.2.1 [application]
  Policy RPM:  selinux-policy-2.4.6-30.el5
  Selinux Enabled:  True
  Policy Type:  targeted
  MLS Enabled:  True
  Enforcing Mode:  Enforcing
  Plugin Name:  plugins.catchall
  Host Name:  xuxa
  Platform:  Linux xuxa 2.6.18-8.1.8.el5 #1 SMP Mon Jun 25 17:06:19 EDT 2007
i686 i686
  Alert Count:  28
  Line Numbers:   
  Raw Audit Messages :
avc: denied { create } for comm="ip6tables-resto" egid=0 euid=0
exe="/sbin/ip6tables-restore" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=4000
scontext=user_u:system_r:iptables_t:s0 sgid=0 subj=user_u:system_r:iptables_t:s0
suid=0 tclass=netlink_route_socket tcontext=user_u:system_r:iptables_t:s0
tty=(none) uid=0 

-- second error set:

    Context:  system_u:object_r:ldap_port_t
    Target Objects:  None [ tcp_socket ] 
    Affected RPM Packages:  iptables-ipv6-1.3.5-1.2.1 [application]
    Policy RPM:  selinux-policy-2.4.6-30.el5
    Selinux Enabled:  True
    Policy Type:  targeted
    MLS Enabled:  True
    Enforcing Mode:  Enforcing
    Plugin Name:  plugins.catchall
    Host Name:  xuxa
    Platform:  Linux xuxa 2.6.18-8.1.8.el5 #1 SMP Mon Jun 25 17:06:19 EDT 2007
i686 i686
    Alert Count:  14
    Line Numbers:
    Raw Audit Messages :
avc: denied { name_connect } for comm="ip6tables-resto" dest=389 egid=0 euid=0
exe="/sbin/ip6tables-restore" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=3809
scontext=user_u:system_r:iptables_t:s0 sgid=0 subj=user_u:system_r:iptables_t:s0
suid=0 tclass=tcp_socket tcontext=system_u:object_r:ldap_port_t:s0 tty=(none) uid=0 

Version-Release number of selected component (if applicable):

[peckd@xuxa ~]$ rpm -qa | grep selinux
libselinux-devel-1.33.4-2.el5
libselinux-1.33.4-2.el5
selinux-policy-2.4.6-30.el5
selinux-policy-targeted-2.4.6-30.el5
selinux-policy-devel-2.4.6-30.el5
libselinux-python-1.33.4-2.el5
[peckd@xuxa ~]$

[peckd@xuxa ~]$ rpm -qa | grep iptables
iptables-ipv6-1.3.5-1.2.1
iptables-1.3.5-1.2.1
[peckd@xuxa ~]$ 

[peckd@xuxa ~]$ rpm -qa | grep ldap
ldapjdk-4.17-1jpp.7
nss_ldap-253-3
compat-openldap-2.3.27_2.2.29-5
openldap-servers-2.3.27-5
openldap-devel-2.3.27-5
openldap-clients-2.3.27-5
php-ldap-5.1.6-12.el5
openldap-2.3.27-5
python-ldap-2.2.0-2.1
[peckd@xuxa ~]$


How reproducible:

Restart the ip6tables service, or attempt to IPL the system.

Steps to Reproduce:
1. Issue "service ip6tables restart" from the command prompt as root.
Actual results:

Takes a really long time to complete with errors logged by SELinux blocking
access...

Expected results:

Fairly snappy start-up and service reload... with SELinux not blocking access or
logging errors.

Additional info:

I'm tempted to simply shut ip6tables down (disable the service)... and will
probably do so to avoid this delay; but figured I should at least report the
anomaly I am seeing and perhaps find a less drastic solution.
Comment 1 dave peck 2007-07-18 23:21:51 EDT
This is the 'Summary' line being logged for the first set of SELinux errors:

"SELinux is preventing /sbin/ip6tables-restore (iptables_t) "create" to
(iptables_t)."


Thanks again,

    ==> dave
Comment 2 Daniel Walsh 2007-07-19 09:17:53 EDT
Looks like ipv6 is looking up a UID or username and this is using nsswitch to
connect to an ldap server.  Current policy does not allow this.

You can add these rules using audit2allow

setenforce 0
# Test iptables
grep iptabl /var/log/audit/audit.log | audit2allow -M myiptables
semodule -i myiptables.pp
setenforce 1
# Test iptables

The fix will be in selinux-policy-2.4.6-80
but might not make u1.
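The audit2allow step above turns the raw AVC lines into a local policy module. As an added illustration (not part of this bug report or of the selinux-policy package), the POSIX shell function below does the same translation for the two denials quoted in the description, so the rules can be read before anything is loaded with semodule. The sample log lines are the two "Raw Audit Messages" from the report, embedded here as constructed input on one line each; the function name avc_to_te and the draft-rule output are assumptions of this example, written to mirror the allow-rule form that audit2allow emits (scontext type equal to tcontext type is written as self).

```shell
#!/bin/sh
# Constructed sample input: the two raw AVC denials quoted in this bug, one per line.
AVC_SAMPLE='avc: denied { create } for comm="ip6tables-resto" egid=0 euid=0 exe="/sbin/ip6tables-restore" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=4000 scontext=user_u:system_r:iptables_t:s0 sgid=0 subj=user_u:system_r:iptables_t:s0 suid=0 tclass=netlink_route_socket tcontext=user_u:system_r:iptables_t:s0 tty=(none) uid=0
avc: denied { name_connect } for comm="ip6tables-resto" dest=389 egid=0 euid=0 exe="/sbin/ip6tables-restore" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=3809 scontext=user_u:system_r:iptables_t:s0 sgid=0 subj=user_u:system_r:iptables_t:s0 suid=0 tclass=tcp_socket tcontext=system_u:object_r:ldap_port_t:s0 tty=(none) uid=0'

# avc_to_te (hypothetical helper): read AVC denial lines on stdin and print one
# draft type-enforcement allow rule per distinct (source type, target type,
# class, permission) tuple, in the same form audit2allow would emit.
avc_to_te() {
    awk '
    /avc: *denied/ {
        perm = ""; src = ""; tgt = ""; cls = ""
        # the permission set sits between "{" and "}"
        if (match($0, /[{][^}]*[}]/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
        }
        # pick the key=value fields we need; a context is user:role:type:level
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") src = kv[2]
            else if (kv[1] == "tcontext") tgt = kv[2]
            else if (kv[1] == "tclass") cls = kv[2]
        }
        split(src, s, ":"); split(tgt, t, ":")
        srct = s[3]; tgtt = t[3]
        # a subject acting on an object of its own type is written as "self"
        if (srct == tgtt) tgtt = "self"
        if (perm != "" && srct != "" && cls != "")
            print "allow " srct " " tgtt ":" cls " " perm ";"
    }' | sort -u
}

# Stand-alone run: print the draft rules for the two denials from the report.
printf '%s\n' "$AVC_SAMPLE" | avc_to_te
```

Run against the sample, the function prints `allow iptables_t ldap_port_t:tcp_socket name_connect;` and `allow iptables_t self:netlink_route_socket create;`. Reading the rules this way before running `semodule -i` is the check worth keeping: the second rule only lets ip6tables-restore create its own netlink socket, while the first lets the iptables_t domain reach port 389, which is exactly the nsswitch-to-LDAP path Dan describes; both are narrow, and a local module is a stopgap until the policy package carrying the fix lands.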
Comment 3 dave peck 2007-07-19 20:41:10 EDT
Hi,

Perfect; and you were exactly correct. Once I'd applied the fix, and ip6tables
was no longer blocked and happy again, I checked the slapd log and found the
following message:

Jul 19 18:25:13 vixen slapd[4728]: conn=103 fd=20 ACCEPT from
IP=172.28.149.9:49197 (IP=0.0.0.0:389) 
Jul 19 18:25:13 vixen slapd[4728]: conn=103 op=0 STARTTLS 
Jul 19 18:25:13 vixen slapd[4728]: conn=103 op=0 RESULT oid= err=0 text= 
Jul 19 18:25:13 vixen slapd[4728]: conn=103 fd=20 TLS established tls_ssf=256
ssf=256 
Jul 19 18:25:13 vixen slapd[4728]: conn=103 op=1 BIND dn="" method=128 
Jul 19 18:25:13 vixen slapd[4728]: conn=103 op=1 RESULT tag=97 err=0 text= 
Jul 19 18:25:13 vixen slapd[4728]: conn=103 op=2 SRCH
base="dc=problematic,dc=us" scope=2 deref=0
filter="(&(objectClass=ipProtocol)(cn=icmpv6))" 
Jul 19 18:25:13 vixen slapd[4728]: conn=103 op=2 SRCH attr=cn ipProtocolNumber 
Jul 19 18:25:13 vixen slapd[4728]: conn=103 op=2 SEARCH RESULT tag=101 err=0
nentries=0 text= 
Jul 19 18:25:13 vixen slapd[4728]: conn=103 fd=20 closed (connection lost) 

It would appear that it is actually looking up an ipProtocolNumber... how odd.

In any event, I really appreciate you taking the time to look at this and coming
up with a fix so quickly.

Thanks again,

    ==> dave