Bug 495370 - iptables-save refuses to redirect output to a file
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
x86_64 Linux
low Severity medium
Assigned To: Miroslav Grepl
Ben Levenson
Reported: 2009-04-12 08:50 EDT by Joel Uckelman
Modified: 2009-06-22 04:36 EDT
Doc Type: Bug Fix
Last Closed: 2009-06-22 04:36:15 EDT

Description Joel Uckelman 2009-04-12 08:50:28 EDT
Description of problem:

This is awfully weird. iptables-save will, as expected, dump the current firewall rules to stdout. However, I get an empty file when I try to redirect that output to a file. I'm doing this as root, I'm not overwriting an existing file, and the filesystem is not full.

If I pipe the output of iptables-save through cat first, the result makes it to the file:

[root@test sysconfig]# iptables-save | cat >foo

This happens on both of my 64-bit F10 systems, but not on my 32-bit systems.

Version-Release number of selected component (if applicable):


How reproducible:

Always, on 64-bit systems.

Steps to Reproduce:
1. iptables-save
2. iptables-save >foo

Actual results:

foo is an empty file, instead of containing the output of iptables-save

Expected results:

foo should contain the output you'd get from running iptables-save
Comment 1 Thomas Woerner 2009-04-14 05:20:08 EDT
This is a SELinux problem. Assigning to selinux-policy-targeted.
Comment 2 Daniel Walsh 2009-04-14 10:56:47 EDT
Miroslav, I think we should not label iptables-save as iptables_exec_t

Change iptables.fc to look like

/sbin/ip6?tables		--	gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ip6?tables-restore 	--	gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ip6?tables-multi 	--	gen_context(system_u:object_r:iptables_exec_t,s0)

Joel, running

chcon -t bin_t /sbin/iptables-save

should fix the problem.
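
To see which binaries the three entries proposed in comment 2 would still label iptables_exec_t, this added example (not part of the bug thread or of the selinux-policy sources) resolves paths against them with whole-path matching. BROAD_FC is a constructed stand-in for a wider pattern, and the last-match-wins rule and the bin_t fallback are simplifying assumptions.

```python
import re

# Entries proposed in comment 2 for iptables.fc (whitespace normalized).
PROPOSED_FC = """
/sbin/ip6?tables          --  gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ip6?tables-restore  --  gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ip6?tables-multi    --  gen_context(system_u:object_r:iptables_exec_t,s0)
"""

# Constructed stand-in for a broader entry; NOT taken from the page
# or from any real policy version.
BROAD_FC = """
/sbin/ip6?tables.*        --  gen_context(system_u:object_r:iptables_exec_t,s0)
"""

# <path regex> [<file type flag>] gen_context(<user:role:type>,<level>)
FC_LINE = re.compile(r"(\S+)\s+(?:-[-dbclsp]\s+)?gen_context\(([^,]+),([^)]+)\)")


def parse_fc(text):
    """Parse .fc source lines into (compiled path regex, SELinux type) pairs."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.fullmatch(line)
        if m is None:
            raise ValueError(f"unparseable fc line: {line!r}")
        path_regex, context, _level = m.groups()
        entries.append((re.compile(path_regex), context.split(":")[2]))
    return entries


def label_for(path, entries, default="bin_t"):
    """Type assigned to path. File-context regexes must match the whole path,
    hence fullmatch. Assumptions: the last matching entry wins, and unmatched
    paths get `default` (bin_t, the type comment 2 suggests for chcon)."""
    setype = default
    for regex, candidate in entries:
        if regex.fullmatch(path):
            setype = candidate
    return setype


def entrypoints(paths, fc_text):
    """Paths that would carry iptables_exec_t under the given entries."""
    entries = parse_fc(fc_text)
    return [p for p in paths if label_for(p, entries) == "iptables_exec_t"]


BINARIES = ["/sbin/iptables", "/sbin/iptables-save", "/sbin/iptables-restore",
            "/sbin/ip6tables-save", "/sbin/iptables-multi"]
print("broad   :", entrypoints(BINARIES, BROAD_FC))
print("proposed:", entrypoints(BINARIES, PROPOSED_FC))
```
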
Comment 3 Miroslav Grepl 2009-04-14 12:50:04 EDT
Fixed in selinux-policy-3.5.13-56.fc10
Comment 4 Joel Uckelman 2009-06-21 07:26:14 EDT
I've verified that this is fixed in selinux-policy-3.5.13-61.fc10, and also in selinux-policy-3.6.12-50.fc11.

Comment 5 Miroslav Grepl 2009-06-22 04:36:15 EDT
Thanks for confirmation
