Description of problem:
Shorewall fails to start due to SELinux.

Version-Release number of selected component (if applicable):

How reproducible:
Every time. Normal startup.

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
As delivered, Shorewall had the wrong chkconfig priority parameters that caused it to attempt to start before the NICs were up. Filed bug # 505444. I fixed that first issue via

chkconfig --level 35 shorewall resetpriorities

after editing the chkconfig line manually. These bugs are loosely connected because only after fixing the first bug does the second one show up. Rebooting then fails on this issue:

SELinux denied access requested by .start. It is not expected that this access is required by .start and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:

Source Context                system_u:system_r:shorewall_t:s0
Target Context                system_u:system_r:shorewall_t:s0
Target Objects                None [ process ]
Source                        .start
Source Path                   /bin/bash
Port                          <Unknown>
Host                          billlaptop.private.ycc
Source RPM Packages           bash-4.0-6.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.6.12-39.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     billlaptop.private.ycc
Platform                      Linux billlaptop.private.ycc 2.6.29.4-167.fc11.x86_64 #1 SMP Wed May 27 17:27:08 EDT 2009 x86_64 x86_64
Alert Count                   2
First Seen                    Thu Jun 11 15:25:56 2009
Last Seen                     Thu Jun 11 16:00:01 2009
Local ID                      419e9fe2-eb85-4112-8ebc-4bde2457f12b
Line Numbers

Raw Audit Messages

node=billlaptop.private.ycc type=AVC msg=audit(1244757601.842:5): avc: denied { signal } for pid=2081 comm=".start" scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:system_r:shorewall_t:s0 tclass=process

node=billlaptop.private.ycc type=SYSCALL msg=audit(1244757601.842:5): arch=c000003e syscall=62 success=no exit=1938472920 a0=821 a1=f a2=0 a3=821 items=0 ppid=1658 pid=2081 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=".start" exe="/bin/bash" subj=system_u:system_r:shorewall_t:s0 key=(null)
Failed to mention that Shorewall starts fine via service shorewall start after the initial boot sequence finishes and you're able to login and enter that command manually.
Fixed in selinux-policy-3.6.12-50.fc11.src.rpm

You can allow this for now by executing

# grep shorewall /var/log/audit/audit.log | audit2allow -M myshorewall
# semodule -i myshorewall.pp