Unable to start iptables service and it is not running after system boot. The problem seems to be that the following allows are missing:

#============= initrc_t ==============
allow initrc_t audisp_var_run_t:sock_file write;
allow initrc_t iptables_conf_t:file read;

After boot into MLS, the following AVC denials related to iptables were found in /var/log/messages:

Dec 11 11:12:00 dhcp-lab-232 kernel: type=1400 audit(1260526301.524:6): avc: denied { read } for pid=1261 comm="modinfo" name="speedstep-centrino.ko" dev=dm-0 ino=1212490 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
Dec 11 11:12:00 dhcp-lab-232 kernel: type=1300 audit(1260526301.524:6): arch=40000003 syscall=5 success=no exit=-13 a0=84a5008 a1=0 a2=1b6 a3=84ab710 items=0 ppid=1260 pid=1261 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modinfo" exe="/sbin/modinfo" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
Dec 11 11:12:00 dhcp-lab-232 kernel: type=1400 audit(1260526302.008:8): avc: denied { read } for pid=1263 comm="S08ip6tables" name="ip6tables-config" dev=dm-0 ino=426121 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:iptables_conf_t:s0 tclass=file
Dec 11 11:12:00 dhcp-lab-232 kernel: type=1300 audit(1260526302.008:8): arch=40000003 syscall=5 success=no exit=-13 a0=992d090 a1=8000 a2=0 a3=8000 items=0 ppid=1127 pid=1263 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="S08ip6tables" exe="/bin/bash" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
Dec 11 11:12:00 dhcp-lab-232 kernel: type=1400 audit(1260526302.302:9): avc: denied { read } for pid=1276 comm="S08iptables" name="iptables-config" dev=dm-0 ino=427981 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:iptables_conf_t:s0 tclass=file
Dec 11 11:12:00 dhcp-lab-232 kernel: type=1300 audit(1260526302.302:9): arch=40000003 syscall=33 success=no exit=-13 a0=9bc7c70 a1=4 a2=0 a3=9bc7c70 items=0 ppid=1127 pid=1276 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="S08iptables" exe="/bin/bash" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)

# run_init service iptables status
Authenticating root.
Password:
/etc/init.d/iptables: line 45: /etc/sysconfig/iptables-config: Permission denied

# ausearch -m avc -ts recent -sv no | audit2allow

#============= initrc_t ==============
allow initrc_t audisp_var_run_t:sock_file write;
allow initrc_t iptables_conf_t:file read;

----
time->Fri Dec 11 12:42:00 2009
type=SYSCALL msg=audit(1260531720.597:71): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=b6f157e0 a2=17d118 a3=0 items=0 ppid=1 pid=1958 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1260531720.597:71): avc: denied { write } for pid=1958 comm="setroubleshootd" name="audispd_events" dev=dm-0 ino=1116621 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:audisp_var_run_t:s15:c0.c1023 tclass=sock_file
----
time->Fri Dec 11 12:42:42 2009
type=SYSCALL msg=audit(1260531762.945:75): arch=40000003 syscall=33 success=no exit=-13 a0=8d17730 a1=4 a2=0 a3=8d17730 items=0 ppid=2650 pid=2655 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="iptables" exe="/bin/bash" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1260531762.945:75): avc: denied { read } for pid=2655 comm="iptables" name="iptables-config" dev=dm-0 ino=427981 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:iptables_conf_t:s0 tclass=file
----
time->Fri Dec 11 12:42:42 2009
type=SYSCALL msg=audit(1260531762.945:76): arch=40000003 syscall=5 success=no exit=-13 a0=8d31a10 a1=8000 a2=0 a3=8000 items=0 ppid=2650 pid=2655 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="iptables" exe="/bin/bash" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1260531762.945:76): avc: denied { read } for pid=2655 comm="iptables" name="iptables-config" dev=dm-0 ino=427981 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:iptables_conf_t:s0 tclass=file

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        mls

Steps to reproduce:
1) install RHEL-5.4
2) setup MLS policy and reboot
3) # run_init service iptables status

Actual results:
SELinux prevents iptables from basic functionality

Authenticating root.
Password:
/etc/init.d/iptables: line 45: /etc/sysconfig/iptables-config: Permission denied

Expected results:
iptables work correctly as in permissive mode.

Authenticating root.
Password:
Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0           MARK match 0x9
...
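The report's `ausearch ... | audit2allow` step turns the raw AVC records into the two allow rules quoted at the top. The script below is an added example (not part of this bug report or of selinux-policy) that does the same grouping by hand, so the reader can see what audit2allow actually extracts from a record: the source type, the target type, the object class and the permission set. The sample records are constructed in the shape of the ones quoted above so the script runs offline, and the extra `mls_suspects` check is the one thing audit2allow does not do: it flags denials where the target's MLS level differs from the process's low level, because a type-enforcement allow rule never lifts an MLS constraint.

```python
"""Turn SELinux AVC denial records into audit2allow-style allow rules.

Added example for this bug report; it is not part of the report or of
selinux-policy.  The sample records below are constructed in the shape of
the records quoted in the report so that the script runs offline.
"""
import re
from collections import defaultdict

# Constructed sample: one /var/log/messages-style record and two ausearch-style
# records, modelled on the denials quoted in the report.
SAMPLE_RECORDS = """\
Dec 11 11:12:00 dhcp-lab-232 kernel: type=1400 audit(1260526301.524:6): avc: denied { read } for pid=1261 comm="modinfo" name="speedstep-centrino.ko" dev=dm-0 ino=1212490 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
type=AVC msg=audit(1260531720.597:71): avc: denied { write } for pid=1958 comm="setroubleshootd" name="audispd_events" dev=dm-0 ino=1116621 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:audisp_var_run_t:s15:c0.c1023 tclass=sock_file
type=AVC msg=audit(1260531762.945:75): avc: denied { read } for pid=2655 comm="iptables" name="iptables-config" dev=dm-0 ino=427981 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:iptables_conf_t:s0 tclass=file
"""

# Matches both the kernel (type=1400) and the ausearch (type=AVC) spellings;
# everything between the permission set and scontext= is skipped lazily.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)


def split_context(ctx):
    """Split user:role:type[:level] into (type, level); level is '' without MLS."""
    parts = ctx.split(":")
    return parts[2], ":".join(parts[3:])


def parse_avc(text):
    """Return one dict per AVC denial found in text; other records are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        stype, srange = split_context(m.group("scontext"))
        ttype, tlevel = split_context(m.group("tcontext"))
        denials.append({
            "perms": set(m.group("perms").split()),
            "stype": stype, "srange": srange,
            "ttype": ttype, "tlevel": tlevel,
            "tclass": m.group("tclass"),
        })
    return denials


def allow_rules(denials):
    """Group permissions per (source type, target type, class), as audit2allow does."""
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        perm_text = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_text = "{ " + perm_text + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_text};")
    return rules


def mls_suspects(denials):
    """Denials whose target level is not the source process's low level.

    audit2allow only emits type-enforcement rules.  Under MLS the same AVC
    can also come from an MLS constraint, which an allow rule does not lift,
    so these deserve a second look (is the object's level right, is the
    process range right) before the rule is shipped.
    """
    out = []
    for d in denials:
        low = d["srange"].split("-")[0]
        if d["tlevel"] and d["tlevel"] != low:
            out.append((d["stype"], d["srange"], d["ttype"], d["tlevel"], d["tclass"]))
    return out


if __name__ == "__main__":
    found = parse_avc(SAMPLE_RECORDS)
    for rule in allow_rules(found):
        print(rule)
    for s in mls_suspects(found):
        print("MLS check:", s)
```

Run on real data with `ausearch -m avc -ts recent -sv no | python3 avc2allow.py` after replacing `SAMPLE_RECORDS` with `sys.stdin.read()`; the generated rules are a starting point for a local module, not a substitute for the proper interface, which is why the thread below ends up adding a policy interface rather than the literal allow lines.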
What process is running as initrc_t? Nothing on an MLS machine should be running as initrc_t.
(In reply to comment #1)
> What process is running as initrc_t? Nothing on an MLS machine should be
> running as initrc_t.

Dan, this is caused by the following command:

# run_init service iptables status

Actually this is caused by the following line in the iptables initscript file:

# Load firewall configuration.
[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"

So I guess we need to add to init.te

optional_policy(`
	iptables_read_config(initrc_t)
')
Miroslav,

Let's move files_config_file to the F12 policy, i.e. add the attribute configfile, then allow the init script to read configfile.

interface(`files_read_config_files',`
	gen_require(`
		attribute configfile;
	')

	allow $1 configfile:dir list_dir_perms;
	read_files_pattern($1, configfile, configfile)
	read_lnk_files_pattern($1, configfile, configfile)
')

files_read_config_files(initrc_t)
Fixed in selinux-policy-2.4.6-267.el5.noarch
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0182.html