Bug 546604 - MLS policy: iptables service does not start
Summary: MLS policy: iptables service does not start
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.4
Hardware: All
OS: Linux
low
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-12-11 12:03 UTC by Eduard Benes
Modified: 2012-10-16 08:12 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-03-30 07:50:40 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2010:0182 0 normal SHIPPED_LIVE selinux-policy bug fix update 2010-03-29 12:19:53 UTC

Description Eduard Benes 2009-12-11 12:03:19 UTC
Unable to start iptables service and it is not running after system boot.
The problem seems to that following allows are missing:

#============= initrc_t ==============
allow initrc_t audisp_var_run_t:sock_file write;
allow initrc_t iptables_conf_t:file read;


After boot into MLS following AVC denials related to iptables were found in /var/log/messages:

Dec 11 11:12:00 dhcp-lab-232 kernel: type=1400 audit(1260526301.524:6): avc:  denied  { read } for  pid=1261 comm="modinfo" name="speedstep-centrino.ko" dev=dm-0 ino=1212490 scontext=system_u:system
_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
Dec 11 11:12:00 dhcp-lab-232 kernel: type=1300 audit(1260526301.524:6): arch=40000003 syscall=5 success=no exit=-13 a0=84a5008 a1=0 a2=1b6 a3=84ab710 items=0 ppid=1260 pid=1261 auid=4294967295 uid=0
 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modinfo" exe="/sbin/modinfo" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
Dec 11 11:12:00 dhcp-lab-232 kernel: type=1400 audit(1260526302.008:8): avc:  denied  { read } for  pid=1263 comm="S08ip6tables" name="ip6tables-config" dev=dm-0 ino=426121 scontext=system_u:system_
r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:iptables_conf_t:s0 tclass=file
Dec 11 11:12:00 dhcp-lab-232 kernel: type=1300 audit(1260526302.008:8): arch=40000003 syscall=5 success=no exit=-13 a0=992d090 a1=8000 a2=0 a3=8000 items=0 ppid=1127 pid=1263 auid=4294967295 uid=0 g
id=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="S08ip6tables" exe="/bin/bash" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
Dec 11 11:12:00 dhcp-lab-232 kernel: type=1400 audit(1260526302.302:9): avc:  denied  { read } for  pid=1276 comm="S08iptables" name="iptables-config" dev=dm-0 ino=427981 scontext=system_u:system_r:
initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:iptables_conf_t:s0 tclass=file
Dec 11 11:12:00 dhcp-lab-232 kernel: type=1300 audit(1260526302.302:9): arch=40000003 syscall=33 success=no exit=-13 a0=9bc7c70 a1=4 a2=0 a3=9bc7c70 items=0 ppid=1127 pid=1276 auid=4294967295 uid=0 
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="S08iptables" exe="/bin/bash" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)


# run_init service iptables status
Authenticating root.
Password: 
/etc/init.d/iptables: line 45: /etc/sysconfig/iptables-config: Permission denied

# ausearch -m avc -ts recent -sv no | audit2allow


#============= initrc_t ==============
allow initrc_t audisp_var_run_t:sock_file write;
allow initrc_t iptables_conf_t:file read;

----
time->Fri Dec 11 12:42:00 2009
type=SYSCALL msg=audit(1260531720.597:71): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=b6f157e0 a2=17d118 a3=0 items=0 ppid=1 pid=1958 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1260531720.597:71): avc:  denied  { write } for  pid=1958 comm="setroubleshootd" name="audispd_events" dev=dm-0 ino=1116621 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:audisp_var_run_t:s15:c0.c1023 tclass=sock_file
----
time->Fri Dec 11 12:42:42 2009
type=SYSCALL msg=audit(1260531762.945:75): arch=40000003 syscall=33 success=no exit=-13 a0=8d17730 a1=4 a2=0 a3=8d17730 items=0 ppid=2650 pid=2655 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="iptables" exe="/bin/bash" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1260531762.945:75): avc:  denied  { read } for  pid=2655 comm="iptables" name="iptables-config" dev=dm-0 ino=427981 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:iptables_conf_t:s0 tclass=file
----
time->Fri Dec 11 12:42:42 2009
type=SYSCALL msg=audit(1260531762.945:76): arch=40000003 syscall=5 success=no exit=-13 a0=8d31a10 a1=8000 a2=0 a3=8000 items=0 ppid=2650 pid=2655 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="iptables" exe="/bin/bash" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1260531762.945:76): avc:  denied  { read } for  pid=2655 comm="iptables" name="iptables-config" dev=dm-0 ino=427981 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:iptables_conf_t:s0 tclass=file

# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        mls


Steps to reproduce:
1) install RHEL-5.4
2) setup MLS policy and reboot
3) # run_init service iptables status

Actual results: SELinux prevents iptables from basic functionality
Authenticating root.
Password: 
/etc/init.d/iptables: line 45: /etc/sysconfig/iptables-config: Permission denied

Expected results: iptables work correctly as in permissive mode.
Authenticating root.
Password: 
Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0           MARK match 0x9 
 ...

Comment 1 Daniel Walsh 2009-12-11 21:04:50 UTC
What process is running as initrc_t?  Nothing on an MLS machine should be running as initrc_t.

Comment 2 Miroslav Grepl 2009-12-14 13:14:45 UTC
(In reply to comment #1)
> What process is running as initrc_t?  Nothing on an MLS machine should be
> running as initrc_t.  

Dan,
this is caused by the following command:

# run_init service iptables status

Actually this is caused by the following line in the iptables initscript file:

# Load firewall configuration.
[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"

So I guess we need to add to init.te 

optional_policy(`
iptables_read_config(initrc_t)
')

Comment 3 Daniel Walsh 2009-12-15 13:19:07 UTC
Miroslav,  

Lets move to files_config_file to F12 policy,

IE add attribute configfile, then allow init script to read configfile.

interface(`files_read_config_files',`
	gen_require(`
		attribute configfile;
	')

	allow $1 configfile:dir list_dir_perms;
	read_files_pattern($1, configfile, configfile)
	read_lnk_files_pattern($1, configfile, configfile)
')

files_read_config_files(initrc_t)

Comment 4 Miroslav Grepl 2009-12-21 11:29:58 UTC
Fixed in selinux-policy-2.4.6-267.el5.noarch

Comment 8 errata-xmlrpc 2010-03-30 07:50:40 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0182.html


Note You need to log in before you can comment on or make changes to this bug.