Description of problem:
cannot save firewall configuration via "service iptables save".

Version-Release number of selected component (if applicable):
iptables-1.3.5-5.3.el5_4.1
iptables-ipv6-1.3.5-5.3.el5_4.1
selinux-policy-mls-2.4.6-272.el5
selinux-policy-2.4.6-272.el5
selinux-policy-minimum-2.4.6-272.el5
selinux-policy-strict-2.4.6-272.el5
selinux-policy-devel-2.4.6-272.el5
selinux-policy-targeted-2.4.6-272.el5

How reproducible:
always

Steps to Reproduce:
1. install a RHEL5.5-Server-20100201.0 machine
2. switch the machine to MLS
3. log in as root via console

# id -Z
root:sysadm_r:sysadm_t:SystemLow-SystemHigh
# ls -Z /sbin/iptables*
-rwxr-xr-x  root root system_u:object_r:iptables_exec_t:SystemLow /sbin/iptables
-rwxr-xr-x  root root system_u:object_r:iptables_exec_t:SystemLow /sbin/iptables-restore
-rwxr-xr-x  root root system_u:object_r:sbin_t:SystemLow          /sbin/iptables-save
# ls -Z /etc/sysconfig/iptables*
-rw-------  root root system_u:object_r:iptables_conf_t:SystemLow /etc/sysconfig/iptables
-rw-r--r--  root root system_u:object_r:iptables_conf_t:SystemLow /etc/sysconfig/iptables-config
-rw-------  root root system_u:object_r:etc_runtime_t:SystemLow   /etc/sysconfig/iptables.save
# service iptables save
Saving firewall rules to /etc/sysconfig/iptables: [FAILED]
# ausearch -m AVC -ts recent
----
time->Fri Feb 12 10:09:44 2010
type=SYSCALL msg=audit(1265987384.910:837): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=3 a2=ff a3=0 items=0 ppid=2811 pid=2822 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS1 ses=1 comm="iptables-save" exe="/sbin/iptables-save" subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1265987384.910:837): avc: denied { create } for pid=2822 comm="iptables-save" scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=rawip_socket
----

Actual results:
"service iptables save" fails, got an AVC

Expected results:
"service iptables save" succeeds, no AVCs
Additional info:
Unfortunately run_init does not help. The AVC is very similar.

# run_init service iptables save
Authenticating root.
Password:
Saving firewall rules to /etc/sysconfig/iptables: [FAILED]
# ausearch -m AVC -ts recent
----
time->Fri Feb 12 10:13:22 2010
type=SYSCALL msg=audit(1265987602.171:847): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=3 a2=ff a3=0 items=0 ppid=2851 pid=2863 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="iptables-save" exe="/sbin/iptables-save" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1265987602.171:847): avc: denied { create } for pid=2863 comm="iptables-save" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=rawip_socket
----
The problem is we did not have policy for iptables-save. It should be a pointer to iptables-multi, correct? And iptables-multi should be labeled iptables_exec_t? Which means iptables-save should be running under a different context.
The problem is that iptables-multi does not exist in RHEL5.5. So run_init service iptables save executes /sbin/iptables-save which has the sbin_t context.
If we label it iptables_exec_t, what happens?
Looks good. But in this case we should change the default context for /etc/sysconfig/iptables file from iptables_conf_t to etc_runtime_t. Because this file is created with etc_runtime_t context by iptables-save (we have this for /etc/sysconfig/iptables.save file) and it will not work after restorecon without this change.
I agree.
Fixed in selinux-policy-2.4.6-278.el5
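A small label check for the two files this thread settles on, added here as an example and not part of the bug report or the shipped policy: it parses RHEL5-style "ls -Z" lines, flags /sbin/iptables-save when it is not iptables_exec_t and /etc/sysconfig/iptables when it is not etc_runtime_t, and prints the semanage/restorecon pair for a local relabel. The expected types and the workaround are assumptions drawn from the comments above, not from the errata.

```sh
#!/bin/sh
# Added example, not from the bug report. Expected types are assumptions
# taken from the discussion; verify against the policy actually installed.

# expected_type PATH -> type the path should carry per the thread (empty if not covered)
expected_type() {
    case "$1" in
        /sbin/iptables-save)     echo iptables_exec_t ;;  # run as iptables domain, not sbin_t
        /etc/sysconfig/iptables) echo etc_runtime_t ;;    # matches what iptables-save creates
        *)                       echo "" ;;
    esac
}

# check_label "LS_Z_LINE" -> "ok PATH" | "mismatch PATH ACTUAL EXPECTED" | "skip PATH"
# One RHEL5 "ls -Z" line is: perms user group user:role:type:level path
check_label() {
    set -- $1
    path=$5
    actual=$(printf '%s\n' "$4" | cut -d: -f3)
    want=$(expected_type "$path")
    if [ -z "$want" ]; then
        echo "skip $path"
    elif [ "$actual" = "$want" ]; then
        echo "ok $path"
    else
        echo "mismatch $path $actual $want"
    fi
}

# fix_commands "LS_Z_LINE" -> semanage/restorecon pair for a mismatch, nothing otherwise
fix_commands() {
    set -- $(check_label "$1")
    [ "$1" = mismatch ] || return 0
    printf 'semanage fcontext -a -t %s "%s"\nrestorecon -v "%s"\n' "$4" "$2" "$2"
}

# Constructed sample input: the two lines from the report that need relabeling
for line in \
    "-rwxr-xr-x root root system_u:object_r:sbin_t:SystemLow /sbin/iptables-save" \
    "-rw------- root root system_u:object_r:iptables_conf_t:SystemLow /etc/sysconfig/iptables"
do
    check_label "$line"
    fix_commands "$line"
done
```

Run the printed commands as root and re-run "service iptables save"; a fresh ausearch should then show no rawip_socket denial for iptables-save.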
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2010-0182.html