Bug 564376 - service iptables save does not work in MLS
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.5
Platform: All Linux
Priority: low   Severity: medium
Assigned To: Daniel Walsh
QA Contact: BaseOS QE Security Team
Reported: 2010-02-12 10:16 EST by Milos Malik
Modified: 2010-03-30 03:50 EDT (History)
Doc Type: Bug Fix
Last Closed: 2010-03-30 03:50:22 EDT
Description Milos Malik 2010-02-12 10:16:49 EST
Description of problem:
cannot save firewall configuration via "service iptables save".

Version-Release number of selected component (if applicable):
iptables-1.3.5-5.3.el5_4.1
iptables-ipv6-1.3.5-5.3.el5_4.1
selinux-policy-mls-2.4.6-272.el5
selinux-policy-2.4.6-272.el5
selinux-policy-minimum-2.4.6-272.el5
selinux-policy-strict-2.4.6-272.el5
selinux-policy-devel-2.4.6-272.el5
selinux-policy-targeted-2.4.6-272.el5

How reproducible:
always

Steps to Reproduce:
1. install a RHEL5.5-Server-20100201.0 machine
2. switch the machine to MLS
3. log in as root via console
# id -Z
root:sysadm_r:sysadm_t:SystemLow-SystemHigh
# ls -Z /sbin/iptables*
-rwxr-xr-x  root root system_u:object_r:iptables_exec_t:SystemLow /sbin/iptables
-rwxr-xr-x  root root system_u:object_r:iptables_exec_t:SystemLow /sbin/iptables-restore
-rwxr-xr-x  root root system_u:object_r:sbin_t:SystemLow /sbin/iptables-save
# ls -Z /etc/sysconfig/iptables*
-rw-------  root root system_u:object_r:iptables_conf_t:SystemLow /etc/sysconfig/iptables
-rw-r--r--  root root system_u:object_r:iptables_conf_t:SystemLow /etc/sysconfig/iptables-config
-rw-------  root root system_u:object_r:etc_runtime_t:SystemLow /etc/sysconfig/iptables.save
# service iptables save
Saving firewall rules to /etc/sysconfig/iptables: [FAILED]
# ausearch -m AVC -ts recent
----
time->Fri Feb 12 10:09:44 2010
type=SYSCALL msg=audit(1265987384.910:837): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=3 a2=ff a3=0 items=0 ppid=2811 pid=2822 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS1 ses=1 comm="iptables-save" exe="/sbin/iptables-save" subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1265987384.910:837): avc:  denied  { create } for  pid=2822 comm="iptables-save" scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=rawip_socket
----

  
Actual results:
"service iptables save" fails
got an AVC

Expected results:
"service iptables save" succeeds
no AVCs

Additional info:
Unfortunately run_init does not help. The AVC is very similar.

# run_init service iptables save
Authenticating root.
Password: 
Saving firewall rules to /etc/sysconfig/iptables: [FAILED]
# ausearch -m AVC -ts recent
----
time->Fri Feb 12 10:13:22 2010
type=SYSCALL msg=audit(1265987602.171:847): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=3 a2=ff a3=0 items=0 ppid=2851 pid=2863 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="iptables-save" exe="/sbin/iptables-save" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1265987602.171:847): avc:  denied  { create } for  pid=2863 comm="iptables-save" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=rawip_socket
----
Comment 1 Daniel Walsh 2010-02-12 10:31:57 EST
The problem is we did not have policy for iptables-save. iptables-save should be a pointer to iptables-multi, correct? And iptables-multi should be labeled iptables_exec_t?

Which means iptables-save should be running under a different context.
Comment 2 Miroslav Grepl 2010-02-26 11:52:23 EST
The problem is that iptables-multi does not exist in RHEL5.5. So 

run_init service iptables save

executes /sbin/iptables-save which has the sbin_t context.
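The diagnosis in the two comments above (iptables-save never enters iptables_t because the binary carries sbin_t rather than iptables_exec_t, so the denial shows the caller's own domain as scontext) can be checked mechanically from the AVC and `ls -Z` lines. The following is an added example, not code from this bug report or from selinux-policy. It embeds the audit and `ls -Z` lines quoted in the report as its sample input; the EXPECTED table (which domain each front end should run in and which entrypoint type it should carry) and the assumption that the binaries live under /sbin are the example's own and should be confirmed against the policy actually installed.

```python
import re

# AVC records copied from the reproducer in this bug report (the original
# `ausearch -m AVC -ts recent` output); embedded so the example runs offline.
AUDIT_LOG = """\
type=AVC msg=audit(1265987384.910:837): avc:  denied  { create } for  pid=2822 comm="iptables-save" scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=rawip_socket
type=AVC msg=audit(1265987602.171:847): avc:  denied  { create } for  pid=2863 comm="iptables-save" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=rawip_socket
"""

# `ls -Z /sbin/iptables*` output copied from the report
# (RHEL 5 format: mode user group context path).
LS_Z = """\
-rwxr-xr-x  root root system_u:object_r:iptables_exec_t:SystemLow /sbin/iptables
-rwxr-xr-x  root root system_u:object_r:iptables_exec_t:SystemLow /sbin/iptables-restore
-rwxr-xr-x  root root system_u:object_r:sbin_t:SystemLow /sbin/iptables-save
"""

# Assumption for this example: every iptables front end is expected to run in
# iptables_t, entered through an iptables_exec_t labelled binary. Confirm on the
# target system with:  sesearch -T -s sysadm_t -t iptables_exec_t -c process
EXPECTED = {
    "iptables": ("iptables_t", "iptables_exec_t"),
    "iptables-restore": ("iptables_t", "iptables_exec_t"),
    "iptables-save": ("iptables_t", "iptables_exec_t"),
}
BIN_DIR = "/sbin"  # assumption: location of the binaries, as in the report

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+pid=(?P<pid>\d+)'
    r'\s+comm="(?P<comm>[^"]+)".*?\s+scontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def ctx_type(ctx):
    """Return the type field of an SELinux context (user:role:type[:range])."""
    return ctx.split(":")[2]


def parse_avcs(text):
    """Extract the denied permissions, comm, contexts and class of each AVC line."""
    avcs = []
    for m in AVC_RE.finditer(text):
        rec = m.groupdict()
        rec["perms"] = rec["perms"].split()
        rec["pid"] = int(rec["pid"])
        avcs.append(rec)
    return avcs


def file_types(ls_z_output):
    """Map path -> SELinux type from `ls -Z` lines (ignores lines it cannot split)."""
    types = {}
    for line in ls_z_output.splitlines():
        fields = line.split()
        if len(fields) >= 5:
            types[fields[4]] = ctx_type(fields[3])
    return types


def diagnose(avc, types):
    """Classify one denial: mislabeled executable, missing transition, or policy gap."""
    comm = avc["comm"]
    actual_dom = ctx_type(avc["scontext"])
    if comm not in EXPECTED:
        return ("unknown_comm", f"{comm}: no expectation recorded, inspect manually")
    want_dom, want_exec = EXPECTED[comm]
    if actual_dom == want_dom:
        # The domain is right but the access is still denied: a genuine allow
        # rule is missing, which is the audit2allow case.
        return ("policy_gap",
                f"{comm} runs in {want_dom} but is denied {avc['perms']} on "
                f"{avc['tclass']}")
    path = f"{BIN_DIR}/{comm}"
    have_exec = types.get(path, "?")
    if have_exec != want_exec:
        # No domain transition happened because the entrypoint label is wrong;
        # fix file_contexts and relabel rather than adding allow rules.
        return ("mislabeled_exec",
                f"{comm} ran as {actual_dom}, expected {want_dom}; {path} is "
                f"{have_exec}, expected {want_exec}")
    # Label is right yet no transition: the caller's role/domain lacks the
    # transition rule to want_dom.
    return ("no_transition",
            f"{path} is {want_exec} but {actual_dom} did not transition to {want_dom}")


if __name__ == "__main__":
    labels = file_types(LS_Z)
    for rec in parse_avcs(AUDIT_LOG):
        kind, msg = diagnose(rec, labels)
        print(f"{kind}: {msg}")
```

Running the block against the report's own lines classifies both denials (console login as sysadm_t and run_init as initrc_t) as mislabeled_exec for /sbin/iptables-save, which is the conclusion reached in comment 2; the same denial from a process already in iptables_t would instead be reported as a policy_gap to be handled with audit2allow.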
Comment 3 Daniel Walsh 2010-02-26 14:23:38 EST
If we label it iptables_exec_t what happens?
Comment 4 Miroslav Grepl 2010-03-01 05:24:36 EST
Looks good. But in this case we should change the default context for the /etc/sysconfig/iptables file from iptables_conf_t to etc_runtime_t, because this file is created with the etc_runtime_t context by iptables-save (we already have this for the /etc/sysconfig/iptables.save file) and it will not work after restorecon without this change.
Comment 5 Daniel Walsh 2010-03-01 10:16:25 EST
I agree.
Comment 7 Miroslav Grepl 2010-03-02 04:40:35 EST
Fixed in selinux-policy-2.4.6-278.el5
Comment 11 errata-xmlrpc 2010-03-30 03:50:22 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0182.html
