Bug 613862 - iptables -L creates zero-length output when written direct to file
Summary: iptables -L creates zero-length output when written direct to file
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted   
(Show other bugs)
Version: 13
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-07-13 01:30 UTC by Ian Donaldson
Modified: 2010-10-19 07:06 UTC (History)
2 users (show)

Fixed In Version: selinux-policy-3.7.19-65.fc13
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-10-19 07:06:20 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
strace output for last post (73.02 KB, text/plain)
2010-07-16 00:43 UTC, Ian Donaldson
no flags Details

Description Ian Donaldson 2010-07-13 01:30:49 UTC
Description of problem:

If you do this:

     iptables -L -v -n > somefile    

the size of somefile is  always zero.

However if you write it to the terminal or pipe it via cat, you see it all.

eg:   iptables -L -v -n 
         - works fine

      iptables -L -v -n | cat > somefile
         - works fine


strace of iptables shows the write(1, ...) working fine; several
kilobytes of data is being written but after iptables ends, there
is nothing in the file.

This works fine on RHEL5 and fc7, but not fc12.  Haven't tried others.

Version-Release number of selected component (if applicable):

FC12

$ rpm -q iptables
iptables-1.4.5-1.fc12.i686

$ uname -a
Linux MYHOST 2.6.32.14-127.fc12.i686.PAE #1 SMP Fri May 28 04:47:04 UTC 2010 i686 i686 i386 GNU/Linux

also

Linux MYOTHERHOST 2.6.32.14-127.fc12.x86_64 #1 SMP Fri May 28 04:30:39 UTC 2010 x86_64 x86_64 x86_64 GNU/Linux



How reproducible:

100%

Steps to Reproduce:

# iptables -L -v -n > /tmp/xx
# ls -l /tmp/xx
-rw-r--r--. 1 root root 0 Jul 13 01:21 /tmp/xx
# iptables -L -v -n | cat > /tmp/xx
# ls -l /tmp/xx
-rw-r--r--. 1 root root 34045 Jul 13 01:21 /tmp/xx
# strace -e write  iptables -L -v -n > /tmp/xx
write(1, "Chain INPUT (policy DROP 7 packe"..., 4096) = 4096
write(1, "       0.0.0.0/0           tcp d"..., 4096) = 4096
write(1, ".0/24      0.0.0.0/0           t"..., 4096) = 4096
write(1, ".122.0/23      0.0.0.0/0        "..., 4096) = 4096
write(1, "7.189.0.0/19       0.0.0.0/0    "..., 4096) = 4096
write(1, "  91.194.0.0/23        0.0.0.0/0"..., 4096) = 4096
write(1, "      91.213.72.0/24       0.0.0"..., 4096) = 4096
write(1, ".0/0           state RELATED,EST"..., 4096) = 4096
write(1, " 0.0.0.0/0           tcp flags:0"..., 1277) = 1277
# ls -l /tmp/xx
-rw-r--r--. 1 root root 0 Jul 13 01:23 /tmp/xx


A full strace output doesn't seem to reveal anything else going
on special with fd #1 (like a truncate-on-close option or something)

And just to prove its not bash...

# echo boo > /tmp/xx
# ls -l /tmp/xx
-rw-r--r--. 1 root root 4 Jul 13 01:27 /tmp/xx

# sh -c '/bin/echo bar' > /tmp/xx
# ls -l  /tmp/xx
-rw-r--r--. 1 root root 4 Jul 13 01:27 /tmp/xx

# cat /etc/group > /tmp/xx
# ls -l /tmp/xx
-rw-r--r--. 1 root root 1050 Jul 13 01:28 /tmp/xx
# ls -l /etc/group
-r--r--r--. 1 root root 1050 Jun 22 23:56 /etc/group

Sounds like a wierd kernel bug to me.

Expected results:

direct output should be the same as piped via cat


Additional info:

Comment 1 Thomas Woerner 2010-07-13 09:13:18 UTC
Please check if there was a SELinux error.

Comment 2 Ian Donaldson 2010-07-13 12:16:13 UTC
Yeah that did occur to me too, but I 
can't see any evidence of a SELinux reported error related to this:

# date
Tue Jul 13 22:12:30 EST 2010
# ls -l /var/log/audit/audit.log
-rw-------. 1 root root 971950 Jul 13 22:10 /var/log/audit/audit.log
# iptables -L -v -n > /tmp/kj
# ls -l /var/log/audit/audit.log
-rw-------. 1 root root 971950 Jul 13 22:10 /var/log/audit/audit.log
# date
Tue Jul 13 22:12:49 EST 2010
# ls -l /tmp/kj
-rw-r--r--. 1 root root 0 Jul 13 22:12 /tmp/kj

Comment 3 Ian Donaldson 2010-07-16 00:40:29 UTC
This happens on fc13 also (just yum upgraded a fc12 system)

# uname -a
Linux MYHOST 2.6.33.6-147.fc13.i686.PAE #1 SMP Tue Jul 6 22:24:44 UTC 2010 i686 i686 i386 GNU/Linux

# rpm -q iptables
iptables-1.4.7-2.fc13.i686

# rpm -q bash
bash-4.1.7-1.fc13.i686

# ls -l /tmp/va
ls: cannot access /tmp/va: No such file or directory

# iptables -L -v -n 
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1708  422K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
   21  1260 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
  983  162K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT 1598 packets, 281K bytes)
 pkts bytes target     prot opt in     out     source               destination         
# iptables -L -v -n  > /tmp/va
# ls -l /tmp/va
-rw-r--r--. 1 root root 0 Jul 16 10:34 /tmp/va
# cat /tmp/va
# strace -f -o /tmp/z1 bash -c 'iptables -L -v -n > /tmp/zq'
# ls -l /tmp/zq
-rw-r--r--. 1 root root 0 Jul 16 10:35 /tmp/zq

Attached is the strace output.

Comment 4 Ian Donaldson 2010-07-16 00:43:45 UTC
Created attachment 432266 [details]
strace output for last post

Comment 5 Thomas Woerner 2010-09-29 15:25:31 UTC
This is a SELinux error and it is set to do not audit. Reassigning to selinux-policy-targeted.

Comment 6 Daniel Walsh 2010-09-29 20:41:08 UTC
iptables-save | cat > /tmp/xx 

will work.

Miroslav we need a unconfined_iptables_t domain, that transition etc_t to system_conf_t.

Comment 7 Miroslav Grepl 2010-10-05 14:59:37 UTC
Fixed in selinux-policy-3.7.19-64.fc13

Comment 8 Fedora Update System 2010-10-08 10:31:54 UTC
selinux-policy-3.7.19-65.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-65.fc13

Comment 9 Fedora Update System 2010-10-08 20:48:25 UTC
selinux-policy-3.7.19-65.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-65.fc13

Comment 10 Fedora Update System 2010-10-19 07:05:10 UTC
selinux-policy-3.7.19-65.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.