Bug 638661 - avc: denied { write } for comm="iptables-save" path="/etc/sysconfig/iptables"
Summary: avc: denied { write } for comm="iptables-save" path="/etc/sysconfig/iptables"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.0
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 644273 645658
Reported: 2010-09-29 15:36 UTC by Thomas Woerner
Modified: 2012-10-16 08:12 UTC
CC: 7 users

Fixed In Version: selinux-policy-3.7.19-79.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-05-19 11:56:37 UTC
Target Upstream Version:
Embargoed:


Attachments:
This patch changes /etc/init.d/iptables to work correctly with SELinux (938 bytes, application/octet-stream), 2010-09-29 20:37 UTC, Daniel Walsh


Links:
Red Hat Product Errata RHBA-2011:0526 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix and enhancement update, last updated 2011-05-19 09:37:41 UTC

Description Thomas Woerner 2010-09-29 15:36:47 UTC
Description of problem:
ip*tables and ip*tables-multi cannot write to files. Examples:

service iptables save
iptables-save > rules
iptables -L > rules

There are no AVC messages, because the policy rules are dontaudit; I used semodule -DB to make the AVC visible.

It is not possible to save the firewall rules with "service iptables save", which is very bad. The service is failing as long as SELinux is in enforcing mode.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.7.19-54.el6.noarch

How reproducible:
Always

Steps to Reproduce:
1. See above
  
Actual results:
Empty file

Expected results:
File with rules.

Additional info:

type=AVC msg=audit(1285771311.312:1360): avc:  denied  { write } for  pid=10957 comm="iptables-save" path="/etc/sysconfig/iptables" dev=sdb3 ino=2095526 scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1285771311.312:1360): arch=c000003e syscall=59 success=yes exit=0 a0=24c0f70 a1=24f1790 a2=24c1000 a3=7fff9f7c31e0 items=0 ppid=10455 pid=10957 auid=2433 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=1 comm="iptables-save" exe="/sbin/iptables-multi" subj=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 key=(null)
type=MAC_POLICY_LOAD msg=audit(1285771631.848:1361): policy loaded auid=2433 ses=1

Setting /sbin/iptables-multi to bin_t resolves the problem. iptables_exec_t does not allow writing to files.

Comment 2 Daniel Walsh 2010-09-29 20:33:18 UTC
Looking into this further I actually do not like the way the iptables script works currently.

Comment 3 Daniel Walsh 2010-09-29 20:37:21 UTC
Created attachment 450580 [details]
This patch changes /etc/init.d/iptables to work correctly with SELinux

The init script should not be using /tmp for the storage of its iptables.save files. These should go directly into /etc/ and be deleted when done. Putting stuff in a directory a user could screw around in when you do not have to makes no sense.

I added the restorecon to make sure the save files are labeled correctly when it completes.  

The hack for using cat is just because > /etc/iptables.tmp is created by initrc_t, which will label it etc_runtime_t. If this is too onerous we can change iptables_t to be allowed to write to etc_runtime_t.

Comment 4 Daniel Walsh 2010-09-29 20:39:22 UTC
Miroslav I think we need to add unconfined_iptables_t which is an unconfined domain and will transition to system_conf_t when creating files in an etc_t directory.

Comment 5 Thomas Woerner 2010-09-29 21:01:45 UTC
Yes, adding a cat to do the file output redirection might be a solution for the service, but for an admin it is unexpected that commands like "iptables -L > file" or "iptables-save > file" generate empty files, and all that without any AVC message. The only way to get the AVC is to temporarily remove dontaudits from the policy.

Also "iptables-restore < file" is not working if the file is not located in /etc and labeled correctly.

Comment 6 Daniel Walsh 2010-09-29 21:08:12 UTC
Which is why I want https://bugzilla.redhat.com/show_bug.cgi?id=638661#c4

Comment 8 Thomas Woerner 2010-10-19 10:18:44 UTC
The iptables commands cannot write to files with output redirection. This is a policy problem. Examples:

iptables-save > file
iptables -L > file

I opened another bug for the iptables services (#644273) to write the temporary file to /etc/sysconfig, restore contexts and use an atomic mv for "service iptables save". This new bug depends on this one, because output redirection is not working for iptables commands and this is used by service iptables save.

The patch in comment 3 is not fixing the problem with the policy. Adding a pipe to cat for output redirection is only fixing the service, but not the use of iptables commands on the command line. HOWTOs and documentation for netfilter and iptables suggest using iptables-save > file to save rules.

This is a regression to RHEL-5 behaviour.
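
The save procedure recommended in comments 3 and 8 (temporary file next to the destination rather than in /tmp, restorecon, atomic mv, and an empty result treated as the failure described in the report), plus a reducer for the AVC records shown in the description, as an added example that is not the patch attached to this bug. The function names save_rules and avc_summary are chosen here.

```sh
#!/bin/sh
# Added example, not the page's own init script patch. save_rules and
# avc_summary are names chosen for this illustration.
set -u

# save_rules DEST CMD...  -- run CMD (e.g. iptables-save) and install its output as DEST
save_rules() {
    dest=$1; shift
    dir=$(dirname "$dest")
    # temp file in the destination directory, never in /tmp (comment 3)
    tmp=$(mktemp "$dir/.iptables.save.XXXXXX") || return 1
    if ! "$@" > "$tmp" || [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        # exit 0 plus an empty file is exactly the silent failure in this report: the
        # denial is dontaudit'ed and only shows in the audit log after 'semodule -DB'
        echo "save_rules: $* produced no rules (SELinux enforcing? check with semodule -DB)" >&2
        return 1
    fi
    # relabel so DEST gets the type policy expects, not the one inherited from the writer
    if command -v restorecon >/dev/null 2>&1; then
        restorecon "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    mv -f "$tmp" "$dest"   # atomic replacement (comment 8)
}

# avc_summary < audit.log -- reduce denied AVC records to one line per
# "source_type target_type class { perms }", the key audit2allow works from
avc_summary() {
    awk '/avc: *denied/ {
        s = $0; sub(/.*scontext=/, "", s); split(s, a, ":"); st = a[3]
        t = $0; sub(/.*tcontext=/, "", t); split(t, b, ":"); tt = b[3]
        c = $0; sub(/.*tclass=/, "", c); sub(/ .*/, "", c)
        p = $0; sub(/.*denied *[{] */, "", p); sub(/ *[}].*/, "", p)
        print st, tt, c, "{ " p " }"
    }' | sort -u
}

# Demonstration with a constructed rules dump standing in for iptables-save:
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    save_rules "$d/iptables" printf '*filter\n:INPUT ACCEPT [0:0]\nCOMMIT\n' && cat "$d/iptables"
    rm -rf "$d"
fi
```

Feeding the AVC record from the description into avc_summary yields "iptables_t etc_t file { write }", the access that the policy update in this bug had to cover.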

Comment 9 Miroslav Grepl 2010-10-19 11:31:13 UTC
(In reply to comment #8)
> The iptables commands can not write to files with output redirection. This is a
> policy problem. Examples:
> 
> iptables-save > file
> iptables -L > file
> 

The transition from unconfined_t to iptables_t was removed in selinux-policy-3.7.19-56.el6, which fixes this issue.

Comment 14 Miroslav Grepl 2011-03-09 22:14:34 UTC
Milos,
are you testing it with the latest RHEL6 iptables?

Comment 15 Miroslav Grepl 2011-03-09 23:12:26 UTC
Well, you are right. iptables is not fixed.

I am switching the bug back to ON_QA and reopening the iptables bug:

https://bugzilla.redhat.com/show_bug.cgi?id=644273

Comment 16 Milos Malik 2011-03-10 08:24:48 UTC
The AVC appeared on 2 machines where following packages were installed:

iptables-1.4.7-4.el6
iptables-ipv6-1.4.7-4.el6
selinux-policy-3.7.19-76.el6
selinux-policy-doc-3.7.19-76.el6
selinux-policy-minimum-3.7.19-76
selinux-policy-mls-3.7.19-76.el6
selinux-policy-targeted-3.7.19-76

Comment 17 Phil Knirsch 2011-03-10 15:09:24 UTC
As mentioned in comment #3, this should be fixed in the selinux-policy, so this bug should go back to ON_DEV and the iptables bug should stay on ON_QA, right?

Thanks & regards, Phil

Comment 18 Miroslav Grepl 2011-03-14 08:09:13 UTC
I am adding this rule.

Comment 19 Miroslav Grepl 2011-03-17 10:25:45 UTC
Fixed in selinux-policy-3.7.19-79.el6

Comment 22 errata-xmlrpc 2011-05-19 11:56:37 UTC
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html

