Bug 644273 - Restore context in "service iptables save" and use /etc/sysconfig for temporary file
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: iptables
Version: 6.1
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Assignee: iptables-maint-list
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On: 638661
Blocks:
Reported: 2010-10-19 10:05 UTC by Thomas Woerner
Modified: 2011-05-19 13:08 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Consequence: Fix: Result:
Clone Of:
Environment:
Last Closed: 2011-05-19 13:08:05 UTC
Target Upstream Version:
Embargoed:


Attachments
Patch for init script: Do not use /tmp for temporary files, restore contexts, use atomic mv. (1.12 KB, application/octet-stream), 2010-10-19 10:05 UTC, Thomas Woerner


Links
Red Hat Product Errata RHBA-2011:0557 (priority normal, status SHIPPED_LIVE): iptables bug fix and enhancement update, last updated 2011-05-18 17:57:19 UTC

Description Thomas Woerner 2010-10-19 10:05:47 UTC
Created attachment 454315
Patch for init script: Do not use /tmp for temporary files, restore contexts, use atomic mv.

Description of problem:
"service iptables save" is not restoring the context for the new config file and is using /tmp to create the temporary file.

It should use another directory for this, for example /etc/sysconfig, to be able to use an atomic copy.

At the moment "service iptables save" is not working, because SELinux silently blocks output redirection of iptables commands. Example: "iptables-save > file". See #638661.

Version-Release number of selected component (if applicable):
iptables-1.4.7-3.el6

How reproducible:
Always

Steps to Reproduce:
1. Trace service iptables save
  
Actual results:
Uses /tmp

Expected results:
Do not use /tmp.
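The save routine the description asks for, written out as an added example in POSIX sh (this is not the init-script patch attached to the bug, which is not reproduced on this page): the temporary file is created next to its destination instead of in /tmp, the replacement is an atomic mv, and restorecon is run afterwards. The names IPTABLES_SAVE, RESTORECON and save_rules are chosen for this example.

```shell
#!/bin/sh
# Added example, not the init-script patch attached to this bug.
# The names IPTABLES_SAVE, RESTORECON and save_rules are chosen here.

# Command producing the rule dump; the init script runs "$IPTABLES-save $OPT".
# Kept in a variable so a test can substitute any command for it.
IPTABLES_SAVE=${IPTABLES_SAVE:-iptables-save}
RESTORECON=${RESTORECON:-restorecon}

# save_rules DEST
# Writes the dump to DEST through a temporary file in DEST's own directory
# (e.g. /etc/sysconfig), never /tmp, so the final rename is atomic and an
# unprivileged user cannot plant or read the intermediate file.
save_rules() {
    dest=$1
    dir=$(dirname "$dest")

    # mktemp creates the file with an unpredictable suffix and mode 0600
    # (the ".3thN80" style seen later in comment 15).
    tmp=$(mktemp "$dir/$(basename "$dest").XXXXXX") || return 1

    # Write the dump; on failure drop the partial file and keep DEST as is.
    if ! $IPTABLES_SAVE > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi

    # Keep the previous rules as DEST.save, as the init script does.
    if [ -f "$dest" ]; then
        cp -p "$dest" "$dest.save" || { rm -f "$tmp"; return 1; }
    fi

    # Atomic replace: readers see either the complete old or the new file.
    mv -f "$tmp" "$dest" || { rm -f "$tmp"; return 1; }
    chmod 600 "$dest"

    # The temporary file was created by the init script's own process, so it
    # carries that process's default label (etc_runtime_t per comment 18),
    # and mv keeps that label. restorecon resets DEST and the backup to the
    # policy default. Skipped where restorecon is absent (non-SELinux hosts).
    if command -v "$RESTORECON" >/dev/null 2>&1; then
        "$RESTORECON" "$dest" "$dest.save" 2>/dev/null
    fi
    return 0
}
```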

Comment 9 Florian Nadge 2011-02-03 11:53:33 UTC
Please be so kind and add a few key words to the Technical Note field of this
Bugzilla entry using the following structure:

Cause:

Consequence:

Fix:

Result:


For details, see:
https://bugzilla.redhat.com/page.cgi?id=fields.html#cf_release_notes

Thanks

Comment 10 Florian Nadge 2011-02-03 11:53:33 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause:

Consequence:

Fix:

Result:

Comment 11 Thomas Woerner 2011-02-15 16:08:32 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1,7 +1,14 @@
 Cause:
+1) Missing restorecon for save and save backup file.
+2) Wrong directory for the temporary file.
 
 Consequence:
+1) Error for next usage of save functionality.
+2) Possible attack vector.
 
 Fix:
+iptables and ip6tables init script has been modified.
 
-Result:+Result:
+1) Restoring context for save files.
+2) Usage of /etc/sysconfig for temporary file.
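Review bot: "Possible attack vector" under Consequence is too vague for a release note; the description already names the issue (the temporary file was created in /tmp, a directory shared with every local user), so state that, e.g. "2) The temporary file was created in the shared /tmp directory." Under Fix, "init script has been modified" should read "init scripts have been modified" since both iptables and ip6tables are named, and Result 1) would be clearer as "restorecon is run on the saved file and its backup", matching Cause 1).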

Comment 12 Florian Nadge 2011-02-15 16:11:41 UTC
(In reply to comment #9)
> Please be so kind and add a few key words to the Technical Note field of this
> Bugzilla entry using the following structure:
> 
> Cause:
> 
> Consequence:
> 
> Fix:
> 
> Result:
> 
> 
> For details, see:
> https://bugzilla.redhat.com/page.cgi?id=fields.html#cf_release_notes
> 
> Thanks

Received info, thanks

Comment 13 Florian Nadge 2011-02-15 16:11:41 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1,14 +1,7 @@
 Cause:
-1) Missing restorecon for save and save backup file.
-2) Wrong directory for the temporary file.
 
 Consequence:
-1) Error for next usage of save functionality.
-2) Possible attack vector.
 
 Fix:
-iptables and ip6tables init script has been modified.
 
-Result:
+Result:-1) Restoring context for save files.
-2) Usage of /etc/sysconfig for temporary file.
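Review bot: this hunk removes every Cause/Consequence/Fix/Result detail that comment 11 had added three minutes earlier, leaving the Technical Note empty again, and the line "+Result:-1) Restoring context for save files." shows the two edits were merged without a line break. Unless the removal was deliberate, the comment 11 content should be restored.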

Comment 14 Miroslav Grepl 2011-03-09 23:13:37 UTC
Reopening ...

https://bugzilla.redhat.com/show_bug.cgi?id=638661#c15

Comment 15 Thomas Woerner 2011-03-10 08:53:15 UTC
SELinux still seems to block output redirection for iptables commands. The line "$IPTABLES-save $OPT > $TMP_FILE" (iptables-save > /etc/sysconfig/iptables.3thN80) is triggering the AVC according to #638661#c13.

Comment 16 Miroslav Grepl 2011-03-10 09:00:42 UTC
Yes, and Dan explained it here and also attached a patch:

https://bugzilla.redhat.com/show_bug.cgi?id=638661#c3

Comment 17 Thomas Woerner 2011-03-10 10:54:34 UTC
The use of cat in the output redirection is a hack according to his comment and can be fixed in SELinux rules:

"The hack for using cat is just because > /etc/iptables.tmp is created by initrc_t which will label it etc_runtime_t. If this is too onerous we can change iptables_t to be allowed to write to etc_runtime_t."

Using output redirection without 'the cat hack' is currently not possible for all iptables commands used in init scripts. This is undocumented and might be a surprise for admins or users.

Comment 18 Miroslav Grepl 2011-03-11 09:22:15 UTC
(In reply to comment #17)
> The use of cat in the output redirection is a hack according to his comment and
> can be fixed in SELinux rules:
> 
> "The hack for using cat is just because > /etc/iptables.tmp is created by
> initrc_t which will label it etc_runtime_t. If this is too onerous we can
> change iptables_t to be allowed to write to etc_runtime_t."

It would be really good to have an iptables directory for iptables files.

We have these default contexts

system_u:object_r:system_conf_t:s0 /etc/sysconfig/iptables
system_u:object_r:system_conf_t:s0 /etc/sysconfig/iptables-config
system_u:object_r:system_conf_t:s0 /etc/sysconfig/iptables-config.old
system_u:object_r:system_conf_t:s0 /etc/sysconfig/iptables.old

system_u:object_r:etc_runtime_t:s0 /etc/sysconfig/iptables.save

which I do not like. We treat "iptables.save" with a different label. We added the system_conf file type for those iptables files and we allow iptables to manage these files.

And my idea with this type is broken if we need to add rules which allow writing files labeled with the etc_runtime_t type.


So I can add a rule, but this is also not a solution from the SELinux point of view.

> 
> Using output redirection without 'the cat hack' is currently not possible for
> all iptables commands used in init scripts. This is undocumented and might be a
> surprise for admins or users.


Another good reason to have a special directory for that.

Comment 19 Thomas Woerner 2011-03-17 11:29:51 UTC
For this update package it is not possible to add this directory. Adding an iptables directory could break current configurations and needs additional documentation.

According to #638661#c19 a rule has been added to be able to write to the temporary file in /etc/sysconfig without the 'cat hack'.

Assigning back to ON_QA.

Comment 21 errata-xmlrpc 2011-05-19 13:08:05 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0557.html

