Bug 644273

| Field | Value |
|---|---|
| Summary: | Restore context in "service iptables save" and use /etc/sysconfig for temporary file |
| Product: | Red Hat Enterprise Linux 6 |
| Reporter: | Thomas Woerner <twoerner> |
| Component: | iptables |
| Assignee: | iptables-maint-list <iptables-maint-list> |
| Status: | CLOSED ERRATA |
| QA Contact: | qe-baseos-daemons |
| Severity: | medium |
| Priority: | low |
| Version: | 6.1 |
| CC: | azelinka, fnadge, mgrepl, mishu, pknirsch, psklenar, syeghiay |
| Target Milestone: | rc |
| Target Release: | --- |
| Hardware: | All |
| OS: | Linux |
| Doc Type: | Bug Fix |
| Doc Text: | Cause: / Consequence: / Fix: / Result: (template left empty) |
| Last Closed: | 2011-05-19 13:08:05 UTC |
| Bug Depends On: | 638661 |
Please be so kind and add a few key words to the Technical Note field of this Bugzilla entry using the following structure: Cause: Consequence: Fix: Result: For details, see: https://bugzilla.redhat.com/page.cgi?id=fields.html#cf_release_notes Thanks
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
Cause:
Consequence:
Fix:
Result:
Technical note updated. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
Diffed Contents:
@@ -1,7 +1,14 @@
Cause:
+1) Missing restorecon for save and save backup file.
+2) Wrong directory for the temporary file.
Consequence:
+1) Error for next usage of save functionality.
+2) Possible attack vector.
Fix:
+iptables and ip6tables init script has been modified.
-Result:+Result:
+1) Restoring context for save files.
+2) Usage of /etc/sysconfig for temporary file.
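Review bot: the Fix line ("iptables and ip6tables init script has been modified") only says that the scripts changed, while the actual fix is what the two Result items describe; move those into Fix, e.g. "Fix: the save function now creates its temporary file in /etc/sysconfig, renames it into place and runs restorecon on the saved file and its backup", and let Result state the outcome for the user (save works again on the next run, nothing is written to /tmp). Consequence item 2), "Possible attack vector", is too vague for a release note: name the exposed operation, which according to the bug description is the temporary file written in /tmp, or drop the item.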
(In reply to comment #9)
> Please be so kind and add a few key words to the Technical Note field of this
> Bugzilla entry using the following structure:
>
> Cause:
>
> Consequence:
>
> Fix:
>
> Result:
>
>
> For details, see:
> https://bugzilla.redhat.com/page.cgi?id=fields.html#cf_release_notes
>
> Thanks

Received info, thanks
Technical note updated. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
Diffed Contents:
@@ -1,14 +1,7 @@
Cause:
-1) Missing restorecon for save and save backup file.
-2) Wrong directory for the temporary file.
Consequence:
-1) Error for next usage of save functionality.
-2) Possible attack vector.
Fix:
-iptables and ip6tables init script has been modified.
-Result:
+Result:-1) Restoring context for save files.
-2) Usage of /etc/sysconfig for temporary file.
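Review bot: this revision removes every line of the note added in the previous revision and leaves the four headings empty again, and the line "+Result:-1) Restoring context for save files." shows the new Result heading run together with the first removed item, so the field was probably edited by hand rather than reverted cleanly. If the note is being withdrawn on purpose, the reason belongs in a comment, since the Cause and Consequence items were the only description of the change on this page apart from the attachment title; if it is a stray edit, the previous contents should be restored and the Result line separated from the removed item.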
Reopening ... https://bugzilla.redhat.com/show_bug.cgi?id=638661#c15

SELinux seems to block output redirections for iptables commands, still. The line "$IPTABLES-save $OPT > $TMP_FILE" (iptables-save > /etc/sysconfig/iptables.3thN80) is triggering the AVC according to #638661#c13.

Yes, and Dan explained it here and also he attached a patch: https://bugzilla.redhat.com/show_bug.cgi?id=638661#c3

The use of cat in the output redirection is a hack according to his comment and can be fixed in SELinux rules:

"The hack for using cat is just because > /etc/iptables.tmp is created by initrc_t which will label it etc_runtime_t. If this is too onerous we can change iptables_t to be allowed to write to etc_runtime_t."

Using output redirection without 'the cat hack' is currently not possible for all iptables commands used in init scripts. This is undocumented and might be a surprise for admins or users.

(In reply to comment #17)
> The use of cat in the output redirection is a hack according to his comment and
> can be fixed in SELinux rules:
>
> "The hack for using cat is just because > /etc/iptables.tmp is created by
> initrc_t which will label it etc_runtime_t. If this is too onerous we can
> change iptables_t to be allowed to write to etc_runtime_t."

It would be really good to have an iptables directory for iptables files. We have these default contexts

```
system_u:object_r:system_conf_t:s0 /etc/sysconfig/iptables
system_u:object_r:system_conf_t:s0 /etc/sysconfig/iptables-config
system_u:object_r:system_conf_t:s0 /etc/sysconfig/iptables-config.old
system_u:object_r:system_conf_t:s0 /etc/sysconfig/iptables.old
system_u:object_r:etc_runtime_t:s0 /etc/sysconfig/iptables.save
```

which I do not like. We treat "iptables.save" with a different label. We added the system_conf file type for those iptables files and we allow iptables to manage these files. And my idea with this type is broken if we need to add rules which allow writing files labeled with the etc_runtime_t type.

So I can add a rule, but also this is not a solution from the SELinux point of view.

> Using output redirection without 'the cat hack' is currently not possible for
> all iptables commands used in init scripts. This is undocumented and might be a
> surprise for admins or users.

Another good reason to have a special directory for that.

For this update package it is not possible to add this directory. Adding an iptables directory could break current configurations and needs additional documentation.

According to #638661#c19 a rule has been added to be able to write to the temporary file in /etc/sysconfig without the 'cat hack'. Assigning back to ON_QA.

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0557.html
Created attachment 454315 [details]
Patch for init script: Do not use /tmp for temporary files, restore contexts, use atomic mv.

Description of problem:
"service iptables save" is not restoring the context for the new config file and is using /tmp to create the temporary file. It should use another directory for this, for example /etc/sysconfig, to be able to use an atomic copy.

At the moment "service iptables save" is not working, because SELinux silently blocks output redirection of iptables commands. Example: "iptables-save > file". See #638661.

Version-Release number of selected component (if applicable):
iptables-1.4.7-3.el6

How reproducible:
Always

Steps to Reproduce:
1. Trace "service iptables save"

Actual results:
Uses /tmp

Expected results:
Do not use /tmp.
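The save sequence the report asks for, written out as an added example; this is not the init script shipped in the iptables package and not the patch in attachment 454315, which the page does not reproduce. The function creates the temporary file with mktemp in the target's own directory rather than in /tmp, so the final mv is a rename on one filesystem, keeps the previous file as a backup, and runs restorecon on both files, which is the missing step named first in the technical note. The name save_rules, its argument order, the ".save" backup suffix and the choice to pass the rule generator as arguments are this example's own assumptions; in practice the generator is iptables-save -c, and passing it in is what lets the function be exercised without iptables.

```shell
#!/bin/sh
# Added example (not the RHEL init script or the patch attached to this bug):
# save a ruleset with the temporary file beside the target instead of in /tmp,
# the previous file kept as a backup, an atomic rename, and the SELinux
# context restored on both files afterwards.
#
# Assumptions (this example's own, not from the page): the name save_rules,
# the argument order, the ".save" backup suffix, and passing the generator
# command as the remaining arguments so any producer (printf in a test,
# iptables-save -c in real use) can be used.
#
# Usage: save_rules /etc/sysconfig/iptables iptables-save -c

save_rules() {
    target=$1
    shift
    dir=$(dirname "$target")

    # mktemp creates the file mode 0600 with an unpredictable name, in the
    # same directory as the target: the later mv is a rename on a single
    # filesystem, and the shared, world-writable /tmp is never involved.
    tmp=$(mktemp "$dir/$(basename "$target").XXXXXX") || return 1

    # Run the generator into the temp file; on failure the existing
    # target is left untouched and the temp file is removed.
    if ! "$@" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi

    # Keep the previous ruleset as <target>.save.
    if [ -f "$target" ]; then
        cp -p "$target" "$target.save" || { rm -f "$tmp"; return 1; }
    fi

    # Atomic replacement: a reader sees either the old file or the new one.
    mv -f "$tmp" "$target" || { rm -f "$tmp"; return 1; }

    # Relabel both files from the file_contexts database. Skipped where
    # restorecon is not installed; its failures are ignored on purpose so a
    # non-SELinux host still gets its saved rules.
    if command -v restorecon >/dev/null 2>&1; then
        restorecon "$target" 2>/dev/null || :
        [ -f "$target.save" ] && { restorecon "$target.save" 2>/dev/null || :; }
    fi
    return 0
}
```

On an SELinux-enforcing RHEL 6 host this alone does not make the AVC discussed above go away: the redirected temporary file is still created by the init script's domain, which is exactly why the thread ends with a policy rule being added in bug 638661. The example fixes the placement, atomicity and labelling of the saved files, and `ls -Z /etc/sysconfig/iptables*` after a save is the check that the contexts match the defaults listed in the thread.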