Description of problem: IPSet (through Shorewall) is denied access to the shorewall_etc_t domain. This occurred (and was fixed) in the early days of FC13, but reared its ugly head again in the FC14 release. See http://lists.fedoraproject.org/pipermail/selinux/2011-January/013395.html and subsequent posts for details of this and how it can be fixed. Version-Release number of selected component (if applicable): The latest SELinux (targeted) policy for FC14 How reproducible: Always Steps to Reproduce: Assuming FC14, Shorewall and IPSet (or xtables-addons) packages are installed and if a simple ipset script is placed in a directory with shorewall_etc_t domain set, then by executing that script via Shorewall will trigger multiple (related) AVCs Actual results: type=AVC msg=audit(1294001576.891:33): avc: denied { read } for pid=2753 comm="ipset" path="/etc/shorewall/ips/blacklist-eu1.ips" dev=dm-0 ino=16488 scontext=unconfined _u:system_r:iptables_t:s0 tcontext=system_u:object_r:shorewall_etc_t:s0 tclass=file type=SYSCALL msg=audit(1294001576.891:33): arch=40000003 syscall=11 success=yes exit=0 a0=979f3c0 a1=979f520 a2=9794ba0 a3=979f520 items=0 ppid=2727 pid=2753 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="ipset" exe="/sbin/ipset" subj=unconfined_u:system_r:iptables_t:s0 key=(null) Expected results: No AVC, access should be granted to this domain. Additional info: The following statement could be added (wrapped in optional_policy tag) in iptables.te: shorewall_read_config(iptables)
That is what we have in Rawhide. Need to back port to F13 and F14
This problem does not exist in FC13. Quick scan with sesearch on the policy with FC13 (which works!) reveals this: [zeek@test1 serefpolicy-3.7.19]$ sesearch -A -s iptables_t -t shorewall_etc_t Found 3 semantic av rules: allow iptables_t configfile : file { ioctl read getattr lock open } ; allow iptables_t configfile : dir { ioctl read getattr lock search open } ; allow iptables_t configfile : lnk_file { read getattr } ; How these statements are organised (and in which module) is a mystery to me, but these do not exist in FC14 (sesearch reveals nothing), hence the avc, so I am not sure you would need to change anything in FC13.
Ok, We wrote tighter policy in F14/F15, configfile is an attribute(group) indicating that iptables_t can read all content in /etc. We have tightened this up and that is why the AVC is showing up in F14/F15 SO I guess we need this in F14.
Right, so I guess you need to change the way it is implemented in FC13 and amend the policy for FC14 so that it works properly. Got it!
I was talking to Miroslav the owner of the bug.
Fixed in selinux-policy-3.9.7-23.fc14
selinux-policy-3.9.7-25.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-25.fc14
selinux-policy-3.9.7-25.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-25.fc14
selinux-policy-3.9.7-25.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.