Bug 689857 - shorewall fails at startup due to selinux restrictions
Summary: shorewall fails at startup due to selinux restrictions
Keywords:
Status: CLOSED DUPLICATE of bug 689165
Alias: None
Product: Fedora
Classification: Fedora
Component: shorewall
Version: 14
Hardware: i386
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: ---
Assignee: Jonathan Underwood
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2011-03-22 16:46 UTC by Harley Race
Modified: 2011-03-22 23:19 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-03-22 23:19:07 UTC
Type: ---



Description Harley Race 2011-03-22 16:46:07 UTC
Description of problem:
Shorewall fails to properly configure iptables on startup due to selinux policy.  If "shorewall start" is run when the host is up and not booting, the command is successful.  Using a single interface configuration in shorewall.

Version-Release number of selected component (if applicable):
Fedora 14 minimal install

selinux-policy 
version: 3.9.7
release: 31.fc14
Build Date: Thu 17 Feb 2011 05:41:26 AM EST

shorewall
version: 4.4.17
release: 2.fc14
build date: Mar 2011 09:13:20 AM EST

How reproducible:
always

Steps to Reproduce:
1. Per shorewall docs, "chkconfig --del iptables"
2. "service iptables stop" and then run command "shorewall start".  Command completes successfully and firewall works as expected.
3. Add shorewall into startup with "chkconfig shorewall on".  Reboot host and shorewall will fail to configure iptables.
  
Actual results:

Shorewall fails at startup with AVC denied messages.

syslog messages:

Mar 22 11:24:59 black shorewall[1002]: Compiling...
Mar 22 11:25:00 black shorewall[1002]: Processing /etc/shorewall/params ...
Mar 22 11:25:00 black shorewall[1002]: Can't exec "/usr/share/shorewall//getparams": Permission denied at /usr/share/shorewall/Shorewall/Config.pm line 2867.
Mar 22 11:25:00 black shorewall[1002]:    ERROR: Processing of /etc/shorewall/params failed
Mar 22 11:25:00 black logger: ERROR:Shorewall start failed


audit.log messages:

type=DAEMON_END msg=audit(1300807452.303:9377): auditd normal halt, sending auid=0 pid=2355 subj=system_u:system_r:initrc_t:s0 res=success
type=DAEMON_START msg=audit(1300807498.031:6210): auditd start, ver=2.0.6 format=raw kernel=2.6.35.11-83.fc14.i686.PAE auid=4294967295 pid=945 subj=system_u:system_r:auditd_t:s0 res=success
type=CONFIG_CHANGE msg=audit(1300807498.204:4): audit_backlog_limit=320 old=64 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditctl_t:s0 res=1
type=AVC msg=audit(1300807500.287:5): avc:  denied  { execute } for  pid=1018 comm="perl" name="getparams" dev=dm-1 ino=28905 scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1300807500.287:5): arch=40000003 syscall=11 success=no exit=-13 a0=8e63580 a1=8e634c0 a2=8681658 a3=6ec9c4 items=0 ppid=1017 pid=1018 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="perl" exe="/usr/bin/perl" subj=system_u:system_r:shorewall_t:s0 key=(null)


Expected results:
Shorewall should have configured iptables with rules contained in /etc/shorewall/rules

Additional info:

Using a single interface configuration in shorewall.
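As an added example (not code from the report or from the shorewall project): a small parser that correlates the AVC and SYSCALL records quoted above by their audit serial, so that the denied permission, the source domain, the target file's label and the failing exe and exit code come out as one record for triage. The sample log is constructed from the audit lines in the report plus one unrelated CONFIG_CHANGE line.

```python
import re
from collections import defaultdict

# Constructed sample: the audit records quoted in this bug report (unrelated lines trimmed).
AUDIT_LOG = """\
type=CONFIG_CHANGE msg=audit(1300807498.204:4): audit_backlog_limit=320 old=64 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditctl_t:s0 res=1
type=AVC msg=audit(1300807500.287:5): avc:  denied  { execute } for  pid=1018 comm="perl" name="getparams" dev=dm-1 ino=28905 scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1300807500.287:5): arch=40000003 syscall=11 success=no exit=-13 a0=8e63580 a1=8e634c0 a2=8681658 a3=6ec9c4 items=0 ppid=1017 pid=1018 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="perl" exe="/usr/bin/perl" subj=system_u:system_r:shorewall_t:s0 key=(null)
"""

# "type=AVC msg=audit(<epoch>:<serial>): <body>" -- the serial ties AVC and SYSCALL lines of one event together.
HEADER_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_kv(text):
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}

def parse_audit(log):
    """Group record bodies by audit serial, keyed by record type."""
    events = defaultdict(dict)
    for line in log.splitlines():
        m = HEADER_RE.match(line)
        if m:
            events[m['serial']][m['type']] = m['body']
    return events

def selinux_type(context):
    return context.split(':')[2]  # user:role:type:level -> type

def denials(log):
    """One summary per AVC denial, joined with the SYSCALL record of the same event when present."""
    out = []
    for serial, recs in parse_audit(log).items():
        m = AVC_RE.search(recs.get('AVC', ''))
        if not m or m['result'] != 'denied':
            continue
        f = parse_kv(m['rest'])
        sc = parse_kv(recs.get('SYSCALL', ''))
        out.append({'serial': serial, 'perms': m['perms'].split(), 'comm': f.get('comm'),
                    'target': f.get('name'), 'tclass': f.get('tclass'),
                    'source_type': selinux_type(f['scontext']),   # confined domain, e.g. shorewall_t
                    'target_type': selinux_type(f['tcontext']),   # file label, e.g. the generic usr_t
                    'exe': sc.get('exe'), 'exit': int(sc['exit']) if 'exit' in sc else None})
    return out

if __name__ == '__main__':
    for d in denials(AUDIT_LOG):
        print(f"event {d['serial']}: {d['source_type']} denied {d['perms']} on {d['tclass']} "
              f"'{d['target']}' labelled {d['target_type']} (exe={d['exe']}, exit={d['exit']})")
```

Running it over the sample shows the whole story of this report in one line: the shorewall_t domain is denied execute on the getparams file, which carries the generic usr_t label rather than a shorewall-specific one, and perl's execve fails with exit -13 (EACCES).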

Comment 1 Jonathan Underwood 2011-03-22 23:19:07 UTC

*** This bug has been marked as a duplicate of bug 689165 ***

