Bug 692413 - SELinux is preventing /bin/bash (shorewall) from write access on the file /etc/iproute2/rt_tables
Summary: SELinux is preventing /bin/bash (shorewall) from write access on the file /et...
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 14
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2011-03-31 09:58 UTC by ZiN
Modified: 2011-04-17 09:04 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-04-17 09:04:47 UTC
Type: ---


Attachments
A message from setroubleshootd (3.07 KB, text/plain)
2011-03-31 09:58 UTC, ZiN

Description ZiN 2011-03-31 09:58:52 UTC
Created attachment 489018
A message from setroubleshootd

Description of problem:
When using shorewall as an iptables frontend, SELinux audit messages such as the one in the attachment appear.

Version-Release number of selected component (if applicable):
4.4.17-2fc14

How reproducible:
When connecting to some network via e.g. networkmanager-applet, a message from setroubleshootd appears.

Steps to Reproduce:
1. Install and setup shorewall
2. Set up a new dispatcher for NetworkManager in /etc/NetworkManager/dispatcher.d that should reload the shorewall configuration
3. Maybe restart, so that NetworkManager or netplugd picks up the new dispatcher
4. Try to connect, eg. via NetworkManager, to some network
  
Actual results:
SELinux audit messages

Expected results:
No SELinux audit messages

Additional info:

Sequential use of semanage and restorecon, as advised in the attached log, fails with the message:

restorecon set context /etc/iproute2/rt_tables->system_u:object_r:shorewall_t:s0 failed:'Permission denied'

Comment 1 Jonathan Underwood 2011-03-31 13:35:48 UTC
This needs a fix in the SElinux policy - Miroslav/Dan, can you take a look?

Thanks.

Comment 2 Daniel Walsh 2011-03-31 13:48:06 UTC
ZiN, you are attempting to put a process label on a file; that is why it is failing. The alert told you which types could be assigned to the file to make it work?

Comment 3 Daniel Walsh 2011-03-31 13:49:24 UTC
Does shorewall need to be able to edit any file in /etc/iproute2/?
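The distinction Daniel Walsh draws in Comments 2 and 3 is the reason the restorecon in the "Additional info" above fails: shorewall_t is the domain the shorewall process runs in (a type with the `domain` attribute), not a type with the `file_type` attribute, and the policy does not allow a file to be relabelled to a type that is not a file type, hence "Permission denied". The script below is an added example and is not part of this bug report, of shorewall or of selinux-policy. It pulls the fields a policy maintainer needs out of an AVC record (source domain, permission, object class, target type) and refuses to emit a `semanage fcontext` / `restorecon` pair when the requested type is the source domain from the denial. The AVC record it parses is constructed to match the denial described here; its pid, device, inode and the target type `net_conf_t` are assumptions (the real record is in the setroubleshoot attachment).

```shell
#!/bin/sh
# Added example (not from the bug report, shorewall or selinux-policy):
# triage an AVC denial and build a relabel command that uses a file type,
# never the process domain that was denied.

# Constructed AVC record modelled on this bug. pid, dev, ino and the target
# type net_conf_t are assumptions; the real record is in the attachment.
SAMPLE_AVC='type=AVC msg=audit(1301561932.000:101): avc:  denied  { write } for  pid=2468 comm="bash" name="rt_tables" dev=dm-0 ino=4321 scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file'

# avc_field RECORD KEY: the value of the KEY=value pair in an AVC record.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# ctx_type CONTEXT: the type component of a user:role:type[:range] context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms RECORD: the permissions listed inside the braces, e.g. "write".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{[[:space:]]*\([^}]*[^}[:space:]]\)[[:space:]]*}.*/\1/p'
}

# avc_summary RECORD: one line "SOURCE_DOMAIN PERMS TCLASS TARGET_TYPE".
avc_summary() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    printf '%s %s %s %s\n' "$src" "$(avc_perms "$1")" "$(avc_field "$1" tclass)" "$tgt"
}

# type_kind TYPE: classify TYPE from the loaded policy when setools is
# installed. Prints file_type, domain, other, or unknown (no seinfo).
type_kind() {
    command -v seinfo >/dev/null 2>&1 || { echo unknown; return; }
    attrs=$(seinfo -t"$1" -x 2>/dev/null)
    case "$attrs" in
        *file_type*) echo file_type ;;
        *domain*)    echo domain ;;
        *)           echo other ;;
    esac
}

# fcontext_cmd PATH TYPE RECORD: print the semanage/restorecon pair that
# relabels PATH to TYPE, or fail when TYPE is the source domain of RECORD
# (a process label; the kernel will not put it on a file) or when the
# policy says it is not a file type.
fcontext_cmd() {
    path=$1; ftype=$2; record=$3
    src=$(ctx_type "$(avc_field "$record" scontext)")
    if [ "$ftype" = "$src" ]; then
        echo "error: $ftype is the process domain from the denial, not a file type" >&2
        return 1
    fi
    case "$(type_kind "$ftype")" in
        domain|other)
            echo "error: $ftype is not a file type in the loaded policy" >&2
            return 1 ;;
    esac
    printf 'semanage fcontext -a -t %s %s\nrestorecon -v %s\n' "$ftype" "$path" "$path"
}

# Stand-alone demo: sh avc_triage.sh demo
if [ "${1:-}" = "demo" ]; then
    avc_summary "$SAMPLE_AVC"
    # This is the mistake from the report: the denied domain used as a file label.
    fcontext_cmd /etc/iproute2/rt_tables shorewall_t "$SAMPLE_AVC" || true
    fcontext_cmd /etc/iproute2/rt_tables net_conf_t "$SAMPLE_AVC"
fi
```

On a machine with setools installed, `type_kind` consults `seinfo -t<type> -x`, so the check also rejects types that exist but carry no `file_type` attribute; without seinfo only the "is this the denied domain" check applies. Whether shorewall should be allowed to write under /etc/iproute2/ at all is the separate policy question raised in Comment 3, and relabelling the file does not answer it.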

