Hide Forgot
Description of problem: When "service shorewall status" is executed this normally gives status of the shorewall service (it displays useful information regardless of whether or not the service is running), but this is impossible if SELinux is in enforcing mode. There are *no* avcs of any kind (probably because of "dontaudit" statements in shorewall.te) Version-Release number of selected component (if applicable): The latest SElinux policy, but previous versions have the same problem (this has been for quite a while now). Any recent shorewall version, which produces this output is suitable for reproducing this bug. How reproducible: Always. Steps to Reproduce: 1. From the console "service shorewall status" (regardless of whether shorewall is currently running or not) 2. There is no output at all 3. Actual results: Nothing is displayed and no avc are given in the audit file. Expected results: The same as when "shorewall status" is executed from the console. Additional info: "service shorewall status" runs as expected when I disable SELinux with "echo 0 > /selinux/enforce", so I presume something in shorewall.te is preventing this - can't tell what as there are no avcs shown.
Could you execute following commands # rpm -q selinux-policy # semodule -DB # semanage permissive -a shorewall_t # service shorewall status # ausearch -m avc -ts recent |grep shorewall
selinux-policy-3.7.19-101.fc13.noarch The execution of "ausearch -m avc -ts recent |grep shorewall" returns this: type=SYSCALL msg=audit(1305581125.893:32190): arch=c000003e syscall=59 success=yes exit=0 a0=911270 a1=9110a0 a2=91d340 a3=18 items=0 ppid=1220 pid=1223 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="shorewall" exe="/bin/bash" subj=unconfined_u:system_r:shorewall_t:s0 key=(null) type=AVC msg=audit(1305581126.024:32191): avc: denied { read } for pid=1227 comm="id" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file type=AVC msg=audit(1305581126.024:32191): avc: denied { open } for pid=1227 comm="id" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file type=SYSCALL msg=audit(1305581126.024:32191): arch=c000003e syscall=2 success=yes exit=3 a0=7fffe7244bc0 a1=0 a2=7fffe7244bcc a3=fffffff8 items=0 ppid=1223 pid=1227 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="id" exe="/usr/bin/id" subj=unconfined_u:system_r:shorewall_t:s0 key=(null) type=AVC msg=audit(1305581126.063:32192): avc: denied { getattr } for pid=1223 comm="shorewall" path="/dev/pts/0" dev=devpts ino=3 scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file type=SYSCALL msg=audit(1305581126.063:32192): arch=c000003e syscall=5 success=yes exit=0 a0=1 a1=7fff7181dba0 a2=7fff7181dba0 a3=ffffffb4 items=0 ppid=1220 pid=1223 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="shorewall" exe="/bin/bash" subj=unconfined_u:system_r:shorewall_t:s0 key=(null) type=AVC msg=audit(1305581126.064:32193): avc: denied { rlimitinh } for pid=1236 comm="iptables" scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:iptables_t:s0 tclass=process type=AVC msg=audit(1305581126.064:32193): avc: denied { siginh } for pid=1236 comm="iptables" scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:iptables_t:s0 tclass=process type=AVC msg=audit(1305581126.064:32193): avc: denied { noatsecure } for pid=1236 comm="iptables" scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:iptables_t:s0 tclass=process type=SYSCALL msg=audit(1305581126.064:32193): arch=c000003e syscall=59 success=yes exit=0 a0=a1afa0 a1=92f590 a2=a1f620 a3=28 items=0 ppid=1223 pid=1236 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="iptables" exe="/sbin/iptables-multi" subj=unconfined_u:system_r:iptables_t:s0 key=(null) [root@xp1 ~]# ausearch -m avc -ts recent | grep shorewall type=SYSCALL msg=audit(1305581126.024:32191): arch=c000003e syscall=2 success=yes exit=3 a0=7fffe7244bc0 a1=0 a2=7fffe7244bcc a3=fffffff8 items=0 ppid=1223 pid=1227 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="id" exe="/usr/bin/id" subj=unconfined_u:system_r:shorewall_t:s0 key=(null) type=AVC msg=audit(1305581126.024:32191): avc: denied { open } for pid=1227 comm="id" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file type=AVC msg=audit(1305581126.024:32191): avc: denied { read } for pid=1227 comm="id" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file type=SYSCALL msg=audit(1305581125.893:32190): arch=c000003e syscall=59 success=yes exit=0 a0=911270 a1=9110a0 a2=91d340 a3=18 items=0 ppid=1220 pid=1223 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="shorewall" exe="/bin/bash" subj=unconfined_u:system_r:shorewall_t:s0 key=(null) type=AVC msg=audit(1305581125.893:32190): avc: denied { read write } for pid=1223 comm="shorewall" name="0" dev=devpts ino=3 scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file type=SYSCALL msg=audit(1305581126.063:32192): arch=c000003e syscall=5 success=yes exit=0 a0=1 a1=7fff7181dba0 a2=7fff7181dba0 a3=ffffffb4 items=0 ppid=1220 pid=1223 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="shorewall" exe="/bin/bash" subj=unconfined_u:system_r:shorewall_t:s0 key=(null) type=AVC msg=audit(1305581126.063:32192): avc: denied { getattr } for pid=1223 comm="shorewall" path="/dev/pts/0" dev=devpts ino=3 scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file type=AVC msg=audit(1305581126.064:32193): avc: denied { noatsecure } for pid=1236 comm="iptables" scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:iptables_t:s0 tclass=process type=AVC msg=audit(1305581126.064:32193): avc: denied { siginh } for pid=1236 comm="iptables" scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:iptables_t:s0 tclass=process type=AVC msg=audit(1305581126.064:32193): avc: denied { rlimitinh } for pid=1236 comm="iptables" scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:iptables_t:s0 tclass=process Also, I would appreciate it if, in the future, when you send instructions which alter my current selinux policy (semodule -DB in this instance) to also send similar instructions on how to revert to the state of the policy I've had prior to following these!
Thank you, I apologize. # setsebool allow_daemons_use_tty on Will allow it for now. # semodule -B # semanage permissive -d shorewall_t Probably you have already done these steps.
In F16 we can add userdom_use_inherited_user_ttys(shorewall_t) userdom_use_inherited_user_ptys(shorewall_t) We probably need to add this to all releases.
Fixed in selinux-policy-3.7.19-108.fc13
This message is a reminder that Fedora 13 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '13'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 13's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 13 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Fedora 13 changed to end-of-life (EOL) status on 2011-06-25. Fedora 13 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.