Bug 919893 - new selinux policy utterly breaks shorewall
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.5
Hardware: All
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Miroslav Grepl
QA Contact: Milos Malik
Reported: 2013-03-10 13:57 EDT by Pierre Ossman
Modified: 2013-11-21 05:19 EST
Last Closed: 2013-11-21 05:19:49 EST
Type: Bug
Doc Type: Bug Fix

External Trackers
Tracker ID: Red Hat Product Errata RHBA-2013:1598
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix and enhancement update
Last Updated: 2013-11-20 16:39:24 EST
Description Pierre Ossman 2013-03-10 13:57:11 EDT
Just got an updated selinux-policy which resulted in complete breakage of shorewall. It seems it is no longer allowed to run iptables/ip6tables, which is rather silly as that is its primary function.

audit.log is full of these:

type=AVC msg=audit(1362937693.732:325): avc:  denied  { read } for  pid=5547 comm="ip6tables" scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:sysctl_modprobe_t:s0 tclass=file
type=AVC msg=audit(1362937694.893:326): avc:  denied  { create } for  pid=5571 comm="ip6tables" scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
type=AVC msg=audit(1362937694.893:327): avc:  denied  { read } for  pid=5571 comm="ip6tables" scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:sysctl_modprobe_t:s0 tclass=file
type=AVC msg=audit(1362937975.641:329): avc:  denied  { create } for  pid=6459 comm="ip6tables" scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
type=AVC msg=audit(1362937975.641:330): avc:  denied  { getopt } for  pid=6459 comm="ip6tables" lport=255 scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
type=AVC msg=audit(1362937978.305:331): avc:  denied  { setopt } for  pid=6506 comm="ip6tables" lport=255 scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket

After setting shorewall_t to permissive, I also get these:

type=AVC msg=audit(1362937978.622:363): avc:  denied  { module_request } for  pid=6601 comm="ip6tables" kmod="ip6table_rawpost" scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1362937979.317:387): avc:  denied  { search } for  pid=6723 comm="sh" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1362937979.317:387): avc:  denied  { getattr } for  pid=6723 comm="sh" path="/sys/module" dev=sysfs ino=583 scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1362937979.501:392): avc:  denied  { write } for  pid=6853 comm="touch" name="shorewall" dev=dm-0 ino=393662 scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1362937979.501:392): avc:  denied  { open } for  pid=6853 comm="touch" name="shorewall" dev=dm-0 ino=393662 scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file


Shorewall itself reports the error as:

 Loading Modules...
    ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system


Things worked fine until I rebooted the machine today, so it is something recent that changed.

selinux-policy-3.7.19-195.el6_4.1.noarch
Comment 1 Milos Malik 2013-03-11 03:34:12 EDT
The following command should fix the problem:

# restorecon -v /sbin/ip*tables*

For more details please see https://bugzilla.redhat.com/show_bug.cgi?id=916727.
Comment 2 Milos Malik 2013-03-11 06:17:59 EDT
Even if /sbin/ip*tables* are labelled correctly, the following AVCs appeared:

----
time->Mon Mar 11 05:49:02 2013
type=SYSCALL msg=audit(1362995342.908:183639): arch=c000003e syscall=4 success=no exit=-13 a0=2424220 a1=7fffb79b9040 a2=7fffb79b9040 a3=8 items=0 ppid=28775 pid=29014 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=6771 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:shorewall_t:s0 key=(null)
type=AVC msg=audit(1362995342.908:183639): avc:  denied  { search } for  pid=29014 comm="sh" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
----
time->Mon Mar 11 05:58:16 2013
type=SYSCALL msg=audit(1362995896.110:183752): arch=c000003e syscall=4 success=no exit=-13 a0=c28510 a1=7fff08eaa570 a2=7fff08eaa570 a3=8 items=0 ppid=30568 pid=30809 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=6771 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:shorewall_t:s0 key=(null)
type=AVC msg=audit(1362995896.110:183752): avc:  denied  { getattr } for  pid=30809 comm="sh" path="/sys/module" dev=sysfs ino=347 scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
----

# rpm -qa | grep -e selinux-policy -e shorewall | sort
selinux-policy-3.7.19-195.el6_4.3.noarch
selinux-policy-doc-3.7.19-195.el6_4.3.noarch
selinux-policy-minimum-3.7.19-195.el6_4.3.noarch
selinux-policy-mls-3.7.19-195.el6_4.3.noarch
selinux-policy-targeted-3.7.19-195.el6_4.3.noarch
shorewall-4.5.4-1.el6.noarch
shorewall-core-4.5.4-1.el6.noarch
#
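An added triage helper (not part of this bug report, nor code from the selinux-policy or shorewall projects) that parses AVC and SYSCALL records like those in the description and in comment 2, aggregates the denials per source type, target type and object class the way audit2allow does, joins each AVC to its SYSCALL record by audit serial to recover the executable and exit code, and tags filesystem-class targets for a label check (the restorecon step from comment 1) before treating them as a policy gap. The sample records are constructed from the lines quoted above (the SYSCALL record is shortened); the "check-label"/"policy-gap" tags and the function names are this example's own.

```python
import re

# Constructed sample in the shape of the records quoted in this report; the SYSCALL
# record shares its audit serial (183639) with the AVC line that follows it.
SAMPLE = """\
type=AVC msg=audit(1362937693.732:325): avc:  denied  { read } for  pid=5547 comm="ip6tables" scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:sysctl_modprobe_t:s0 tclass=file
type=AVC msg=audit(1362937694.893:326): avc:  denied  { create } for  pid=5571 comm="ip6tables" scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
type=SYSCALL msg=audit(1362995342.908:183639): arch=c000003e syscall=4 success=no exit=-13 pid=29014 uid=0 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:shorewall_t:s0 key=(null)
type=AVC msg=audit(1362995342.908:183639): avc:  denied  { search } for  pid=29014 comm="sh" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1362995896.110:183752): avc:  denied  { getattr } for  pid=30809 comm="sh" path="/sys/module" dev=sysfs ino=347 scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
"""
HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
DECISION = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
# Denials on filesystem objects may be a mislabelled file (fix: restorecon), not a policy gap.
FS_CLASSES = {"file", "dir", "lnk_file", "chr_file", "blk_file", "sock_file", "fifo_file"}

def parse_record(line):
    """One audit line -> dict with type, time, serial, perms and its key=value fields."""
    m = HEADER.match(line.strip())
    if not m:
        return None  # e.g. the 'time->...' and '----' separators in ausearch output
    rec = {"type": m[1], "time": float(m[2]), "serial": int(m[3])}
    d = DECISION.search(m[4])
    if d:
        rec["decision"], rec["perms"] = d[1], d[2].split()
    rec.update((k, v.strip('"')) for k, v in FIELD.findall(m[4]))
    return rec

def summarize_denials(text):
    """Aggregate denied AVCs by (source type, target type, class) as audit2allow does,
    attach exe/exit from the SYSCALL record with the same serial, and add a triage tag."""
    recs = [r for r in map(parse_record, text.splitlines()) if r]
    syscalls = {r["serial"]: r for r in recs if r["type"] == "SYSCALL"}
    out = {}
    for r in recs:
        if r["type"] != "AVC" or r.get("decision") != "denied":
            continue
        # a context is user:role:type[:level], so the type sits at index 2
        key = (r["scontext"].split(":")[2], r["tcontext"].split(":")[2], r["tclass"])
        e = out.setdefault(key, {"perms": set(), "exe": set()})
        e["perms"].update(r["perms"])
        e["triage"] = "check-label" if r["tclass"] in FS_CLASSES else "policy-gap"
        if r["serial"] in syscalls:
            sc = syscalls[r["serial"]]
            e["exe"].add(f'{sc["exe"]} (exit={sc["exit"]})')
    return out

def as_allow_rules(summary):
    """Render the aggregate as allow rules for human review, not for blind loading."""
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(e['perms']))} }};"
                  for (s, t, c), e in summary.items())
```

Run summarize_denials over the output of ausearch -m AVC,SYSCALL rather than over SAMPLE to triage a live system; the "check-label" entries are the ones to relabel and re-test before any rule is written.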
Comment 3 Miroslav Grepl 2013-03-11 09:02:41 EDT
We have this in Fedora. Will backport it.
Comment 8 Miroslav Grepl 2013-08-06 07:12:19 EDT
Has been added.
Comment 11 errata-xmlrpc 2013-11-21 05:19:49 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html
