Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Gentoo: Hardened

[selinux] /etc/init.d/iptables save doesn't work

 

 

Gentoo hardened RSS feed   Index | Next | Previous | View Threaded


richard.simpson at wgint

Oct 1, 2004, 6:16 PM

Post #1 of 1 (244 views)
Permalink
[selinux] /etc/init.d/iptables save doesn't work

Hi:

kernel = 2.6.7-r8
policy=17

When attempting to run "/etc/init.d/iptables save" for the first time (i.e.,
no existing rules-save), it fails to create the file
"/var/lib/iptables/rules-save". Filtering the selinux denials through
audit2allow gives the following needed permissions:

allow initrc_t iptables_var_lib_t:file { create };
allow iptables_t var_t:dir { search };

So then I manually created the save file with "touch
/var/lib/iptables/rules-save" and verified that it's context is:
root:object_r:iptables_var_lib_t. Re-running "iptables save" still fails,
giving this needed permission:

allow initrc_t iptables_var_lib_t:file { write };

If I execute "iptables-save > /var/lib/iptables/rules-save", the binary
works correctly with no denials. Further, rebooting successfully starts
/etc/init.d/iptables and correctly restores the iptables rules.

Since "iptables -L" appears to run correctly but gives a bunch of "var_t:dir
{ search }" denials as well, I believe a dontaudit will solve that problem,
but the other problem looks like a failure of initrc_t to transition to the
correct domain.

Has anyone run into this problem?

Thanks,
Richard Simpson



--
gentoo-hardened [at] gentoo mailing list

Gentoo hardened RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.