Gentoo Archives: gentoo-hardened

From: Richard Simpson <richard.simpson@×××××.com>
To: gentoo-hardened <gentoo-hardened@l.g.o>
Subject: [gentoo-hardened] [selinux] /etc/init.d/iptables save doesn't work
Date: Sat, 02 Oct 2004 01:14:14
Message-Id: BJENLMGHDPAAAGKKPOFOCEEPCFAA.richard.simpson@wgint.com
Hi:

kernel = 2.6.7-r8
policy=17

When attempting to run "/etc/init.d/iptables save" for the first time (i.e.,
no existing rules-save), it fails to create the file
"/var/lib/iptables/rules-save". Filtering the selinux denials through
audit2allow gives the following needed permissions:

allow initrc_t iptables_var_lib_t:file { create };
allow iptables_t var_t:dir { search };

So then I manually created the save file with "touch
/var/lib/iptables/rules-save" and verified that its context is:
root:object_r:iptables_var_lib_t. Re-running "iptables save" still fails,
giving this needed permission:

allow initrc_t iptables_var_lib_t:file { write };

If I execute "iptables-save > /var/lib/iptables/rules-save", the binary
works correctly with no denials. Further, rebooting successfully starts
/etc/init.d/iptables and correctly restores the iptables rules.

Since "iptables -L" appears to run correctly but gives a bunch of "var_t:dir
{ search }" denials as well, I believe a dontaudit will solve that problem,
but the other problem looks like a failure of initrc_t to transition to the
correct domain.

Has anyone run into this problem?

Thanks,
Richard Simpson

--
gentoo-hardened@g.o mailing list
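As an added example (not part of Richard's post, and not the audit2allow tool itself), here is a small Python re-implementation of what audit2allow does with denials like the ones above: it parses AVC lines in the 2.6-era dmesg format, merges the denied permissions per (source type, target type, object class) into allow rules, and additionally flags denials where a domain other than the service's own domain acts directly on that service's file types, which is the pattern that usually indicates a missing domain transition rather than a missing allow rule. The AVC lines are constructed for the example, and the `suspect_missing_transition` heuristic (with its `expected_domain` and `type_prefix` parameters) is an assumption made here for illustration.

```python
import re
from collections import defaultdict

# Constructed sample AVC denials in the 2.6-era dmesg format (not copied from a real
# system); the last line is deliberately not an AVC record and must be ignored.
SAMPLE_AVC = """\
audit(1096700054.123:45): avc:  denied  { create } for  pid=1234 exe=/bin/bash name=rules-save scontext=root:system_r:initrc_t tcontext=root:object_r:iptables_var_lib_t tclass=file
audit(1096700054.124:46): avc:  denied  { search } for  pid=1235 exe=/sbin/iptables name=var dev=hda3 ino=2 scontext=root:system_r:iptables_t tcontext=system_u:object_r:var_t tclass=dir
audit(1096700061.001:47): avc:  denied  { write } for  pid=1240 exe=/bin/bash name=rules-save scontext=root:system_r:initrc_t tcontext=root:object_r:iptables_var_lib_t tclass=file
audit(1096700061.002:48): avc:  denied  { search } for  pid=1241 exe=/sbin/iptables name=var scontext=root:system_r:iptables_t tcontext=system_u:object_r:var_t tclass=dir
some unrelated kernel message that must be ignored
"""

# One AVC record: the denied permission set, then source/target contexts and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type security context."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Parse AVC denial lines into dicts; lines that are not AVC records are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "source": context_type(m.group("scontext")),
            "target": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "perms": set(m.group("perms").split()),
        })
    return denials


def allow_rules(denials):
    """Merge denials per (source, target, class) into allow rules, as audit2allow does.

    Repeated denials (e.g. the many var_t:dir search ones) collapse into one rule,
    and create + write on the same file type become a single rule.
    """
    merged = defaultdict(set)
    for d in denials:
        merged[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(merged.items())
    ]


def suspect_missing_transition(denials, expected_domain, type_prefix):
    """Heuristic (an assumption for this example, not an audit2allow feature):
    a denial where some domain other than expected_domain touches a type named
    with the service's prefix usually means the process never transitioned into
    expected_domain, so adding the allow rule would be the wrong fix."""
    return [
        d for d in denials
        if d["target"].startswith(type_prefix) and d["source"] != expected_domain
    ]


if __name__ == "__main__":
    found = parse_avc(SAMPLE_AVC)
    for rule in allow_rules(found):
        print(rule)
    for d in suspect_missing_transition(found, "iptables_t", "iptables_"):
        print(f"# {d['source']} acted on {d['target']} directly "
              f"({sorted(d['perms'])}); check the domain transition instead")
```

Run as a script it prints the two merged allow rules and then a comment for each create/write denial, because those come from initrc_t rather than iptables_t; that distinction is what separates a genuine policy gap (the search denials on var_t) from a script that never entered the intended domain.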