Hi:

kernel = 2.6.7-r8
policy=17

When attempting to run "/etc/init.d/iptables save" for the first time (i.e.,
no existing rules-save), it fails to create the file
"/var/lib/iptables/rules-save". Filtering the selinux denials through
audit2allow gives the following needed permissions:

allow initrc_t iptables_var_lib_t:file { create };
allow iptables_t var_t:dir { search };

So then I manually created the save file with "touch
/var/lib/iptables/rules-save" and verified that its context is:
root:object_r:iptables_var_lib_t. Re-running "iptables save" still fails,
giving this needed permission:

allow initrc_t iptables_var_lib_t:file { write };

If I execute "iptables-save > /var/lib/iptables/rules-save", the binary
works correctly with no denials. Further, rebooting successfully starts
/etc/init.d/iptables and correctly restores the iptables rules.

Since "iptables -L" appears to run correctly but gives a bunch of "var_t:dir
{ search }" denials as well, I believe a dontaudit will solve that problem,
but the other problem looks like a failure of initrc_t to transition to the
correct domain.

Has anyone run into this problem?

Thanks,
Richard Simpson

-- 
gentoo-hardened@g.o mailing list
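As an added example that is not part of the original post: a small audit2allow-style summary of AVC denial lines, plus a check for the symptom described above, namely denials against iptables_var_lib_t whose source domain is initrc_t rather than iptables_t (the sign that the init script's redirect never transitioned into the iptables domain). The log lines are constructed, modelled on the denials quoted in the post; the function names are my own.

```shell
#!/bin/sh
# Constructed AVC lines modelled on the denials in the post (not real logs).
AVC_SAMPLE='audit(1091000000.000:1): avc:  denied  { create } for  pid=1234 comm="sh" name="rules-save" scontext=root:system_r:initrc_t tcontext=root:object_r:iptables_var_lib_t tclass=file
audit(1091000000.000:2): avc:  denied  { search } for  pid=1235 comm="iptables" name="lib" scontext=root:system_r:iptables_t tcontext=system_u:object_r:var_t tclass=dir
audit(1091000000.000:3): avc:  denied  { write } for  pid=1236 comm="sh" name="rules-save" scontext=root:system_r:initrc_t tcontext=root:object_r:iptables_var_lib_t tclass=file'

# avc_to_allow: turn AVC denial lines on stdin into the
# "allow <src_type> <tgt_type>:<class> { <perm> };" shape audit2allow
# prints, collapsing duplicates. Only the type field of each context is kept.
avc_to_allow() {
    awk '
    /avc:  denied/ {
        perm = $0; sub(/.*denied  [{] */, "", perm); sub(/ *[}].*/, "", perm)
        src = $0; sub(/.*scontext=/, "", src); sub(/ .*/, "", src)
        tgt = $0; sub(/.*tcontext=/, "", tgt); sub(/ .*/, "", tgt)
        cls = $0; sub(/.*tclass=/, "", cls); sub(/ .*/, "", cls)
        n = split(src, s, ":"); m = split(tgt, t, ":")
        line = "allow " s[n] " " t[m] ":" cls " { " perm " };"
        if (!seen[line]++) print line
    }'
}

# denials_from_wrong_domain TGT_TYPE EXPECTED_SRC: print each source domain
# that was denied access to TGT_TYPE but is not EXPECTED_SRC. A hit means the
# access was attempted from the caller domain (here initrc_t, i.e. the init
# script's shell redirect) instead of the confined domain, which is a domain
# transition problem rather than something to fix with a plain allow rule.
denials_from_wrong_domain() {
    awk -v tgt_want="$1" -v src_want="$2" '
    /avc:  denied/ {
        src = $0; sub(/.*scontext=/, "", src); sub(/ .*/, "", src)
        tgt = $0; sub(/.*tcontext=/, "", tgt); sub(/ .*/, "", tgt)
        n = split(src, s, ":"); m = split(tgt, t, ":")
        if (t[m] == tgt_want && s[n] != src_want) print s[n]
    }' | sort -u
}

# Usage: summarise the sample, then flag writes to the save file that did
# not come from iptables_t.
printf '%s\n' "$AVC_SAMPLE" | avc_to_allow
printf '%s\n' "$AVC_SAMPLE" | denials_from_wrong_domain iptables_var_lib_t iptables_t
```

On a real system the input would be the AVC lines from the kernel log or audit log (for example `dmesg | grep avc`) piped into the same functions.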