CentOS Bug Tracker
ID: 0006274
Project: CentOS-6
Category: selinux-policy
View Status: public
Date Submitted: 2013-02-28 15:55
Last Update: 2014-01-02 18:46
Reporter: rsandu
Priority: urgent
Severity: minor
Reproducibility: have not tried
Status: resolved
Resolution: fixed
Platform:
OS:
OS Version:
Product Version: 6.3
Target Version:
Fixed in Version: 6.5
Summary: 0006274: Recent SELinux update disables iptables firewall managed by Shorewall?
Description:
Hello,

After recent updates (end February 2013) my firewall managed by Shorewall (http://www.shorewall.net) ceased to start.

When doing:

service shorewall restart

the service does not start and I get, in /var/log/messages:


Feb 28 17:26:25 mail1 shorewall[6124]: Compiling...
Feb 28 17:26:25 mail1 shorewall[6124]: Processing /etc/shorewall/params ...
Feb 28 17:26:25 mail1 shorewall[6124]: Processing /etc/shorewall/shorewall.conf...
Feb 28 17:26:25 mail1 shorewall[6124]: Loading Modules...
Feb 28 17:26:25 mail1 shorewall[6124]: ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system
Feb 28 17:26:25 mail1 rsandu: ERROR:Shorewall restart failed


By googling, it seems to be a SELinux issue:

http://www.mail-archive.com/shorewall-users@lists.sourceforge.net/msg14885.html


I've solved it by doing a

touch /.autorelabel; reboot

but it is pretty nasty, because it may *completely disable* firewall/Shorewall on an unattended machine, if the machine gets a restart.

Versions are:

kernel-2.6.32-358.0.1.el6.x86_64
shorewall-4.5.4-1.el6.noarch (from EPEL)
selinux-policy-targeted-3.7.19-195.el6_4.1.noarch


Best regards,
Răzvan
Steps To Reproduce: Have not tried.
Tags: No tags attached.
Attached Files:

- Relationships

- Notes
(0016564)
tru (administrator)
2013-02-28 20:32

this workaround should be enough:
restorecon -Rv /sbin

It should catch:
restorecon reset /sbin/iptables-multi-1.4.7 context
system_u:object_r:bin_t:s0->system_u:object_r:iptables_exec_t:s0
restorecon reset /sbin/ip6tables-multi-1.4.7 context
system_u:object_r:bin_t:s0->system_u:object_r:iptables_exec_t:s0
(0016570)
wolfy (developer)
2013-03-01 18:24

It was already reported upstream as https://bugzilla.redhat.com/show_bug.cgi?id=916727
(0018754)
tigalch (developer)
2014-01-02 18:46

Reported as SOLVED upstream with http://rhn.redhat.com/errata/RHBA-2013-1608.html
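
The check behind tru's workaround, as an added example that is not part of this bug report and not code from Shorewall or policycoreutils: a POSIX shell script that runs restorecon in dry-run mode (-n) over /sbin and reports every binary whose SELinux type differs from what the loaded policy expects (here, iptables-multi carrying bin_t instead of iptables_exec_t), so an unattended host can be audited before a reboot rather than discovered after the firewall fails to load. The "restorecon reset ... context OLD->NEW" line format is the one quoted in tru's note; the "Would relabel ... from OLD to NEW" form is an assumption about newer restorecon releases, and the sample output is constructed. The script only reads; the repair step remains `restorecon -Rv /sbin` as given above.

```shell
#!/bin/sh
# Added example, not code from the bug report or from Shorewall/policycoreutils.
# Audits the SELinux file context of everything under /sbin the way tru's
# workaround ("restorecon -Rv /sbin") would, but in dry-run mode (-n) so
# nothing is changed; files whose TYPE would change (e.g. bin_t -> iptables_exec_t)
# are reported and the audit returns non-zero.

# Constructed sample of what a verbose dry run prints on an affected host.
# Lines 1-2 reproduce the format quoted in the bug notes; line 3 is the
# "Would relabel" format assumed for newer restorecon releases; line 4 changes
# only the SELinux user, so the type is unchanged and must NOT be reported.
SAMPLE_RESTORECON_OUTPUT='restorecon reset /sbin/iptables-multi-1.4.7 context system_u:object_r:bin_t:s0->system_u:object_r:iptables_exec_t:s0
restorecon reset /sbin/ip6tables-multi-1.4.7 context system_u:object_r:bin_t:s0->system_u:object_r:iptables_exec_t:s0
Would relabel /sbin/ip6tables-restore from system_u:object_r:bin_t:s0 to system_u:object_r:iptables_exec_t:s0
restorecon reset /sbin/ifconfig context unconfined_u:object_r:ifconfig_exec_t:s0->system_u:object_r:ifconfig_exec_t:s0'

# Reads restorecon -v output on stdin and prints "PATH OLD_TYPE NEW_TYPE" for
# every file whose SELinux type (third colon-separated field of the context)
# would change. Lines in neither format, or with an unchanged type, are ignored.
parse_restorecon() {
    awk '
        { path = "" }
        $1 == "restorecon" && $2 == "reset" && $4 == "context" {
            path = $3; split($5, c, "->"); old = c[1]; new = c[2]
        }
        $1 == "Would" && $2 == "relabel" && $4 == "from" && $6 == "to" {
            path = $3; old = $5; new = $7
        }
        path != "" {
            split(old, o, ":"); split(new, n, ":")
            if (o[3] != n[3]) print path, o[3], n[3]
        }'
}

# Runs the dry run on a real host when restorecon is available; otherwise falls
# back to the constructed sample so the script can be exercised anywhere.
# Returns 0 when no type would change, 1 when at least one file is mislabelled.
audit_sbin_contexts() {
    if command -v restorecon >/dev/null 2>&1 && [ -d /sbin ]; then
        out=$(restorecon -nRv /sbin 2>/dev/null | parse_restorecon)
    else
        out=$(printf '%s\n' "$SAMPLE_RESTORECON_OUTPUT" | parse_restorecon)
    fi
    if [ -n "$out" ]; then
        printf 'SELinux type mismatch under /sbin (path old new):\n%s\n' "$out"
        return 1
    fi
    echo "no SELinux type changes pending under /sbin"
    return 0
}

# A non-zero result is the signal to run "restorecon -Rv /sbin" (tru's
# workaround) before restarting shorewall, or to do so from a cron/monitoring job.
audit_sbin_contexts || echo "relabel needed: restorecon -Rv /sbin, then service shorewall restart"
```

Only the type field is compared, so a change of SELinux user alone (the ifconfig line in the sample) is not flagged; that is deliberate, since it is the iptables_exec_t type, not the user, that lets Shorewall's iptables calls transition into the iptables domain.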

- Issue History
Date Modified Username Field Change
2013-02-28 15:55 rsandu New Issue
2013-02-28 20:32 tru Note Added: 0016564
2013-03-01 18:24 wolfy Note Added: 0016570
2014-01-02 18:46 tigalch Note Added: 0018754
2014-01-02 18:46 tigalch Status new => resolved
2014-01-02 18:46 tigalch Fixed in Version => 6.5
2014-01-02 18:46 tigalch Resolution open => fixed

