View Issue Details

ID: 0012648
Project: CentOS-7
Category: selinux-policy
View Status: public
Last Update: 2020-05-23 20:37
Reporter: feehans
Priority: normal
Severity: major
Reproducibility: always
Status: new
Resolution: open
Platform: (none)
OS: CentOS 7
OS Version: 7.3.1611
Product Version: 7.3.1611
Target Version: (none)
Fixed in Version: (none)
Summary: 0012648: selinux denies for iptables.init
Description:
After the update to 7.3.1611, on reboot selinux logs:

type=AVC msg=audit(1484321818.514:30931): avc: denied { setattr } for pid=14042 comm="chmod" name="iptables.save" dev="dm-0" ino=35288115 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file

type=AVC msg=audit(1484321818.516:30932): avc: denied { execute } for pid=14010 comm="iptables.init" name="plymouth" dev="dm-0" ino=67870175 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:plymouth_exec_t:s0 tclass=file

type=AVC msg=audit(1484321818.521:30937): avc: denied { execute } for pid=14011 comm="ip6tables.init" name="plymouth" dev="dm-0" ino=67870175 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:plymouth_exec_t:s0 tclass=file

type=AVC msg=audit(1484321818.525:30942): avc: denied { execute } for pid=14011 comm="ip6tables.init" name="plymouth" dev="dm-0" ino=67870175 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:plymouth_exec_t:s0 tclass=file

type=AVC msg=audit(1484321838.681:15): avc: denied { read } for pid=723 comm="ip6tables.init" name="modprobe.d" dev="dm-0" ino=34095125 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir

Steps To Reproduce: set selinux to enforcing and reboot.
Tags: No tags attached.

Activities

ryencoke (reporter), 2020-05-23 20:12, note ~0036979

Also have the same issue in the latest CentOS 7 release, CentOS 7.8. iptables never saves the config after running save a 2nd time (when the /etc/sysconfig/iptables.save file exists).

Reproduce by saving the iptables.save file, either by changing the relevant /etc/sysconfig/iptables-config settings or by running /usr/libexec/iptables/iptables.init save.

Details:
ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -i|tail
----
type=PROCTITLE msg=audit(05/23/2020 16:15:51.998:2285) : proctitle=chmod 600 /etc/sysconfig/iptables.save
type=SYSCALL msg=audit(05/23/2020 16:15:51.998:2285) : arch=x86_64 syscall=fchmodat success=no exit=EACCES(Permission denied) a0=0xffffffffffffff9c a1=0x192b0f0 a2=0600 a3=0x7fff8e109a20 items=0 ppid=5879 pid=5891 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chmod exe=/usr/bin/chmod subj=system_u:system_r:iptables_t:s0 key=(null)
type=AVC msg=audit(05/23/2020 16:15:51.998:2285) : avc: denied { setattr } for pid=5891 comm=chmod name=iptables.save dev="sda1" ino=63210 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file permissive=0

journalctl -t setroubleshoot --since=16:00
May 23 16:21:58 centos7 setroubleshoot[6207]: SELinux is preventing /usr/bin/chmod from setattr access on the file iptables.save. For complete SELinux messages run: sealert -l 86281ed4-8d01-464e-8ef4-dd5a1af6468c

sealert -l 86281ed4-8d01-464e-8ef4-dd5a1af6468c
SELinux is preventing /usr/bin/chmod from setattr access on the file iptables.save.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that chmod should be allowed setattr access on the iptables.save file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'chmod' --raw | audit2allow -M my-chmod
# semodule -i my-chmod.pp


Additional Information:
Source Context system_u:system_r:iptables_t:s0
Target Context system_u:object_r:etc_runtime_t:s0
Target Objects iptables.save [ file ]
Source chmod
Source Path /usr/bin/chmod
Port <Unknown>
Host centos7
Source RPM Packages coreutils-8.22-24.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-266.el7.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name centos7
Platform Linux centos7 3.10.0-1127.8.2.el7.x86_64 #1 SMP Tue May 12 16:57:42 UTC 2020 x86_64 x86_64
Alert Count 1
First Seen 2020-05-23 16:21:57 UTC
Last Seen 2020-05-23 16:21:57 UTC
Local ID 86281ed4-8d01-464e-8ef4-dd5a1af6468c

Raw Audit Messages
type=AVC msg=audit(1590250917.427:2394): avc: denied { setattr } for pid=6199 comm="chmod" name="iptables.save" dev="sda1" ino=63210 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1590250917.427:2394): arch=x86_64 syscall=fchmodat success=no exit=EACCES a0=ffffffffffffff9c a1=23600f0 a2=180 a3=7ffd5bca58a0 items=0 ppid=6187 pid=6199 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=chmod exe=/usr/bin/chmod subj=system_u:system_r:iptables_t:s0 key=(null)

Hash: chmod,iptables_t,etc_runtime_t,file,setattr


Workaround:
ausearch -c 'chmod' --raw | audit2allow -M my-chmod
semodule -i my-chmod.pp

For reference, the .te file contents:
cat my-chmod.te

module my-chmod 1.0;

require {
        type iptables_t;
        type etc_runtime_t;
        class file setattr;
}

#============= iptables_t ==============

#!!!! WARNING: 'etc_runtime_t' is a base type.
allow iptables_t etc_runtime_t:file setattr;
ryencoke (reporter), 2020-05-23 20:37, note ~0036980

Impact: Saving the iptables rules a 2nd time will silently fail. So you think you are saving the iptables rules, but the save never happens, resulting in anything added to the iptables rules being lost on iptables service restart or reboot.
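An added example for this report (editor's code, not code from the report, its commenters or the selinux-policy project). audit2allow, as used in the workaround in the first note, collapses every denial in its input into one allow rule per source type, target type and class, and its own WARNING line says the target here, etc_runtime_t, is a base type: the resulting rule grants setattr on every file of that type, not only iptables.save. The script below parses the AVC records quoted in this report, in both the raw audit.log form and the interpreted form printed by `ausearch -i`, correlates each AVC with the SYSCALL and PROCTITLE records of the same audit event to recover the full path of the object, and prints both the rules audit2allow would write and the `restorecon -nv` dry run a practitioner would do first to tell a labelling problem from a genuinely missing rule. The raw PROCTITLE record is constructed to show the hex encoding auditd uses for argv; every other record is copied from the report.

```python
"""Added example (not code from the report or from selinux-policy): parse SELinux AVC
denials in raw audit.log form and in the `ausearch -i` interpreted form, correlate each
AVC with the SYSCALL/PROCTITLE records of its audit event, and derive the allow rules
audit2allow would write plus the relabel dry run to do before installing them."""
import re
from collections import defaultdict

# msg=audit(<timestamp>:<serial>) identifies an event.  Serials restart at boot and the
# interpreted timestamp itself contains colons, so the whole text is used as the key.
RECORD_RE = re.compile(
    r'^type=(?P<type>\w+)\s+msg=audit\((?P<event>[^)]*?:\d+)\)\s*:\s*(?P<body>.*)$')
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_fields(text):
    """key=value pairs; values are quoted in raw records, bare after `ausearch -i`."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(text)}

def decode_proctitle(value):
    """The kernel hex-encodes proctitle when it holds spaces or other unsafe bytes
    (argv joined by NUL); `ausearch -i` prints it decoded.  Return argv either way."""
    value = value.strip('"')
    if len(value) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', value):
        return bytes.fromhex(value).decode('utf-8', 'replace').split('\0')
    return value.split()

def type_of(context):
    """system_u:system_r:iptables_t:s0 -> iptables_t (an MLS range follows the type)."""
    return context.split(':')[2]

def parse_events(log_text):
    """Group AVC, SYSCALL and PROCTITLE records by audit event."""
    events = defaultdict(lambda: {'avc': [], 'syscall': {}, 'argv': []})
    for line in log_text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        ev, body = events[m['event']], m['body']
        a = AVC_RE.search(body) if m['type'] == 'AVC' else None
        if a:
            f = parse_fields(a['fields'])
            ev['avc'].append({
                'perms': frozenset(a['perms'].split()),
                'source': type_of(f['scontext']), 'target': type_of(f['tcontext']),
                'tclass': f['tclass'], 'name': f.get('name', ''),
                # permissive= is absent from the 2017 records quoted in the report;
                # only an explicit permissive=1 means the access actually went through
                'enforced': f.get('permissive') != '1'})
        elif m['type'] == 'SYSCALL':
            ev['syscall'] = parse_fields(body)
        elif m['type'] == 'PROCTITLE':
            ev['argv'] = decode_proctitle(body.split('=', 1)[1])
    return dict(events)

def object_path(avc, argv):
    """Full path of the denied object, if one of the process's arguments names it."""
    for arg in argv:
        if arg.startswith('/') and arg.rsplit('/', 1)[-1] == avc['name']:
            return arg
    return None

def allow_rules(events):
    """One rule per (source, target, class) with the union of denied permissions: the
    same collapsing audit2allow does, so one module covers every quoted denial."""
    perms = defaultdict(set)
    for ev in events.values():
        for a in ev['avc']:
            perms[(a['source'], a['target'], a['tclass'])] |= a['perms']
    rules = []
    for (src, tgt, cls), p in sorted(perms.items()):
        text = ' '.join(sorted(p))
        if len(p) > 1:
            text = '{ ' + text + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {text};')
    return rules

def label_checks(events):
    """For file/dir denials with a recoverable path: the dry run to do before trusting
    a policy module.  If restorecon -nv wants to relabel, the bug is the label."""
    cmds = set()
    for ev in events.values():
        for a in ev['avc']:
            path = object_path(a, ev['argv']) if a['tclass'] in ('file', 'dir') else None
            if path:
                cmds.add(f'restorecon -nv {path}')
    return sorted(cmds)

# Constructed: argv joined by NUL and hex-encoded, as auditd writes a raw proctitle.
RAW_ARGV_HEX = 'chmod\x00600\x00/etc/sysconfig/iptables.save'.encode().hex().upper()
SAMPLE = """type=AVC msg=audit(1484321818.514:30931): avc: denied { setattr } for pid=14042 comm="chmod" name="iptables.save" dev="dm-0" ino=35288115 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC msg=audit(1484321818.521:30937): avc: denied { execute } for pid=14011 comm="ip6tables.init" name="plymouth" dev="dm-0" ino=67870175 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:plymouth_exec_t:s0 tclass=file
type=AVC msg=audit(1484321838.681:15): avc: denied { read } for pid=723 comm="ip6tables.init" name="modprobe.d" dev="dm-0" ino=34095125 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=PROCTITLE msg=audit(05/23/2020 16:15:51.998:2285) : proctitle=chmod 600 /etc/sysconfig/iptables.save
type=AVC msg=audit(05/23/2020 16:15:51.998:2285) : avc: denied { setattr } for pid=5891 comm=chmod name=iptables.save dev="sda1" ino=63210 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file permissive=0
type=AVC msg=audit(1590250917.427:2394): avc: denied { setattr } for pid=6199 comm="chmod" name="iptables.save" dev="sda1" ino=63210 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1590250917.427:2394): arch=x86_64 syscall=fchmodat success=no exit=EACCES a0=ffffffffffffff9c a1=23600f0 a2=180 a3=7ffd5bca58a0 items=0 ppid=6187 pid=6199 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=chmod exe=/usr/bin/chmod subj=system_u:system_r:iptables_t:s0 key=(null)
type=PROCTITLE msg=audit(1590250917.427:2394): proctitle=RAW_ARGV_HEX
""".replace('RAW_ARGV_HEX', RAW_ARGV_HEX)

if __name__ == '__main__':
    evs = parse_events(SAMPLE)
    print(*allow_rules(evs), *('check first: ' + c for c in label_checks(evs)), sep='\n')
```

If `restorecon -nv` prints a relabel for the path, fix the label (restorecon without -n, or a persistent file-context rule via `semanage fcontext`) rather than installing the module; if it prints nothing, the file already carries the label policy intends and the missing rule is a policy bug, which is what the sealert text quoted above says to report.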

Issue History

Date Modified Username Field Change
2017-01-13 16:50 feehans New Issue
2020-05-23 20:12 ryencoke Note Added: 0036979
2020-05-23 20:37 ryencoke Note Added: 0036980