View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0012648 | CentOS-7 | selinux-policy | public | 2017-01-13 16:50 | 2020-05-23 20:37 |

| Field | Value |
|---|---|
| Reporter | feehans |
| Assigned To | |
| Priority | normal |
| Severity | major |
| Reproducibility | always |
| Status | new |
| Resolution | open |
| OS | CentOS 7 |
| OS Version | 7.3.1611 |
| Product Version | 7.3.1611 |
| Summary | 0012648: selinux denies for iptables.init |
Description:

After the update to 7.3.1611, on reboot SELinux logs:

```
type=AVC msg=audit(1484321818.514:30931): avc: denied { setattr } for pid=14042 comm="chmod" name="iptables.save" dev="dm-0" ino=35288115 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC msg=audit(1484321818.516:30932): avc: denied { execute } for pid=14010 comm="iptables.init" name="plymouth" dev="dm-0" ino=67870175 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:plymouth_exec_t:s0 tclass=file
type=AVC msg=audit(1484321818.521:30937): avc: denied { execute } for pid=14011 comm="ip6tables.init" name="plymouth" dev="dm-0" ino=67870175 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:plymouth_exec_t:s0 tclass=file
type=AVC msg=audit(1484321818.525:30942): avc: denied { execute } for pid=14011 comm="ip6tables.init" name="plymouth" dev="dm-0" ino=67870175 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:plymouth_exec_t:s0 tclass=file
type=AVC msg=audit(1484321838.681:15): avc: denied { read } for pid=723 comm="ip6tables.init" name="modprobe.d" dev="dm-0" ino=34095125 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
```

| Field | Value |
|---|---|
| Steps To Reproduce | Set SELinux to enforcing and reboot. |
| Tags | No tags attached. |
| abrt_hash | |
| URL | |
Also have the same issue in the latest CentOS 7 release, CentOS 7.8. iptables never saves the config after running save a 2nd time (when the /etc/sysconfig/iptables.save file exists). Reproduce by saving the iptables.save file, either by changing the relevant /etc/sysconfig/iptables-config settings or by running `/usr/libexec/iptables/iptables.init save`.

Details:

```
ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -i|tail
----
type=PROCTITLE msg=audit(05/23/2020 16:15:51.998:2285) : proctitle=chmod 600 /etc/sysconfig/iptables.save
type=SYSCALL msg=audit(05/23/2020 16:15:51.998:2285) : arch=x86_64 syscall=fchmodat success=no exit=EACCES(Permission denied) a0=0xffffffffffffff9c a1=0x192b0f0 a2=0600 a3=0x7fff8e109a20 items=0 ppid=5879 pid=5891 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chmod exe=/usr/bin/chmod subj=system_u:system_r:iptables_t:s0 key=(null)
type=AVC msg=audit(05/23/2020 16:15:51.998:2285) : avc: denied { setattr } for pid=5891 comm=chmod name=iptables.save dev="sda1" ino=63210 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file permissive=0
```

```
journalctl -t setroubleshoot --since=16:00
May 23 16:21:58 centos7 setroubleshoot[6207]: SELinux is preventing /usr/bin/chmod from setattr access on the file iptables.save. For complete SELinux messages run: sealert -l 86281ed4-8d01-464e-8ef4-dd5a1af6468c
```

```
sealert -l 86281ed4-8d01-464e-8ef4-dd5a1af6468c
SELinux is preventing /usr/bin/chmod from setattr access on the file iptables.save.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that chmod should be allowed setattr access on the iptables.save file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'chmod' --raw | audit2allow -M my-chmod
# semodule -i my-chmod.pp

Additional Information:
Source Context                system_u:system_r:iptables_t:s0
Target Context                system_u:object_r:etc_runtime_t:s0
Target Objects                iptables.save [ file ]
Source                        chmod
Source Path                   /usr/bin/chmod
Port                          <Unknown>
Host                          centos7
Source RPM Packages           coreutils-8.22-24.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-266.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     centos7
Platform                      Linux centos7 3.10.0-1127.8.2.el7.x86_64 #1 SMP Tue May 12 16:57:42 UTC 2020 x86_64 x86_64
Alert Count                   1
First Seen                    2020-05-23 16:21:57 UTC
Last Seen                     2020-05-23 16:21:57 UTC
Local ID                      86281ed4-8d01-464e-8ef4-dd5a1af6468c

Raw Audit Messages
type=AVC msg=audit(1590250917.427:2394): avc: denied { setattr } for pid=6199 comm="chmod" name="iptables.save" dev="sda1" ino=63210 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file permissive=0

type=SYSCALL msg=audit(1590250917.427:2394): arch=x86_64 syscall=fchmodat success=no exit=EACCES a0=ffffffffffffff9c a1=23600f0 a2=180 a3=7ffd5bca58a0 items=0 ppid=6187 pid=6199 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=chmod exe=/usr/bin/chmod subj=system_u:system_r:iptables_t:s0 key=(null)

Hash: chmod,iptables_t,etc_runtime_t,file,setattr
```

Workaround:

```
ausearch -c 'chmod' --raw | audit2allow -M my-chmod
semodule -i my-chmod.pp
```

For reference, the .te file contents:

```
cat my-chmod.te
module my-chmod 1.0;

require {
	type iptables_t;
	type etc_runtime_t;
	class file setattr;
}

#============= iptables_t ==============

#!!!! WARNING: 'etc_runtime_t' is a base type.
allow iptables_t etc_runtime_t:file setattr;
```

Impact: Saving the iptables rules a 2nd time will silently fail. So you think you are saving the iptables rules, but the save never happens, and anything added to the iptables rules will be lost on iptables service restart or reboot.
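The denial is easy to miss because `iptables.init save` does not report it; it only shows up in the audit log. The following is an added example (not code from the bug report or from the selinux-policy package) that parses AVC records in both the raw `audit.log` form and the `ausearch -i` interpreted form, groups them into the same `comm,source_type,target_type,class,perm` signature that the `Hash:` line of sealert prints, and flags the specific `iptables_t -> etc_runtime_t:file setattr` denial this report describes. The sample records are the ones quoted above; the list itself, and the function names `parse_avc_denials`, `signature`, `summarize` and `is_iptables_save_denial`, are constructed for this example.

```python
"""Parse SELinux AVC denial records and group them into sealert-style signatures."""
import re
from collections import Counter

# Sample records copied from the bug report above. The set is constructed for this
# example (it is not a complete audit.log); one PROCTITLE line is included to show
# that non-AVC records are skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1484321818.514:30931): avc: denied { setattr } for pid=14042 comm="chmod" name="iptables.save" dev="dm-0" ino=35288115 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC msg=audit(1484321818.516:30932): avc: denied { execute } for pid=14010 comm="iptables.init" name="plymouth" dev="dm-0" ino=67870175 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:plymouth_exec_t:s0 tclass=file
type=AVC msg=audit(1484321818.521:30937): avc: denied { execute } for pid=14011 comm="ip6tables.init" name="plymouth" dev="dm-0" ino=67870175 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:plymouth_exec_t:s0 tclass=file
type=AVC msg=audit(1484321818.525:30942): avc: denied { execute } for pid=14011 comm="ip6tables.init" name="plymouth" dev="dm-0" ino=67870175 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:plymouth_exec_t:s0 tclass=file
type=AVC msg=audit(1484321838.681:15): avc: denied { read } for pid=723 comm="ip6tables.init" name="modprobe.d" dev="dm-0" ino=34095125 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=PROCTITLE msg=audit(05/23/2020 16:15:51.998:2285) : proctitle=chmod 600 /etc/sysconfig/iptables.save
type=AVC msg=audit(05/23/2020 16:15:51.998:2285) : avc: denied { setattr } for pid=5891 comm=chmod name=iptables.save dev="sda1" ino=63210 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file permissive=0
type=AVC msg=audit(1590250917.427:2394): avc: denied { setattr } for pid=6199 comm="chmod" name="iptables.save" dev="sda1" ino=63210 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file permissive=0
"""

# Matches both "msg=audit(1484321818.514:30931): avc:" (raw) and
# "msg=audit(05/23/2020 16:15:51.998:2285) : avc:" (ausearch -i) forms.
AVC_RE = re.compile(
    r"^type=AVC\s+msg=audit\((?P<ts>[^)]*)\)\s*:\s*avc:\s+(?P<result>denied|granted)"
    r"\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values may be quoted (raw form) or bare (interpreted form).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _ctx_type(ctx):
    """Return the type component of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc_denials(text):
    """Return one dict per denied permission found in the AVC records of `text`."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m or m.group("result") != "denied":
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        # A record may list several permissions in the braces, e.g. { read write }.
        for perm in m.group("perms").split():
            out.append({
                "serial": m.group("ts").rsplit(":", 1)[-1],  # audit event serial
                "perm": perm,
                "comm": fields.get("comm", "?"),
                "name": fields.get("name", ""),
                "stype": _ctx_type(fields.get("scontext", "")),
                "ttype": _ctx_type(fields.get("tcontext", "")),
                "tclass": fields.get("tclass", "?"),
                # permissive=1 means the access was logged but not actually blocked
                "enforced": fields.get("permissive", "0") != "1",
            })
    return out


def signature(d):
    """Same shape as the 'Hash:' line sealert prints: comm,stype,ttype,tclass,perm."""
    return ",".join([d["comm"], d["stype"], d["ttype"], d["tclass"], d["perm"]])


def summarize(text):
    """Count distinct denial signatures in an audit extract."""
    return Counter(signature(d) for d in parse_avc_denials(text))


def is_iptables_save_denial(d):
    """True for the denial this report is about: the iptables_t domain may not
    setattr (chmod) a file labelled etc_runtime_t, i.e. /etc/sysconfig/iptables.save."""
    return (d["stype"] == "iptables_t" and d["ttype"] == "etc_runtime_t"
            and d["tclass"] == "file" and d["perm"] == "setattr")


if __name__ == "__main__":
    for sig, n in summarize(SAMPLE_AUDIT).most_common():
        print(f"{n:3d}  {sig}")
    hits = [d for d in parse_avc_denials(SAMPLE_AUDIT) if is_iptables_save_denial(d)]
    print(f"iptables.save denials: {len(hits)} (serials {[d['serial'] for d in hits]})")
```

Feeding it the output of `ausearch -m AVC --raw` (or `-i`) gives a per-signature count, so a recurring `chmod,iptables_t,etc_runtime_t,file,setattr` line after every rule save is the indicator to alert on; the `enforced` flag distinguishes a real block from a denial merely logged under a permissive domain, which matters because only the enforced case loses the saved rules.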