| View Issue Details [ Jump to Notes ] | [ Issue History ] [ Print ] | ||||||||
| ID | Project | Category | View Status | Date Submitted | Last Update | ||||
|---|---|---|---|---|---|---|---|---|---|
| 0006274 | CentOS-6 | selinux-policy | public | 2013-02-28 15:55 | 2014-01-02 18:46 | ||||
| Reporter | rsandu | ||||||||
| Priority | urgent | Severity | minor | Reproducibility | have not tried | ||||
| Status | resolved | Resolution | fixed | ||||||
| Product Version | 6.3 | ||||||||
| Target Version | Fixed in Version | 6.5 | |||||||
| Summary | 0006274: Recent SELinux update disables iptables firewall managed by Shorewall? | ||||||||
| Description | Hello, After recent updates (end February 2013) my firewall managed by Shorewall (http://www.shorewall.net) ceased to start. When doing: service shorewall restart the service does not start and I get, in /var/log/messages: Feb 28 17:26:25 mail1 shorewall[6124]: Compiling... Feb 28 17:26:25 mail1 shorewall[6124]: Processing /etc/shorewall/params ... Feb 28 17:26:25 mail1 shorewall[6124]: Processing /etc/shorewall/shorewall.conf... Feb 28 17:26:25 mail1 shorewall[6124]: Loading Modules... Feb 28 17:26:25 mail1 shorewall[6124]: ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system Feb 28 17:26:25 mail1 rsandu: ERROR:Shorewall restart failed By googling, it seems to be a SELinux issue: http://www.mail-archive.com/shorewall-users@lists.sourceforge.net/msg14885.html I've solved it by doing a touch /.autorelabel; reboot but it is pretty nasty, because it may *completely disable* firewwall/Shorewall on an unattended machine, if the machine gets a restart. Versions are: kernel-2.6.32-358.0.1.el6.x86_64 shorewall-4.5.4-1.el6.noarch (from EPEL) selinux-policy-targeted-3.7.19-195.el6_4.1.noarch Best regards, R?zvan | ||||||||
| Steps To Reproduce | Have not tried. | ||||||||
| Tags | No tags attached. | ||||||||
| Attached Files |
| ||||||||
 Relationships |
|
 Relationships |
| Notes |
|
|
tru (administrator) 2013-02-28 20:32 |
this workaround should be enough: restorecon -Rv /sbin It should catch: restorecon reset /sbin/iptables-multi-1.4.7 context system_u:object_r:bin_t:s0->system_u:object_r:iptables_exec_t:s0 restorecon reset /sbin/ip6tables-multi-1.4.7 context system_u:object_r:bin_t:s0->system_u:object_r:iptables_exec_t:s0 |
|
wolfy (developer) 2013-03-01 18:24 |
It was already reported upstream as https://bugzilla.redhat.com/show_bug.cgi?id=916727 |
|
tigalch (manager) 2014-01-02 18:46 |
Reported as SOLVED upstream with http://rhn.redhat.com/errata/RHBA-2013-1608.html |
| Notes |
| Issue History |
|||
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2013-02-28 15:55 | rsandu | New Issue | |
| 2013-02-28 20:32 | tru | Note Added: 0016564 | |
| 2013-03-01 18:24 | wolfy | Note Added: 0016570 | |
| 2014-01-02 18:46 | tigalch | Note Added: 0018754 | |
| 2014-01-02 18:46 | tigalch | Status | new => resolved |
| 2014-01-02 18:46 | tigalch | Fixed in Version | => 6.5 |
| 2014-01-02 18:46 | tigalch | Resolution | open => fixed |
| Issue History |
