0006274: Recent SELinux update disables iptables firewall managed by Shorewall? - CentOS Bug Tracker

ID	Project	Category	View Status	Date Submitted	Last Update

0006274	CentOS-6	selinux-policy	public	2013-02-28 15:55	2014-01-02 18:46

Reporter	rsandu	Assigned To
Priority	urgent	Severity	minor	Reproducibility	have not tried
Status	resolved	Resolution	fixed
Product Version	6.3
Fixed in Version	6.5

Summary	0006274: Recent SELinux update disables iptables firewall managed by Shorewall?
Description	Hello, After recent updates (end February 2013) my firewall managed by Shorewall (http://www.shorewall.net) ceased to start. When doing: service shorewall restart the service does not start and I get, in /var/log/messages: Feb 28 17:26:25 mail1 shorewall[6124]: Compiling... Feb 28 17:26:25 mail1 shorewall[6124]: Processing /etc/shorewall/params ... Feb 28 17:26:25 mail1 shorewall[6124]: Processing /etc/shorewall/shorewall.conf... Feb 28 17:26:25 mail1 shorewall[6124]: Loading Modules... Feb 28 17:26:25 mail1 shorewall[6124]: ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system Feb 28 17:26:25 mail1 rsandu: ERROR:Shorewall restart failed By googling, it seems to be a SELinux issue: http://www.mail-archive.com/shorewall-users@lists.sourceforge.net/msg14885.html I've solved it by doing a touch /.autorelabel; reboot but it is pretty nasty, because it may completely disable firewwall/Shorewall on an unattended machine, if the machine gets a restart. Versions are: kernel-2.6.32-358.0.1.el6.x86_64 shorewall-4.5.4-1.el6.noarch (from EPEL) selinux-policy-targeted-3.7.19-195.el6_4.1.noarch Best regards, R?zvan
Steps To Reproduce	Have not tried.
Tags	No tags attached.

tru 2013-02-28 20:32 administrator ~0016564	this workaround should be enough: restorecon -Rv /sbin It should catch: restorecon reset /sbin/iptables-multi-1.4.7 context system_u:object_r:bin_t:s0->system_u:object_r:iptables_exec_t:s0 restorecon reset /sbin/ip6tables-multi-1.4.7 context system_u:object_r:bin_t:s0->system_u:object_r:iptables_exec_t:s0

~~user1999~~ 2013-03-01 18:24 ~0016570	It was already reported upstream as https://bugzilla.redhat.com/show_bug.cgi?id=916727

tigalch 2014-01-02 18:46 manager ~0018754	Reported as SOLVED upstream with http://rhn.redhat.com/errata/RHBA-2013-1608.html

Date Modified	Username	Field	Change
2013-02-28 15:55	rsandu	New Issue
2013-02-28 20:32	tru	Note Added: 0016564
2013-03-01 18:24	~~user1999~~	Note Added: 0016570
2014-01-02 18:46	tigalch	Note Added: 0018754
2014-01-02 18:46	tigalch	Status	new => resolved
2014-01-02 18:46	tigalch	Fixed in Version	=> 6.5
2014-01-02 18:46	tigalch	Resolution	open => fixed