View Issue Details
Field | Value
---|---
ID | 0006274
Project | CentOS-6
Category | selinux-policy
View Status | public
Date Submitted | 2013-02-28 15:55
Last Update | 2014-01-02 18:46
Reporter | rsandu
Assigned To |
Priority | urgent
Severity | minor
Reproducibility | have not tried
Status | resolved
Resolution | fixed
Product Version | 6.3
Fixed in Version | 6.5
Summary | 0006274: Recent SELinux update disables iptables firewall managed by Shorewall?

Description

Hello,

After recent updates (end February 2013) my firewall managed by Shorewall (http://www.shorewall.net) ceased to start. When doing:

```
service shorewall restart
```

the service does not start and I get, in /var/log/messages:

```
Feb 28 17:26:25 mail1 shorewall[6124]: Compiling...
Feb 28 17:26:25 mail1 shorewall[6124]: Processing /etc/shorewall/params ...
Feb 28 17:26:25 mail1 shorewall[6124]: Processing /etc/shorewall/shorewall.conf...
Feb 28 17:26:25 mail1 shorewall[6124]: Loading Modules...
Feb 28 17:26:25 mail1 shorewall[6124]: ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system
Feb 28 17:26:25 mail1 rsandu: ERROR:Shorewall restart failed
```

By googling, it seems to be a SELinux issue: http://www.mail-archive.com/shorewall-users@lists.sourceforge.net/msg14885.html

I've solved it by doing a

```
touch /.autorelabel; reboot
```

but it is pretty nasty, because it may *completely disable* firewall/Shorewall on an unattended machine, if the machine gets a restart.

Versions are:

```
kernel-2.6.32-358.0.1.el6.x86_64
shorewall-4.5.4-1.el6.noarch (from EPEL)
selinux-policy-targeted-3.7.19-195.el6_4.1.noarch
```

Best regards,
Răzvan

Field | Value
---|---
Steps To Reproduce | Have not tried.
Tags | No tags attached.
This workaround should be enough:

```
restorecon -Rv /sbin
```

It should catch:

```
restorecon reset /sbin/iptables-multi-1.4.7 context system_u:object_r:bin_t:s0->system_u:object_r:iptables_exec_t:s0
restorecon reset /sbin/ip6tables-multi-1.4.7 context system_u:object_r:bin_t:s0->system_u:object_r:iptables_exec_t:s0
```

It was already reported upstream as https://bugzilla.redhat.com/show_bug.cgi?id=916727

Reported as SOLVED upstream with http://rhn.redhat.com/errata/RHBA-2013-1608.html
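Added example, not code from the issue or from Shorewall/CentOS: a POSIX shell check built around the workaround in the note above. It dry-runs restorecon (the -n flag reports mismatches without relabeling) over /sbin and lists any iptables binary still carrying the old bin_t label instead of iptables_exec_t, so an admin can spot the condition after a policy update and before a reboot instead of after the firewall fails to start. The SAMPLE text is constructed from the lines quoted in the note; the function names are this example's own.

```shell
#!/bin/sh
# Post-update SELinux label check for the netfilter binaries (illustrative script).
# restorecon -Rnv prints one "restorecon reset PATH context OLD->NEW" line per file
# whose on-disk label differs from what the current policy expects.

# Parse "restorecon reset PATH context OLD->NEW" lines from stdin and emit
# "PATH OLD NEW" (space separated); any other line is dropped.
parse_restorecon_resets() {
    sed -n 's/^restorecon reset \(.*\) context \(.*\)->\(.*\)$/\1 \2 \3/p'
}

# From parsed lines on stdin, report the iptables/ip6tables binaries that the
# policy wants labelled iptables_exec_t but which still carry another type.
mislabeled_iptables() {
    while read -r path old new; do
        case "$path" in
            */iptables*|*/ip6tables*) ;;   # only the netfilter tools matter here
            *) continue ;;
        esac
        case "$new" in
            *:iptables_exec_t:*) printf '%s is %s, policy wants %s\n' "$path" "$old" "$new" ;;
        esac
    done
}

# Live check on this machine. Returns 0 if every iptables binary under /sbin is
# labelled as the policy expects, 1 if at least one is not (fix: restorecon -Rv /sbin),
# 2 if restorecon is not installed (no SELinux userland on this box).
check_iptables_labels() {
    command -v restorecon >/dev/null 2>&1 || return 2
    found=$(restorecon -Rnv /sbin 2>/dev/null | parse_restorecon_resets | mislabeled_iptables)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Constructed sample: the two lines quoted in the note plus an unrelated relabel,
# which the filter must ignore.
SAMPLE='restorecon reset /sbin/iptables-multi-1.4.7 context system_u:object_r:bin_t:s0->system_u:object_r:iptables_exec_t:s0
restorecon reset /sbin/ip6tables-multi-1.4.7 context system_u:object_r:bin_t:s0->system_u:object_r:iptables_exec_t:s0
restorecon reset /sbin/ifconfig context system_u:object_r:bin_t:s0->system_u:object_r:ifconfig_exec_t:s0'

# Offline demonstration on the sample (the live check is check_iptables_labels).
printf '%s\n' "$SAMPLE" | parse_restorecon_resets | mislabeled_iptables
```

On a CentOS 6 host, `check_iptables_labels; echo $?` gives the dry-run verdict without touching any label; only `restorecon -Rv /sbin` (the note's fix) changes them.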
Date Modified | Username | Field | Change |
---|---|---|---|
2013-02-28 15:55 | rsandu | New Issue | |
2013-02-28 20:32 | tru | Note Added: 0016564 | |
2013-03-01 18:24 | | Note Added: 0016570 | |
2014-01-02 18:46 | tigalch | Note Added: 0018754 | |
2014-01-02 18:46 | tigalch | Status | new => resolved |
2014-01-02 18:46 | tigalch | Fixed in Version | => 6.5 |
2014-01-02 18:46 | tigalch | Resolution | open => fixed |