[CentOS] RedHat 6.5 - ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system - NEW CRAZY BUG

Wed Aug 27 17:43:33 UTC 2014
News <news at scasrl.it>

Il 26/02/2013 19.24, News ha scritto:
> Il 25/02/2013 12.28, Simon Matter ha scritto:
>>> Hello to the list,
>>> I updated a RedHat server from 6.3 to 6.4 and installed the latest shorewall
>>> rpm 4.5.13.0-1.el6. After this shorewall does not start at boot and shows the
>>> error ERROR: Your kernel/iptables do not include state match support. No
>>> version of Shorewall will run on this system. After the boot I can start
>>> shorewall by hand.
>>
>> Could it be a problem with SELinux?
>>
>> Simon
>>
>>> What can I do?
>>> Thanks to everybody
>>>
>>> Amedeo
>
> Here from the shorewall newsletter...
>
> Simon, you're a magician!!!!!
> The update changed the SELinux labels of iptables; after resetting them it's all OK.
> I think that when people update from CentOS 6.3 to CentOS 6.4 the world stops.
> Here are the commands:
>
> restorecon -Rv /sbin
> restorecon reset /sbin/iptables-multi-1.4.7 context system_u:object_r:bin_t:s0->system_u:object_r:iptables_exec_t:s0
> restorecon reset /sbin/ip6tables-multi-1.4.7 context system_u:object_r:bin_t:s0->system_u:object_r:iptables_exec_t:s0
>
> Thanks sooo much
> Amedeo
>

Hello to the list,

I start from here because there is some news; this is the story:

I upgraded one server from CentOS 6.3 to 6.5 and the problem described above came back again, so I used
restorecon -Rv /sbin
but there was no output, which was strange. I rebooted the server and shorewall wouldn't start again; I tried some hacks but nothing worked.
So I tried to change SELinux to permissive mode and shorewall STARTED!!
I looked at the files:

ls -Z /sbin/ip*

and the surprise:

-rwxr-xr-x. root root unconfined_u:object_r:bin_t:s0 /sbin/ip6tables-multi-1.4.7
-rwxr-xr-x. root root unconfined_u:object_r:bin_t:s0 /sbin/iptables-multi-1.4.7

The SELinux label was wrong, so I looked in the /etc/selinux/targeted/contexts/files/file_contexts file for the label:

cat /etc/selinux/targeted/contexts/files/file_contexts | grep ip

and I didn't find anything. This was very, very strange, so I opened the file manually and SURPRISE!! What I found:

/sbin/ebtables  --      system_u:object_r:iptables_exec_t:s0
/sbin/ebtables-restore  --      system_u:object_r:iptables_exec_t:s0

Look!! ebtables and not iptables... If I use restorecon -Rv /sbin it does not work because the label was wrong...
I found the same problem on a server running RedHat 6.5, but it had not come out because I had upgraded from 6.4 to 6.5.

[FIX]
I relabeled the two files manually with these commands:
chcon -t iptables_exec_t /sbin/iptables-multi-1.4.7
chcon -t iptables_exec_t /sbin/ip6tables-multi-1.4.7
but I hope that /etc/selinux/targeted/contexts/files/file_contexts will be updated soon.

I hope that this can help someone.
Thanks
Amedeo
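As an added example (not part of the original post), here is a small POSIX shell check for the situation described in this thread: it reports iptables binaries whose SELinux type is not iptables_exec_t, and tells whether file_contexts has any rule matching a given path (so you know whether restorecon can help or chcon is needed). The `ls -Z` and file_contexts samples are constructed to mirror the post; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post.

# Constructed sample of `ls -Z /sbin/ip*` output, mirroring the post.
SAMPLE_LS_Z='-rwxr-xr-x. root root unconfined_u:object_r:bin_t:s0 /sbin/ip6tables-multi-1.4.7
-rwxr-xr-x. root root unconfined_u:object_r:bin_t:s0 /sbin/iptables-multi-1.4.7
-rwxr-xr-x. root root system_u:object_r:iptables_exec_t:s0 /sbin/iptables'

# Constructed sample of file_contexts lines (ebtables only, as in the post).
SAMPLE_FILE_CONTEXTS='/sbin/ebtables  --      system_u:object_r:iptables_exec_t:s0
/sbin/ebtables-restore  --      system_u:object_r:iptables_exec_t:s0'

# mislabeled_iptables LS_Z_OUTPUT
# Prints each path matching /ip[6]tables whose context type (the third
# colon-separated field of the user:role:type:level context) is not
# iptables_exec_t. The context field is located by its "object_r" role, so
# both the old "perms owner group context path" layout and the newer
# "context path" layout of ls -Z are handled.
mislabeled_iptables() {
    printf '%s\n' "$1" | awk '
        $NF ~ /\/ip6?tables/ {
            for (i = 1; i < NF; i++) {
                if (split($i, ctx, ":") >= 3 && ctx[2] == "object_r") {
                    if (ctx[3] != "iptables_exec_t") print $NF
                    break
                }
            }
        }'
}

# file_contexts_has_rule FILE_CONTEXTS_TEXT PATH
# Exit 0 if some file_contexts regex (first column, implicitly anchored at
# both ends as the policy matcher treats it) matches PATH, else exit 1.
# When this fails for a path, restorecon has nothing to restore from, which
# is why the post had to fall back to chcon.
file_contexts_has_rule() {
    printf '%s\n' "$1" | awk -v path="$2" '
        !/^#/ && NF >= 2 { if (path ~ ("^" $1 "$")) found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_live_system: on a real SELinux host, list mislabeled iptables
# binaries under /sbin (not exercised offline).
check_live_system() {
    mislabeled_iptables "$(ls -lZ /sbin/ip*tables* 2>/dev/null)"
}
```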