On 26/02/2013 19.24, News wrote:
On 25/02/2013 12.28, Simon Matter wrote:
Hello to the list, I updated a RedHat server from 6.3 to 6.4 and installed the latest shorewall rpm 4.5.13.0-1.el6. After this shorewall does not start at boot and shows the error "ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system". After the boot I can start shorewall by hand.
Could it be a problem with SELinux?
Simon
What can I do? Thanks to everybody
Amedeo
Here from the shorewall newsletter...............
Simon, you're a magician!!!!! The update changed the SELinux labels of iptables; after resetting them it's all OK.... I think that when people update from CentOS 6.3 to CentOS 6.4 the world stops. Here are the commands:
restorecon -Rv /sbin
restorecon reset /sbin/iptables-multi-1.4.7 context system_u:object_r:bin_t:s0->system_u:object_r:iptables_exec_t:s0
restorecon reset /sbin/ip6tables-multi-1.4.7 context system_u:object_r:bin_t:s0->system_u:object_r:iptables_exec_t:s0
Thanks sooo much Amedeo
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Hello to the list,
I start from here because there is some news; this is the story:
I upgraded one server from CentOS 6.3 to 6.5 and the problem described above came back again, so I used restorecon -Rv /sbin but there was no output. This was strange. I rebooted the server and shorewall wouldn't start again; I tried some hacks but nothing. So I tried changing SELinux to permissive mode and shorewall STARTED!! I looked at the files:
ls -Z /sbin/ip*
and the surprise
-rwxr-xr-x. root root unconfined_u:object_r:bin_t:s0 /sbin/ip6tables-multi-1.4.7
-rwxr-xr-x. root root unconfined_u:object_r:bin_t:s0 /sbin/iptables-multi-1.4.7
The SELinux label was wrong, so I looked in the /etc/selinux/targeted/contexts/files/file_contexts file for the label:
cat /etc/selinux/targeted/contexts/files/file_contexts | grep ip
and I didn't find anything. This was very, very strange, so I opened the file manually and SURPRISE!! This is what I found:
/sbin/ebtables -- system_u:object_r:iptables_exec_t:s0
/sbin/ebtables-restore -- system_u:object_r:iptables_exec_t:s0
Look!! ebtables and not iptables... Using restorecon -Rv /sbin did not work because the label was wrong..... I found the same problem on a server running RedHat 6.5, but it had not come out because I had upgraded from 6.4 to 6.5.
[FIX] I relabeled the two files manually with these commands:
chcon -t iptables_exec_t /sbin/iptables-multi-1.4.7
chcon -t iptables_exec_t /sbin/ip6tables-multi-1.4.7
but I hope that /etc/selinux/targeted/contexts/files/file_contexts will be updated soon.
I hope that this can help someone
Thanks
Amedeo
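
Added example, not part of the original thread: restorecon takes its answer from file_contexts, so when that file lacks the iptables entry, as in the message above, it reports nothing to fix. This sketch checks the labels against a fixed expected type instead; the function names, the script name and the sample ebtables lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag iptables binaries whose SELinux
# type is not the expected one, by parsing `ls -Z` output directly.

EXPECTED_TYPE="iptables_exec_t"   # type the thread reports as correct

# mislabeled: read `ls -Z` lines on stdin, print "path type" for every file
# whose type differs from EXPECTED_TYPE. Exit status 1 if any were found.
# Works with the EL6 long format (mode owner group context path) and the
# short format (context path): the context is the first user:role:type field.
mislabeled() {
    awk -v want="$EXPECTED_TYPE" '
        {
            ctx = ""
            for (i = 1; i < NF; i++)
                if ($i ~ /^[^:]+:[^:]+:[^:]+/) { ctx = $i; break }
            if (ctx == "") next          # not an ls -Z line
            split(ctx, f, ":")
            if (f[3] != want) { print $NF, f[3]; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }'
}

# Constructed sample: the two bin_t lines are the ones quoted in the thread,
# the two ebtables lines are made up to show correctly labelled files.
sample_ls_z() {
    cat <<'EOF'
-rwxr-xr-x. root root unconfined_u:object_r:bin_t:s0 /sbin/ip6tables-multi-1.4.7
-rwxr-xr-x. root root unconfined_u:object_r:bin_t:s0 /sbin/iptables-multi-1.4.7
-rwxr-xr-x. root root system_u:object_r:iptables_exec_t:s0 /sbin/ebtables
system_u:object_r:iptables_exec_t:s0 /sbin/ebtables-restore
EOF
}

# Run against the live system with:  sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    ls -Z /sbin/ip*tables-multi* | mislabeled
fi
```

A label set with chcon is reverted to whatever file_contexts says on the next restorecon or full relabel. Recording the rule with semanage fcontext -a -t iptables_exec_t for the affected paths and then running restorecon makes it persistent.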