[CentOS-docs] Re: IPTables HowTo (Comment)

Mon Aug 25 13:39:23 UTC 2008
Ned Slider <ned at unixmail.co.uk>

Manuel Wolfshant wrote:
> Ned Slider wrote:
>> SELinux doesn't like this approach either >:)
> worked like a breeze here:
> [root at pc39 ~]# echo 'service iptables stop' | at now + 1 minutes
> job 2 at 2008-08-25 16:02
> [root at pc39 ~]# service iptables status
> Table: nat
> Chain PREROUTING (policy ACCEPT)
> num  target     prot opt source               destination
> num  target     prot opt source               destination
> 1    MASQUERADE  all  --
> [...]
> [root at pc39 ~]# date
> Mon Aug 25 16:01:47 EEST 2008
> [root at pc39 ~]# service iptables status
> Firewall is stopped.
> [root at pc39 ~]# date
> Mon Aug 25 16:03:42 EEST 2008
> [root at pc39 ~]# getenforce
> Enforcing
> What error did you get ?

Here you go:


SELinux is preventing the iptables from using potentially mislabeled files

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux has denied iptables access to potentially mislabeled file(s)
(2F746D702F73682D7468642D31323139363839303737202864656C6574656429). This means
that SELinux will not allow iptables to use these files. It is common for users
to edit files in their home directory or tmp directories and then move (mv) them
to system directories. The problem is that the files end up with the wrong file
context which confined applications are not allowed to access.

Allowing Access:

If you want iptables to access these files, you need to relabel them using
restorecon -v '2F746D702F73682D7468642D31323139363839303737202864656C6574656429'.
You might want to relabel the entire directory using restorecon -R -v ''.

Additional Information:

Source Context                root:system_r:iptables_t
Target Context                root:object_r:tmp_t
Target Objects 
                               656C6574656429 [ file ]
Source                        iptables
Source Path                   /sbin/iptables
Port                          <Unknown>
Host                          Quad
Source RPM Packages           iptables-1.3.5-4.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-137.1.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   home_tmp_bad_labels
Host Name                     Quad
Platform                      Linux Quad 2.6.18-92.1.10.el5 #1 SMP Tue Aug 5
                               07:42:41 EDT 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Mon Aug 25 13:32:00 2008
Last Seen                     Mon Aug 25 13:32:00 2008
Local ID                      3bc60583-05fc-4f9b-881e-a98a01bbe491
Line Numbers

Raw Audit Messages

host=Quad type=AVC msg=audit(1219667520.880:7319): avc:  denied  { read } for  pid=25422 comm="iptables" dev=sda6 ino=35423960 scontext=root:system_r:iptables_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=file

host=Quad type=AVC msg=audit(1219667520.880:7319): avc:  denied  { write } for  pid=25422 comm="iptables" path="/var/spool/at/spool/a0000901362d70" dev=sda6 ino=39551902 tcontext=system_u:object_r:cron_spool_t:s0 tclass=file

host=Quad type=SYSCALL msg=audit(1219667520.880:7319): arch=c000003e syscall=59 success=yes exit=0 a0=159348e0 a1=159342c0 a2=15903c00 a3=8 items=0 ppid=25411 pid=25422 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=533 comm="iptables" exe="/sbin/iptables" subj=root:system_r:iptables_t:s0 key=(null)
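The hex string in the alert above is the audit subsystem's encoding of a file name that contains a space (the kernel hex-encodes such values instead of quoting them); it decodes to a bash here-document temp file under /tmp. The following is an added example, not part of the thread, that triages raw AVC records the way a defender would: it decodes hex-encoded name/path fields and extracts the source domain, target type and denied permissions. The sample records are constructed, modelled on the ones quoted in the message.

```python
import re
from dataclasses import dataclass

# Fields the kernel hex-encodes (uppercase hex, unquoted) when the value contains
# a space, a quote or a non-printable byte; plain values arrive double-quoted.
# Other bare fields (e.g. ino=35423960) look like hex but must NOT be decoded.
HEX_ENCODED_FIELDS = {"name", "path", "comm", "exe", "cwd", "proctitle"}

# Constructed sample log, modelled on the thread's AVC records (one record per line).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1219667520.880:7319): avc:  denied  { read } for  pid=25422 comm="iptables" name=2F746D702F73682D7468642D31323139363839303737202864656C6574656429 dev=sda6 ino=35423960 scontext=root:system_r:iptables_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1219667520.880:7319): avc:  denied  { write } for  pid=25422 comm="iptables" path="/var/spool/at/spool/a0000901362d70" dev=sda6 ino=39551902 scontext=root:system_r:iptables_t:s0 tcontext=system_u:object_r:cron_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1219667520.880:7319): arch=c000003e syscall=59 success=yes exit=0 comm="iptables" exe="/sbin/iptables"
"""

_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_AVC = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')


@dataclass
class AvcDenial:
    perms: tuple      # denied permissions, e.g. ("read",)
    comm: str
    target: str       # decoded name/path, or "<unknown>"
    scontext: str
    tcontext: str
    tclass: str

    def ttype(self):
        """Type component of the target context, e.g. tmp_t."""
        return self.tcontext.split(":")[2]


def decode_value(key, raw):
    """Strip quotes, or hex-decode fields that audit encodes that way."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in HEX_ENCODED_FIELDS and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_avc(line):
    """Return an AvcDenial for a type=AVC denial record, else None."""
    m = _AVC.search(line)
    if "type=AVC" not in line or not m or m.group(1) != "denied":
        return None
    fields = {k: decode_value(k, v) for k, v in _KV.findall(line)}
    return AvcDenial(
        perms=tuple(m.group(2).split()),
        comm=fields.get("comm", "?"),
        target=fields.get("path") or fields.get("name") or "<unknown>",
        scontext=fields.get("scontext", "?"),
        tcontext=fields.get("tcontext", "?"),
        tclass=fields.get("tclass", "?"),
    )


def summarize(log):
    """All denials in a log, one AvcDenial per type=AVC denied record."""
    return [d for d in map(parse_avc, log.splitlines()) if d]
```

Running `summarize(SAMPLE_AUDIT)` shows the two denials on tmp_t and cron_spool_t targets, which is what points at the mislabeled-file plugin (home_tmp_bad_labels) rather than at the iptables policy itself.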