Manuel Wolfshant wrote:
> Ned Slider wrote:
>>
>> SELinux doesn't like this approach either >:)
> worked like a breeze here:
> [root at pc39 ~]# echo 'service iptables stop' | at now + 1 minutes
> job 2 at 2008-08-25 16:02
> [root at pc39 ~]# service iptables status
> Table: nat
> Chain PREROUTING (policy ACCEPT)
> num  target     prot opt source               destination
>
> Chain POSTROUTING (policy ACCEPT)
> num  target     prot opt source               destination
> 1    MASQUERADE  all  --  192.168.122.0/24     0.0.0.0/0
>
> [...]
> [root at pc39 ~]# date
> Mon Aug 25 16:01:47 EEST 2008
> [root at pc39 ~]# service iptables status
> Firewall is stopped.
> [root at pc39 ~]# date
> Mon Aug 25 16:03:42 EEST 2008
> [root at pc39 ~]# getenforce
> Enforcing
>
>
> What error did you get ?

Here you go:

Summary:
    SELinux is preventing the iptables from using potentially mislabeled files
    (2F746D702F73682D7468642D31323139363839303737202864656C6574656429).

Detailed Description:
    [SELinux is in permissive mode, the operation would have been denied but
    was permitted due to permissive mode.]

    SELinux has denied iptables access to potentially mislabeled file(s)
    (2F746D702F73682D7468642D31323139363839303737202864656C6574656429). This
    means that SELinux will not allow iptables to use these files. It is
    common for users to edit files in their home directory or tmp directories
    and then move (mv) them to system directories. The problem is that the
    files end up with the wrong file context which confined applications are
    not allowed to access.

Allowing Access:
    If you want iptables to access this files, you need to relabel them using
    restorecon -v '2F746D702F73682D7468642D31323139363839303737202864656C6574656429'.
    You might want to relabel the entire directory using restorecon -R -v ''.

Additional Information:

Source Context                root:system_r:iptables_t
Target Context                root:object_r:tmp_t
Target Objects                2F746D702F73682D7468642D31323139363839303737202864656C6574656429
                              [ file ]
Source                        iptables
Source Path                   /sbin/iptables
Port                          <Unknown>
Host                          Quad
Source RPM Packages           iptables-1.3.5-4.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-137.1.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   home_tmp_bad_labels
Host Name                     Quad
Platform                      Linux Quad 2.6.18-92.1.10.el5 #1 SMP Tue Aug 5
                              07:42:41 EDT 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Mon Aug 25 13:32:00 2008
Last Seen                     Mon Aug 25 13:32:00 2008
Local ID                      3bc60583-05fc-4f9b-881e-a98a01bbe491
Line Numbers

Raw Audit Messages

host=Quad type=AVC msg=audit(1219667520.880:7319): avc: denied { read } for pid=25422 comm="iptables" path=2F746D702F73682D7468642D31323139363839303737202864656C6574656429 dev=sda6 ino=35423960 scontext=root:system_r:iptables_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=file

host=Quad type=AVC msg=audit(1219667520.880:7319): avc: denied { write } for pid=25422 comm="iptables" path="/var/spool/at/spool/a0000901362d70" dev=sda6 ino=39551902 scontext=root:system_r:iptables_t:s0 tcontext=system_u:object_r:cron_spool_t:s0 tclass=file

host=Quad type=SYSCALL msg=audit(1219667520.880:7319): arch=c000003e syscall=59 success=yes exit=0 a0=159348e0 a1=159342c0 a2=15903c00 a3=8 items=0 ppid=25411 pid=25422 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=533 comm="iptables" exe="/sbin/iptables" subj=root:system_r:iptables_t:s0 key=(null)
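The raw audit messages at the end of the report are the part a defender actually has to read, and the path= field in the first AVC record is hex-encoded: the kernel audit subsystem emits a string field as unquoted uppercase hex when the value contains a space, quote or non-printable byte, and as a quoted "..." string otherwise. Below is an added Python example, not part of this thread and not setroubleshoot's or audit's own code, that parses the three records above (the one-record-per-line layout is an assumption of the example), decodes unquoted hex only for fields the audit subsystem is known to hex-encode (so numeric fields such as ino= are never mangled), groups records by their audit(timestamp:serial) event id, and condenses the event into which binary, in which domain, was denied which permission on which object. Decoding the path gives "/tmp/sh-thd-1219689077 (deleted)"; sh-thd- is the prefix bash uses for here-document temporary files, which suggests the denied read is on a shell here-document fed to iptables rather than on a file someone moved out of a home directory, as the home_tmp_bad_labels plugin text guesses.

```python
"""Parse Linux audit AVC/SYSCALL records and decode hex-encoded string fields."""
import re
from collections import OrderedDict

# Constructed sample input: the three raw audit records from the report above,
# one record per line (the line breaks are an assumption of this example).
SAMPLE_RECORDS = """\
host=Quad type=AVC msg=audit(1219667520.880:7319): avc: denied { read } for pid=25422 comm="iptables" path=2F746D702F73682D7468642D31323139363839303737202864656C6574656429 dev=sda6 ino=35423960 scontext=root:system_r:iptables_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=file
host=Quad type=AVC msg=audit(1219667520.880:7319): avc: denied { write } for pid=25422 comm="iptables" path="/var/spool/at/spool/a0000901362d70" dev=sda6 ino=39551902 scontext=root:system_r:iptables_t:s0 tcontext=system_u:object_r:cron_spool_t:s0 tclass=file
host=Quad type=SYSCALL msg=audit(1219667520.880:7319): arch=c000003e syscall=59 success=yes exit=0 a0=159348e0 a1=159342c0 a2=15903c00 a3=8 items=0 ppid=25411 pid=25422 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=533 comm="iptables" exe="/sbin/iptables" subj=root:system_r:iptables_t:s0 key=(null)
"""

# String fields the kernel emits either quoted ("...") or, when the value holds a
# space, quote or non-printable byte, as unquoted uppercase hex. Numeric fields
# (ino, pid, ...) are deliberately not in this set and are never hex-decoded.
HEX_CAPABLE_FIELDS = {"path", "name", "comm", "exe", "cwd", "proctitle"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')
HEX_RE = re.compile(r'^(?:[0-9A-F]{2})+$')


def decode_field(name, raw):
    """Return (value, was_hex) for one key=value token of an audit record."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1], False
    if name in HEX_CAPABLE_FIELDS and HEX_RE.match(raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace"), True
    return raw, False


def parse_record(line):
    """Parse one audit record into a dict of decoded fields plus metadata."""
    rec = {"decoded_fields": []}
    for name, raw in FIELD_RE.findall(line):
        value, was_hex = decode_field(name, raw)
        rec[name] = value
        if was_hex:
            rec["decoded_fields"].append(name)
    m = EVENT_RE.search(line)
    if m:
        rec["event_id"] = (m.group(1), m.group(2))  # (timestamp, serial)
    m = AVC_RE.search(line)
    if m:
        rec["avc"] = {"result": m.group(1), "permissions": m.group(2).split()}
    return rec


def parse_records(text):
    """Parse every non-empty line of text as one audit record."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def group_events(records):
    """Group records that share an audit(timestamp:serial) id, preserving order."""
    events = OrderedDict()
    for rec in records:
        events.setdefault(rec.get("event_id"), []).append(rec)
    return events


def summarize_event(records):
    """Condense one event: which binary, in which domain, was denied which
    permission on which object (path, target context, object class)."""
    summary = {"exe": None, "subject": None, "denied": []}
    for rec in records:
        if rec.get("type") == "SYSCALL":
            summary["exe"] = rec.get("exe")
            summary["subject"] = rec.get("subj")
        elif rec.get("type") == "AVC" and rec.get("avc", {}).get("result") == "denied":
            for perm in rec["avc"]["permissions"]:
                summary["denied"].append(
                    (perm, rec.get("path"), rec.get("tcontext"), rec.get("tclass")))
    return summary


if __name__ == "__main__":
    for event_id, recs in group_events(parse_records(SAMPLE_RECORDS)).items():
        s = summarize_event(recs)
        print(f"event {event_id[1]} at {event_id[0]}: {s['exe']} running as {s['subject']}")
        for perm, path, tcontext, tclass in s["denied"]:
            print(f"  denied {perm:5} on {tclass} {path!r} labelled {tcontext}")
```

Run as a script it prints one line per event and one per denial; the useful check it demonstrates is that hex decoding is keyed on the field name, not on whether the value happens to look like hex, which is the same rule ausearch -i applies and the reason an inode number is left untouched.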