Gentoo's init.d script for iptables saves the rules by default at shutdown to /var/lib/iptables/rules-save. The problem is that these files are labelled as var_lib_t, which does allow the script to touch the file (and create it) but not send any output to it, resulting in the file being left empty. This results in Gentoo's default configuration leaving the user without a working firewall if rebooted inside of SELinux. The same problem exists with ip6tables.

Reproducible: Always

Steps to Reproduce:
1. Make some iptables rules
2. run_init /etc/init.d/iptables save
   (for some reason targeted does not run 'run_init' by default, but that is a different bug)
3. cat /var/lib/iptables/rules-save

Actual Results:
Nothing. The file is completely empty.

Expected Results:
The rules you just made should be displayed.

I did try 'chcon -t iptables_t /var/lib/iptables -R' and after that '/etc/init.d/iptables save' works like it should.

I suggest adding an 'iptables_var_lib_t' context, making it writable by iptables, and by default labelling /var/lib/ip{,6}tables with it.

I considered setting this as "Critical" as the current configuration in the stable arch makes you lose your saved rules during shutdown/reboot.
Is there anyone working on this? Currently iptables does not work at all with SELinux by default as SELinux blocks all attempts for iptables-restore to do anything with /var/lib/iptables, even restore the rules at startup.
Xake, I'm not on the SELinux team and I'm not using SELinux. But could you suggest a solution for this problem (preferably in the form of a patch)?
(In reply to comment #0)
> Gentoo's init.d script for iptables saves the rules by default at shutdown to
> /var/lib/iptables/rules-save.
> The problem is that these files are labelled as var_lib_t, which does allow the
> script to touch the file (and create it) but not send any output to it,
> resulting in the file being left empty.
> This results in Gentoo's default configuration leaving the user without a
> working firewall if rebooted inside of SELinux.
>
> The same problem exists with ip6tables.
>
> Reproducible: Always
>
> Steps to Reproduce:
> 1. Make some iptables rules
> 2. run_init /etc/init.d/iptables save
> (for some reason targeted does not run 'run_init' by default, but that is a
> different bug)
> 3. cat /var/lib/iptables/rules-save
>
> Actual Results:
> Nothing. The file is completely empty.
>
> Expected Results:
> The rules you just made should be displayed.
>
> I did try 'chcon -t iptables_t /var/lib/iptables -R' and after that
> '/etc/init.d/iptables save' works like it should.
>
> I suggest adding an 'iptables_var_lib_t' context, making it writable by
> iptables, and by default labelling /var/lib/ip{,6}tables with it.
>
> I considered setting this as "Critical" as the current configuration in the
> stable arch makes you lose your saved rules during shutdown/reboot.

Try "/etc/init.d/iptables save" as root (with an actual root context, not su). It should prompt you for your root password and save the results.
Xake (or anyone else), do you still see this problem on your system? The affected SELinux domains have seen a few changes since and it's been years since this bug was last checked.
I do not have a system setup to test this with any longer.
I've made a quick test here: a simple install of iptables, and I made one rule:

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Then running /etc/init.d/iptables save indeed yields an empty file.

From reading the policy, the idea is that any save operation should be done towards a tmp file for initrc (initrc_tmp_t). I've changed the label for /var/lib/iptables from var_lib_t to initrc_tmp_t and things seem to work (file is created with content, no denials, ...).

I'm just wondering if we should just mark /var/lib/iptables as initrc_tmp_t and go on with things, or create an iptables_var_lib_t to which initrc has read/write rights (and iptables_t as well).
I can still confirm this, even with sysadm_r. This is what I get in avc.log...

avc: denied { read } for pid=1831 comm="iptables-restor" path="/var/lib/iptables/rules-save" dev=sda6 ino=202008 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:var_lib_t tclass=file
avc: denied { read } for pid=1832 comm="modprobe" path="/var/lib/iptables/rules-save" dev=sda6 ino=202008 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:var_lib_t tclass=file
avc: denied { getattr } for pid=1831 comm="iptables-restor" path="/var/lib/iptables/rules-save" dev=sda6 ino=202008 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:var_lib_t tclass=file
And if you change the context of the /var/lib/iptables location from var_lib_t to initrc_tmp_t ?
I'll try it asap and let you know... BTW, here are the logs during iptables rules save...

avc: denied { write } for pid=2954 comm="iptables-save" path="/var/lib/iptables/rules-save" dev=sda6 ino=202008 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:var_lib_t tclass=file
avc: denied { write } for pid=2955 comm="modprobe" path="/var/lib/iptables/rules-save" dev=sda6 ino=202008 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:var_lib_t tclass=file
avc: denied { getattr } for pid=2954 comm="iptables-save" path="/var/lib/iptables/rules-save" dev=sda6 ino=202008 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:var_lib_t tclass=file
During boot...

avc: denied { read } for pid=1944 comm="iptables-restor" path="/var/lib/iptables/rules-save" dev=sda6 ino=202008 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:var_lib_t tclass=file
avc: denied { read } for pid=1945 comm="modprobe" path="/var/lib/iptables/rules-save" dev=sda6 ino=202008 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:var_lib_t tclass=file
avc: denied { getattr } for pid=1944 comm="iptables-restor" path="/var/lib/iptables/rules-save" dev=sda6 ino=202008 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:var_lib_t tclass=file

I don't get anything during save, but I don't have any rules anyway. I think during boot we should do a restorecon in /etc/init.d/iptables, because even if we set the context it won't load it on reboot, I think...
A restorecon might not be necessary; if the directory is created all we need to know is which process(es) create it and then make sure their domains use the correct label. Yet, still, I'm wondering if I should use initrc_t or iptables_var_lib_t or something like that. I'll do a few tests here and let everyone know.
With:

~# semanage -a -t initrc_tmp_t "/var/lib/iptables(/.*)?"
~# restorecon -R /var/lib/iptables

I am able to work with iptables as it should: create rules, save them (rc-service iptables save), start/stop the iptables script, reboot (and verify that the rules are still available), ...

I will be adding this context on the next selinux-base-policy build.
that is, semanage fcontext -a ...
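As an added illustration (not code from this bug report, from Gentoo's policy, or from any of the commenters), the script below reduces AVC denials of the kind pasted in this bug to the (source type, target type, class, permission) tuples that a label or policy change has to address, lists which path carries which label, and emits the relabel commands that resolved the bug. The log lines are constructed copies of the denials quoted above so it runs offline; the function names are my own, and the semanage/restorecon lines are only printed, since they need an SELinux host with policycoreutils.

```shell
#!/bin/sh
# Added example, not part of the bug report: summarise AVC denials and
# derive the file-context fix. AVC_SAMPLE is a constructed copy of the
# denials quoted in this bug so the script runs without an SELinux host.

AVC_SAMPLE='avc: denied { write } for pid=2954 comm="iptables-save" path="/var/lib/iptables/rules-save" dev=sda6 ino=202008 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:var_lib_t tclass=file
avc: denied { write } for pid=2955 comm="modprobe" path="/var/lib/iptables/rules-save" dev=sda6 ino=202008 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:var_lib_t tclass=file
avc: denied { read } for pid=1944 comm="iptables-restor" path="/var/lib/iptables/rules-save" dev=sda6 ino=202008 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:var_lib_t tclass=file
avc: denied { getattr } for pid=1944 comm="iptables-restor" path="/var/lib/iptables/rules-save" dev=sda6 ino=202008 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:var_lib_t tclass=file'

# One line per distinct denial: "source_type target_type class permission".
# The type is the third field of a context (user:role:type[:range]).
summarize_avc() {
    printf '%s\n' "$1" | awk '
        /^avc: denied/ {
            perm = ""; s = ""; t = ""; c = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "{") perm = $(i + 1)
                if (sub(/^scontext=/, "", $i)) { split($i, a, ":"); s = a[3] }
                if (sub(/^tcontext=/, "", $i)) { split($i, a, ":"); t = a[3] }
                if (sub(/^tclass=/, "", $i)) c = $i
            }
            print s, t, c, perm
        }' | LC_ALL=C sort -u
}

# Which path carries which label. When every denial points at a generic
# type such as var_lib_t on a path the service owns, the fix is a file
# context for that path, not an allow rule in the domain.
denied_paths() {
    printf '%s\n' "$1" | awk '
        /^avc: denied/ {
            p = ""; t = ""
            for (i = 1; i <= NF; i++) {
                if (sub(/^path=/, "", $i)) { gsub(/"/, "", $i); p = $i }
                if (sub(/^tcontext=/, "", $i)) { split($i, a, ":"); t = a[3] }
            }
            print p, t
        }' | LC_ALL=C sort -u
}

# The fix from this bug as commands for the SELinux host (printed, not run):
# register a persistent file context, then apply it to the existing tree.
relabel_cmds() {
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$1" "$2"
    printf 'restorecon -Rv %s\n' "$2"
}

echo "== denials (source target class perm) =="
summarize_avc "$AVC_SAMPLE"
echo "== labels on the denied paths =="
denied_paths "$AVC_SAMPLE"
echo "== fix =="
relabel_cmds initrc_tmp_t /var/lib/iptables
```

On a live system the same functions can be fed `grep 'avc: denied' /var/log/avc.log` (or `ausearch -m avc --raw`), and `ls -Zd /var/lib/iptables` after the restorecon should show the new type; the summary also makes it visible that insmod_t (modprobe, spawned by iptables) hits the same file, so a domain-specific allow rule on iptables_t alone would not have been enough.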
Is in hardened-dev overlay.
In portage tree (~arch)