Bug 442528 - [selinux] ipset tool fails in restricted mode
Summary: [selinux] ipset tool fails in restricted mode
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
Whiteboard: sec-policy r7
Reported: 2012-11-10 00:55 UTC by Reuben Martin
Modified: 2012-12-13 10:09 UTC
Attachments
emerge --info (emerge.info,4.38 KB, text/plain)
2012-11-10 00:59 UTC, Reuben Martin
/usr/src/linux/.config (kernel.config,74.80 KB, text/plain)
2012-11-10 00:59 UTC, Reuben Martin

Description Reuben Martin 2012-11-10 00:55:33 UTC
This is a new bug stemming from BUG #438068, comment 20.

The ipset tool in permissive mode works as expected. In restricted mode it cannot connect to the kernel.

Example:

ipset -L
> ipset v6.13: Cannot open session to kernel.




Reproducible: Always
Comment 1 Reuben Martin 2012-11-10 00:59:21 UTC
Created attachment 329050
emerge --info
Comment 2 Reuben Martin 2012-11-10 00:59:44 UTC
Created attachment 329052
/usr/src/linux/.config
Comment 3 Reuben Martin 2012-11-10 01:11:13 UTC
Changing the context to match that of iptables seems to fix the problem:

chcon -t iptables_exec_t /usr/sbin/ipset


The default context, however, has the type set to bin_t.
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-12 21:59:19 UTC
Fixed in repo (live ebuilds) and will be in rev7.
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-14 21:10:31 UTC
r7 is now in hardened-dev
Comment 6 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-18 15:27:33 UTC
In main tree, ~arch'ed
Comment 7 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-13 10:09:54 UTC
r8 is now stable
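
A label check for the mismatch described in comment 3, as an added example that is not part of the bug report or of the Gentoo policy. The function names and the `--live` switch are hypothetical, and the context strings used to exercise it are constructed; the path and the two types are the ones named in the thread.

```shell
#!/bin/sh
# Added example: compare a file's SELinux type with the type it should carry.
# Path and types are taken from comment 3; function names are hypothetical.

# Extract the type (3rd field) from user:role:type[:level].
# The MLS level may itself contain colons (s0:c0.c1023), so only the
# third colon-separated field is taken.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed when the context string carries the expected type.
has_type() {
    [ "$(context_type "$1")" = "$2" ]
}

# Report on one path given its context string and the expected type.
# On a mismatch, print the commands that make the label persistent.
check_label() {
    path=$1 ctx=$2 want=$3
    if has_type "$ctx" "$want"; then
        echo "OK       $path ($ctx)"
    else
        echo "MISMATCH $path: type $(context_type "$ctx"), expected $want"
        echo "  persistent fix: semanage fcontext -a -t $want '$path' && restorecon -v '$path'"
        return 1
    fi
}

# On a live SELinux system, read the real label with GNU stat (%C).
if [ "${1:-}" = "--live" ]; then
    check_label /usr/sbin/ipset "$(stat -c %C /usr/sbin/ipset)" iptables_exec_t
fi
```

A label set with `chcon` is written only to the file and is reset by the next `restorecon` or full relabel, so on a system without the fixed policy the `semanage fcontext` rule is what keeps the type in place.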