nftables rules cannot be loaded during system boot. /etc/init.d/nftables instructs nft to read them from /var/lib/nftables/rules-save, which has the wrong context:

type=AVC msg=audit(1577610590.822:28): avc: denied { read } for pid=5819 comm="nft" name="rules-save" dev="dm-3" ino=134 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:var_lib_t tclass=file permissive=1
type=AVC msg=audit(1577610590.822:28): avc: denied { open } for pid=5819 comm="nft" path="/var/lib/nftables/rules-save" dev="dm-3" ino=134 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:var_lib_t tclass=file permissive=1

I fixed it on my system with the following context definition:

semanage fcontext -a -s system_u -t iptables_conf_t "/var/lib/nftables(/.*)?"

Reproducible: Always

Steps to Reproduce:
1. have /etc/init.d/nftables added to default runlevel and let it load the previously saved ruleset on boot
2. reboot your machine
3. run ausearch --start boot -m avc to find the deny messages I posted in this report
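The denials above are the usual signature of a mislabeled file rather than a missing policy rule: the source domain (iptables_t) is the one nft is expected to run in, but the target carries the generic var_lib_t label instead of iptables_conf_t. The following POSIX sh script is an added example, not part of the bug report or of the nftables init script; it parses AVC lines of that shape, checks whether the target type matches the expected one, and prints the fcontext plus restorecon commands that persist and apply the label. The sample line is constructed after the report's first denial, and the expected type and path pattern are passed in as arguments.

```shell
#!/bin/sh
# Added example (not part of the bug report): parse AVC denials of the shape
# shown above and decide whether a file label fix explains them.
# AVC_SAMPLE is constructed after the report's first denial.

AVC_SAMPLE='type=AVC msg=audit(1577610590.822:28): avc: denied { read } for pid=5819 comm="nft" name="rules-save" dev="dm-3" ino=134 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:var_lib_t tclass=file permissive=1'

# avc_field LINE KEY: print the value of KEY=value (surrounding quotes stripped).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ (]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE: the permission named inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([a-z_]*\) }.*/\1/p'
}

# ctx_type CONTEXT: the type component of user:role:type[:level].
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE: "source_type permission tclass target_type" on one line.
avc_summary() {
    printf '%s %s %s %s\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(avc_perm "$1")" \
        "$(avc_field "$1" tclass)" \
        "$(ctx_type "$(avc_field "$1" tcontext)")"
}

# mislabeled LINE EXPECTED_TYPE: succeed when the target's type differs from
# EXPECTED_TYPE, i.e. the denial is explained by a wrong file label and a
# relabel (not a policy change) is the right fix.
mislabeled() {
    [ "$(ctx_type "$(avc_field "$1" tcontext)")" != "$2" ]
}

# remediation PATTERN TYPE: print the commands that record the label in the
# local fcontext database and apply it to the files that already exist.
# The directory passed to restorecon is PATTERN with its "(/.*)?" suffix removed.
remediation() {
    printf 'semanage fcontext -a -t %s "%s"\n' "$2" "$1"
    printf 'restorecon -Rv %s\n' "${1%%(*}"
}

# Stand-alone run: summarise the sample and print the fix when it is a labeling issue.
avc_summary "$AVC_SAMPLE"
if mislabeled "$AVC_SAMPLE" iptables_conf_t; then
    remediation '/var/lib/nftables(/.*)?' iptables_conf_t
fi
```

The semanage call only records the rule; the label on the existing rules-save file changes when restorecon is run (or on the next relabel), so a fix like the reporter's needs both steps before the next boot is tested. When mislabeled fails because the target already has the expected type, the denial points at a missing policy rule instead, and a relabel will not help.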