| Summary: | net-firewall/nftables: wrong fcontext for /var/lib/nftables and content | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | David Sardari <d> |
| Component: | SELinux | Assignee: | SE Linux Bugs <selinux> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | d, gentoo |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
Description
David Sardari
2022-04-23 00:27:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6f537bac5606bd0ad279ab8016c2c8c51476956d

commit 6f537bac5606bd0ad279ab8016c2c8c51476956d
Author:     Kenton Groombridge <concord@gentoo.org>
AuthorDate: 2022-05-30 22:51:28 +0000
Commit:     Kenton Groombridge <concord@gentoo.org>
CommitDate: 2022-09-03 20:04:19 +0000

    iptables: add file context for /usr/libexec/nftables/nftables.sh

    Bug: https://bugs.gentoo.org/840230
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>

 policy/modules/system/iptables.fc | 2 ++
 1 file changed, 2 insertions(+)

https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d935f927cd34c1a91d3a8f3c9278baeeef852320

commit d935f927cd34c1a91d3a8f3c9278baeeef852320
Author:     Kenton Groombridge <concord@gentoo.org>
AuthorDate: 2021-01-27 01:02:21 +0000
Commit:     Kenton Groombridge <concord@gentoo.org>
CommitDate: 2022-09-03 20:04:08 +0000

    iptables: add file context for saved rules

    Bug: https://bugs.gentoo.org/840230
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>

 policy/modules/system/init.fc     | 1 -
 policy/modules/system/iptables.fc | 5 +++++
 2 files changed, 5 insertions(+), 1 deletion(-)

I added "sec-policy/* ~amd64" to /etc/portage/package.accept_keywords/main and updated packages to 2.20220520-r1.

fcontext is fine with ">=sec-policy/*-2.20220520-r1" packages:

❯ matchpathcon /var/lib/{ip,ip6,nf}tables{,/*} /usr/libexec/nftables/nftables.sh | column -t
/var/lib/iptables                  system_u:object_r:iptables_conf_t:s0
/var/lib/ip6tables                 system_u:object_r:iptables_conf_t:s0
/var/lib/nftables                  system_u:object_r:iptables_conf_t:s0
/var/lib/nftables/rules-save       system_u:object_r:iptables_conf_t:s0
/usr/libexec/nftables/nftables.sh  system_u:object_r:iptables_exec_t:s0

❯ sesearch --allow --source iptables_t --target iptables_conf_t --class file --perm read
allow iptables_t iptables_conf_t:file { append create getattr ioctl link lock open read rename setattr unlink write };

So, this bug is solved with ">=sec-policy/*-2.20220520-r1".

I don't think that makes it invalid at all. That new version fixes your issue and it was in response to this bug, it's simply FIXED.

k, I didn't know it got fixed in 2.20220520 in response to this bug :)
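The thread verifies the fix with matchpathcon (what the installed file-context database maps each path to) and sesearch (that iptables_t may read iptables_conf_t). One caveat a practitioner wants here: matchpathcon reports the policy's answer, not the label the file on disk actually carries, and upgrading sec-policy does not relabel existing files, so /var/lib/nftables and its contents keep their old label until restorecon (or a package relabel) runs. The following script is an added example, not part of the bug report or of hardened-refpolicy: it checks matchpathcon-style output against the types shown in the bug, using constructed sample output so it runs anywhere, and adds a live policy-versus-disk comparison for an SELinux host. The helper names (expected_type, ctx_type, check_line, count_mismatches, live_check) are ours, and the var_lib_t label in the stale sample is a hypothetical stand-in, since the bug does not say which type was applied before the fix.

```shell
#!/bin/sh
# Added example, not from the bug report or from hardened-refpolicy.
# Checks the paths from this bug against the types the reporter's
# matchpathcon output shows for sec-policy >= 2.20220520-r1.
# Helper names are ours, not tools shipped by policycoreutils.

# Type each path should carry, taken from the matchpathcon output in the bug.
expected_type() {
    case "$1" in
        /var/lib/iptables|/var/lib/ip6tables|/var/lib/nftables|/var/lib/nftables/rules-save)
            echo iptables_conf_t ;;
        /usr/libexec/nftables/nftables.sh)
            echo iptables_exec_t ;;
        *)
            return 1 ;;
    esac
}

# Third field of user:role:type:level, e.g. iptables_conf_t.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# One matchpathcon line: "<path><whitespace><context>". Returns 0 when the
# type is the expected one, 1 on a mismatch or for a path not covered above.
check_line() {
    path=$(printf '%s\n' "$1" | awk '{print $1}')
    ctx=$(printf '%s\n' "$1" | awk '{print $2}')
    want=$(expected_type "$path") || return 1
    [ "$(ctx_type "$ctx")" = "$want" ]
}

# Number of lines on stdin whose type is wrong; 0 means every path matches.
count_mismatches() {
    n=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        check_line "$line" || n=$((n + 1))
    done
    echo "$n"
}

# Constructed sample: the reporter's matchpathcon output after the fix.
SAMPLE_FIXED='/var/lib/iptables system_u:object_r:iptables_conf_t:s0
/var/lib/ip6tables system_u:object_r:iptables_conf_t:s0
/var/lib/nftables system_u:object_r:iptables_conf_t:s0
/var/lib/nftables/rules-save system_u:object_r:iptables_conf_t:s0
/usr/libexec/nftables/nftables.sh system_u:object_r:iptables_exec_t:s0'

# Constructed sample with a wrong label on the nftables directory and its
# saved rules (var_lib_t is hypothetical; the bug does not name the old type).
SAMPLE_STALE='/var/lib/iptables system_u:object_r:iptables_conf_t:s0
/var/lib/nftables system_u:object_r:var_lib_t:s0
/var/lib/nftables/rules-save system_u:object_r:var_lib_t:s0'

# Live check for one path on an SELinux host: what the installed policy
# says (matchpathcon), what is on disk (ls -dZ), and what restorecon would
# change. A policy upgrade does not relabel existing files; when the two
# disagree, run restorecon without -n (or relabel the package) to fix it.
live_check() {
    command -v matchpathcon >/dev/null 2>&1 || { echo "matchpathcon not installed" >&2; return 2; }
    echo "policy : $(matchpathcon "$1")"
    echo "on disk: $(ls -dZ "$1")"
    restorecon -nv "$1"
}

echo "mismatches in fixed sample: $(printf '%s\n' "$SAMPLE_FIXED" | count_mismatches)"
echo "mismatches in stale sample: $(printf '%s\n' "$SAMPLE_STALE" | count_mismatches)"
# On an SELinux host, e.g.: live_check /var/lib/nftables
```

The sample checks pass or fail purely on the parsed type field, so the script works with the column-aligned output from the bug as well as raw matchpathcon output; the live check is the part that catches the case the policy view hides, a directory still carrying its pre-upgrade label.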