Bug 840230 - net-firewall/nftables: wrong fcontext for /var/lib/nftables and content
Summary: net-firewall/nftables: wrong fcontext for /var/lib/nftables and content
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal normal
Assignee: SE Linux Bugs
Reported: 2022-04-23 00:27 UTC by David Sardari
Modified: 2022-04-24 14:26 UTC
Description David Sardari 2022-04-23 00:27:53 UTC
I believe the following fcontext change is necessary:

➤ semanage fcontext -l -C

➤ ausearch -m avc --start boot
----
time->Sat Apr 23 01:56:08 2022
type=PROCTITLE msg=audit(1650671768.186:14): proctitle=6E6674002D63002D66002F7661722F6C69622F6E667461626C65732F72756C65732D73617665
type=PATH msg=audit(1650671768.186:14): item=0 name="/var/lib/nftables/rules-save" inode=644956 dev=00:1c mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_lib_t nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1650671768.186:14): cwd="/"
type=SYSCALL msg=audit(1650671768.186:14): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffe4977cb06 a2=0 a3=0 items=1 ppid=3714 pid=3715 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nft" exe="/sbin/nft" subj=system_u:system_r:iptables_t key=(null)
type=AVC msg=audit(1650671768.186:14): avc:  denied  { read } for  pid=3715 comm="nft" name="rules-save" dev="dm-0" ino=644956 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:var_lib_t tclass=file permissive=0

➤ ls -ldZ /var/lib/nftables /var/lib/nftables/rules-save
drwxr-xr-x. 1 root root system_u:object_r:var_lib_t  78 16. Apr 13:47 /var/lib/nftables/
-rw-------. 1 root root system_u:object_r:var_lib_t 598 16. Apr 13:47 /var/lib/nftables/rules-save

➤ semanage fcontext -l | grep "/var/lib/.*tables"
/var/lib/ip6?tables(/.*)?    all files    system_u:object_r:initrc_tmp_t

➤ sesearch --allow --source iptables_t --target initrc_tmp_t --class file --perm read
allow iptables_t initrc_tmp_t:file { append getattr ioctl lock open read write };

➤ semanage fcontext -a -t initrc_tmp_t "/var/lib/nftables(/.*)?"

➤ restorecon -R -F -v /var/lib/nftables
Relabeled /var/lib/nftables from system_u:object_r:var_lib_t to system_u:object_r:initrc_tmp_t
Relabeled /var/lib/nftables/.keep_net-firewall_nftables-0 from system_u:object_r:var_lib_t to system_u:object_r:initrc_tmp_t
Relabeled /var/lib/nftables/rules-save from system_u:object_r:var_lib_t to system_u:object_r:initrc_tmp_t
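A defender-side check that follows the diagnosis in this report, added here as an example and not part of the bug or of Gentoo's tooling: it parses raw audit records, joins each AVC denial to the PATH record with the same serial (the AVC line only carries the basename), and classifies the denial as a path with no matching fcontext rule (the case for /var/lib/nftables), a stale on-disk label, or a genuine policy gap. The sample records and the fcontext lists are constructed from the output quoted above; the field names and classification strings are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the PATH and AVC records of the audit event quoted in the bug report
# (field lists shortened). The serial 1650671768.186:14 ties the records of one event together.
SAMPLE_LOG = """\
type=PATH msg=audit(1650671768.186:14): item=0 name="/var/lib/nftables/rules-save" inode=644956 dev=00:1c mode=0100600 ouid=0 ogid=0 obj=system_u:object_r:var_lib_t nametype=NORMAL
type=AVC msg=audit(1650671768.186:14): avc:  denied  { read } for  pid=3715 comm="nft" name="rules-save" dev="dm-0" ino=644956 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:var_lib_t tclass=file permissive=0
"""
# fcontext rules as (regex, type): what `semanage fcontext -l` showed, and with the proposed addition
FCONTEXTS = [(r"/var/lib/ip6?tables(/.*)?", "initrc_tmp_t")]
PROPOSED = FCONTEXTS + [(r"/var/lib/nftables(/.*)?", "initrc_tmp_t")]
RECORD_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r"avc:\s+denied\s+\{ ([^}]+) \}")

def fields(body):
    """Split a record body into key/value pairs, stripping quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}

def denials(log):
    """One dict per AVC denial; the full path comes from the PATH record with the same
    serial, because the AVC line itself only carries the basename."""
    events = defaultdict(list)
    for line in log.splitlines():
        m = RECORD_RE.match(line)
        if m:
            events[m.group(2)].append((m.group(1), m.group(3)))
    out = []
    for serial, records in events.items():
        paths = [fields(b)["name"] for t, b in records if t == "PATH"]
        for rtype, body in records:
            m = AVC_RE.search(body) if rtype == "AVC" else None
            if not m:
                continue
            f = fields(body)
            out.append({"serial": serial, "perms": m.group(1).split(), "comm": f.get("comm"),
                        "source": f["scontext"].split(":")[2], "target": f["tcontext"].split(":")[2],
                        "tclass": f["tclass"], "path": paths[0] if paths else f.get("name")})
    return out

def diagnose(denial, fcontexts):
    """no-fcontext-rule: path inherits the parent's type (this bug); stale-label: a rule
    exists but the on-disk type differs (restorecon); policy-gap: label is as specified."""
    want = [t for pat, t in fcontexts if re.fullmatch(pat, denial["path"])]
    if not want:
        return "no-fcontext-rule"
    if denial["target"] not in want:
        return "stale-label:" + want[-1]
    return "policy-gap"
```

Against the rules currently on the system the denial comes out as no-fcontext-rule; with the proposed `/var/lib/nftables(/.*)?` rule added it becomes a stale label, which is exactly what the `restorecon` run above repairs.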