[selinux] /etc/init.d/iptables save doesn't work

kernel = 2.6.7-r8

When attempting to run "/etc/init.d/iptables save" for the first time (i.e.,
no existing rules-save), it fails to create the file
"/var/lib/iptables/rules-save". Filtering the selinux denials through
audit2allow gives the following needed permissions:

allow initrc_t iptables_var_lib_t:file { create };
allow iptables_t var_t:dir { search };

So then I manually created the save file with "touch
/var/lib/iptables/rules-save" and verified that its context is:
root:object_r:iptables_var_lib_t. Re-running "iptables save" still fails,
giving this needed permission:

allow initrc_t iptables_var_lib_t:file { write };

If I execute "iptables-save > /var/lib/iptables/rules-save", the binary
works correctly with no denials. Further, rebooting successfully starts
/etc/init.d/iptables and correctly restores the iptables rules.

Since "iptables -L" appears to run correctly but gives a bunch of "var_t:dir
{ search }" denials as well, I believe a dontaudit will solve that problem,
but the other problem looks like a failure of initrc_t to transition to the
correct domain.

Has anyone run into this problem?

Richard Simpson
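To show where the two audit2allow rules above come from, here is a small parser for the raw AVC denial lines, added as an example and not part of the original post. The sample log lines, the exe paths and the "iptables-save should run as iptables_t" expectation are constructed; the rule it produces for initrc_t is the one the post reports, and the check flags that it stems from a missing domain transition rather than a permission that should simply be granted.

```python
import re
from collections import defaultdict

# Constructed AVC lines in the 2.6-era dmesg format; the source/target
# contexts reproduce the denials reported in the post above.
SAMPLE_AVC = """\
audit(1092000000.100:0): avc:  denied  { create } for  pid=3120 exe=/sbin/iptables-save name=rules-save dev=hda3 ino=81934 scontext=root:system_r:initrc_t tcontext=root:object_r:iptables_var_lib_t tclass=file
audit(1092000000.200:0): avc:  denied  { search } for  pid=3120 exe=/sbin/iptables-save name=lib dev=hda3 ino=1171 scontext=root:system_r:iptables_t tcontext=system_u:object_r:var_t tclass=dir
audit(1092000000.300:0): avc:  denied  { write } for  pid=3121 exe=/sbin/iptables-save name=rules-save dev=hda3 ino=81934 scontext=root:system_r:initrc_t tcontext=root:object_r:iptables_var_lib_t tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?exe=(?P<exe>\S+) .*?"
    r"scontext=\S+:(?P<src>\w+) tcontext=\S+:(?P<tgt>\w+) tclass=(?P<cls>\w+)")


def parse_avc(line):
    """Return one denial as a dict (perms, exe, src, tgt, cls), or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = set(d["perms"].split())
    return d


def allow_rules(log):
    """Collapse denials into audit2allow-style rules, one per (src, tgt, class)."""
    merged = defaultdict(set)
    for line in log.splitlines():
        d = parse_avc(line)
        if d:
            merged[(d["src"], d["tgt"], d["cls"])] |= d["perms"]
    return sorted("allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
                  for (s, t, c), p in merged.items())


def missing_transitions(log, expected):
    """Denials where the binary ran in a domain other than the one it should
    transition into (expected maps exe path -> domain). Adding the allow rule
    for such a denial widens the caller's domain (here initrc_t) instead of
    fixing the transition, so these deserve a look before any rule is added."""
    out = []
    for line in log.splitlines():
        d = parse_avc(line)
        if d and expected.get(d["exe"]) not in (None, d["src"]):
            out.append((d["exe"], d["src"], expected[d["exe"]]))
    return out
```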

