It's not clear what you're doing here.  In several cases you have the output of 
ls -Z, without entering the command?

Yes, selinux is prohibiting it from looking at {getattr}, creating {write}, or 
deleting {unlink} the shorewall lockfile.  The correct setting for the lockfile 
(and the path down to it) is:  system_u:object_r:var_lock_t:s0

You don't say whether you've rebooted or not.

> -------- Original Message --------
> Subject: Re: [Shorewall-users] Centos7: SELinux is preventing /usr/bin/touch 
> from 'write' accesses on the file shorewall
> Local Time: December 17, 2017 9:12 AM
> UTC Time: December 17, 2017 5:12 PM
> From: d.le...@solinos.it
> To: shorewall-users@lists.sourceforge.net
>
> On Fri, 15/12/2017 at 10.10 -0500, Bill Shirley wrote:
>
>> He should at least do a 'ls -lZ' on the file and report to the list.
>>
>> I have activated this log:
>>
>> [ root@s-virt ~]# tail -f /var/log/audit/audit.log | grep --color=auto 
>> denied &
>> [1] 7937
>>
>> This is the result:
>>
>> [ root@s-virt ~]# ls -lZ /run/lock/subsys/shorewall /run/lock/subsys/
>> -rw-------. root root unconfined_u:object_r:var_lock_t:s0 
>> /run/lock/subsys/shorewall
>>
>> /run/lock/subsys/:
>> -rw-r--r--. root root system_u:object_r:var_lock_t:s0 libvirt-guests
>> -rw-r--r--. root root system_u:object_r:var_lock_t:s0 network
>> -rw-------. root root unconfined_u:object_r:var_lock_t:s0 shorewall
>> [ root@s-virt ~]# chcon system_u:object_r:var_lock_t:s0 
>> /run/lock/subsys/shorewall
>> [ root@s-virt ~]# service shorewall restart
>> Redirecting to /bin/systemctl restart shorewall.service
>> type=AVC msg=audit(1513528726.972:629): avc: denied { getattr } for pid=6475 
>> comm="rm" path="/run/lock/subsys/shorewall" dev="tmpfs" ino=40257 
>> scontext=system_u:system_r:shorewall_t:s0 
>> tcontext=system_u:object_r:var_lock_t:s0 tclass=file
>> type=AVC msg=audit(1513528726.972:630): avc: denied { unlink } for pid=6475 
>> comm="rm" name="shorewall" dev="tmpfs" ino=40257 
>> scontext=system_u:system_r:shorewall_t:s0 
>> tcontext=system_u:object_r:var_lock_t:s0 tclass=file
>> type=AVC msg=audit(1513528727.363:674): avc: denied { write } for pid=6724 
>> comm="touch" name="shorewall" dev="tmpfs" ino=40257 
>> scontext=system_u:system_r:shorewall_t:s0 
>> tcontext=system_u:object_r:var_lock_t:s0 tclass=file
>> type=AVC msg=audit(1513528727.363:675): avc: denied { write } for pid=6724 
>> comm="touch" name="shorewall" dev="tmpfs" ino=40257 
>> scontext=system_u:system_r:shorewall_t:s0 
>> tcontext=system_u:object_r:var_lock_t:s0 tclass=file
>> [ root@s-virt ~]# ls -lZ /run/lock/subsys/shorewall
>> -rw-------. root root system_u:object_r:var_lock_t:s0 
>> /run/lock/subsys/shorewall
>> [ root@s-virt ~]# chcon system_u:system_r:shorewall_t:s0 
>> /run/lock/subsys/shorewall
>> type=AVC msg=audit(1513528816.785:684): avc: denied { relabelto } for 
>> pid=6791 comm="chcon" name="shorewall" dev="tmpfs" ino=40257 
>> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
>> tcontext=system_u:system_r:shorewall_t:s0 tclass=file
>> chcon: cambio del contesto di "/run/lock/subsys/shorewall" in 
>> "system_u:system_r:shorewall_t:s0" non riuscito: Permesso negato
>>
>> Also a 'grep denied /var/log/audit/audit.log'.
>>
>> This is output of selinux error
>>
>> [ root@s-virt ~]# grep -E 'denied.*shorewall' /var/log/audit/audit.log|tail 
>> -16
>> type=AVC msg=audit(1513182259.328:11708): avc: denied { getattr } for 
>> pid=25598 comm="rm" path="/run/lock/subsys/shorewall" dev="tmpfs" ino=192726 
>> scontext=system_u:system_r:shorewall_t:s0 
>> tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
>> type=AVC msg=audit(1513182259.328:11709): avc: denied { unlink } for 
>> pid=25598 comm="rm" name="shorewall" dev="tmpfs" ino=192726 
>> scontext=system_u:system_r:shorewall_t:s0 
>> tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
>> type=AVC msg=audit(1513182259.738:11753): avc: denied { write } for 
>> pid=25858 comm="touch" name="shorewall" dev="tmpfs" ino=192726 
>> scontext=system_u:system_r:shorewall_t:s0 
>> tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
>> type=AVC msg=audit(1513182259.738:11754): avc: denied { write } for 
>> pid=25858 comm="touch" name="shorewall" dev="tmpfs" ino=192726 
>> scontext=system_u:system_r:shorewall_t:s0 
>> tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
>> type=AVC msg=audit(1513183584.000:11776): avc: denied { getattr } for 
>> pid=26688 comm="rm" path="/run/lock/subsys/shorewall" dev="tmpfs" ino=192726 
>> scontext=system_u:system_r:shorewall_t:s0 
>> tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
>> type=AVC msg=audit(1513183584.000:11777): avc: denied { unlink } for 
>> pid=26688 comm="rm" name="shorewall" dev="tmpfs" ino=192726 
>> scontext=system_u:system_r:shorewall_t:s0 
>> tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
>> type=AVC msg=audit(1513183584.415:11821): avc: denied { write } for 
>> pid=26941 comm="touch" name="shorewall" dev="tmpfs" ino=192726 
>> scontext=system_u:system_r:shorewall_t:s0 
>> tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
>> type=AVC msg=audit(1513183584.415:11822): avc: denied { write } for 
>> pid=26941 comm="touch" name="shorewall" dev="tmpfs" ino=192726 
>> scontext=system_u:system_r:shorewall_t:s0 
>> tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
>> type=AVC msg=audit(1513260511.403:13267): avc: denied { getattr } for 
>> pid=29332 comm="rm" path="/run/lock/subsys/shorewall" dev="tmpfs" ino=192726 
>> scontext=system_u:system_r:shorewall_t:s0 
>> tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
>> type=AVC msg=audit(1513260511.403:13268): avc: denied { unlink } for 
>> pid=29332 comm="rm" name="shorewall" dev="tmpfs" ino=192726 
>> scontext=system_u:system_r:shorewall_t:s0 
>> tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
>> type=AVC msg=audit(1513260511.846:13312): avc: denied { write } for 
>> pid=29584 comm="touch" name="shorewall" dev="tmpfs" ino=192726 
>> scontext=system_u:system_r:shorewall_t:s0 
>> tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
>> type=AVC msg=audit(1513260511.846:13313): avc: denied { write } for 
>> pid=29584 comm="touch" name="shorewall" dev="tmpfs" ino=192726 
>> scontext=system_u:system_r:shorewall_t:s0 
>> tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
>> type=AVC msg=audit(1513260551.697:13321): avc: denied { getattr } for 
>> pid=29928 comm="rm" path="/run/lock/subsys/shorewall" dev="tmpfs" ino=192726 
>> scontext=system_u:system_r:shorewall_t:s0 
>> tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
>> type=AVC msg=audit(1513260551.697:13322): avc: denied { unlink } for 
>> pid=29928 comm="rm" name="shorewall" dev="tmpfs" ino=192726 
>> scontext=system_u:system_r:shorewall_t:s0 
>> tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
>> type=AVC msg=audit(1513260552.125:13366): avc: denied { write } for 
>> pid=30181 comm="touch" name="shorewall" dev="tmpfs" ino=192726 
>> scontext=system_u:system_r:shorewall_t:s0 
>> tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
>> type=AVC msg=audit(1513260552.125:13367): avc: denied { write } for 
>> pid=30181 comm="touch" name="shorewall" dev="tmpfs" ino=192726 
>> scontext=system_u:system_r:shorewall_t:s0 
>> tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
>>
>> If I use the old "service shorewall restart" or the new "systemctl restart
>> shorewall.service" the error sometimes (not always) occurs
>>
>> If I restart shorewall via "shorewall -q restart" this error seems not
>> to occur
>>
>> Thanks
>>
>> Dario
>>
>> On 12/15/2017 9:56 AM, cac...@quantum-sci.com wrote:
>>
>>> /run is cleared on every boot so a restorecon wouldn't last. If a reboot 
>>> doesn't fix it, it's likely a problem in a script of
>>> the repo.
>>> OP doesn't say how he's pulling these messages, but I can't find them in 
>>> CentOS7.
>>> On 12/15/2017 03:12 AM, Bill Shirley wrote:
>>>
>>>> Perhaps /run/lock/subsys/shorewall has become mis-labeled? (Fedora 25):
>>>> drwxr-xr-x. 45 root root system_u:object_r:var_run_t:s0 1280 Dec 13 09:53 
>>>> /run
>>>> drwxr-xr-x. 6 root root system_u:object_r:var_lock_t:s0 120 Dec 7 01:10 
>>>> /run/lock
>>>> drwxr-xr-x. 2 root root system_u:object_r:var_lock_t:s0 120 Dec 7 17:01 
>>>> /run/lock/subsys
>>>> -rw-------. 1 root root unconfined_u:object_r:var_lock_t:s0 0 Dec 7 17:00 
>>>> /run/lock/subsys/shorewall
>>>> Have you tried running restorecon on the file?
>>>> Bill
>>>> On 12/15/2017 5:18 AM, Dario Lesca wrote:
>>>>
>>>>> How to resolve this issue?
>>>>>
>>>>> dic 14 15:09:12 s-virt.to.loc setroubleshoot[29931]: failed to retrieve 
>>>>> rpm info for /run/lock/subsys/shorewall
>>>>>  dic 14 15:09:12 s-virt.to.loc setroubleshoot[29931]: SELinux is 
>>>>> preventing /usr/bin/rm from getattr access on the file
>>>>>
>>>>> /run/lock/subsys/shorewall. For complete SELinux messages run: sealert -l 
>>>>> 0c3dda49-0ea8-49ab-9dbd-6a7c3d40e4a1
>>>>> dic 14 15:09:12 s-virt.to.loc python[29931]: SELinux is preventing 
>>>>> /usr/bin/rm from getattr access on the file
>>>>> /run/lock/subsys/shorewall.
>>>>> ...
>>>>> dic 14 15:09:12 s-virt.to.loc setroubleshoot[29931]: SELinux is 
>>>>> preventing /usr/bin/touch from write access on the file
>>>>> shorewall. For complete SELinux messages run: sealert -l 
>>>>> e1a41afa-da77-4c29-ae1e-782146cb825a
>>>>> dic 14 15:09:12 s-virt.to.loc python[29931]: SELinux is preventing 
>>>>> /usr/bin/touch from write access on the file shorewall.
>>>>>
>>>>> although apparently everything works well
>>>>>
>>>>>  Many thanks
>>>>>
>>>>>  --
>>>>>  Dario Lesca
>>>>>  (sent from my Linux Fedora 27 Workstation)
>>>>>
>>>>> ---------------------------------------------------------------
>>>>>
>>>>> Check out the vibrant tech community on one of the world's most
>>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>>> ---------------------------------------------------------------
>>>>>
>>>>> Shorewall-users mailing list
>>>>> Shorewall-users@lists.sourceforge.net
>>>>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>> --
>> Dario Lesca
>> (sent from my Linux Fedora 27 Workstation)
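Added example, not from this thread or from the Shorewall project: a small Python parser over audit.log AVC records in the form quoted above, grouping the denials by source type, command and target type and flagging any target label that differs from the system_u:object_r:var_lock_t:s0 label named as correct. The sample records are constructed from the ones in the thread; the expected label is a parameter and is an assumption of the example.

```python
import re

# Sample input constructed from the AVC records quoted in this thread: two with the
# label named as correct, one with the unconfined_u label, plus a non-AVC record.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1513528726.972:629): avc:  denied  { getattr } for  pid=6475 comm="rm" path="/run/lock/subsys/shorewall" dev="tmpfs" ino=40257 scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1513528726.972:630): avc:  denied  { unlink } for  pid=6475 comm="rm" name="shorewall" dev="tmpfs" ino=40257 scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1513182259.738:11753): avc:  denied  { write } for  pid=25858 comm="touch" name="shorewall" dev="tmpfs" ino=192726 scontext=system_u:system_r:shorewall_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=SYSCALL msg=audit(1513182259.738:11753): arch=c000003e syscall=2 success=no exit=-13 comm="touch"
"""

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other audit record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['perms'] = set(m.group('perms').split())
    rec['serial'] = int(m.group('serial'))
    return rec

def ctx_type(ctx):
    """A context is user:role:type[:level]; type enforcement rules are keyed on the type."""
    return ctx.split(':')[2]

def summarize(audit_text, expected_tcontext='system_u:object_r:var_lock_t:s0'):
    """Group denials by (source type, comm, target type, class) and collect target
    labels that differ from the label expected on the lock file (assumed parameter)."""
    summary = {}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (ctx_type(rec['scontext']), rec['comm'], ctx_type(rec['tcontext']), rec['tclass'])
        entry = summary.setdefault(key, {'perms': set(), 'serials': [], 'unexpected_labels': set()})
        entry['perms'] |= rec['perms']
        entry['serials'].append(rec['serial'])
        if rec['tcontext'] != expected_tcontext:
            entry['unexpected_labels'].add(rec['tcontext'])
    return summary

if __name__ == '__main__':
    for (stype, comm, ttype, tclass), e in summarize(SAMPLE_AUDIT).items():
        labels = ', '.join(sorted(e['unexpected_labels'])) or 'none'
        print(f"{stype} ({comm}) -> {ttype} {tclass}: denied {{ {' '.join(sorted(e['perms']))} }}"
              f" x{len(e['serials'])}; unexpected target labels: {labels}")
```

A group whose target label is already the expected one shows that a relabel alone cannot clear those denials; the decision is made on the type pair (shorewall_t to var_lock_t), which is what sealert output and a policy review need to address.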