[0:root@elmo shorewall6]$ rpm -qf `which audit2allow`
policycoreutils-python-2.3-18.fc22.x86_64
Create an SELinux policy to allow this. Set SELinux to permissive mode:
setenforce 0
then run the command that generates the log messages:
shorewall start
then set SELinux back to active mode:
setenforce 1
Now, generate a new policy:
grep shorewall /var/log/audit/audit.log | audit2allow -M my_shorewall
then install it:
semodule -i my_shorewall.pp
Now run the shorewall command again and check the log file.
Bill
On 12/17/2017 4:58 PM, Dario Lesca wrote:
On Sun, 17/12/2017 at 13.10 -0500, Colony.three via Shorewall-users wrote:
It's not clear what you're doing here. In several cases you have the
output of ls -Z, without entering the command?
Now this is the output of ls -Z
[root@s-virt ~]# ls -lZ /run/lock/subsys/*
-rw-r--r--. root root system_u:object_r:var_lock_t:s0 /run/lock/subsys/libvirt-guests
-rw-r--r--. root root system_u:object_r:var_lock_t:s0 /run/lock/subsys/network
-rw-------. root root unconfined_u:object_r:var_lock_t:s0 /run/lock/subsys/shorewall
Yes selinux is prohibiting from looking at {getattr}, creating
{write}, or deleting {unlink} the shorewall lockfile. The correct
setting for the lockfile (and the path down to it) is:
system_u:object_r:var_lock_t:s0
The file does not have this attribute.
And if I change it
[root@s-virt ~]# chcon system_u:object_r:var_lock_t:s0 /run/lock/subsys/shorewall
it comes back after a while.
You don't say whether you've rebooted or not.
No, I have not rebooted; I do not know what happens if I reboot.
I have only restarted the shorewall service and sometimes, when I do
that, I get 4 SELinux errors in the log.
I just want to point out that sometimes in the logs I detect these
SELinux errors:
[root@s-virt ~]# grep -E 'denied.*shorewall' /var/log/audit/audit.log | tail -4
type=AVC msg=audit(1513547387.366:1560): avc: denied { getattr } for pid=17154 comm="rm" path="/run/lock/subsys/shorewall" dev="tmpfs" ino=56603 scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1513547387.366:1561): avc: denied { unlink } for pid=17154 comm="rm" name="shorewall" dev="tmpfs" ino=56603 scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1513547387.758:1605): avc: denied { write } for pid=17405 comm="touch" name="shorewall" dev="tmpfs" ino=56603 scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1513547387.758:1606): avc: denied { write } for pid=17405 comm="touch" name="shorewall" dev="tmpfs" ino=56603 scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
Is there a solution that I can apply, or is it a bug?
Thanks
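As an added example (not code from this thread or from the Shorewall project), the Python below parses AVC records like the four quoted above and derives the allow rule and the .te source that Bill's `audit2allow -M my_shorewall` step would build from them, so the rule can be read before `semodule -i` installs it. It selects records by their source domain (`shorewall_t`) rather than by the word `shorewall` appearing anywhere in the line, which is what `grep shorewall` matches on. The sample input is constructed: the thread's four AVC records plus one made-up non-AVC line that mentions shorewall. The names `SAMPLE_AUDIT_LOG`, `denials_for_domain`, `allow_rules` and `type_enforcement_module` are this example's own; the `module`/`require` layout mirrors the shape audit2allow writes and is stated here as an assumption.

```python
"""Derive SELinux allow rules from AVC denials (added example, not Shorewall code)."""
import re
from collections import defaultdict

# Constructed input for this example: the four AVC records quoted in the
# thread, plus one made-up non-AVC record that merely mentions "shorewall".
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1513547387.366:1560): avc: denied { getattr } for pid=17154 comm="rm" path="/run/lock/subsys/shorewall" dev="tmpfs" ino=56603 scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1513547387.366:1561): avc: denied { unlink } for pid=17154 comm="rm" name="shorewall" dev="tmpfs" ino=56603 scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1513547387.758:1605): avc: denied { write } for pid=17405 comm="touch" name="shorewall" dev="tmpfs" ino=56603 scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1513547387.758:1606): avc: denied { write } for pid=17405 comm="touch" name="shorewall" dev="tmpfs" ino=56603 scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=USER_CMD msg=audit(1513547400.000:1700): pid=17500 uid=0 msg='cmd="shorewall start" exe="/usr/bin/sudo" res=success'
"""

# One AVC denial: the permissions in braces, the command, and the three
# context fields that decide which type-enforcement rule is missing.
AVC_RE = re.compile(
    r'type=AVC .*?avc: +denied +\{ (?P<perms>[^}]+)\} for .*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+) +tcontext=(?P<tcontext>\S+) +tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "comm": m.group("comm"),
        # A context is user:role:type[:range]; the type is the third field.
        "source_type": m.group("scontext").split(":")[2],
        "target_type": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }


def denials_for_domain(log_text, domain):
    """Select AVC records whose source domain is `domain` (e.g. shorewall_t).

    Stricter than `grep shorewall`: a record that only mentions the word in a
    path or command line, but was raised by another domain, is left out.
    """
    records = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["source_type"] == domain:
            records.append(rec)
    return records


def allow_rules(records):
    """Merge denials per (source, target, class) into allow statements."""
    perms_by_key = defaultdict(set)
    for rec in records:
        key = (rec["source_type"], rec["target_type"], rec["tclass"])
        perms_by_key[key] |= rec["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(perms_by_key.items()):
        rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


def type_enforcement_module(name, records, version="1.0"):
    """Render a .te source in the module/require/allow shape audit2allow -M
    writes (assumption of this example; the tool's exact formatting may differ)."""
    types_needed = sorted({r["source_type"] for r in records}
                          | {r["target_type"] for r in records})
    perms_by_class = defaultdict(set)
    for r in records:
        perms_by_class[r["tclass"]] |= r["perms"]
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types_needed]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};"
              for c, p in sorted(perms_by_class.items())]
    lines += ["}", ""] + allow_rules(records)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    recs = denials_for_domain(SAMPLE_AUDIT_LOG, "shorewall_t")
    print(type_enforcement_module("my_shorewall", recs))
```

Read the generated rule before installing it: `allow shorewall_t var_lock_t:file { getattr unlink write }` grants the shorewall domain those operations on every file labelled `var_lock_t`, not only on its own lock file, so it is a broader grant than the four denials suggest at first glance.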
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users