Shorewall startup issues on FC4...

Daniel J Walsh dwalsh at redhat.com
Wed Jul 6 22:23:31 UTC 2005


Tom Lisjac wrote:

>Getting back to selinux... :)
>
>When using nat and multiple ISP providers on Shorewall 2.4.0, the
>following error is produced on boot with FC4:
>
>Cannot open "/proc/sys/net/ipv4/route/flush
>
>The box is running the latest update: selinux-policy-targeted-1.23.18-17.
>
>Adding the following to local.te will fix it... but I don't want to
>have to install policy sources on my servers like I did with FC3.:
>
>allow ifconfig_t initrc_tmp_t:file read;
>allow ifconfig_t sysctl_net_t:file write;
>allow ifconfig_t var_lib_t:file read;
>
>Best regards,
>
>-Tom
>-----------------------------------------------------------------------------
>From /var/log/audit/audit.log:
>
>type=PATH msg=audit(1120675555.415:78677): item=0 name="/sbin/ip"
>type=AVC_PATH msg=audit(1120675555.415:78677):  path="/var/lib/shorewall/nat"
>type=AVC msg=audit(1120675555.415:78677): avc:  denied  { read } for  pid=2430 comm="ip" name="nat" dev=hda2 ino=4406613 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:var_lib_t tclass=file
>
>type=AVC msg=audit(1120675556.084:95462): avc:  denied  { write } for  pid=2641 comm="ip" name="flush" dev=proc ino=-268435296 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:sysctl_net_t tclass=file
>
>type=PATH msg=audit(1120675555.879:90329): item=0 name="/sbin/ip"
>type=AVC_PATH msg=audit(1120675555.879:90329): path="/tmp/shorewall.Gh1879/providers"
>type=AVC msg=audit(1120675555.879:90329): avc:  denied  { read } for  pid=2588 comm="ip" name="providers" dev=hda2 ino=3068205 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:initrc_tmp_t tclass=file
>
>--
>fedora-selinux-list mailing list
>fedora-selinux-list at redhat.com
>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>  
>
Is this running from a script?  Could you attach it? 

-- 
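Added example (not part of this thread, and not Shorewall or Fedora policy code): a small Python script that does for the AVC records quoted above what audit2allow does, so the three allow rules in the poster's local.te can be derived from audit.log rather than typed by hand. It parses each type=AVC record, attaches the path from the AVC_PATH record that shares the same audit serial, merges the denied permissions per (source type, target type, class), and renders them either as bare allow rules (the monolithic-policy local.te form the poster used) or as a loadable-module .te with a require block (the form checkmodule -M -m accepts on later releases with modular policy). The sample input is the three records from the thread re-joined onto one line each, plus one constructed getattr denial added to show how permissions on the same type pair are merged into one rule.

```python
"""Derive SELinux allow rules from AVC denials, audit2allow-style (added example)."""
import re
from collections import defaultdict

# Three records from the thread (one line each, as audit.log writes them) plus a
# constructed fourth record (getattr on var_lib_t) to exercise permission merging.
SAMPLE_AUDIT_LOG = """\
type=PATH msg=audit(1120675555.415:78677): item=0 name="/sbin/ip"
type=AVC_PATH msg=audit(1120675555.415:78677):  path="/var/lib/shorewall/nat"
type=AVC msg=audit(1120675555.415:78677): avc:  denied  { read } for  pid=2430 comm="ip" name="nat" dev=hda2 ino=4406613 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:var_lib_t tclass=file
type=AVC msg=audit(1120675556.084:95462): avc:  denied  { write } for  pid=2641 comm="ip" name="flush" dev=proc ino=-268435296 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:sysctl_net_t tclass=file
type=PATH msg=audit(1120675555.879:90329): item=0 name="/sbin/ip"
type=AVC_PATH msg=audit(1120675555.879:90329): path="/tmp/shorewall.Gh1879/providers"
type=AVC msg=audit(1120675555.879:90329): avc:  denied  { read } for  pid=2588 comm="ip" name="providers" dev=hda2 ino=3068205 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:initrc_tmp_t tclass=file
type=AVC msg=audit(1120675557.101:90400): avc:  denied  { getattr } for  pid=2700 comm="ip" name="nat" dev=hda2 ino=4406613 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:var_lib_t tclass=file
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+'
    r'(?P<fields>.*)$'
)
AVC_PATH_RE = re.compile(
    r'type=AVC_PATH msg=audit\([\d.]+:(?P<serial>\d+)\):\s*path="(?P<path>[^"]*)"'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    """system_u:system_r:ifconfig_t[:level] -> ifconfig_t (third field)."""
    return context.split(':')[2]


def parse_avc(text):
    """Return one dict per type=AVC record in audit.log text.

    The path from an AVC_PATH record with the same audit serial is attached
    under 'path' (None when the kernel logged no path, as for the sysctl write).
    """
    paths = {}
    records = []
    for line in text.splitlines():
        m = AVC_PATH_RE.search(line)
        if m:
            paths[m.group('serial')] = m.group('path')
            continue
        m = AVC_RE.search(line)
        if not m:
            continue  # PATH, SYSCALL and other record types are not needed here
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
        records.append({
            'serial': m.group('serial'),
            'result': m.group('result'),
            'perms': set(m.group('perms').split()),
            'comm': fields.get('comm'),
            'name': fields.get('name'),
            'stype': _type_of(fields['scontext']),
            'ttype': _type_of(fields['tcontext']),
            'tclass': fields['tclass'],
        })
    for r in records:
        r['path'] = paths.get(r['serial'])
    return records


def aggregate_denials(records):
    """Merge denied permissions per (source type, target type, class)."""
    agg = defaultdict(set)
    for r in records:
        if r['result'] == 'denied':
            agg[(r['stype'], r['ttype'], r['tclass'])] |= r['perms']
    return dict(agg)


def allow_rules(agg):
    """Render the merged denials as allow rules, one per type pair and class."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(agg.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append('allow %s %s:%s %s;' % (stype, ttype, tclass, perm_text))
    return rules


def render_module(agg, name='local', version='1.0'):
    """Render a loadable-module .te: module header, a require block naming every
    type and class the rules reference, then the allow rules."""
    types = sorted({t for key in agg for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in agg.items():
        classes[tclass] |= perms
    lines = ['module %s %s;' % (name, version), '', 'require {']
    lines += ['\ttype %s;' % t for t in types]
    lines += ['\tclass %s { %s };' % (c, ' '.join(sorted(p)))
              for c, p in sorted(classes.items())]
    lines += ['}', ''] + allow_rules(agg)
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    denials = aggregate_denials(parse_avc(SAMPLE_AUDIT_LOG))
    print(render_module(denials))
```

The rules this produces are exactly as coarse as the ones in the thread, and as coarse as audit2allow's: `allow ifconfig_t sysctl_net_t:file write;` lets anything running as ifconfig_t write every file under /proc/sys/net, not just route/flush, and the initrc_tmp_t rule is there only because the script's temporary directory under /tmp was created by the init script. Treat the generated rules as a starting point to review, not as the fix.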