Getting back to selinux... :)

When using nat and multiple ISP providers on Shorewall 2.4.0, the following error is produced on boot with FC4:

Cannot open "/proc/sys/net/ipv4/route/flush

The box is running the latest update: selinux-policy-targeted-1.23.18-17.

Adding the following to local.te will fix it... but I don't want to have to install policy sources on my servers like I did with FC3:

allow ifconfig_t initrc_tmp_t:file read;
allow ifconfig_t sysctl_net_t:file write;
allow ifconfig_t var_lib_t:file read;

Best regards,
-Tom

-----------------------------------------------------------------------------
From /var/log/audit/audit.log:

type=PATH msg=audit(1120675555.415:78677): item=0 name="/sbin/ip"
type=AVC_PATH msg=audit(1120675555.415:78677): path="/var/lib/shorewall/nat"
type=AVC msg=audit(1120675555.415:78677): avc: denied { read } for pid=2430 comm="ip" name="nat" dev=hda2 ino=4406613 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:var_lib_t tclass=file

type=AVC msg=audit(1120675556.084:95462): avc: denied { write } for pid=2641 comm="ip" name="flush" dev=proc ino=-268435296 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:sysctl_net_t tclass=file

type=PATH msg=audit(1120675555.879:90329): item=0 name="/sbin/ip"
type=AVC_PATH msg=audit(1120675555.879:90329): path="/tmp/shorewall.Gh1879/providers"
type=AVC msg=audit(1120675555.879:90329): avc: denied { read } for pid=2588 comm="ip" name="providers" dev=hda2 ino=3068205 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:initrc_tmp_t tclass=file

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
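
How the three allow rules in the message above follow from its AVC records, as an added example that is not part of the original post or of any SELinux tool: each denial's source type, target type, class and permission map directly onto one allow statement. The names AVC_RE, context_type and denials_to_rules are hypothetical; SAMPLE_LOG holds records copied from the post, one per line.

```python
import re
from collections import defaultdict

# Records copied from the post above (one per line); the PATH and AVC_PATH
# records are included to show that only type=AVC lines are used.
SAMPLE_LOG = """\
type=PATH msg=audit(1120675555.415:78677): item=0 name="/sbin/ip"
type=AVC_PATH msg=audit(1120675555.415:78677): path="/var/lib/shorewall/nat"
type=AVC msg=audit(1120675555.415:78677): avc: denied { read } for pid=2430 comm="ip" name="nat" dev=hda2 ino=4406613 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:var_lib_t tclass=file
type=AVC msg=audit(1120675556.084:95462): avc: denied { write } for pid=2641 comm="ip" name="flush" dev=proc ino=-268435296 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:sysctl_net_t tclass=file
type=AVC msg=audit(1120675555.879:90329): avc: denied { read } for pid=2588 comm="ip" name="providers" dev=hda2 ino=3068205 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:initrc_tmp_t tclass=file
"""

# Hypothetical helper pattern: permissions in braces, then the two contexts and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)

def context_type(context):
    """Return the type field of a user:role:type[:range] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a security context: {context!r}")
    return parts[2]

def denials_to_rules(log_text):
    """Group AVC denials by (source type, target type, class) and emit allow rules."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        if not line.startswith("type=AVC "):  # skips PATH and AVC_PATH records
            continue
        match = AVC_RE.search(line)
        if match is None:
            continue
        key = (context_type(match["s"]), context_type(match["t"]), match["cls"])
        grouped[key].update(match["perms"].split())
    rules = []
    for (source, target, cls), perms in sorted(grouped.items()):
        ordered = sorted(perms)
        text = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
        rules.append(f"allow {source} {target}:{cls} {text};")
    return rules

if __name__ == "__main__":
    print("\n".join(denials_to_rules(SAMPLE_LOG)))
```

Each generated rule names exactly what ifconfig_t would gain, so the target types (var_lib_t, sysctl_net_t, initrc_tmp_t) are the part to review before loading anything into local.te.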