SELinux and Shorewall with IPSets

Problems combining these 2 to run while SELinux is in 'enforced' mode 
(policy running is the 'stock' targeted one supplied with FC13). I get 2 
audit alerts when Shorewall starts (and fails!) - see logs below. I have 
an x86_64 arch machine with FC13 running. Stock Shorewall is installed. 
IPSet (xtunnels) is compiled in (though with the 'stock' rpm I am 
getting the same errors).

The problem seems to be caused by the Shorewall init script (see further 
below). The relevant part of my syslog when SELinux is in enforced mode is:

=========SELinux=Enforcing================================
Jun 26 23:18:38 dev1 shorewall[2456]: Compiling...
Jun 26 23:18:38 dev1 kernel: type=1400 audit(1277590718.634:29543): avc:  denied  { create } for  pid=2577 comm="ipset" scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
Jun 26 23:18:38 dev1 kernel: type=1400 audit(1277590718.637:29544): avc:  denied  { create } for  pid=2579 comm="ipset" scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
Jun 26 23:18:38 dev1 shorewall[2456]: Compiling /etc/shorewall/zones...
Jun 26 23:18:38 dev1 shorewall[2456]: Compiling /etc/shorewall/interfaces...
Jun 26 23:18:38 dev1 shorewall[2456]: Determining Hosts in Zones...
Jun 26 23:18:38 dev1 shorewall[2456]: Preprocessing Action Files...
Jun 26 23:18:38 dev1 shorewall[2456]:    Pre-processing /usr/share/shorewall/action.Drop...
Jun 26 23:18:38 dev1 shorewall[2456]:    Pre-processing /usr/share/shorewall/action.Reject...
Jun 26 23:18:38 dev1 shorewall[2456]: Compiling /etc/shorewall/policy...
Jun 26 23:18:38 dev1 shorewall[2456]: Compiling /etc/shorewall/blacklist...
Jun 26 23:18:38 dev1 shorewall[2456]:    ERROR: ipset names in Shorewall configuration files require Ipset Match in your kernel and iptables : /etc/shorewall/blacklist (line 11)
Jun 26 23:18:38 dev1 shorewall[2456]:    ERROR: Shorewall start failed
==========================================================

When I switch SELinux to Permissive I get two further errors:

=========SELinux=Permissive===============================
Jun 26 23:32:45 dev1 kernel: type=1400 audit(1277591565.629:29551): avc:  denied  { create } for  pid=3799 comm="ipset" scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
Jun 26 23:32:45 dev1 kernel: type=1400 audit(1277591565.629:29552): avc:  denied  { getopt } for  pid=3799 comm="ipset" lport=255 scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
Jun 26 23:32:45 dev1 kernel: type=1400 audit(1277591565.629:29553): avc:  denied  { setopt } for  pid=3799 comm="ipset" lport=255 scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling /etc/shorewall/zones...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling /etc/shorewall/interfaces...
Jun 26 23:32:45 dev1 shorewall[3678]: Determining Hosts in Zones...
Jun 26 23:32:45 dev1 shorewall[3678]: Preprocessing Action Files...
Jun 26 23:32:45 dev1 shorewall[3678]:    Pre-processing /usr/share/shorewall/action.Drop...
Jun 26 23:32:45 dev1 shorewall[3678]:    Pre-processing /usr/share/shorewall/action.Reject...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling /etc/shorewall/policy...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling /etc/shorewall/blacklist...
Jun 26 23:32:45 dev1 shorewall[3678]: Adding Anti-smurf Rules
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling TCP Flags filtering...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling Kernel Route Filtering...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling Martian Logging...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling MAC Filtration -- Phase 1...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling /etc/shorewall/rules...
Jun 26 23:32:45 dev1 shorewall[3678]: Generating Transitive Closure of Used-action List...
Jun 26 23:32:45 dev1 shorewall[3678]: Processing /usr/share/shorewall/action.Reject for chain Reject...
Jun 26 23:32:45 dev1 shorewall[3678]: Processing /usr/share/shorewall/action.Drop for chain Drop...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling MAC Filtration -- Phase 2...
Jun 26 23:32:45 dev1 shorewall[3678]: Applying Policies...
Jun 26 23:32:45 dev1 shorewall[3678]: Generating Rule Matrix...
Jun 26 23:32:45 dev1 shorewall[3678]: Creating iptables-restore input...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling iptables-restore input for chains blacklst mangle:...
Jun 26 23:32:45 dev1 shorewall[3678]: Shorewall configuration compiled to /var/lib/shorewall/.start
Jun 26 23:32:45 dev1 shorewall[3678]: Starting Shorewall....
Jun 26 23:32:45 dev1 shorewall[3678]: Initializing...
Jun 26 23:32:46 dev1 kernel: u32 classifier
Jun 26 23:32:46 dev1 kernel: Performance counters on
Jun 26 23:32:46 dev1 kernel: input device check on
Jun 26 23:32:46 dev1 kernel: Actions configured
Jun 26 23:32:46 dev1 shorewall[3678]: Processing /etc/shorewall/init ...
Jun 26 23:32:46 dev1 shorewall[3678]: loading /etc/shorewall/ips/blacklist-x1.ips
Jun 26 23:32:46 dev1 shorewall[3678]: loading /etc/shorewall/ips/blacklist-x2.ips
Jun 26 23:32:46 dev1 shorewall[3678]: loading /etc/shorewall/ips/blacklist-z1.ips
Jun 26 23:32:47 dev1 shorewall[3678]: loading /etc/shorewall/ips/blacklist-z2.ips
Jun 26 23:32:49 dev1 shorewall[3678]: Processing /etc/shorewall/tcclear ...
Jun 26 23:32:49 dev1 shorewall[3678]: Setting up Route Filtering...
Jun 26 23:32:49 dev1 shorewall[3678]: Setting up Martian Logging...
Jun 26 23:32:49 dev1 shorewall[3678]: Setting up Proxy ARP...
Jun 26 23:32:49 dev1 shorewall[3678]: Setting up Traffic Control...
Jun 26 23:32:49 dev1 shorewall[3678]: Preparing iptables-restore input...
Jun 26 23:32:49 dev1 shorewall[3678]: Running /sbin/iptables-restore...
Jun 26 23:32:49 dev1 shorewall[3678]: IPv4 Forwarding Enabled
Jun 26 23:32:49 dev1 shorewall[3678]: Processing /etc/shorewall/start ...
Jun 26 23:32:49 dev1 shorewall[3678]: Processing /etc/shorewall/started ...
Jun 26 23:32:49 dev1 shorewall[3678]: Shorewall started
==========================================================

The problem seems to be caused by the shorewall init script, which is:

===========Shorewall init script==========================
# load the intermediate functional block device used by traffic shaping
modprobe ifb numifbs=1
ip link set dev ifb0 up

# configure the ipsets
sw_ips_mask='/etc/shorewall/ips/*.ips'
ipset_exec='/usr/sbin/ipset'
# Shorewall exports COMMAND to its extension scripts; only (re)build the
# sets on a full start
if [ "$COMMAND" = start ]; then
  "$ipset_exec" -F                   # flush every existing set
  "$ipset_exec" -X                   # then destroy them
  # expand the glob directly rather than parsing ls output
  for c in $sw_ips_mask; do
    [ -e "$c" ] || continue          # glob matched nothing
    echo "loading $c"
    "$ipset_exec" -R < "$c"          # restore the set from its saved dump
  done
fi
==========================================================

The above script executes /usr/sbin/ipset to create my IP Sets needed 
for running Shorewall (all IP set commands are contained in those *.ips 
files). These IP sets consist mainly of IP subnets which are part of my 
blacklists (banned IP subnets), though they also contain some IP Port 
sets as well.

I don't know why SELinux denies "create" (and then "getopt" and "setopt") 
on what seems to be a raw IP socket (IPSet does not use/need one as far 
as I know!). If I remove the IP Set part of the init script above and 
rearrange Shorewall to run without IPSets, all is well, though its 
functionality is VERY limited and barely useful to me!

Two questions to the SELinux gurus on here: 1) Why am I getting these 
alerts? and 2) How can I fix the problem so that I could run both 
Shorewall and IPSets with SELinux in Enforced mode?

This is important for me as this is a production server and a lot of 
stuff runs on it and needs to be available 24/7.

Many thanks in advance!
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
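Every denial in the two logs names the same subject and target type (shorewall_t, the domain the init script runs in), the same object class (rawip_socket) and the process comm="ipset"; lport=255 is IPPROTO_RAW, which fits ipset of that generation talking to its kernel module over a raw socket with setsockopt/getsockopt. The permissive run also shows why a policy module built from enforcing-mode logs alone would be too small: getopt and setopt only appear once the first create is no longer fatal. The Python script below is an added example, not part of the original post or of Shorewall or ipset. It re-joins the syslog records that the mail client wrapped, extracts each AVC denial and renders the minimal local Type Enforcement module that audit2allow would produce for them; the two log excerpts are the post's own lines embedded as test input, and the module name shorewall_ipset_local is an assumption.

```python
"""Build a minimal SELinux policy module (.te) from AVC denial lines.

Added example, not from the original post or from Shorewall/ipset. The two
log excerpts are copied from the post; the module name is an assumption.
"""
import re
from collections import defaultdict

# Sample input: the kernel audit lines from the post, as mailed (wrapped).
ENFORCING_LOG = """\
Jun 26 23:18:38 dev1 shorewall[2456]: Compiling...
Jun 26 23:18:38 dev1 kernel: type=1400 audit(1277590718.634:29543):
avc:  denied  { create } for  pid=2577 comm="ipset"
scontext=unconfined_u:system_r:shorewall_t:s0
tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
Jun 26 23:18:38 dev1 kernel: type=1400 audit(1277590718.637:29544):
avc:  denied  { create } for  pid=2579 comm="ipset"
scontext=unconfined_u:system_r:shorewall_t:s0
tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
Jun 26 23:18:38 dev1 shorewall[2456]:    ERROR: Shorewall start failed
"""

PERMISSIVE_LOG = """\
Jun 26 23:32:45 dev1 kernel: type=1400 audit(1277591565.629:29551):
avc:  denied  { create } for  pid=3799 comm="ipset"
scontext=unconfined_u:system_r:shorewall_t:s0
tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
Jun 26 23:32:45 dev1 kernel: type=1400 audit(1277591565.629:29552):
avc:  denied  { getopt } for  pid=3799 comm="ipset" lport=255
scontext=unconfined_u:system_r:shorewall_t:s0
tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
Jun 26 23:32:45 dev1 kernel: type=1400 audit(1277591565.629:29553):
avc:  denied  { setopt } for  pid=3799 comm="ipset" lport=255
scontext=unconfined_u:system_r:shorewall_t:s0
tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling /etc/shorewall/zones...
"""

# A syslog record starts with "Mon DD HH:MM:SS"; any other line is a wrapped tail.
TS_RE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")

# Fields of a type=1400 AVC record: permission set, comm, source/target context, class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?'
    r'comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)'
)


def join_wrapped(text):
    """Re-join syslog records that a mail client wrapped across several lines."""
    records = []
    for line in text.splitlines():
        if TS_RE.match(line):
            records.append(line.rstrip())
        elif records:
            records[-1] = records[-1] + " " + line.strip()
    return records


def parse_avc(text):
    """Return one dict per AVC denial found in the (possibly wrapped) log text."""
    denials = []
    for rec in join_wrapped(text):
        m = AVC_RE.search(rec)
        if not m:
            continue
        denials.append({
            "perms": set(m.group("perms").split()),
            "comm": m.group("comm"),
            # context is user:role:type:level; the type is what policy rules use
            "stype": m.group("scontext").split(":")[2],
            "ttype": m.group("tcontext").split(":")[2],
            "tclass": m.group("tclass"),
        })
    return denials


def collect_rules(denials):
    """Merge denials into {(source type, target type, class): set of permissions}."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(rules)


def render_te(module_name, rules):
    """Render the merged rules as a .te module in the shape audit2allow emits."""
    types = sorted({name for key in rules for name in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"module {module_name} 1.0;", "", "require {"]
    out += [f"    type {t};" for t in types]
    out += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if stype == ttype else ttype   # same type => 'self'
        out.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for label, log in (("enforcing", ENFORCING_LOG), ("permissive", PERMISSIVE_LOG)):
        print(f"--- module derived from the {label} log ---")
        print(render_te("shorewall_ipset_local", collect_rules(parse_avc(log))))
```

Run against the enforcing excerpt the module contains only `create`; run against the permissive excerpt it contains `allow shorewall_t self:rawip_socket { create getopt setopt };`, which is the rule to review before loading (it widens shorewall_t by raw-socket rights only, for a domain that already drives iptables). The standard build and load sequence for the rendered file is `checkmodule -M -m -o shorewall_ipset_local.mod shorewall_ipset_local.te`, `semodule_package -o shorewall_ipset_local.pp -m shorewall_ipset_local.mod` and `semodule -i shorewall_ipset_local.pp`; `audit2allow -M shorewall_ipset_local` over `ausearch -m avc -c ipset` output does the same from the audit log directly.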