SELinux and Shorewall with IPSets

Stephen Smalley sds at tycho.nsa.gov
Mon Jun 28 18:40:34 UTC 2010


On Sun, 2010-06-27 at 13:37 +0100, Mr Dash Four wrote:
> Problems combining these 2 to run while SELinux is in 'enforced' mode 
> (policy running is the 'stock' targeted one supplied with FC13). I get 2 
> audit alerts when Shorewall starts (and fails!) - see logs below. I have 
> x86_64 arch machine with FC13 running. Stock Shorewall is installed. 
> IPSet (xtunnels) is compiled in (though with the 'stock' rpm I am 
> getting the same errors).
> 
> The problem seems to be caused by the Shorewall init script (see further 
> below). The relevant part of my syslog when SELinux is in enforced mode is:
> 
> =========SELinux=Enforcing================================
> Jun 26 23:18:38 dev1 shorewall[2456]: Compiling...
> Jun 26 23:18:38 dev1 kernel: type=1400 audit(1277590718.634:29543): 
> avc:  denied  { create } for  pid=2577 comm="ipset" 
> scontext=unconfined_u:system_r:shorewall_t:s0 
> tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
> Jun 26 23:18:38 dev1 kernel: type=1400 audit(1277590718.637:29544): 
> avc:  denied  { create } for  pid=2579 comm="ipset" 
> scontext=unconfined_u:system_r:shorewall_t:s0 
> tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
> Jun 26 23:18:38 dev1 shorewall[2456]: Compiling /etc/shorewall/zones...
> Jun 26 23:18:38 dev1 shorewall[2456]: Compiling /etc/shorewall/interfaces...
> Jun 26 23:18:38 dev1 shorewall[2456]: Determining Hosts in Zones...
> Jun 26 23:18:38 dev1 shorewall[2456]: Preprocessing Action Files...
> Jun 26 23:18:38 dev1 shorewall[2456]:    Pre-processing 
> /usr/share/shorewall/action.Drop...
> Jun 26 23:18:38 dev1 shorewall[2456]:    Pre-processing 
> /usr/share/shorewall/action.Reject...
> Jun 26 23:18:38 dev1 shorewall[2456]: Compiling /etc/shorewall/policy...
> Jun 26 23:18:38 dev1 shorewall[2456]: Compiling /etc/shorewall/blacklist...
> Jun 26 23:18:38 dev1 shorewall[2456]:    ERROR: ipset names in Shorewall 
> configuration files require Ipset Match in your kernel and iptables : 
> /etc/shorewall/blacklist (line 11)
> Jun 26 23:18:38 dev1 shorewall[2456]:    ERROR: Shorewall start failed
> ==========================================================
> 
> When I switch SELinux to Permissive I get two further errors:
> 
> =========SELinux=Permissive===============================
> Jun 26 23:32:45 dev1 kernel: type=1400 audit(1277591565.629:29551): 
> avc:  denied  { create } for  pid=3799 comm="ipset" 
> scontext=unconfined_u:system_r:shorewall_t:s0 
> tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
> Jun 26 23:32:45 dev1 kernel: type=1400 audit(1277591565.629:29552): 
> avc:  denied  { getopt } for  pid=3799 comm="ipset" lport=255 
> scontext=unconfined_u:system_r:shorewall_t:s0 
> tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
> Jun 26 23:32:45 dev1 kernel: type=1400 audit(1277591565.629:29553): 
> avc:  denied  { setopt } for  pid=3799 comm="ipset" lport=255 
> scontext=unconfined_u:system_r:shorewall_t:s0 
> tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
> Jun 26 23:32:45 dev1 shorewall[3678]: Compiling /etc/shorewall/zones...
> Jun 26 23:32:45 dev1 shorewall[3678]: Compiling /etc/shorewall/interfaces...
> Jun 26 23:32:45 dev1 shorewall[3678]: Determining Hosts in Zones...
> Jun 26 23:32:45 dev1 shorewall[3678]: Preprocessing Action Files...
> Jun 26 23:32:45 dev1 shorewall[3678]:    Pre-processing 
> /usr/share/shorewall/action.Drop...
> Jun 26 23:32:45 dev1 shorewall[3678]:    Pre-processing 
> /usr/share/shorewall/action.Reject...
> Jun 26 23:32:45 dev1 shorewall[3678]: Compiling /etc/shorewall/policy...
> Jun 26 23:32:45 dev1 shorewall[3678]: Compiling /etc/shorewall/blacklist...
> Jun 26 23:32:45 dev1 shorewall[3678]: Adding Anti-smurf Rules
> Jun 26 23:32:45 dev1 shorewall[3678]: Compiling TCP Flags filtering...
> Jun 26 23:32:45 dev1 shorewall[3678]: Compiling Kernel Route Filtering...
> Jun 26 23:32:45 dev1 shorewall[3678]: Compiling Martian Logging...
> Jun 26 23:32:45 dev1 shorewall[3678]: Compiling MAC Filtration -- Phase 1...
> Jun 26 23:32:45 dev1 shorewall[3678]: Compiling /etc/shorewall/rules...
> Jun 26 23:32:45 dev1 shorewall[3678]: Generating Transitive Closure of 
> Used-action List...
> Jun 26 23:32:45 dev1 shorewall[3678]: Processing 
> /usr/share/shorewall/action.Reject for chain Reject...
> Jun 26 23:32:45 dev1 shorewall[3678]: Processing 
> /usr/share/shorewall/action.Drop for chain Drop...
> Jun 26 23:32:45 dev1 shorewall[3678]: Compiling MAC Filtration -- Phase 2...
> Jun 26 23:32:45 dev1 shorewall[3678]: Applying Policies...
> Jun 26 23:32:45 dev1 shorewall[3678]: Generating Rule Matrix...
> Jun 26 23:32:45 dev1 shorewall[3678]: Creating iptables-restore input...
> Jun 26 23:32:45 dev1 shorewall[3678]: Compiling iptables-restore input 
> for chains blacklst mangle:...
> Jun 26 23:32:45 dev1 shorewall[3678]: Shorewall configuration compiled 
> to /var/lib/shorewall/.start
> Jun 26 23:32:45 dev1 shorewall[3678]: Starting Shorewall....
> Jun 26 23:32:45 dev1 shorewall[3678]: Initializing...
> Jun 26 23:32:46 dev1 kernel: u32 classifier
> Jun 26 23:32:46 dev1 kernel: Performance counters on
> Jun 26 23:32:46 dev1 kernel: input device check on
> Jun 26 23:32:46 dev1 kernel: Actions configured
> Jun 26 23:32:46 dev1 shorewall[3678]: Processing /etc/shorewall/init ...
> Jun 26 23:32:46 dev1 shorewall[3678]: loading 
> /etc/shorewall/ips/blacklist-x1.ips
> Jun 26 23:32:46 dev1 shorewall[3678]: loading 
> /etc/shorewall/ips/blacklist-x2.ips
> Jun 26 23:32:46 dev1 shorewall[3678]: loading 
> /etc/shorewall/ips/blacklist-z1.ips
> Jun 26 23:32:47 dev1 shorewall[3678]: loading 
> /etc/shorewall/ips/blacklist-z2.ips
> Jun 26 23:32:49 dev1 shorewall[3678]: Processing /etc/shorewall/tcclear ...
> Jun 26 23:32:49 dev1 shorewall[3678]: Setting up Route Filtering...
> Jun 26 23:32:49 dev1 shorewall[3678]: Setting up Martian Logging...
> Jun 26 23:32:49 dev1 shorewall[3678]: Setting up Proxy ARP...
> Jun 26 23:32:49 dev1 shorewall[3678]: Setting up Traffic Control...
> Jun 26 23:32:49 dev1 shorewall[3678]: Preparing iptables-restore input...
> Jun 26 23:32:49 dev1 shorewall[3678]: Running /sbin/iptables-restore...
> Jun 26 23:32:49 dev1 shorewall[3678]: IPv4 Forwarding Enabled
> Jun 26 23:32:49 dev1 shorewall[3678]: Processing /etc/shorewall/start ...
> Jun 26 23:32:49 dev1 shorewall[3678]: Processing /etc/shorewall/started ...
> Jun 26 23:32:49 dev1 shorewall[3678]: Shorewall started
> ==========================================================
> 
> The problem seems to be caused by the shorewall init script, which is:
> 
> ===========Shorewall init script==========================
> modprobe ifb numifbs=1
> ip link set dev ifb0 up
> 
> # configure the ipsets
> sw_ips_mask='/etc/shorewall/ips/*.ips'
> ipset_exec='/usr/sbin/ipset'
> if [ "$COMMAND" = start ]; then
>   $ipset_exec -F
>   $ipset_exec -X
>   for c in `/bin/ls $sw_ips_mask 2>/dev/null`; do
>     echo loading $c
>     $ipset_exec -R < $c
>   done
> fi
> ==========================================================
> 
> The above script executes /usr/sbin/ipset to create my IP Sets needed 
> for running Shorewall (all IP set commands are contained in those *.ips 
> files). These IP sets consist mainly of IP subnets which are part of my 
> blacklists (banned IP subnets), though they also contain some IP Port 
> sets as well.
> 
> Don't know why SELinux denies "create" (and then "getopt" and "setopt") 
> on a, what seems to be, raw ip socket (IPSet do not use/need one as far 
> as I know!)? If I remove the IP Set part of the init script above and 
> rearrange Shorewall to run without IPSets all is well, though its 
> functionality is VERY limited and barely useful to me!
> 
> Two questions to the SELinux gurus on here: 1) Why am I getting these 
> alerts? and 2) How can I fix the problem so that I could run both 
> Shorewall and IPSets with SELinux in Enforced mode?
> 
> This is important for me as this is a production server and a lot of 
> stuff runs on it and needs to be available 24/7.

ipset does appear to create and use a raw IP socket based on a quick
look at its source code.  You could have also confirmed that by
strace'ing it or enabling syscall audit.

ipset isn't part of Fedora, right?  You just built and installed it from
source?

I think it might be easiest to just label it the same as iptables and
then shorewall will transition to iptables_t which already has raw IP
socket access as well as other related permissions.  That will be better
too in that you don't need to directly allow shorewall or anything else
it runs in-domain to have those permissions.

semanage fcontext -a -t iptables_exec_t /path/to/ipset
restorecon -v /path/to/ipset

-- 
Stephen Smalley
National Security Agency
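An added triage helper, not part of the thread or of the SELinux/Shorewall projects: it parses the AVC lines quoted above, groups the denied permissions by (comm, source domain, object class), shows which permissions only surfaced once the box was switched to permissive (in enforcing mode the first denial killed ipset, so getopt/setopt never appeared), and emits the relabel commands Stephen suggests for the path the quoted init script uses. The sample lines are the thread's own audit records with the syslog line wrap rejoined; the ipset path /usr/sbin/ipset is taken from the quoted script and is an assumption for any other system.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records quoted in the thread, with the
# two-line syslog wrapping joined back into one record each.
ENFORCING_AVCS = [
    'Jun 26 23:18:38 dev1 kernel: type=1400 audit(1277590718.634:29543): '
    'avc:  denied  { create } for  pid=2577 comm="ipset" '
    'scontext=unconfined_u:system_r:shorewall_t:s0 '
    'tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket',
    'Jun 26 23:18:38 dev1 kernel: type=1400 audit(1277590718.637:29544): '
    'avc:  denied  { create } for  pid=2579 comm="ipset" '
    'scontext=unconfined_u:system_r:shorewall_t:s0 '
    'tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket',
]
PERMISSIVE_AVCS = [
    'Jun 26 23:32:45 dev1 kernel: type=1400 audit(1277591565.629:29551): '
    'avc:  denied  { create } for  pid=3799 comm="ipset" '
    'scontext=unconfined_u:system_r:shorewall_t:s0 '
    'tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket',
    'Jun 26 23:32:45 dev1 kernel: type=1400 audit(1277591565.629:29552): '
    'avc:  denied  { getopt } for  pid=3799 comm="ipset" lport=255 '
    'scontext=unconfined_u:system_r:shorewall_t:s0 '
    'tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket',
    'Jun 26 23:32:45 dev1 kernel: type=1400 audit(1277591565.629:29553): '
    'avc:  denied  { setopt } for  pid=3799 comm="ipset" lport=255 '
    'scontext=unconfined_u:system_r:shorewall_t:s0 '
    'tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket',
]

# "avc:  denied  { perm perm } for  key=value key="value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    # A context is user:role:type:level; the type is what policy rules key on.
    rec["sdomain"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(lines):
    """Group denied permissions by (comm, source domain, object class)."""
    summary = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            summary[(rec["comm"], rec["sdomain"], rec["tclass"])].update(rec["perms"])
    return dict(summary)


def only_seen_permissive(enforcing_lines, permissive_lines):
    """Permissions the enforcing run never reached because the first denial failed the tool."""
    enf, perm = summarize(enforcing_lines), summarize(permissive_lines)
    return {key: perms - enf.get(key, set()) for key, perms in perm.items()
            if perms - enf.get(key, set())}


def suggest_relabel(summary, ipset_path):
    """Emit Stephen's fix when ipset, run in-domain by shorewall_t, is denied raw IP socket access:
    label the binary like iptables so shorewall_t transitions to iptables_t."""
    for (comm, domain, tclass) in summary:
        if comm == "ipset" and domain == "shorewall_t" and tclass == "rawip_socket":
            return [f"semanage fcontext -a -t iptables_exec_t {ipset_path}",
                    f"restorecon -v {ipset_path}"]
    return []


if __name__ == "__main__":
    for key, perms in summarize(PERMISSIVE_AVCS).items():
        print(key, sorted(perms))
    print("hidden in enforcing mode:", only_seen_permissive(ENFORCING_AVCS, PERMISSIVE_AVCS))
    for cmd in suggest_relabel(summarize(PERMISSIVE_AVCS), "/usr/sbin/ipset"):  # path assumed
        print(cmd)
```

The permissive-mode comparison is the practical lesson here: a single denial in enforcing mode only shows the first operation that failed, so a fix derived from it alone (allowing just create) would leave getopt and setopt to fail on the next run. Relabeling the binary so it runs in iptables_t sidesteps that whole iteration, since that domain already carries the raw socket permissions.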
