SELinux and Shorewall with IPSets

Mr Dash Four mr.dash.four at googlemail.com
Tue Jun 29 21:56:19 UTC 2010


> So I'm curious as to why this isn't working for you.  Did the restorecon
> command in fact change the label of the program to iptables_exec_t?  Did
> you get the same AVC message as before?
>   
OK, I did the following after "semanage fcontext -a -t iptables_exec_t 
/usr/sbin/ipset" and "restorecon -v /usr/sbin/ipset":

[root at dev1 ~]# sesearch --type -s shorewall_t -t iptables_exec_t
Found 1 semantic te rules:
   type_transition shorewall_t iptables_exec_t : process iptables_t;

[root at dev1 ~]# ls -lasZ /usr/sbin/ipset
-rwxr-xr-x. root root system_u:object_r:iptables_exec_t:s0 /usr/sbin/ipset

[root at dev1 ~]# service shorewall start
Starting Shorewall:                                        [FAILED]

==============syslog========================================================
Jun 29 22:42:01 dev1 shorewall[2667]: Compiling...
Jun 29 22:42:02 dev1 kernel: type=1400 audit(1277847722.204:30394): 
avc:  denied  { create } for  pid=2790 comm="ipset" 
scontext=unconfined_u:system_r:shorewall_t:s0 
tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
Jun 29 22:42:02 dev1 kernel: type=1400 audit(1277847722.207:30395): 
avc:  denied  { create } for  pid=2792 comm="ipset" 
scontext=unconfined_u:system_r:shorewall_t:s0 
tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
Jun 29 22:42:02 dev1 shorewall[2667]: Compiling /etc/shorewall/zones...
Jun 29 22:42:02 dev1 shorewall[2667]: Compiling /etc/shorewall/interfaces...
Jun 29 22:42:02 dev1 shorewall[2667]: Determining Hosts in Zones...
Jun 29 22:42:02 dev1 shorewall[2667]: Preprocessing Action Files...
Jun 29 22:42:02 dev1 shorewall[2667]:    Pre-processing 
/usr/share/shorewall/action.Drop...
Jun 29 22:42:02 dev1 shorewall[2667]:    Pre-processing 
/usr/share/shorewall/action.Reject...
Jun 29 22:42:02 dev1 shorewall[2667]: Compiling /etc/shorewall/policy...
Jun 29 22:42:02 dev1 shorewall[2667]: Compiling /etc/shorewall/blacklist...
Jun 29 22:42:02 dev1 shorewall[2667]:    ERROR: ipset names in Shorewall 
configuration files require Ipset Match in your kernel and iptables : 
/etc/shorewall/blacklist (line 11)
Jun 29 22:42:02 dev1 shorewall[2667]:    ERROR:Shorewall start failed
================================================================================


So, as you can see, it clearly does NOT work for some reason! Applying my 
own/patched policy module (myshorewall.pp) does the trick. Any suggestions?
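Added example, not part of the original mail or of the Shorewall/SELinux policy: a POSIX sh snippet that reads AVC lines like the ones in the syslog excerpt and reports whether ipset actually executed in the domain its type_transition rule targets (iptables_t) or stayed in the caller's domain (shorewall_t). The two AVC lines are reused as a constructed sample; the sesearch commands in the comments assume setools is installed and are meant to be run by hand.

```shell
#!/bin/sh
# Added example, not part of the original mail. Reads AVC denial lines and
# reports whether a helper (here ipset) actually executed in the domain its
# type_transition rule targets. If it is still in the caller's domain, the
# transition never fired, and a type_transition rule alone is not enough:
# the source domain also needs "execute" on the file type, the target domain
# needs "entrypoint" on it, and the source needs "transition" to the target.
# sesearch --type (as used in the mail) only lists type_transition rules;
# the allow rules are checked with e.g. (assumes setools is installed):
#   sesearch -A -s shorewall_t -t iptables_exec_t -c file -p execute
#   sesearch -A -s iptables_t   -t iptables_exec_t -c file -p entrypoint
#   sesearch -A -s shorewall_t -t iptables_t       -c process -p transition

# Constructed sample: the two AVC lines from the syslog excerpt, unwrapped.
AVC_SAMPLE='type=1400 audit(1277847722.204:30394): avc:  denied  { create } for  pid=2790 comm="ipset" scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
type=1400 audit(1277847722.207:30395): avc:  denied  { create } for  pid=2792 comm="ipset" scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket'

# Print the unique source domains (type part of scontext) of every AVC
# line on stdin whose comm matches $1.
avc_domains() {
  grep "comm=\"$1\"" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p' | sort -u
}

# transition_ok COMM EXPECTED_DOMAIN  (AVC lines on stdin)
# Returns 0 if every AVC for COMM shows it in EXPECTED_DOMAIN, 1 if it ran
# somewhere else, 2 if the log has no AVC lines for COMM at all.
transition_ok() {
  comm=$1
  expected=$2
  domains=$(avc_domains "$comm")
  [ -n "$domains" ] || return 2
  for d in $domains; do
    if [ "$d" != "$expected" ]; then
      echo "$comm ran in domain $d, expected $expected: no transition" >&2
      return 1
    fi
  done
  return 0
}

# Stand-alone run against the sample: ipset should be in iptables_t after
# the type_transition, but the AVCs show shorewall_t.
if printf '%s\n' "$AVC_SAMPLE" | transition_ok ipset iptables_t; then
  echo "domain transition to iptables_t happened"
else
  echo "ipset did not transition; check the allow rules listed above"
fi
```

Feed it `ausearch -m avc -c ipset --raw` output on a real box to check the same thing against the live log.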

