bugzilla-daemon at bugzilla.netfilter.org
2012-Nov-19 04:19 UTC
[Bug 802] New: Lack of error feedback on SELinux denial
http://bugzilla.netfilter.org/show_bug.cgi?id=802

           Summary: Lack of error feedback on SELinux denial
           Product: ipset
           Version: unspecified
          Platform: x86_64
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: default
        AssignedTo: netfilter-buglog at lists.netfilter.org
        ReportedBy: bochecha at fedoraproject.org
   Estimated Hours: 0.0

I recently had a bug report submitted for my ipset package in Fedora:
https://bugzilla.redhat.com/show_bug.cgi?id=873925

The problem was caused by the SELinux policy being too strict, which was fixed since then.

However, figuring out the problem was made harder because ipset was not returning any error message, it just failed silently.

It would be nice if ipset could have let the user know it couldn't execute the request properly. For example, other tools will usually output a "permission denied" error message when being blocked by SELinux.

--
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching all bug changes.
bugzilla-daemon at bugzilla.netfilter.org
2012-Nov-20 20:27 UTC
[Bug 802] Lack of error feedback on SELinux denial
http://bugzilla.netfilter.org/show_bug.cgi?id=802

Jozsef Kadlecsik <kadlec at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kadlec at netfilter.org

--- Comment #1 from Jozsef Kadlecsik <kadlec at netfilter.org> 2012-11-20 21:27:29 CET ---
As far as I see, both the libmnl library and ipset itself check the error codes of the function calls in question. As I do not have SELinux installed and configured, could you somehow provide more data? For example replace ipset with a script which calls the real ipset wrapped in strace.
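One way to collect the data requested in comment #1, as an added example that is not part of the thread or of ipset itself: a wrapper that runs the real ipset under strace and a helper that pulls permission failures out of the resulting log. The paths in `REAL_IPSET` and `TRACE_DIR`, the function names, and the sample trace lines are assumptions constructed for illustration; which syscall actually failed in the reported bug is not stated in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Install as "ipset" ahead of the real
# binary in PATH. REAL_IPSET and TRACE_DIR are assumed locations.
REAL_IPSET="${REAL_IPSET:-/usr/sbin/ipset.real}"
TRACE_DIR="${TRACE_DIR:-/var/tmp/ipset-trace}"

# Run the real ipset under strace, one log per invocation, and hand back
# the exit status of ipset itself (strace exits with the tracee's status).
run_traced() {
    mkdir -p "$TRACE_DIR" || return 1
    log="$TRACE_DIR/ipset.$(date +%Y%m%dT%H%M%S).$$.log"
    strace -f -tt -o "$log" "$REAL_IPSET" "$@"
    status=$?
    echo "ipset-wrapper: exit=$status trace=$log" >&2
    return "$status"
}

# Print the syscalls in a trace log that failed with EACCES or EPERM.
find_denials() {
    grep -E '= -1 (EACCES|EPERM) ' "$1"
}

# Number of such failed syscalls in a trace log.
count_denials() {
    find_denials "$1" | wc -l | tr -d ' '
}

# Constructed sample of "strace -f -tt -o" output, for trying find_denials
# without SELinux; it is not a trace from the reported bug.
constructed_sample() {
    cat <<'EOF'
4242 21:27:29.000101 execve("/usr/sbin/ipset.real", ["ipset", "list"], 0x7ffd0 /* 20 vars */) = 0
4242 21:27:29.000950 socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER) = -1 EACCES (Permission denied)
4242 21:27:29.001200 exit_group(1) = ?
EOF
}

# Act as the wrapper only when invoked under the name "ipset".
case "${0##*/}" in
    ipset) run_traced "$@"; exit $? ;;
esac
```

Comparing the wrapper's reported exit status with what `find_denials` prints for the same log shows whether a failed syscall was followed by a zero exit and no message, which is the silent failure the report describes.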