I am running Fedora Core 4 with SELinux enabled. When I start Shorewall with SELinux enabled I get an error:

Cannot open /proc/sys/net/ipv4/route/flush

It does not appear to be a major issue. Just that shorewall is unable to flush the firewall rules before starting. I can get around it by stopping SELinux and then re-enabling it after I restart shorewall. Curious how you guys are working with it. Have you taken the time to modify the SELinux policy to allow shorewall to flush the firewall or are you just ignoring the error. If there is already a thread on this I apologize. I couldn't find it.

Nathan

-------------------------------------------------------
This SF.Net email is sponsored by the 'Do More With Dual!' webinar happening July 14 at 8am PDT/11am EDT. We invite you to explore the latest in dual core and dual graphics technology at this free one hour event hosted by HP, AMD, and NVIDIA. To register visit http://www.hp.com/go/dualwebinar
On 7/11/05, ngehman@aimint.net <ngehman@aimint.net> wrote:
> When I start Shorewall with SELinux enabled I get an error
> Cannot open /proc/sys/net/ipv4/route/flush
> Curious how you guys are working with it. Have you taken
> the time to modify the SELinux policy to allow shorewall
> to flush the firewall or are you just ignoring the error.

This seems to be an issue with temporary files that are created when using nat, providers and possibly other shorewall features. I've submitted this problem to the fedora-selinux list. They're waiting for me to extract the problem lines from the Shorewall scripts so they can address the underlying cause.

If you don't want to manually toggle selinux when starting shorewall, you can add an exemption via local.te. Unfortunately this requires the policy sources to be present on the machine. The best solution will be to get the native policy fixed... and the Fedora-selinux developers seem to be willing to do that. I'll keep the list informed of any developments.

-Tom
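A way to keep the local.te exemption Tom mentions narrow, as an added example that is not from this thread or from Shorewall: it parses SELinux AVC denial records (constructed sample lines; the initrc_t and sysctl_net_t contexts are assumptions) and reports the source domain, target type, class and permissions that were actually denied for the file Shorewall cannot open, which is exactly what an allow rule has to name.

```shell
#!/bin/sh
# Added example, not code from the thread or from Shorewall: summarise the SELinux
# AVC denials that mention the file Shorewall fails to open, so that any local.te
# exemption names only the domain, type, class and permissions actually denied
# instead of SELinux being toggled off around every restart.
# The records below are constructed samples in audit.log format; on a real FC4
# box pipe /var/log/audit/audit.log (or dmesg output) into the functions instead.
# Assumed contexts: Shorewall running in initrc_t at boot, /proc/sys/net labelled
# sysctl_net_t.

SAMPLE_AVC='type=AVC msg=audit(1121100000.001:100): avc:  denied  { write } for  pid=1234 comm="shorewall" name="flush" dev=proc ino=4026531842 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:sysctl_net_t tclass=file
type=AVC msg=audit(1121100000.002:101): avc:  denied  { read } for  pid=1234 comm="shorewall" name="flush" dev=proc ino=4026531842 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:sysctl_net_t tclass=file
type=AVC msg=audit(1121100000.003:102): avc:  denied  { write } for  pid=1300 comm="sshd" name="unrelated" scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:etc_t tclass=file'

# Read AVC records on stdin; print "scontext tcontext tclass perms" for each
# denial whose object name matches $1 (default "flush"), deduplicated.
summarize_denials() {
    awk -v want="${1:-flush}" '
        /avc: +denied/ {
            perm = ""; sctx = ""; tctx = ""; cls = ""; obj = ""; inperm = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "{") { inperm = 1; continue }   # permission set opens
                if ($i == "}") { inperm = 0; continue }   # and closes
                if (inperm) { perm = (perm == "" ? $i : perm " " $i); continue }
                if ($i ~ /^name=/)     { obj = substr($i, 6); gsub("\"", "", obj) }
                if ($i ~ /^scontext=/) { sctx = substr($i, 10) }
                if ($i ~ /^tcontext=/) { tctx = substr($i, 10) }
                if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            }
            if (obj == want) print sctx, tctx, cls, perm
        }' | sort -u
}

# Reduce that to the "source domain  target type" pairs an allow rule must name.
denied_pairs() {
    summarize_denials "$1" | awk '{ split($1, s, ":"); split($2, t, ":"); print s[3], t[3] }' | sort -u
}

printf '%s\n' "$SAMPLE_AVC" | summarize_denials
printf '%s\n' "$SAMPLE_AVC" | denied_pairs
```

Unrelated denials (the sshd line in the sample) are filtered out by object name, so the summary only covers the flush file the thread is about.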
Thanks, I will just start and stop the SELinux until the fix is out. It is a server so I don't reboot it very often.

Nathan

On Mon, 11 Jul 2005 12:57:21 -0600 Tom Lisjac <netdxr@gmail.com> wrote:
> On 7/11/05, ngehman@aimint.net <ngehman@aimint.net> wrote:
>
>> When I start Shorewall with SELinux enabled I get an error
>> Cannot open /proc/sys/net/ipv4/route/flush
>
>> Curious how you guys are working with it. Have you taken
>> the time to modify the SELinux policy to allow shorewall
>> to flush the firewall or are you just ignoring the error.
>
> This seems to be an issue with temporary files that are created when
> using nat, providers and possibly other shorewall features. I've
> submitted this problem to the fedora-selinux list. They're waiting for
> me to extract the problem lines from the Shorewall scripts so they can
> address the underlying cause.
>
> If you don't want to manually toggle selinux when starting shorewall,
> you can add an exemption via local.te. Unfortunately this requires the
> policy sources to be present on the machine. The best solution will be
> to get the native policy fixed... and the Fedora-selinux developers
> seem to be willing to do that. I'll keep the list informed of any
> developments.
>
> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
Any updates/development on this? I have been off list for a while and browsed through. Didn't notice any but thought I'd check in case I missed it.

Nathan

On Mon, 11 Jul 2005 12:57:21 -0600 Tom Lisjac <netdxr@gmail.com> wrote:
> On 7/11/05, ngehman@aimint.net <ngehman@aimint.net> wrote:
>
>> When I start Shorewall with SELinux enabled I get an error
>> Cannot open /proc/sys/net/ipv4/route/flush
>
>> Curious how you guys are working with it. Have you taken
>> the time to modify the SELinux policy to allow shorewall
>> to flush the firewall or are you just ignoring the error.
>
> This seems to be an issue with temporary files that are created when
> using nat, providers and possibly other shorewall features. I've
> submitted this problem to the fedora-selinux list. They're waiting for
> me to extract the problem lines from the Shorewall scripts so they can
> address the underlying cause.
>
> If you don't want to manually toggle selinux when starting shorewall,
> you can add an exemption via local.te. Unfortunately this requires the
> policy sources to be present on the machine. The best solution will be
> to get the native policy fixed... and the Fedora-selinux developers
> seem to be willing to do that. I'll keep the list informed of any
> developments.
>
> -Tom

-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO, September 19-22, 2005, San Francisco, CA. Development Lifecycle Practices: Agile & Plan-Driven Development, Managing Projects & Teams, Testing & QA, Security, Process Improvement & Measurement. http://www.sqe.com/bsce5sf
On 9/2/05, ngehman@aimint.net <ngehman@aimint.net> wrote:
>
> Any updates/development on this? I have been off list
> for a while and browsed through. Didn't notice any but
> thought I'd check in case I missed it.
>
> On Mon, 11 Jul 2005 12:57:21 -0600
> Tom Lisjac <netdxr@gmail.com> wrote:
> > On 7/11/05, ngehman@aimint.net <ngehman@aimint.net> wrote:
> >
> >> When I start Shorewall with SELinux enabled I get an error
> >> Cannot open /proc/sys/net/ipv4/route/flush
> >
> > This seems to be an issue with temporary files that are created when
> > using nat, providers and possibly other shorewall features. I've
> > submitted this problem to the fedora-selinux list.

I've only seen this problem come up at boot time when Shorewall is executed in the initrc_t domain. Restarting as root with the targeted policy doesn't present the error... so in the grand scheme of things, it dropped off my list of immediate concerns. The folks on the SELinux list have had their hands full with a lot of other serious FC4 issues, so I've held off re-submitting this one.

-Tom