When using nat and the new 2.4.0 providers functionality, the
following error is produced on boot with FC4:
Cannot open "/proc/sys/net/ipv4/route/flush
The box is running the latest update: selinux-policy-targeted-1.23.18-17
From /var/log/audit/audit.log:
type=PATH msg=audit(1120675555.415:78677): item=0 name="/sbin/ip"
type=AVC_PATH msg=audit(1120675555.415:78677): path="/var/lib/shorewall/nat"
type=AVC msg=audit(1120675555.415:78677): avc: denied { read } for pid=2430 comm="ip" name="nat" dev=hda2 ino=4406613 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:var_lib_t tclass=file
type=AVC msg=audit(1120675556.084:95462): avc: denied { write } for pid=2641 comm="ip" name="flush" dev=proc ino=-268435296 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:sysctl_net_t tclass=file
type=PATH msg=audit(1120675555.879:90329): item=0 name="/sbin/ip"
type=AVC_PATH msg=audit(1120675555.879:90329): path="/tmp/shorewall.Gh1879/providers"
type=AVC msg=audit(1120675555.879:90329): avc: denied { read } for pid=2588 comm="ip" name="providers" dev=hda2 ino=3068205 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:initrc_tmp_t tclass=file
Adding the following to the local.te will fix this, but I'd rather not
alter the provided policy:
allow ifconfig_t initrc_tmp_t:file read;
allow ifconfig_t sysctl_net_t:file write;
allow ifconfig_t var_lib_t:file read;
If there are any selinux policy gurus on the list, can you suggest a
secure code fix or workaround? If not, I'll post this to the
fedora-selinux mailing list and see if anyone there can shed some
light on this.
Best regards,
-Tom
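As an added illustration (not part of the post above, and not shorewall's or SELinux's own tooling), the following Python does by hand what audit2allow does: it parses the AVC records quoted in the post and groups the denied permissions per source type, target type and class into the same three allow statements Tom derived. The AUDIT_LOG text is copied from the post; the regex and grouping logic are this example's own.

```python
"""Derive candidate SELinux allow rules from AVC denial records (audit2allow-style)."""
import re
from collections import defaultdict

# The three AVC records quoted in the post, one record per line (constructed input).
AUDIT_LOG = """\
type=AVC msg=audit(1120675555.415:78677): avc: denied { read } for pid=2430 comm="ip" name="nat" dev=hda2 ino=4406613 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:var_lib_t tclass=file
type=AVC msg=audit(1120675556.084:95462): avc: denied { write } for pid=2641 comm="ip" name="flush" dev=proc ino=-268435296 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:sysctl_net_t tclass=file
type=AVC msg=audit(1120675555.879:90329): avc: denied { read } for pid=2588 comm="ip" name="providers" dev=hda2 ino=3068205 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:initrc_tmp_t tclass=file
"""

# Matches the denied permission set, both security contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)"
)


def parse_avc(log_text):
    """Return {(source_type, target_type, tclass): set(of denied perms)}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # PATH / AVC_PATH records carry no denial
        # A context is user:role:type[:level]; the type is the third field.
        stype = m.group("scontext").split(":")[2]
        ttype = m.group("tcontext").split(":")[2]
        key = (stype, ttype, m.group("tclass"))
        rules[key].update(m.group("perms").split())
    return rules


def to_te(rules):
    """Render grouped denials as sorted .te allow statements."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return out


if __name__ == "__main__":
    for rule in to_te(parse_avc(AUDIT_LOG)):
        print(rule)
```

Each generated rule grants ifconfig_t the permission on every file labelled with that target type (all of var_lib_t, all of sysctl_net_t), not only the shorewall files named in the denials, so the rules are wider than the denials that produced them.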