Hey folks-

I am setting up a shorewall6-only config to firewall my HE tunnel. The system is a CentOS 6.0 VM (running on Hyper-V but that's not the problem here.)

Shorewall6 runs just fine when I "su" and then launch it manually with "shorewall6 start" - no problems, everything behaves exactly as intended, and all the firewall behavior is exactly as I want it to be. So with all that initial config taken care of (much experimentation required) I moved on to trying to get it to start at boot automatically.

However, when I try to launch it instead by putting shorewall6 start into /etc/rc.d/rc.local, it fails, and the log only shows me this:

    [root@ipv6tunl log]# more shorewall6-init.log
    Jul 30 23:38:10 Processing /etc/shorewall6/params ...
    Jul 30 23:38:10 ERROR: Processing of /etc/shorewall6/params failed

And that's it - nothing else in the log. I tried changing the start line to do tracing to /tmp/trace, but the trace came up empty, so at the moment I am clueless as to why it won't start properly at boot time.

FYI, the reason I'm starting it this way rather than by chkconfig is so that I can force a few ip commands to complete first to configure the HE 6in4 tunnel first before starting the firewall that relies on the tunnel being running.

Totally open to suggestions, or what more troubleshooting/logging I can provide - NOT a Linux expert, but learning fast.

Thanks-
Andy

------------------------------------------------------------------------------
Got Input? Slashdot Needs You.
Take our quick survey online. Come on, we don't ask for help often.
Plus, you'll get a chance to win $100 to spend on ThinkGeek.
http://p.sf.net/sfu/slashdot-survey
On Sun, 2011-07-31 at 06:48 +0000, Andrew Silverman wrote:

> I am setting up a shorewall6-only config to firewall my HE tunnel. The
> system is a CentOS 6.0 VM (running on Hyper-V but that's not the problem
> here.)
>
> Shorewall6 runs just fine when I "su" and then launch it manually with
> "shorewall6 start" - no problems, everything behaves exactly as intended,
> and all the firewall behavior is exactly as I want it to be. So with all
> that initial config taken care of (much experimentation required) I moved
> on to trying to get it to start at boot automatically.
>
> However, when I try to launch it instead by putting shorewall6 start into
> /etc/rc.d/rc.local, it fails, and the log only shows me this:
>
> [root@ipv6tunl log]# more shorewall6-init.log
> Jul 30 23:38:10 Processing /etc/shorewall6/params ...
> Jul 30 23:38:10 ERROR: Processing of /etc/shorewall6/params failed
>
> And that's it - nothing else in the log. I tried changing the start line
> to do tracing to /tmp/trace, but the trace came up empty, so at the moment
> I am clueless as to why it won't start properly at boot time.
>
> FYI, the reason I'm starting it this way rather than by chkconfig is so
> that I can force a few ip commands to complete first to configure the HE
> 6in4 tunnel first before starting the firewall that relies on the tunnel
> being running.
>
> Totally open to suggestions, or what more troubleshooting/logging I can
> provide - NOT a Linux expert, but learning fast.

What are the contents of /etc/shorewall6/params?

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Sun, 2011-07-31 at 06:35 -0700, Tom Eastep wrote:

> On Sun, 2011-07-31 at 06:48 +0000, Andrew Silverman wrote:
>
> > I am setting up a shorewall6-only config to firewall my HE tunnel. The
> > system is a CentOS 6.0 VM (running on Hyper-V but that's not the problem
> > here.)
> >
> > Shorewall6 runs just fine when I "su" and then launch it manually with
> > "shorewall6 start" - no problems, everything behaves exactly as intended,
> > and all the firewall behavior is exactly as I want it to be. So with all
> > that initial config taken care of (much experimentation required) I moved
> > on to trying to get it to start at boot automatically.
> >
> > However, when I try to launch it instead by putting shorewall6 start into
> > /etc/rc.d/rc.local, it fails, and the log only shows me this:
> >
> > [root@ipv6tunl log]# more shorewall6-init.log
> > Jul 30 23:38:10 Processing /etc/shorewall6/params ...
> > Jul 30 23:38:10 ERROR: Processing of /etc/shorewall6/params failed
> >
> > And that's it - nothing else in the log. I tried changing the start line
> > to do tracing to /tmp/trace, but the trace came up empty, so at the moment
> > I am clueless as to why it won't start properly at boot time.
> >
> > FYI, the reason I'm starting it this way rather than by chkconfig is so
> > that I can force a few ip commands to complete first to configure the HE
> > 6in4 tunnel first before starting the firewall that relies on the tunnel
> > being running.
> >
> > Totally open to suggestions, or what more troubleshooting/logging I can
> > provide - NOT a Linux expert, but learning fast.
>
> What are the contents of /etc/shorewall6/params?
>

Also, which version of Shorewall6 are you running?

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Sun, 2011-07-31 at 06:48 -0700, Tom Eastep wrote:

> On Sun, 2011-07-31 at 06:35 -0700, Tom Eastep wrote:
> > On Sun, 2011-07-31 at 06:48 +0000, Andrew Silverman wrote:
> >
> > > I am setting up a shorewall6-only config to firewall my HE tunnel. The
> > > system is a CentOS 6.0 VM (running on Hyper-V but that's not the problem
> > > here.)
> > >
> > > Shorewall6 runs just fine when I "su" and then launch it manually with
> > > "shorewall6 start" - no problems, everything behaves exactly as intended,
> > > and all the firewall behavior is exactly as I want it to be. So with all
> > > that initial config taken care of (much experimentation required) I moved
> > > on to trying to get it to start at boot automatically.
> > >
> > > However, when I try to launch it instead by putting shorewall6 start into
> > > /etc/rc.d/rc.local, it fails, and the log only shows me this:
> > >
> > > [root@ipv6tunl log]# more shorewall6-init.log
> > > Jul 30 23:38:10 Processing /etc/shorewall6/params ...
> > > Jul 30 23:38:10 ERROR: Processing of /etc/shorewall6/params failed
> > >
> > > And that's it - nothing else in the log. I tried changing the start line
> > > to do tracing to /tmp/trace, but the trace came up empty, so at the moment
> > > I am clueless as to why it won't start properly at boot time.
> > >
> > > FYI, the reason I'm starting it this way rather than by chkconfig is so
> > > that I can force a few ip commands to complete first to configure the HE
> > > 6in4 tunnel first before starting the firewall that relies on the tunnel
> > > being running.
> > >
> > > Totally open to suggestions, or what more troubleshooting/logging I can
> > > provide - NOT a Linux expert, but learning fast.
> >
> > What are the contents of /etc/shorewall6/params?
> >
>
> Also, which version of Shorewall6 are you running?

I've reproduced the problem. It is an SELinux issue whereby a script in /etc/init.d is not permitted to execute /usr/share/shorewall/getparams.

You can reproduce the failure by simply typing:

    /etc/init.d/shorewall6 start

Hopefully someone with more SELinux foo than I have (which is none) can give you advice.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Well, thanks for identifying the problem at least! - I'll do some digging on the web and see if anything presents itself, but otherwise hopefully someone on the list will have a clue. Do you have any particular suggestions for a workaround?

All I really need is to make sure I can get the tunnel params configured before shorewall6 launches... I first tried to do this by creating a script to run from init.d with chkconfig before shorewall6 launches, but it seems to have the same problem there and moving it to rc.local didn't cure it - initially I thought it was a chkconfig load ordering problem. So I guess now the problem is how to launch it at all without doing it interactively from a su prompt?

Not that it matters at this point, but there's nothing at all in the params file other than the comments lines, I didn't edit it, and I'm running the latest 4.4.21-1 build. (Just for completeness' sake.)

________________________________________
From: Tom Eastep [teastep@shorewall.net]
Sent: Sunday, July 31, 2011 9:03 AM
To: Shorewall Users
Subject: Re: [Shorewall-users] Newb setup problem:

On Sun, 2011-07-31 at 06:48 -0700, Tom Eastep wrote:

> On Sun, 2011-07-31 at 06:35 -0700, Tom Eastep wrote:
> > On Sun, 2011-07-31 at 06:48 +0000, Andrew Silverman wrote:
> >
> > > I am setting up a shorewall6-only config to firewall my HE tunnel. The
> > > system is a CentOS 6.0 VM (running on Hyper-V but that's not the problem
> > > here.)
> > >
> > > Shorewall6 runs just fine when I "su" and then launch it manually with
> > > "shorewall6 start" - no problems, everything behaves exactly as intended,
> > > and all the firewall behavior is exactly as I want it to be. So with all
> > > that initial config taken care of (much experimentation required) I moved
> > > on to trying to get it to start at boot automatically.
> > >
> > > However, when I try to launch it instead by putting shorewall6 start into
> > > /etc/rc.d/rc.local, it fails, and the log only shows me this:
> > >
> > > [root@ipv6tunl log]# more shorewall6-init.log
> > > Jul 30 23:38:10 Processing /etc/shorewall6/params ...
> > > Jul 30 23:38:10 ERROR: Processing of /etc/shorewall6/params failed
> > >
> > > And that's it - nothing else in the log. I tried changing the start line
> > > to do tracing to /tmp/trace, but the trace came up empty, so at the moment
> > > I am clueless as to why it won't start properly at boot time.
> > >
> > > FYI, the reason I'm starting it this way rather than by chkconfig is so
> > > that I can force a few ip commands to complete first to configure the HE
> > > 6in4 tunnel first before starting the firewall that relies on the tunnel
> > > being running.
> > >
> > > Totally open to suggestions, or what more troubleshooting/logging I can
> > > provide - NOT a Linux expert, but learning fast.
> >
> > What are the contents of /etc/shorewall6/params?
> >
>
> Also, which version of Shorewall6 are you running?

I've reproduced the problem. It is an SELinux issue whereby a script in /etc/init.d is not permitted to execute /usr/share/shorewall/getparams.

You can reproduce the failure by simply typing:

    /etc/init.d/shorewall6 start

Hopefully someone with more SELinux foo than I have (which is none) can give you advice.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Jul 31, 2011, at 9:52 AM, Andrew Silverman wrote:

> Well, thanks for identifying the problem at least! - I'll do some digging
> on the web and see if anything presents itself, but otherwise hopefully
> someone on the list will have a clue. Do you have any particular
> suggestions for a workaround?
>

Set AUTOMAKE=Yes in shorewall6.conf. So long as your current compiled script is up to date when you re-boot, Shorewall6 will start at boot.

-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
I figured out how to fix it the "right" way. :-)

There's a great walkthrough of analysis tools for SELinux audit logs and how to create new permissions policies from them here: http://wiki.centos.org/HowTos/SELinux#head-aa437f65e1c7873cddbafd9e9a73bbf9d102c072

After that, it was cookbook. Had to do it once for Shorewall6, which worked on the first try, and then again for radvd - it was making some system call that its default policy wasn't covering for some reason.

It all starts on boot normally now without workarounds... thanks for the pointer in the right direction earlier, at 9am today I didn't even know what SELinux was, and now I have some of the fu. :-)

Thanks again,
Andy

________________________________________
From: Tom Eastep [teastep@shorewall.net]
Sent: Sunday, July 31, 2011 10:00 AM
To: Shorewall Users
Subject: Re: [Shorewall-users] Newb setup problem:

On Jul 31, 2011, at 9:52 AM, Andrew Silverman wrote:

> Well, thanks for identifying the problem at least! - I'll do some digging
> on the web and see if anything presents itself, but otherwise hopefully
> someone on the list will have a clue. Do you have any particular
> suggestions for a workaround?
>

Set AUTOMAKE=Yes in shorewall6.conf. So long as your current compiled script is up to date when you re-boot, Shorewall6 will start at boot.

-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
On Jul 31, 2011, at 11:14 AM, Andrew Silverman wrote:

> I figured out how to fix it the "right" way. :-)
>
> There's a great walkthrough of analysis tools for SELinux audit logs and
> how to create new permissions policies from them here:
> http://wiki.centos.org/HowTos/SELinux#head-aa437f65e1c7873cddbafd9e9a73bbf9d102c072
>
> After that, it was cookbook. Had to do it once for Shorewall6, which
> worked on the first try, and then again for radvd - it was making some
> system call that its default policy wasn't covering for some reason.

It would be great if you would share exactly what you did so everyone who encounters this problem doesn't have to go through the learning curve that you did.

Thanks,
-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Yeah, definitely, later tonight if I have a few minutes I'll write up the exact steps. I imagine once you have the policy package you could probably install it automatically in future builds for distros with SELinux enabled.

Andy

On Jul 31, 2011, at 4:36 PM, "Tom Eastep" <teastep@shorewall.net> wrote:

>
> On Jul 31, 2011, at 11:14 AM, Andrew Silverman wrote:
>
>> I figured out how to fix it the "right" way. :-)
>>
>> There's a great walkthrough of analysis tools for SELinux audit logs and
>> how to create new permissions policies from them here:
>> http://wiki.centos.org/HowTos/SELinux#head-aa437f65e1c7873cddbafd9e9a73bbf9d102c072
>>
>> After that, it was cookbook. Had to do it once for Shorewall6, which
>> worked on the first try, and then again for radvd - it was making some
>> system call that its default policy wasn't covering for some reason.
>
>
> It would be great if you would share exactly what you did so everyone who
> encounters this problem doesn't have to go through the learning curve
> that you did.
>
> Thanks,
> -Tom
>
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
Ok, so here's the detailed version of the fix for getting shorewall6 running at boot time on an SELinux machine. (This is probably equally valid for shorewall IPv4 too, but I'm using it only for IPv6 at the moment...) This is on a vanilla CentOS 6.0 setup.

The problem (restated):

- My IPv6 config requires running a few lines to set up the Hurricane Electric 6in4 tunnel after NetworkManager brings up the interfaces, pretty much straight out of the HE "example" configs, e.g. (addresses obscured for obvious reasons)

      ip tunnel add he-ipv6 mode sit remote xx.xx.xx.xx local xx.xx.xx.xx ttl 255
      ip addr add 2001:xxx:a:xxx::2/64 dev he-ipv6
      ip addr add 2001:xxx:b:5fd::1/64 dev eth1
      ip route add ::/0 dev he-ipv6

  These lines were added to /etc/rc.d/rc.local so that they would be run after all the other init scripts are completed. This gets the tunnel going and assigns the proper static addresses and routes to the LAN side physical interface and to the tunnel pseudo-interface.

Now the problem is that after those lines, I want to do:

    /sbin/shorewall6 start    (to start the firewall)
    radvd                     (to start the router advertisement daemon.)

Looking in the boot logs, I could see that shorewall6 was failing to start after trying to read the /etc/shorewall6/params file, and then radvd fails to start because it sees IPv6 forwarding has not been enabled. But running them both from a su prompt worked fine. I had a suspicion that this was some sort of permissions problem as a result, but I'm really barely even a linux noob let alone guru.

Tom was kind enough to repro this and identify it as an SELinux permissions problem - so I ran with the ball and did some digging and experimentation and in an hour or two had it solved. The exact steps were pretty much called out here: http://wiki.centos.org/HowTos/SELinux. This article is well worth a read.

The easiest solution would of course be just to disable SELinux security altogether, which can be done by a trivial edit to the /etc/selinux/config file, SELINUX=DISABLED. But this defeats the purpose of ensuring that the system is better protected from a variety of security weaknesses. Instead, what you do is change that line to SELINUX=PERMISSIVE and then reboot. SELinux will then allow things that would ordinarily be denied to succeed, but logs are written that can be further analyzed in a very simple fashion.

- Install the setroubleshoot package if it's not on your system already. Then reboot so that the proper logs are written out.

- Run the GUI tool or "sealert -a /var/log/audit/audit.log > /path/to/mylogfile.txt" as root. This parses the /var/log/audit/audit.log file into human readable form and shows you what's failing.

In this particular case, two problems turn up:

1) shorewall6 is not permitted to access the files in the /etc paths when running from your init scripts.

2) radvd is making some system call that isn't expected, from the boot logs I think it was trying to access radvd.pid and failing.

Luckily the process of creating new security policy to allow the specific failures is fairly automated via the audit2allow tool and the semodule tool. First:

    grep shorewall /var/audit/audit.log | audit2allow -m shorewall6 > shorewall6.te

You can view the resulting shorewall6.te file to see what changes are required to the existing security policy and decide whether they're OK. In this case they're not really controversial, it's just expected file access.

To then create a compiled security policy that can be installed to the system re-run it with the capital M option instead and no output redirection, like this:

    grep shorewall /var/audit/audit.log | audit2allow -M shorewall6

This creates a shorewall6.pp file which is then installed to the system with the command:

    semodule -i shorewall6

This command takes longer than expected but if it returns without errors, the shorewall problem is now fixed.

You can then redo this process, grepping for radvd instead. Because radvd seems to install its own SELinux policies when the package is installed (so why isn't this error found?) I created an "radvd2" policy instead, because when I called the policy package "radvd" I was getting some weird errors on the final step where it tries to install the policy, possibly because a policy by that same name already exists and it was having trouble merging the two or something.

After installing the two new security policies, make sure you re-edit the /etc/selinux/config file to turn enforcing mode back on, then reboot again. If all is well, you should be able to do "shorewall6 status" after boot and see that it's now running, and similarly "ps -e | grep radvd" should show that radvd is now running as well.

Problem solved! Thanks Tom for the pointer in the right direction...

Andy
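Added example (not from the thread, not Shorewall's or radvd's code) for the "view the resulting .te file and decide whether they're OK" step above: it parses AVC denial records the way the grep | audit2allow -m pipeline reads them, collapses them into the allow rules such a module would propose, and flags any rule that grants more than plain file access. The audit records, contexts, pids and inode numbers are constructed for the example, and the RISKY permission list is this example's own selection, not an audit2allow feature.

```python
import re
from collections import defaultdict

# Constructed sample audit records (an assumption for this example, not taken
# from the poster's machine); the last record is not an AVC record and must be
# skipped by the parser.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1312145890.101:311): avc:  denied  { execute } for  pid=1402 comm="shorewall6" name="getparams" dev=dm-0 ino=139812 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1312145890.102:312): avc:  denied  { read } for  pid=1402 comm="shorewall6" name="params" dev=dm-0 ino=264201 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1312145890.102:313): avc:  denied  { open } for  pid=1402 comm="shorewall6" name="params" dev=dm-0 ino=264201 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1312145893.417:320): avc:  denied  { write } for  pid=1467 comm="radvd" name="radvd.pid" dev=dm-0 ino=301122 scontext=system_u:system_r:radvd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1312145893.418:321): avc:  denied  { execmem } for  pid=1467 comm="radvd" scontext=system_u:system_r:radvd_t:s0 tcontext=system_u:system_r:radvd_t:s0 tclass=process
type=SYSCALL msg=audit(1312145890.101:311): arch=c000003e syscall=59 success=no exit=-13 comm="shorewall6" exe="/bin/bash"
"""

# Fields of one AVC denial record as the kernel writes them to audit.log;
# name= is absent for denials that have no file object (e.g. execmem).
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+pid=(?P<pid>\d+)'
    r'\s+comm="(?P<comm>[^"]*)"(?:\s+name="(?P<name>[^"]*)")?.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Permissions that go well beyond "expected file access" and deserve a
# justification before the module is loaded (this example's own selection).
RISKY = {
    'process': {'execmem', 'execstack', 'execheap', 'ptrace', 'setcurrent'},
    'file': {'execute_no_trans', 'relabelfrom', 'relabelto'},
    'security': {'setenforce', 'load_policy', 'setbool'},
    'capability': {'sys_admin', 'sys_module', 'dac_override', 'setuid', 'setgid'},
}


def parse_avc_denials(log_text):
    """Return one dict per AVC denial; SYSCALL, PATH and other records are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d['perms'] = set(d['perms'].split())
        d['stype'] = d['scontext'].split(':')[2]   # user:role:TYPE:level
        d['ttype'] = d['tcontext'].split(':')[2]
        denials.append(d)
    return denials


def build_allow_rules(denials, comm=None):
    """Collapse denials into (source type, target type, class) -> permissions,
    the shape of the allow lines in a .te file; comm plays the role of the
    grep that narrows the log to one program."""
    rules = defaultdict(set)
    for d in denials:
        if comm is None or d['comm'] == comm:
            rules[(d['stype'], d['ttype'], d['tclass'])] |= d['perms']
    return dict(rules)


def render_te(module_name, rules):
    """Emit type-enforcement source in the layout of an audit2allow .te file."""
    types = sorted({t for s, tt, _ in rules for t in (s, tt)})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = ['module %s 1.0;' % module_name, '', 'require {']
    out += ['\ttype %s;' % t for t in types]
    out += ['\tclass %s { %s };' % (c, ' '.join(sorted(p)))
            for c, p in sorted(classes.items())]
    out += ['}', '']
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_txt = p[0] if len(p) == 1 else '{ %s }' % ' '.join(p)
        out.append('allow %s %s:%s %s;' % (stype, ttype, tclass, perm_txt))
    return '\n'.join(out) + '\n'


def review_rules(rules):
    """One finding per allow rule that grants a RISKY permission; an empty
    list means the module only describes ordinary file access."""
    findings = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        risky = sorted(perms & RISKY.get(tclass, set()))
        if risky:
            findings.append('%s -> %s:%s grants %s; justify before semodule -i'
                            % (stype, ttype, tclass, ' '.join(risky)))
    return findings


def main():
    denials = parse_avc_denials(SAMPLE_AUDIT_LOG)
    # One module per program, named as in the thread (radvd2 because a
    # module called radvd already exists on the system).
    for comm, module in (('shorewall6', 'shorewall6'), ('radvd', 'radvd2')):
        rules = build_allow_rules(denials, comm=comm)
        print(render_te(module, rules))
        for finding in review_rules(rules):
            print('REVIEW:', finding)


if __name__ == '__main__':
    main()
```

On a real system, feed parse_avc_denials() the text of /var/log/audit/audit.log instead of the sample; the review output is a reading aid for the .te file, and the .pp you load still comes from audit2allow -M.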
On Mon, 2011-08-01 at 09:40 -0700, Andrew Silverman wrote:

> Ok, so here's the detailed version of the fix for getting shorewall6 running
> at boot time on an SELinux machine. (This is probably equally valid for
> shorewall IPv4 too, but I'm using it only for IPv6 at the moment...) This
> is on a vanilla CentOS 6.0 setup.

Thanks, Andy!

> The problem (restated):
> - My IPv6 config requires running a few lines to set up the Hurricane
> Electric 6in4 tunnel after NetworkManager brings up the interfaces, pretty
> much straight out of the HE "example" configs, e.g. (addresses obscured for
> obvious reasons)
> ip tunnel add he-ipv6 mode sit remote xx.xx.xx.xx local xx.xx.xx.xx ttl
> 255
> ip addr add 2001:xxx:a:xxx::2/64 dev he-ipv6
> ip addr add 2001:xxx:b:5fd::1/64 dev eth1
> ip route add ::/0 dev he-ipv6
>
> These lines were added to /etc/rc.d/rc.local so that they would be run after
> all the other init scripts are completed. This gets the tunnel going and
> assigns the proper static addresses and routes to the LAN side physical
> interface and to the tunnel pseudo-interface.
>
> Now the problem is that after those lines, I want to do:
> /sbin/shorewall6 start (to start the firewall)
> radvd (to start the router advertisement daemon.)
>
> Looking in the boot logs, I could see that shorewall6 was failing to start
> after trying to read the /etc/shorewall6/params file, and then radvd fails
> to start because it sees IPv6 forwarding has not been enabled. But running
> them both from a su prompt worked fine. I had a suspicion that this was
> some sort of permissions problem as a result, but I'm really barely even a
> linux noob let alone guru. Tom was kind enough to repro this and identify
> it as an SELinux permissions problem - so I ran with the ball and did some
> digging and experimentation and in an hour or two had it solved.

The failure doesn't require the use of /etc/rc.d/rc.local; it will happen with a standard Shorewall installation.

> The exact
> steps were pretty much called out here:
> http://wiki.centos.org/HowTos/SELinux. This article is well worth a read.
>
>
> Luckily the process of creating new security policy to allow the specific
> failures is fairly automated via the audit2allow tool and the semodule tool.
> First:
> grep shorewall /var/audit/audit.log | audit2allow -m shorewall6 >
> shorewall6.te

That should be /var/log/audit/audit.log.

> You can view the resulting shorewall6.te file to see what changes are
> required to the existing security policy and decide whether they're OK. In
> this case they're not really controversial, it's just expected file access.
> To then create a compiled security policy that can be installed to the
> system re-run it with the capital M option instead and no output
> redirection, like this:
> grep shorewall /var/audit/audit.log | audit2allow -M shorewall6

Ditto.

> This creates a shorewall6.pp file which is then installed to the system with
> the command:
> semodule -i shorewall6
>
> This command takes longer than expected but if it returns without errors,
> the shorewall problem is now fixed.
>
>
> Thanks Tom for the pointer in the right direction...
>

You are most welcome, Andy. And thanks again,

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
BlackBerry® DevCon Americas, Oct. 18-20, San Francisco, CA
The must-attend event for mobile developers. Connect with experts.
Get tools for creating Super Apps. See the latest technologies.
Sessions, hands-on labs, demos & much more. Register early & save!
http://p.sf.net/sfu/rim-blackberry-1
Thanks for fixing my path typos. :-)

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Monday, August 01, 2011 11:32 AM
To: Shorewall Users
Subject: Re: [Shorewall-users] Newb setup problem:

On Mon, 2011-08-01 at 09:40 -0700, Andrew Silverman wrote:

> Ok, so here's the detailed version of the fix for getting shorewall6
> running at boot time on an SELinux machine. (This is probably equally
> valid for shorewall IPv4 too, but I'm using it only for IPv6 at the
> moment...) This is on a vanilla CentOS 6.0 setup.

Thanks, Andy!

> The problem (restated):
> - My IPv6 config requires running a few lines to set up the Hurricane
> Electric 6in4 tunnel after NetworkManager brings up the interfaces,
> pretty much straight out of the HE "example" configs, e.g. (addresses
> obscured for obvious reasons)
> ip tunnel add he-ipv6 mode sit remote xx.xx.xx.xx local
> xx.xx.xx.xx ttl
> 255
> ip addr add 2001:xxx:a:xxx::2/64 dev he-ipv6
> ip addr add 2001:xxx:b:5fd::1/64 dev eth1
> ip route add ::/0 dev he-ipv6
>
> These lines were added to /etc/rc.d/rc.local so that they would be run
> after all the other init scripts are completed. This gets the tunnel
> going and assigns the proper static addresses and routes to the LAN
> side physical interface and to the tunnel pseudo-interface.
>
> Now the problem is that after those lines, I want to do:
> /sbin/shorewall6 start (to start the firewall)
> radvd (to start the router advertisement daemon.)
>
> Looking in the boot logs, I could see that shorewall6 was failing to
> start after trying to read the /etc/shorewall6/params file, and then
> radvd fails to start because it sees IPv6 forwarding has not been
> enabled. But running them both from a su prompt worked fine. I had a
> suspicion that this was some sort of permissions problem as a result,
> but I'm really barely even a linux noob let alone guru. Tom was kind
> enough to repro this and identify it as an SELinux permissions problem
> - so I ran with the ball and did some digging and experimentation and
> in an hour or two had it solved.

The failure doesn't require the use of /etc/rc.d/rc.local; it will happen with a standard Shorewall installation.

> The exact
> steps were pretty much called out here:
> http://wiki.centos.org/HowTos/SELinux. This article is well worth a read.
>
>
> Luckily the process of creating new security policy to allow the
> specific failures is fairly automated via the audit2allow tool and the
> semodule tool.
> First:
> grep shorewall /var/audit/audit.log | audit2allow -m shorewall6 >
> shorewall6.te

That should be /var/log/audit/audit.log.

> You can view the resulting shorewall6.te file to see what changes are
> required to the existing security policy and decide whether they're
> OK. In this case they're not really controversial, it's just expected
> file access.
> To then create a compiled security policy that can be installed to the
> system re-run it with the capital M option instead and no output
> redirection, like this:
> grep shorewall /var/audit/audit.log | audit2allow -M shorewall6

Ditto.

> This creates a shorewall6.pp file which is then installed to the
> system with the command:
> semodule -i shorewall6
>
> This command takes longer than expected but if it returns without
> errors, the shorewall problem is now fixed.
>
>
> Thanks Tom for the pointer in the right direction...
>

You are most welcome, Andy. And thanks again,

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________