Dear All,

I could find no reference to SELinux in the documentation to this, hopefully it helps others.

When I added ipset into the mix and played around from the command line, everything worked as expected. However during boot, shorewall complains:

00:36:00 ERROR: ipset names in Shorewall configuration files require Ipset Match in your kernel and iptables /etc/shorewall/rules (line 39)

And immediately after boot a shorewall start is totally successful.

This is a SELinux enforcement issue in my case:

type=AVC msg=audit(1404632169.296:45): avc: denied { create } for pid=2761 comm="ipset" scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:system_r:shorewall_t:s0 tclass=netlink_socket
type=SYSCALL msg=audit(1404632169.296:45): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=c a3=7fff5f7f9590 items=0 ppid=2760 pid=2761 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipset" exe="/usr/sbin/ipset" subj=system_u:system_r:shorewall_t:s0 key=(null)
type=AVC msg=audit(1404632169.299:46): avc: denied { create } for pid=2763 comm="ipset" scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:system_r:shorewall_t:s0 tclass=netlink_socket
type=SYSCALL msg=audit(1404632169.299:46): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=c a3=7ffffe3fc1c0 items=0 ppid=2762 pid=2763 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipset" exe="/usr/sbin/ipset" subj=system_u:system_r:shorewall_t:s0 key=(null)
type=AVC msg=audit(1404632169.301:47): avc: denied { create } for pid=2765 comm="ipset" scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:system_r:shorewall_t:s0 tclass=netlink_socket
type=SYSCALL msg=audit(1404632169.301:47): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=c a3=7fff63d428e0 items=0 ppid=2764 pid=2765 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipset" exe="/usr/sbin/ipset" subj=system_u:system_r:shorewall_t:s0 key=(null)
type=AVC msg=audit(1404632169.402:61): avc: denied { create } for pid=2810 comm="ipset" scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:system_r:shorewall_t:s0 tclass=netlink_socket
type=SYSCALL msg=audit(1404632169.402:61): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=c a3=7fff51509c50 items=0 ppid=2809 pid=2810 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipset" exe="/usr/sbin/ipset" subj=system_u:system_r:shorewall_t:s0 key=(null)
type=AVC msg=audit(1404632169.405:62): avc: denied { create } for pid=2812 comm="ipset" scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:system_r:shorewall_t:s0 tclass=netlink_socket
type=SYSCALL msg=audit(1404632169.405:62): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=c a3=7fffc9256d20 items=0 ppid=2811 pid=2812 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipset" exe="/usr/sbin/ipset" subj=system_u:system_r:shorewall_t:s0 key=(null)
type=AVC msg=audit(1404635091.599:45): avc: denied { create } for pid=2761 comm="ipset" scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:system_r:shorewall_t:s0 tclass=netlink_socke

which may be resolved with:

    semanage fcontext -a -t iptables_exec_t /path/to/ipset
    restorecon -v /path/to/ipset

(you'll need policycoreutils-python installed)

documented at: https://lists.fedoraproject.org/pipermail/selinux/2010-June/012680.html

Regards - lee
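
An added example, not part of the original post: a small shell/awk filter that groups AVC denials by command, permission, source context and object class, so a repeated boot-time denial such as the ipset netlink_socket one above is easy to spot. The function names summarize_avc and sample_log are hypothetical, and the sample records are constructed (the first ones modelled on the post's log, the example_t one invented for contrast).

```shell
#!/bin/sh
# Added example (not from the original post): group SELinux AVC denials so a
# repeated denial like the ipset/netlink_socket one stands out.
# summarize_avc and sample_log are hypothetical names chosen for this sketch.

# Read audit records on stdin; print "<count> <comm> <perms> <scontext> <tclass>"
# for each distinct denial, in order of first appearance.
summarize_avc() {
    awk '
    /type=AVC/ && /avc: +denied/ {
        comm = ""; scon = ""; tcls = ""
        # Denied permissions sit between "{" and "}".
        a = index($0, "{"); b = index($0, "}")
        perms = substr($0, a + 1, b - a - 1)
        gsub(/^ +| +$/, "", perms)
        gsub(/ +/, ",", perms)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
            if ($i ~ /^scontext=/) { scon = substr($i, 10) }
            if ($i ~ /^tclass=/)   { tcls = substr($i, 8) }
        }
        key = comm " " perms " " scon " " tcls
        if (!(key in n)) order[++k] = key
        n[key]++
    }
    END { for (i = 1; i <= k; i++) print n[order[i]], order[i] }
    '
}

# Constructed sample input; SYSCALL records are present to show they are skipped.
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1404632169.296:45): avc:  denied  { create } for  pid=2761 comm="ipset" scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:system_r:shorewall_t:s0 tclass=netlink_socket
type=SYSCALL msg=audit(1404632169.296:45): arch=c000003e syscall=41 success=no exit=-13 comm="ipset" exe="/usr/sbin/ipset" subj=system_u:system_r:shorewall_t:s0 key=(null)
type=AVC msg=audit(1404632169.299:46): avc:  denied  { create } for  pid=2763 comm="ipset" scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:system_r:shorewall_t:s0 tclass=netlink_socket
type=AVC msg=audit(1404632170.000:50): avc:  denied  { read write } for  pid=2900 comm="example" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:example_file_t:s0 tclass=file
EOF
}

# On a live host, pipe /var/log/audit/audit.log into summarize_avc instead.
sample_log | summarize_avc
```

Running the same filter again after the relabel and a reboot shows whether the shorewall_t denial for ipset has stopped recurring.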