Bercovici Manuel wrote:
> I installed Fedora Core 8 on a machine to use it as a router. However, I get
> this error:
>
> Summary
> SELinux is preventing /sbin/iptables-save (iptables_t) "write" to
> /etc/sysconfig/iptables (etc_t).
>
> Detailed Description
> SELinux is preventing /sbin/iptables-save (iptables_t) "write" to
> /etc/sysconfig/iptables (etc_t). The SELinux type etc_t is a generic type
> for all files in the directory and very few processes (SELinux Domains) are
> allowed to write to this SELinux type. This type of denial usually indicates
> a mislabeled file. By default a file created in a directory gets the context
> of the parent directory, but SELinux policy has rules about the creation of
> directories, that say if a process running in one SELinux Domain (D1)
> creates a file in a directory with a particular SELinux File Context (F1)
> the file gets a different File Context (F2). The policy usually allows the
> SELinux Domain (D1) the ability to write or append on (F2). But if for some
> reason a file (/etc/sysconfig/iptables) was created with the wrong context,
> this domain will be denied. The usual solution to this problem is to reset
> the file context on the target file: restorecon -v /etc/sysconfig/iptables.
> If the file context does not change from etc_t, then this is probably a bug
> in policy. Please file a bug report against the selinux-policy package. If
> it does change, you can try your application again to see if it works. The
> file context could have been mislabeled by editing the file or moving the
> file from a different directory; if the file keeps getting mislabeled, check
> the init scripts to see if they are doing something to mislabel the file.
>
> Allowing Access
> You can attempt to fix file context by executing
> restorecon -v /etc/sysconfig/iptables
> The following command will allow this access:
> restorecon /etc/sysconfig/iptables
>
> Additional Information
> Source Context: system_u:system_r:iptables_t:s0-s0:c0.c1023
> Target Context: system_u:object_r:etc_t:s0
> Target Objects: /etc/sysconfig/iptables [ file ]
> Affected RPM Packages: iptables-1.3.8-5.fc8 [application]
> Policy RPM: selinux-policy-3.0.8-44.fc8
> Selinux Enabled: True
> Policy Type: targeted
> MLS Enabled: True
> Enforcing Mode: Enforcing
> Plugin Name: plugins.mislabeled_file
> Host Name: ciordas0.ro
> Platform: Linux ciordas0.ro 2.6.23.1-42.fc8 #1 SMP Tue Oct 30 13:55:12 EDT 2007 i686 i686
> Alert Count: 13
> First Seen: Tue 27 Oct 2009 09:30:49 AM EET
> Last Seen: Tue 27 Oct 2009 12:36:39 PM EET
> Local ID: ed71f937-8bc6-43a4-aa7d-e1b4ada396b8
> Line Numbers:
>
> Raw Audit Messages:
> avc: denied { write } for comm=iptables-save dev=dm-0
> egid=0 euid=0 exe=/sbin/iptables-save exit=0 fsgid=0 fsuid=0 gid=0 items=0
> path=/etc/sysconfig/iptables pid=28524
> scontext=system_u:system_r:iptables_t:s0-s0:c0.c1023 sgid=0
> subj=system_u:system_r:iptables_t:s0-s0:c0.c1023 suid=0 tclass=file
> tcontext=system_u:object_r:etc_t:s0 tty=pts1 uid=0
>
> How can this error be fixed?
>
> Thanks!
try a relabel (touch /.autorelabel && reboot)
if that doesn't work, follow the procedure described at
http://wiki.centos.org/HowTos/SELinux to generate a custom policy.
Normally, though, such messages should no longer appear after a relabel.
_______________________________________________
RLUG mailing list
[email protected]
http://lists.lug.ro/mailman/listinfo/rlug
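The reply's order of operations (relabel first, custom policy only if the denial survives) can be mechanised from the raw AVC line. This is an added example, not from the thread or from setroubleshoot: it parses the denial quoted above (copied in as constructed sample input), pulls out the source domain, target type and path, and tells the generic-type case, where restorecon is the fix, apart from the case where the target already carries a specific type and a policy module would be needed. The list of generic types is an assumption kept to well-known fallback labels.

```shell
#!/bin/sh
# Constructed sample: the AVC denial from the report, joined onto one line.
SAMPLE_AVC='avc: denied { write } for comm=iptables-save dev=dm-0 egid=0 euid=0 exe=/sbin/iptables-save exit=0 fsgid=0 fsuid=0 gid=0 items=0 path=/etc/sysconfig/iptables pid=28524 scontext=system_u:system_r:iptables_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:iptables_t:s0-s0:c0.c1023 suid=0 tclass=file tcontext=system_u:object_r:etc_t:s0 tty=pts1 uid=0'

# avc_field LINE KEY -> value of the first KEY=value token, empty if absent
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# avc_perm LINE -> the denied permission inside "{ ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([a-z_]*\) *}.*/\1/p'
}

# ctx_type CONTEXT -> the type field (user:role:type:range)
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_advice LINE -> "mislabel ..." with the restorecon command to run first,
# or "policy ..." when the target already has a specific type and the
# denial is a genuine policy gap (the custom-module route from the reply).
avc_advice() {
    line=$1
    perm=$(avc_perm "$line")
    path=$(avc_field "$line" path)
    sdom=$(ctx_type "$(avc_field "$line" scontext)")
    ttype=$(ctx_type "$(avc_field "$line" tcontext)")
    case $ttype in
        # assumed set of generic/fallback file types; etc_t is the one
        # the alert itself calls generic
        etc_t|usr_t|var_t|default_t|unlabeled_t)
            printf 'mislabel %s %s %s as %s: restorecon -v %s\n' \
                "$sdom" "$perm" "$path" "$ttype" "$path" ;;
        *)
            printf 'policy %s %s %s as %s: ausearch -m avc | audit2allow -M local\n' \
                "$sdom" "$perm" "$path" "$ttype" ;;
    esac
}

avc_advice "$SAMPLE_AVC"
```

On a live system the same function can be fed `ausearch -m avc -ts recent` output line by line; only the `mislabel` verdicts should remain after the `/.autorelabel` reboot the reply suggests.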