On Sun, 17/12/2017 at 13.10 -0500, Colony.three via Shorewall-users wrote:
> It's not clear what you're doing here.  In several cases you have the
> output of ls -Z, without entering the command?

Now, this is the output of ls -Z:

    [root@s-virt ~]# ls -lZ /run/lock/subsys/*
    -rw-r--r--. root root system_u:object_r:var_lock_t:s0  /run/lock/subsys/libvirt-guests
    -rw-r--r--. root root system_u:object_r:var_lock_t:s0  /run/lock/subsys/network
    -rw-------. root root unconfined_u:object_r:var_lock_t:s0 /run/lock/subsys/shorewall

> Yes selinux is prohibiting from looking at {getattr}, creating
> {write}, or deleting {unlink} the shorewall lockfile.  The correct
> setting for the lockfile (and the path down to it) is: 
> system_u:object_r:var_lock_t:s0

The file does not have this attribute.
And if I change it:

    [root@s-virt ~]# chcon system_u:object_r:var_lock_t:s0 /run/lock/subsys/shorewall

It comes back after a while.

> You don't say whether you've rebooted or not.

No, I have not rebooted; I do not know what happens if I reboot.

I have only restarted the shorewall service, and sometimes, when I do
that, I get 4 SELinux errors in the log.

I just want to point out that sometimes in the logs I detect these
SELinux errors:

    [root@s-virt ~]# grep -E 'denied.*shorewall' /var/log/audit/audit.log | tail -4
    type=AVC msg=audit(1513547387.366:1560): avc:  denied  { getattr } for  pid=17154 comm="rm" path="/run/lock/subsys/shorewall" dev="tmpfs" ino=56603 scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
    type=AVC msg=audit(1513547387.366:1561): avc:  denied  { unlink } for  pid=17154 comm="rm" name="shorewall" dev="tmpfs" ino=56603 scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
    type=AVC msg=audit(1513547387.758:1605): avc:  denied  { write } for  pid=17405 comm="touch" name="shorewall" dev="tmpfs" ino=56603 scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
    type=AVC msg=audit(1513547387.758:1606): avc:  denied  { write } for  pid=17405 comm="touch" name="shorewall" dev="tmpfs" ino=56603 scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file

Is there a solution that I can apply, or is it a bug?

Thanks

-- 
Dario Lesca
(sent from my Linux Fedora 27 Workstation)

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
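Added example for the AVC records quoted in the message above; this is not code from the post, from the reply, or from Shorewall. It is a small Python parser for audit-log AVC lines of that shape: it groups denials by (source type, target type, object class), lists the commands and objects involved, renders the `allow` rule that audit2allow would propose for inspection, and compares two labels field by field with `context_diff`. The sample records are constructed after the ones in the thread (the SYSCALL line is made up to show that non-AVC records are skipped). Type-enforcement decisions key on the type field of each label, which is why the summary is built on types; before turning such a summary into a policy module, compare the file's label with what the loaded policy expects (`matchpathcon PATH`, `restorecon -nv PATH`), because a mislabeled file is fixed by relabeling rather than by a broader rule.

```python
"""Parse SELinux AVC denial records from /var/log/audit/audit.log and
summarise them per (source type, target type, object class).

Added example for the thread above; not code from the post or from Shorewall.
The sample records below are constructed after the ones quoted in the message."""
import re
from collections import defaultdict

# Constructed sample: three denials plus one non-AVC record that must be skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1513547387.366:1560): avc:  denied  { getattr } for  pid=17154 comm="rm" path="/run/lock/subsys/shorewall" dev="tmpfs" ino=56603 scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1513547387.366:1561): avc:  denied  { unlink } for  pid=17154 comm="rm" name="shorewall" dev="tmpfs" ino=56603 scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1513547387.758:1605): avc:  denied  { write } for  pid=17405 comm="touch" name="shorewall" dev="tmpfs" ino=56603 scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=SYSCALL msg=audit(1513547387.758:1605): arch=c000003e syscall=257 success=no exit=-13 comm="touch" exe="/usr/bin/touch" subj=system_u:system_r:shorewall_t:s0
"""

# Header of an AVC record: timestamp:serial, verdict, the permission set in braces, then key=value fields.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either double-quoted or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_context(ctx):
    """Split a security context into user, role, type and level.
    The level may itself contain ':' (MLS ranges such as s0-s0:c0.c1023), hence maxsplit=3;
    a context without a level field is padded with an empty string."""
    parts = ctx.split(':', 3)
    parts += [''] * (4 - len(parts))
    user, role, type_, level = parts
    return {'user': user, 'role': role, 'type': type_, 'level': level}


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: (q or u) for k, q, u in KV_RE.findall(m.group('rest'))}
    return {
        'ts': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'verdict': m.group('verdict'),
        'perms': set(m.group('perms').split()),
        'comm': fields.get('comm', ''),
        # the kernel reports either a full path or only the last path component
        'target': fields.get('path') or fields.get('name', ''),
        'scontext': parse_context(fields['scontext']),
        'tcontext': parse_context(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def summarise(lines):
    """Group denials by (source type, target type, object class): the key TE rules are written on."""
    groups = defaultdict(lambda: {'perms': set(), 'comms': set(), 'targets': set(), 'count': 0})
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['verdict'] != 'denied':
            continue
        g = groups[(rec['scontext']['type'], rec['tcontext']['type'], rec['tclass'])]
        g['perms'] |= rec['perms']
        g['comms'].add(rec['comm'])
        g['targets'].add(rec['target'])
        g['count'] += 1
    return dict(groups)


def te_rules(summary):
    """Render each group as the allow rule audit2allow would propose (for inspection only)."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
        for (s, t, c), g in sorted(summary.items())
    ]


def context_diff(actual, expected):
    """Fields in which two labels differ, e.g. only 'user' for the two labels seen in the thread."""
    a, e = parse_context(actual), parse_context(expected)
    return {k: (a[k], e[k]) for k in a if a[k] != e[k]}


def report(lines):
    """Human-readable summary, one block per (source type, target type, class)."""
    out = []
    for (s, t, c), g in sorted(summarise(lines).items()):
        out.append(f"{g['count']} denial(s): {s} -> {t} ({c})")
        out.append(f"  permissions: {' '.join(sorted(g['perms']))}")
        out.append(f"  commands:    {', '.join(sorted(g['comms']))}")
        out.append(f"  objects:     {', '.join(sorted(g['targets']))}")
    return '\n'.join(out)


if __name__ == '__main__':
    lines = SAMPLE_AUDIT_LOG.splitlines()
    print(report(lines))
    print()
    print('\n'.join(te_rules(summarise(lines))))
    print()
    print(context_diff('unconfined_u:object_r:var_lock_t:s0', 'system_u:object_r:var_lock_t:s0'))
```

Run it against a real log with `grep '^type=AVC' /var/log/audit/audit.log` piped into `report`; on the constructed sample it reports one group, `shorewall_t -> var_lock_t (file)`, with permissions `getattr unlink write` from the commands `rm` and `touch`, and `context_diff` on the two labels from the thread reports a difference only in the `user` field.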
