On Sun, 17/12/2017 at 13.10 -0500, Colony.three via Shorewall-users wrote:
> It's not clear what you're doing here. In several cases you have the
> output of ls -Z, without entering the command?
Here is the output of ls -Z:
[root@s-virt ~]# ls -lZ /run/lock/subsys/*
-rw-r--r--. root root system_u:object_r:var_lock_t:s0 /run/lock/subsys/libvirt-guests
-rw-r--r--. root root system_u:object_r:var_lock_t:s0 /run/lock/subsys/network
-rw-------. root root unconfined_u:object_r:var_lock_t:s0 /run/lock/subsys/shorewall
> Yes selinux is prohibiting from looking at {getattr}, creating
> {write}, or deleting {unlink} the shorewall lockfile. The correct
> setting for the lockfile (and the path down to it) is:
> system_u:object_r:var_lock_t:s0
The file does not have this attribute.
And if I change it:
[root@s-virt ~]# chcon system_u:object_r:var_lock_t:s0 /run/lock/subsys/shorewall
it comes back after a while.
> You don't say whether you've rebooted or not.
No, I have not rebooted; I do not know what happens if I reboot.
I have only restarted the shorewall service, and sometimes, when I do
that, I get 4 SELinux errors in the log.
I just want to point out that sometimes in the logs I find these
SELinux errors:
[root@s-virt ~]# grep -E 'denied.*shorewall' /var/log/audit/audit.log | tail -4
type=AVC msg=audit(1513547387.366:1560): avc: denied { getattr } for pid=17154 comm="rm" path="/run/lock/subsys/shorewall" dev="tmpfs" ino=56603 scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1513547387.366:1561): avc: denied { unlink } for pid=17154 comm="rm" name="shorewall" dev="tmpfs" ino=56603 scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1513547387.758:1605): avc: denied { write } for pid=17405 comm="touch" name="shorewall" dev="tmpfs" ino=56603 scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1513547387.758:1606): avc: denied { write } for pid=17405 comm="touch" name="shorewall" dev="tmpfs" ino=56603 scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
Is there a solution that I can apply, or is it a bug?
Thanks
--
Dario Lesca
(sent from my Linux Fedora 27 Workstation)
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
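The AVC records in the message above, fed through a small summariser. This is an added example and is not code from the thread or from the Shorewall project: it groups denials by source type, target type, object class and permission, and turns each group into the setools `sesearch` query one would run on the box to confirm whether the loaded policy actually allows that access. The sample log below is constructed from the four records in the message plus one unrelated record (an `init_t` denial, invented to show the source-type filter); `sesearch` from setools is assumed to be installed when the printed queries are run.

```shell
#!/bin/sh
# Constructed sample audit log: the four shorewall_t denials quoted in the
# message, plus one unrelated record (constructed) so the filter has
# something to exclude.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1513547387.366:1560): avc:  denied  { getattr } for  pid=17154 comm="rm" path="/run/lock/subsys/shorewall" dev="tmpfs" ino=56603 scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1513547387.366:1561): avc:  denied  { unlink } for  pid=17154 comm="rm" name="shorewall" dev="tmpfs" ino=56603 scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1513547387.758:1605): avc:  denied  { write } for  pid=17405 comm="touch" name="shorewall" dev="tmpfs" ino=56603 scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1513547387.758:1606): avc:  denied  { write } for  pid=17405 comm="touch" name="shorewall" dev="tmpfs" ino=56603 scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1513547400.001:1700): avc:  denied  { read } for  pid=1 comm="systemd" name="example" dev="tmpfs" ino=99999 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file'

# summarize_avc [source_type]
# Reads audit records on stdin and prints one line per distinct
# "<count> <source type> <target type> <tclass> <perms>" group.
# The type is the third colon-separated field of an SELinux context
# (user:role:type:level). If a source type is given, other sources are
# dropped. Permissions inside "{ ... }" are joined with commas.
summarize_avc() {
    grep 'avc:  *denied' | awk -v want="${1:-}" '
    {
        perms = ""; inb = 0; s = ""; t = ""; c = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inb = 1; continue }
            if ($i == "}") { inb = 0; continue }
            if (inb) { perms = perms (perms == "" ? "" : ",") $i; continue }
            if (index($i, "scontext=") == 1) s = substr($i, 10)
            if (index($i, "tcontext=") == 1) t = substr($i, 10)
            if (index($i, "tclass=") == 1)   c = substr($i, 8)
        }
        split(s, sp, ":"); split(t, tp, ":")
        if (want != "" && sp[3] != want) next
        key = sp[3] " " tp[3] " " c " " perms
        count[key]++
    }
    END { for (k in count) print count[k], k }' | sort -k2
}

# policy_queries
# Turns each summary line into the sesearch invocation that asks the
# loaded policy whether an allow rule exists for exactly that access.
# An empty result from sesearch means the policy has no such rule, i.e.
# the denial is a policy gap rather than a mislabelled file.
policy_queries() {
    awk '{ printf "sesearch -A -s %s -t %s -c %s -p %s\n", $2, $3, $4, $5 }'
}

# Stand-alone demo on the embedded sample.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarize_avc shorewall_t
printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarize_avc shorewall_t | policy_queries
```

On a real host, replace the embedded sample with `ausearch -m AVC -ts recent` or `cat /var/log/audit/audit.log`. One thing the summary makes visible: every one of the four denials has target type `var_lock_t`, which is the same type the `chcon` in the message sets, so the relabel alone cannot change what these records say; what matters is whether the policy lets `shorewall_t` act on `var_lock_t` files, and the printed `sesearch` lines are the check for that. Note also that `chcon` changes only the in-memory label of the current inode; a file that is removed and recreated (as `rm` and `touch` do here) gets its label from the policy's file-context rules and type transitions, not from the previous `chcon`.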