Package: selinux-policy-default
Version: 2:0.2.20100524-7+squeeze1
Severity: normal
File: /usr/share/selinux/default/shorewall.pp


I installed the shorewall.pp module and relabelled the system, but I noticed
that shorewall has problems during startup.

While it doesn't seem to run properly during startup (which actually displays
the 'echo_notdone()' function from the init script), I can however run it just
fine with `run_init /etc/init.d/shorewall start` and verify the rules are in
place via `iptables -L`.

I noticed that the avc errors seem to be outputting all the various subsystems of
shorewall to the same file, but this is only a guess (since shorewall has
support for tc, ipv6, etc, built in).

As far as my setup, I am using just the "shorewall" package atm, not the
shorewall-perl version yet (which may have similar issues).

sestatus -v output:
-------------------
# sestatus -v
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        default

Process contexts:
Current context:                staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
Init context:                   system_u:system_r:init_t:s0

File contexts:
Controlling term:               staff_u:object_r:user_devpts_t:s0
/etc/passwd                     system_u:object_r:etc_t:s0
/etc/shadow                     system_u:object_r:shadow_t:s0
/bin/bash                       system_u:object_r:shell_exec_t:s0
/bin/login                      system_u:object_r:login_exec_t:s0
/bin/sh                         system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
/sbin/agetty                    system_u:object_r:getty_exec_t:s0
/sbin/init                      system_u:object_r:init_exec_t:s0
/lib/libc.so.6                  system_u:object_r:lib_t:s0 -> system_u:object_r:lib_t:s0
/lib/ld-linux.so.2              system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0



/var/log/dmesg output:
----------------------
[   17.567170] SELinux: initialized (dev dm-3, type ext4), uses xattr
[   19.734966] type=1400 audit(1333944806.232:5): avc:  denied  { getattr } for  pid=1291 comm="shorewall" path="/bin/hostname" dev=dm-1 ino=524320 scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
[   19.809588] ADDRCONF(NETDEV_UP): eth0: link is not ready
[   19.812635] e100: eth0 NIC Link is Up 100 Mbps Full Duplex
[   19.820830] ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[   19.884709] ip_tables: (C) 2000-2006 Netfilter Core Team
[   20.910551] Netfilter messages via NETLINK v0.30.
[   20.959645] nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
[   20.960113] CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use
[   20.960117] nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option or
[   20.960120] sysctl net.netfilter.nf_conntrack_acct=1 to enable it.
[   21.153336] NF_TPROXY: Transparent proxy support initialized, version 4.1.0
[   21.153341] NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.
[   21.185798] ctnetlink v0.93: registering with nfnetlink.
[   21.313934] ClusterIP Version 0.8 loaded successfully
[   21.431457] type=1400 audit(1333944807.928:6): avc:  denied  { append } for  pid=1392 comm="iptables" path="/var/log/shorewall-init.log" dev=dm-3 ino=1048648 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:shorewall_log_t:s0 tclass=file
[   21.431481] type=1400 audit(1333944807.928:7): avc:  denied  { append } for  pid=1392 comm="iptables" path="/var/log/shorewall-init.log" dev=dm-3 ino=1048648 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:shorewall_log_t:s0 tclass=file
[   21.796983] xt_time: kernel timezone is -0000
[   22.380995] type=1400 audit(1333944808.880:8): avc:  denied  { signal } for  pid=1538 comm="sh" scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:system_r:shorewall_t:s0 tclass=process

-- System Information:
Debian Release: 6.0.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules        1.1.1-6.1+squeeze1 Pluggable Authentication Modules f
ii  libselinux1           2.0.96-1           SELinux runtime shared libraries
ii  libsepol1             2.0.41-1           SELinux library for manipulating b
ii  policycoreutils       2.0.82-3           SELinux core policy utilities
ii  python                2.6.6-3+squeeze6   interactive high-level object-orie

Versions of packages selinux-policy-default recommends:
ii  checkpolicy              2.0.22-1        SELinux policy compiler
ii  setools                  3.3.6.ds-7.2+b1 tools for Security Enhanced Linux

Versions of packages selinux-policy-default suggests:
ii  logcheck                      1.3.13     mails anomalies in the system logf
ii  syslog-summary                1.14-2     summarize the contents of a syslog

-- no debconf information
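An added example, not part of the bug report or of the selinux-policy-default package: it parses the AVC denial lines quoted in the dmesg output above, groups them by source type, target type and object class, and renders the allow rules audit2allow would propose from them. The sample input is the report's own dmesg lines, rejoined where the mail wrapped them; no other data is assumed.

```python
import re
from collections import defaultdict

# Sample input: the dmesg lines from the bug report above (wrapped lines rejoined),
# plus one non-AVC kernel line to show it is skipped.
SAMPLE_DMESG = """\
[   19.734966] type=1400 audit(1333944806.232:5): avc:  denied  { getattr } for  pid=1291 comm="shorewall" path="/bin/hostname" dev=dm-1 ino=524320 scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
[   19.809588] ADDRCONF(NETDEV_UP): eth0: link is not ready
[   21.431457] type=1400 audit(1333944807.928:6): avc:  denied  { append } for  pid=1392 comm="iptables" path="/var/log/shorewall-init.log" dev=dm-3 ino=1048648 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:shorewall_log_t:s0 tclass=file
[   21.431481] type=1400 audit(1333944807.928:7): avc:  denied  { append } for  pid=1392 comm="iptables" path="/var/log/shorewall-init.log" dev=dm-3 ino=1048648 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:shorewall_log_t:s0 tclass=file
[   22.380995] type=1400 audit(1333944808.880:8): avc:  denied  { signal } for  pid=1538 comm="sh" scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:system_r:shorewall_t:s0 tclass=process
"""

# "avc:  denied  { perm1 perm2 } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of fields for one AVC denial line, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = set(m.group("perms").split())
    return rec

def summarize(text):
    """Group denials by (source type, target type, class), merging the permissions.
    The type is the third field of a context user:role:type:level."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        stype = rec["scontext"].split(":")[2]
        ttype = rec["tcontext"].split(":")[2]
        groups[(stype, ttype, rec["tclass"])] |= rec["perms"]
    return dict(groups)

def as_allow_rules(groups):
    """Render the grouped denials as the allow rules audit2allow would propose."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(groups.items())]

if __name__ == "__main__":
    for rule in as_allow_rules(summarize(SAMPLE_DMESG)):
        print(rule)
```

Grouping the two identical iptables denials into one rule shows that the startup failure reduces to three missing permissions: shorewall_t getattr on hostname_exec_t, iptables_t append on shorewall_log_t, and shorewall_t signalling its own domain.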


