I recently upgraded a machine from FC6 to F7, and I used to use a /etc/dhclient-exit-hooks script to call some iptables functions after bringing up my external interface. This used to work on FC6 as long as I setsebool -P dhcpc_disable_trans 1, but the policy in F7 no longer contains such a boolean, so dhclient-script is prevented from getattr/executing iptables. Is there a simple fix to this, or do I need to write a policy and compile it? If the latter, any pointers on what the policy file should contain?
Thanks for any help, tim
Tim Fenn wrote:
> I recently upgraded a machine from FC6 to F7, and I used to use a /etc/dhclient-exit-hooks script to call some iptables functions after bringing up my external interface. This used to work on FC6 as long as I setsebool -P dhcpc_disable_trans 1, but the policy in F7 no longer contains such a boolean, so dhclient-script is prevented from getattr/executing iptables. Is there a simple fix to this, or do I need to write a policy and compile it? If the latter, any pointers on what the policy file should contain?
> Thanks for any help, tim
> -- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
You have inspired me to blog.
http://danwalsh.livejournal.com/13116.html
On Tue, 02 Oct 2007 09:05:13 -0400 Daniel J Walsh dwalsh@redhat.com wrote:
> Tim Fenn wrote:
>> I recently upgraded a machine from FC6 to F7, and I used to use a /etc/dhclient-exit-hooks script to call some iptables functions after bringing up my external interface. This used to work on FC6 as long as I setsebool -P dhcpc_disable_trans 1, but the policy in F7 no longer contains such a boolean, so dhclient-script is prevented from getattr/executing iptables. Is there a simple fix to this, or do I need to write a policy and compile it? If the latter, any pointers on what the policy file should contain?
> You have inspired me to blog.
Great horny toads, what have I done? ;)
Thanks for the feedback Dan, it's always appreciated (and thanks for pointing out the error in my previous ways).
I recently dove into policy writing, but will rewrite my policy based on the domain transfer suggestion and report back once I have something working.
Regards, -Tim
On Tue, 2 Oct 2007 11:07:09 -0700 Tim Fenn fenn@stanford.edu wrote:
> I recently dove into policy writing, but will rewrite my policy based on the domain transfer suggestion and report back once I have something working.
Here is the policy I cooked up:
<policy>
policy_module(mydhcp,1.0.0)

########################################
#
# Declarations
#
require {
    type dhcpc_t;
    type insmod_t;
    type iptables_t;
    class rawip_socket { read write };
}

# Let dhclient-script (dhcpc_t) execute iptables and transition into iptables_t
iptables_domtrans(dhcpc_t)

#============= insmod_t ==============
# Let insmod (insmod_t) use a raw IP socket it inherits from iptables_t
allow insmod_t iptables_t:rawip_socket { read write };
</policy>
Not sure if it would be best to transfer iptables_t to modutils here?
-Tim
Tim Fenn wrote:
> On Tue, 2 Oct 2007 11:07:09 -0700 Tim Fenn fenn@stanford.edu wrote:
>> I recently dove into policy writing, but will rewrite my policy based on the domain transfer suggestion and report back once I have something working.
> Here is the policy I cooked up:
> <policy>
> policy_module(mydhcp,1.0.0)
>
> ########################################
> #
> # Declarations
> #
> require {
>     type dhcpc_t;
>     type insmod_t;
>     type iptables_t;
>     class rawip_socket { read write };
> }
>
> # Let dhclient-script (dhcpc_t) execute iptables and transition into iptables_t
> iptables_domtrans(dhcpc_t)
>
> #============= insmod_t ==============
> # Let insmod (insmod_t) use a raw IP socket it inherits from iptables_t
> allow insmod_t iptables_t:rawip_socket { read write };
> </policy>
> Not sure if it would be best to transfer iptables_t to modutils here?
> -Tim
This looks like iptables is leaking a file descriptor, and the kernel is checking if insmod_t has access to it. It does not, so the kernel closes it and replaces it with /dev/null. So this is not going to affect your code, but should be reported as a bug in iptables.
fcntl(fd, F_SETFD, FD_CLOEXEC)
should be called on open file descriptors before fork/exec.
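The close-on-exec fix described above, as an added example that is not part of the thread or of iptables itself: a pipe's write end stands in for the leaked raw socket, and a /bin/sh child (assumed to exist) reports whether it inherited the descriptor before and after FD_CLOEXEC is set. All function names are my own.

```c
/* Added example (not from the thread): mark a descriptor close-on-exec so it
 * is not inherited across fork/exec, the fix Dan describes for iptables. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Set FD_CLOEXEC on fd, keeping other FD flags. 0 on success, -1 on error. */
int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1) return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}
/* 1 if fd is close-on-exec, 0 if it is inheritable, -1 if fd is not open. */
int is_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags == -1 ? -1 : ((flags & FD_CLOEXEC) ? 1 : 0);
}
/* Fork/exec /bin/sh (assumed present) and have it dup fd: the dup succeeds
 * only if fd was inherited. Returns 1 (inherited), 0 (closed by exec),
 * -1 (child could not be run). */
int fd_survives_exec(int fd) {
    char script[64]; int status;
    snprintf(script, sizeof script, "exec 2>/dev/null 9>&%d", fd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", script, (char *)NULL);
        _exit(127);                              /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    if (WEXITSTATUS(status) == 127) return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

/* Reproduce the leak and the fix on a pipe's write end (stand-in for the raw
 * socket). 0 = as expected, >0 = failing step, -1 = child could not be run. */
int demo_pipe_cloexec(void) {
    int fds[2], r;
    if (pipe(fds) != 0) return -1;
    if (is_cloexec(fds[1]) != 0) return 1;       /* fresh fd is inheritable */
    if ((r = fd_survives_exec(fds[1])) < 0) return -1;
    if (r != 1) return 2;                        /* should leak into child */
    if (set_cloexec(fds[1]) != 0) return 3;
    if (is_cloexec(fds[1]) != 1) return 4;
    if ((r = fd_survives_exec(fds[1])) < 0) return -1;
    if (r != 0) return 5;                        /* must not leak any more */
    close(fds[0]); close(fds[1]);
    return 0;
}
```

A program with many open descriptors would apply set_cloexec to every fd above 2 (ignoring EBADF) before calling fork, which is the sweep iptables would need to stop the socket reaching insmod.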