> Date: Mon, 2 Aug 2010 00:25:35 -0400
> Subject: Re: [Fwknop-discuss] (newbie) knoptm cannot expire iptables rules
> > > Date: Sun, 25 Jul 2010 11:13:55 -0400
> > > From: mbr@cipherdyne.org
> > > To: fwknop-discuss@lists.sourceforge.net
> > > Subject: Re: [Fwknop-discuss] (newbie) knoptm cannot expire iptables rules
> > >
> > > The end result will be a tarball of the test results in the test/
> > > directory. Can you send that to me?
> >
> >
> > Sorry for the delay; it's a side project and I've been busy.
> > Please find the test output attached.
> Thanks for sending that over. It appears to me that fwknop cannot execute
> any iptables command at all. Is it possible that SELinux is deployed on
> your system, and it is preventing fwknopd and knoptm from executing iptables?
> Thanks,
> --Mike

Gah!  I should've known.  It was SELinux.

However, recall my observed behavior that (once I manually added the FWKNOP_INPUT chain) fwknop could insert rules with SELinux enabled/enforcing.  The FWKNOP_INPUT chain was never created automatically.  Does the logic to create the chain depend on parsing output of iptables?

I ask because it appeared that the SELinux denials were on writing to the .iptout and .ipterr files in /var/log/fwknop:

avc: denied { write } for ... comm="iptables" path="/var/log/fwknop/fwknop.iptout" ... scontext=unconfined_u:system_r:iptables_t  tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file

Repeat the same for fwknop.ipterr, knoptm.iptout, and knoptm.ipterr.
So adding rules to the chain executes without needing to parse iptables output, but deciding whether to create the chain or which rule to remove depends on parsing -- which can't occur because iptables isn't allowed to write to /var/log/fwknop.

I hope that helps.

-- Will
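To make the diagnosis in this thread repeatable, the following is an added example (not code from the thread or from the fwknop project) that parses SELinux AVC records and reports which iptables output files under /var/log/fwknop the `iptables_t` domain was denied writing. The audit lines are constructed, modelled on the denial quoted above; pids, inodes and timestamps are placeholders.

```python
import re
from typing import Dict, List, Optional

# Constructed audit records modelled on the quoted AVC denial; one unrelated
# denial (comm="cupsd") is included to show that the filter ignores it.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1280640000.123:101): avc:  denied  { write } for  pid=2101 comm="iptables" path="/var/log/fwknop/fwknop.iptout" dev=dm-0 ino=393221 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1280640000.124:102): avc:  denied  { write } for  pid=2101 comm="iptables" path="/var/log/fwknop/fwknop.ipterr" dev=dm-0 ino=393222 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1280640300.500:140): avc:  denied  { write } for  pid=2230 comm="iptables" path="/var/log/fwknop/knoptm.iptout" dev=dm-0 ino=393223 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1280640300.501:141): avc:  denied  { write } for  pid=2230 comm="iptables" path="/var/log/fwknop/knoptm.ipterr" dev=dm-0 ino=393224 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1280640400.000:150): avc:  denied  { write } for  pid=2300 comm="cupsd" path="/var/log/cups/error_log" dev=dm-0 ino=1234 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_avc(line: str) -> Optional[Dict]:
    """Split one AVC denial into its permission set and key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec: Dict = {"perms": m.group("perms").split()}
    for key, raw, quoted in FIELD_RE.findall(m.group("fields")):
        rec[key] = quoted if raw.startswith('"') else raw
    return rec


def blocked_iptables_output(audit_text: str, log_dir: str = "/var/log/fwknop") -> List[Dict]:
    """Denied file writes by comm="iptables" into log_dir, with source/target SELinux types."""
    blocked = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec.get("comm") != "iptables" or rec.get("tclass") != "file":
            continue
        if "write" not in rec["perms"] or not rec.get("path", "").startswith(log_dir + "/"):
            continue
        blocked.append({"path": rec["path"],
                        "source_type": rec["scontext"].split(":")[2],   # e.g. iptables_t
                        "target_type": rec["tcontext"].split(":")[2]})  # e.g. var_log_t
    return blocked


def affected_programs(blocked: List[Dict]) -> Dict[str, List[str]]:
    """Group blocked paths by the daemon that redirects into them (fwknop.* vs knoptm.*)."""
    groups: Dict[str, List[str]] = {}
    for entry in blocked:
        prog = entry["path"].rsplit("/", 1)[-1].split(".", 1)[0]
        groups.setdefault(prog, []).append(entry["path"])
    return groups
```

Any daemon listed by `affected_programs` is running iptables whose stdout/stderr never reach the file it parses, which matches the symptom of chain creation and rule expiry silently failing while plain rule insertion still works.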