Re: [Fwknop-discuss] (newbie) knoptm cannot expire iptables rules
From: Michael R. <mb...@ci...> - 2010-08-05 04:26:39
On Aug 04, 2010, William Price wrote:
> > Date: Mon, 2 Aug 2010 00:25:35 -0400
> > Subject: Re: [Fwknop-discuss] (newbie) knoptm cannot expire iptables rules
> >
> > > > Date: Sun, 25 Jul 2010 11:13:55 -0400
> > > > From: mb...@ci...
> > > > To: fwk...@li...
> > > > Subject: Re: [Fwknop-discuss] (newbie) knoptm cannot expire iptables rules
> > > >
> > > > The end result will be a tarball of the test results in the test/
> > > > directory. Can you send that to me?
> > >
> > > Sorry for the delay; it's a side project and I've been busy.
> > > Please find the test output attached.
> >
> > Thanks for sending that over. It appears to me that fwknop cannot execute
> > any iptables command at all. Is it possible that SELinux is deployed on
> > your system, and it is preventing fwknopd and knoptm from executing iptables?
> >
> > Thanks,
> >
> > --Mike
>
> Gah! I should've known. It was SELinux.
>
> However, recall my observed behavior that (once I manually added the FWKNOP_INPUT chain) fwknop could insert rules with SELinux enabled/enforcing. The FWKNOP_INPUT chain was never created automatically. Does the logic to create the chain depend on parsing output of iptables?

Yes, indeed the logic does depend on parsing iptables output in the perl fwknop implementation. There is a check to see if the FWKNOP_INPUT chain exists, and if the command to test this (just listing the rules) is met with stuff on stderr, then fwknopd assumes that it needs to create the chain.

> I ask because it appeared that the SELinux denials were on writing to the .iptout and .ipterr files in /var/log/fwknop:
>
> avc: denied { write } for ... comm="iptables" path="/var/log/fwknop/fwknop.iptout" ... scontext=unconfined_u:system_r:iptables_t tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
>
> Repeat the same for fwknop.ipterr, knoptm.iptout, and knoptm.ipterr.
>
> So adding rules to the chain executes without needing to parse iptables output, but deciding whether to create the chain or which rule to remove depends on parsing -- which can't occur because iptables isn't allowed to write to /var/log/fwknop.
>
> I hope that helps.

This sounds like the correct diagnosis. If you get things working on your Fedora system, would you be willing to contribute an SELinux policy? There is an SELinux policy for psad, but not yet for fwknop:

http://trac.cipherdyne.org/trac/psad/browser/psad/trunk/selinux

Thanks,

--Mike

> -- Will
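The failure mode Mike describes above (fwknopd treating any stderr output from the chain-listing command as "the chain is missing", so an SELinux denial on the output files is misread) can be avoided by distinguishing exit status and the specific iptables message, and by capturing output through pipes so iptables never has to write into the log directory itself. This is an added example, not fwknop's code; the sample outputs in the test are constructed.

```python
"""Classify the result of an iptables chain-existence probe (added example).

fwknopd's check, as described in the thread, equates "anything on stderr"
with "the FWKNOP_INPUT chain does not exist". That conflates a missing
chain with iptables failing for an unrelated reason, such as an SELinux
denial. This keeps the two apart.
"""
import subprocess
from enum import Enum


class ChainStatus(Enum):
    PRESENT = "present"
    MISSING = "missing"
    # iptables failed for some other reason: log it, do not "repair" by
    # creating the chain or touching rules.
    ERROR = "error"


# The message iptables prints (with a non-zero exit) when a chain does not exist.
MISSING_CHAIN_MSG = "No chain/target/match by that name"


def classify_probe(returncode, stdout, stderr):
    """Map the result of `iptables -nL <chain>` to a ChainStatus.

    Exit status 0 means the listing succeeded, so the chain exists.
    Only the specific "no chain" message counts as MISSING; every other
    failure (permission problems, a denied write, a bad binary path) is
    reported as ERROR so the caller can surface it instead of guessing.
    """
    if returncode == 0:
        return ChainStatus.PRESENT
    if MISSING_CHAIN_MSG in stderr:
        return ChainStatus.MISSING
    return ChainStatus.ERROR


def probe_chain(chain, table="filter", iptables="/sbin/iptables"):
    """Run the probe with stdout/stderr captured via pipes.

    Capturing through pipes means the iptables process never opens a file
    under /var/log/fwknop; the daemon that already holds the logging rights
    decides what to record. Requires root and a real iptables binary.
    """
    proc = subprocess.run([iptables, "-t", table, "-nL", chain],
                          capture_output=True, text=True)
    return classify_probe(proc.returncode, proc.stdout, proc.stderr)
```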