Mar 10 03:43:56 b2 setroubleshoot: SELinux is preventing /sbin/iptables-multi-1.4.7 from read access on the file . For complete SELinux messages. run sealert -l dea027a2-81dd-4394-96d4-f0d1160c9307
Mar 10 03:43:56 b2 setroubleshoot: SELinux is preventing /sbin/iptables-multi-1.4.7 from create access on the rawip_socket . For complete SELinux messages. run sealert -l 08757ff1-a08d-4c06-a08b-ff5d53712305
Mar 10 03:43:56 b2 setroubleshoot: SELinux is preventing /sbin/iptables-multi-1.4.7 from read access on the file . For complete SELinux messages. run sealert -l dea027a2-81dd-4394-96d4-f0d1160c9307
Mar 10 03:43:56 b2 setroubleshoot: SELinux is preventing /sbin/iptables-multi-1.4.7 from create access on the rawip_socket . For complete SELinux messages. run sealert -l 08757ff1-a08d-4c06-a08b-ff5d53712305
Mar 10 03:43:56 b2 setroubleshoot: SELinux is preventing /sbin/iptables-multi-1.4.7 from read access on the file . For complete SELinux messages. run sealert -l dea027a2-81dd-4394-96d4-f0d1160c9307
| Tutorial details | |
|---|---|
| Difficulty level | Intermediate |
| Root privileges | Yes |
| Requirements | restorecon |
| Est. reading time | N/A |
This is a known problem. An upgrade of existing installations of RHEL / CentOS 6.x can leave the iptables-multi and ip6tables-multi binaries with incorrect SELinux labels. This may break 3rd party applications such as fail2ban and shorewall. You will see the following messages in your /var/log/audit/audit.log
type=AVC msg=audit(1362905027.685:67620): avc: denied { create } for pid=11229 comm="iptables" scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
type=SYSCALL msg=audit(1362905027.685:67620): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=3 a2=ff a3=0 items=0 ppid=11228 pid=11229 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1877 comm="iptables" exe="/sbin/iptables-multi-1.4.7" subj=unconfined_u:system_r:shorewall_t:s0 key=(null)
type=AVC msg=audit(1362905027.685:67621): avc: denied { read } for pid=11229 comm="iptables" scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:sysctl_modprobe_t:s0 tclass=file
type=SYSCALL msg=audit(1362905027.685:67621): arch=c000003e syscall=2 success=no exit=-13 a0=3b09a05672 a1=0 a2=0 a3=0 items=0 ppid=11228 pid=11229 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1877 comm="iptables" exe="/sbin/iptables-multi-1.4.7" subj=unconfined_u:system_r:shorewall_t:s0 key=(null)
type=AVC msg=audit(1362905033.235:67622): avc: denied { create } for pid=11260 comm="iptables" scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
type=SYSCALL msg=audit(1362905033.235:67622): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=3 a2=ff a3=0 items=0 ppid=11247 pid=11260 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1877 comm="iptables" exe="/sbin/iptables-multi-1.4.7" subj=unconfined_u:system_r:shorewall_t:s0 key=(null)
type=AVC msg=audit(1362905033.236:67623): avc: denied { read } for pid=11260 comm="iptables" scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:sysctl_modprobe_t:s0 tclass=file
type=SYSCALL msg=audit(1362905033.236:67623): arch=c000003e syscall=2 success=no exit=-13 a0=3b09a05672 a1=0 a2=0 a3=0 items=0 ppid=11247 pid=11260 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1877 comm="iptables" exe="/sbin/iptables-multi-1.4.7" subj=unconfined_u:system_r:shorewall_t:s0 key=(null)
If you try to restart the shorewall service you will see the following messages:
Fig.01: Incorrect SELinux labels in may break 3rd party applications
# ls -Z /sbin/iptables-multi-1.4.7 Sample outputs:
-rwxr-xr-x. root root system_u:object_r:iptables_exec_t:s0 /sbin/iptables-multi-1.4.7
Incorrect SELinux labels for /sbin/iptables-multi-1.4.7:
# ls -Z /sbin/iptables-multi-1.4.7
Sample outputs:
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /sbin/iptables-multi-1.4.7
Solution
Type the following restorecon command to fix file(s) default SELinux security contexts:
# restorecon -R -v /sbin/
Sample outputs:
restorecon reset /sbin/ip6tables-multi-1.4.7 context system_u:object_r:bin_t:s0->system_u:object_r:iptables_exec_t:s0 restorecon reset /sbin/iptables-multi-1.4.7 context system_u:object_r:bin_t:s0->system_u:object_r:iptables_exec_t:s0
However, I recommend that you run restorecon over / (root) file system:
# restorecon -R -v /
Test it
Type the following command:
# service shorewall restart
# service shorewall status
🐧 1 comment so far... add one ↓
setroubleshoot: SELinux is preventing the squid…
How to configure pfSense as multi wan (DUAL WAN)…
Linux Restrict Execution of /usr/sbin/userhelper to…
Linux /bin/false VS /sbin/nologin: Politely Refuse a Login
iptables: Read a List of IP Address From File And Block
CentOS / RHEL: Change / Copy File SELinux Security…
CentOS / RHEL: Disable or Enable SELinux Policy Modules
| Category | List of Unix and Linux commands |
|---|---|
| Disk space analyzers | df • ncdu • pydf |
| File Management | cat • tree |
| Firewall | Alpine Awall • CentOS 8 • OpenSUSE • RHEL 8 • Ubuntu 16.04 • Ubuntu 18.04 • Ubuntu 20.04 |
| Network Utilities | NetHogs • dig • host • ip • nmap |
| OpenVPN | CentOS 7 • CentOS 8 • Debian 10 • Debian 8/9 • Ubuntu 18.04 • Ubuntu 20.04 |
| Package Manager | apk • apt |
| Processes Management | bg • chroot • cron • disown • fg • jobs • killall • kill • pidof • pstree • pwdx • time |
| Searching | grep • whereis • which |
| User Information | groups • id • lastcomm • last • lid/libuser-lid • logname • members • users • whoami • who • w |
| WireGuard VPN | Alpine • CentOS 8 • Debian 10 • Firewall • Ubuntu 20.04 |
restorecon -R -v /sbin/ do nothing for me .
The solution is following command
chcon system_u:object_r:iptables_exec_t:s0 /sbin/iptables-multi-1.4.7