RHEL / CentOS: SELinux Is Preventing /sbin/iptables-multi-1.4.7 From Read Access On The File/rawip_socket

last updated in Categories ,

I upgraded my system to RHEL/CentOS v6.4 and I am getting the following error for 3rd party packages such as Shorewall and fail2ban:

Mar 10 03:43:56 b2 setroubleshoot: SELinux is preventing /sbin/iptables-multi-1.4.7 from read access on the file . For complete SELinux messages. run sealert -l dea027a2-81dd-4394-96d4-f0d1160c9307
Mar 10 03:43:56 b2 setroubleshoot: SELinux is preventing /sbin/iptables-multi-1.4.7 from create access on the rawip_socket . For complete SELinux messages. run sealert -l 08757ff1-a08d-4c06-a08b-ff5d53712305
Mar 10 03:43:56 b2 setroubleshoot: SELinux is preventing /sbin/iptables-multi-1.4.7 from read access on the file . For complete SELinux messages. run sealert -l dea027a2-81dd-4394-96d4-f0d1160c9307
Mar 10 03:43:56 b2 setroubleshoot: SELinux is preventing /sbin/iptables-multi-1.4.7 from create access on the rawip_socket . For complete SELinux messages. run sealert -l 08757ff1-a08d-4c06-a08b-ff5d53712305
Mar 10 03:43:56 b2 setroubleshoot: SELinux is preventing /sbin/iptables-multi-1.4.7 from read access on the file . For complete SELinux messages. run sealert -l dea027a2-81dd-4394-96d4-f0d1160c9307

How do I fix this problem?

This is a known problem. An upgrade of existing installations of RHEL / CentOS 6.x can leave the iptables-multi and ip6tables-multi binaries with incorrect SELinux labels. This may break 3rd party applications such as fail2ban and shorewall. You will see the following messages in your /var/log/audit/audit.log

type=AVC msg=audit(1362905027.685:67620): avc:  denied  { create } for  pid=11229 comm="iptables" scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
type=SYSCALL msg=audit(1362905027.685:67620): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=3 a2=ff a3=0 items=0 ppid=11228 pid=11229 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1877 comm="iptables" exe="/sbin/iptables-multi-1.4.7" subj=unconfined_u:system_r:shorewall_t:s0 key=(null)
type=AVC msg=audit(1362905027.685:67621): avc:  denied  { read } for  pid=11229 comm="iptables" scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:sysctl_modprobe_t:s0 tclass=file
type=SYSCALL msg=audit(1362905027.685:67621): arch=c000003e syscall=2 success=no exit=-13 a0=3b09a05672 a1=0 a2=0 a3=0 items=0 ppid=11228 pid=11229 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1877 comm="iptables" exe="/sbin/iptables-multi-1.4.7" subj=unconfined_u:system_r:shorewall_t:s0 key=(null)
type=AVC msg=audit(1362905033.235:67622): avc:  denied  { create } for  pid=11260 comm="iptables" scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
type=SYSCALL msg=audit(1362905033.235:67622): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=3 a2=ff a3=0 items=0 ppid=11247 pid=11260 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1877 comm="iptables" exe="/sbin/iptables-multi-1.4.7" subj=unconfined_u:system_r:shorewall_t:s0 key=(null)
type=AVC msg=audit(1362905033.236:67623): avc:  denied  { read } for  pid=11260 comm="iptables" scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:sysctl_modprobe_t:s0 tclass=file
type=SYSCALL msg=audit(1362905033.236:67623): arch=c000003e syscall=2 success=no exit=-13 a0=3b09a05672 a1=0 a2=0 a3=0 items=0 ppid=11247 pid=11260 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1877 comm="iptables" exe="/sbin/iptables-multi-1.4.7" subj=unconfined_u:system_r:shorewall_t:s0 key=(null)

If you try to restart the shorewall service you will see the following messages:

Fig.01: Incorrect SELinux labels in may break 3rd party applications
Fig.01: Incorrect SELinux labels in may break 3rd party applications

Correct SELinux labels for /sbin/iptables-multi-1.4.7:
# ls -Z /sbin/iptables-multi-1.4.7
Sample outputs:

-rwxr-xr-x. root root system_u:object_r:iptables_exec_t:s0 /sbin/iptables-multi-1.4.7

Incorrect SELinux labels for /sbin/iptables-multi-1.4.7:
# ls -Z /sbin/iptables-multi-1.4.7
Sample outputs:

-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /sbin/iptables-multi-1.4.7

Solution

Type the following restorecon command to fix file(s) default SELinux security contexts:
# restorecon -R -v /sbin/
Sample outputs:

restorecon reset /sbin/ip6tables-multi-1.4.7 context system_u:object_r:bin_t:s0->system_u:object_r:iptables_exec_t:s0
restorecon reset /sbin/iptables-multi-1.4.7 context system_u:object_r:bin_t:s0->system_u:object_r:iptables_exec_t:s0

However, I recommend that you run restorecon over / (root) file system:
# restorecon -R -v /

Test it

Type the following command:
# service shorewall restart
# service shorewall status

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

1 comment

  1. restorecon -R -v /sbin/ do nothing for me .
    The solution is following command
    chcon system_u:object_r:iptables_exec_t:s0 /sbin/iptables-multi-1.4.7

    Have a question? Post it on our forum!

Tagged as: Tags , , , ,