> -------- Original Message --------
> Subject: Re: [Shorewall-users] Centos7: SELinux is preventing /usr/bin/touch
> from 'write' accesses on the file shorewall
> Local Time: December 17, 2017 1:58 PM
> UTC Time: December 17, 2017 9:58 PM
> From: d.le...@solinos.it
> To: shorewall-users@lists.sourceforge.net
>
> On Sun, 17/12/2017 at 13.10 -0500, Colony.three via Shorewall-users wrote:
>
>> It's not clear what you're doing here. In several cases you have the
>> output of ls -Z, without entering the command?
>
> Now this is the output of ls -Z
>
> [ root@s-virt ~]# ls -lZ /run/lock/subsys/*
> -rw-r--r--. root root system_u:object_r:var_lock_t:s0 /run/lock/subsys/libvirt-guests
> -rw-r--r--. root root system_u:object_r:var_lock_t:s0 /run/lock/subsys/network
> -rw-------. root root unconfined_u:object_r:var_lock_t:s0 /run/lock/subsys/shorewall
>
>> Yes selinux is prohibiting from looking at {getattr}, creating
>> {write}, or deleting {unlink} the shorewall lockfile. The correct
>> setting for the lockfile (and the path down to it) is:
>> system_u:object_r:var_lock_t:s0
>
> The file does not have this attribute.
> And if I change it
>
> [ root@s-virt ~]# chcon system_u:object_r:var_lock_t:s0 /run/lock/subsys/shorewall
>
> It comes back after a while.
>
>> You don't say whether you've rebooted or not.
>
> No, I have not rebooted; I do not know what happens if I reboot.
>
> I have only restarted the shorewall service, and sometimes, when I do
> that, I get 4 SELinux errors in the log.
>
> I just want to point out that sometimes in the logs I detect these
> selinux errors
>
> [ root@s-virt ~]# grep -E 'denied.*shorewall' /var/log/audit/audit.log|tail -4
> type=AVC msg=audit(1513547387.366:1560): avc: denied { getattr } for
> pid=17154 comm="rm" path="/run/lock/subsys/shorewall" dev="tmpfs" ino=56603
> scontext=system_u:system_r:shorewall_t:s0
> tcontext=system_u:object_r:var_lock_t:s0 tclass=file
> type=AVC msg=audit(1513547387.366:1561): avc: denied { unlink } for
> pid=17154 comm="rm" name="shorewall" dev="tmpfs" ino=56603
> scontext=system_u:system_r:shorewall_t:s0
> tcontext=system_u:object_r:var_lock_t:s0 tclass=file
> type=AVC msg=audit(1513547387.758:1605): avc: denied { write } for pid=17405
> comm="touch" name="shorewall" dev="tmpfs" ino=56603
> scontext=system_u:system_r:shorewall_t:s0
> tcontext=system_u:object_r:var_lock_t:s0 tclass=file
> type=AVC msg=audit(1513547387.758:1606): avc: denied { write } for pid=17405
> comm="touch" name="shorewall" dev="tmpfs" ino=56603
> scontext=system_u:system_r:shorewall_t:s0
> tcontext=system_u:object_r:var_lock_t:s0 tclass=file
>
> Is there a solution that I can apply, or is it a bug?
>
> Thanks
I guess that this is an important server, but you must be able to reboot.
The problem comes back after a bit? It's doubtful that it's a bug with RHEL.
I suspect that you've made changes in the system without rebooting.
As to selinux errors, there are several ways to approach them, and lots of ways
to do it wrong. And lots of selinux errors are harmless and would take weeks
of study to change. The best thing is to start with a baseline by rebooting.
Be sure that you have good backups.
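As an added example, not part of the thread or of the Shorewall project, the script below parses AVC denial records and `ls -lZ` labels of the kind quoted above and summarises which source type was denied which permissions on which target type. The four AVC records are the ones from the thread's audit.log excerpt, joined back onto single lines; the `ls -lZ` lines are the ones the poster pasted; the extra `type=SYSCALL` line, the `SAMPLE_*` names and all function names are this example's own constructions.

```python
"""Added example (not from the thread or the Shorewall project): parse
SELinux AVC denials and ls -Z labels like the ones quoted above and
summarise who was denied what on which type. The SAMPLE_* data and the
function names are this example's own."""
import re
import sys
from collections import defaultdict

# Constructed sample: the four AVC records from the thread's audit.log
# excerpt, joined back onto single lines, plus one non-AVC record.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1513547387.366:1560): avc: denied { getattr } for '
    'pid=17154 comm="rm" path="/run/lock/subsys/shorewall" dev="tmpfs" ino=56603 '
    'scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file',
    'type=AVC msg=audit(1513547387.366:1561): avc: denied { unlink } for '
    'pid=17154 comm="rm" name="shorewall" dev="tmpfs" ino=56603 '
    'scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file',
    'type=AVC msg=audit(1513547387.758:1605): avc: denied { write } for pid=17405 '
    'comm="touch" name="shorewall" dev="tmpfs" ino=56603 '
    'scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file',
    'type=AVC msg=audit(1513547387.758:1606): avc: denied { write } for pid=17405 '
    'comm="touch" name="shorewall" dev="tmpfs" ino=56603 '
    'scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file',
    # constructed non-AVC record; the parser must skip it
    'type=SYSCALL msg=audit(1513547387.758:1606): arch=c000003e syscall=2 success=no',
]

# Constructed sample: the ls -lZ output the poster pasted (CentOS 7 layout:
# mode, owner, group, context, path).
SAMPLE_LS_Z_LINES = [
    '-rw-r--r--. root root system_u:object_r:var_lock_t:s0 /run/lock/subsys/libvirt-guests',
    '-rw-r--r--. root root system_u:object_r:var_lock_t:s0 /run/lock/subsys/network',
    '-rw-------. root root unconfined_u:object_r:var_lock_t:s0 /run/lock/subsys/shorewall',
]

AVC_RE = re.compile(
    r'type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*avc:\s*denied\s*'
    r'\{\s*(?P<perms>[^}]*?)\s*\}\s*for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
LS_Z_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+(?P<ctx>\S+)\s+(?P<path>\S+)$')


def parse_avc(line):
    """Return a dict for an AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    rec['ts'] = float(m.group('ts'))
    rec['serial'] = int(m.group('serial'))
    return rec


def context_type(context):
    """Type component of a user:role:type[:range] context string."""
    return context.split(':')[2]


def summarise(lines):
    """Group denials by (source type, target type, class) and collect the
    denied permissions, the commands involved and the record count."""
    groups = defaultdict(lambda: {'perms': set(), 'comms': set(), 'count': 0})
    for line in lines:
        rec = parse_avc(line)
        if rec is None or 'scontext' not in rec or 'tcontext' not in rec:
            continue
        key = (context_type(rec['scontext']), context_type(rec['tcontext']),
               rec.get('tclass', '?'))
        g = groups[key]
        g['perms'].update(rec['perms'])
        g['comms'].add(rec.get('comm', '?'))
        g['count'] += 1
    return dict(groups)


def label_report(ls_lines, expected):
    """For each path in ls -Z output: (type matches expected, whole label matches).
    Type enforcement decides on the type, so the first flag is the one that
    matters for an AVC denial; the user part of a file label does not."""
    report = {}
    for line in ls_lines:
        m = LS_Z_RE.match(line.strip())
        if not m:
            continue
        ctx = m.group('ctx')
        report[m.group('path')] = (context_type(ctx) == context_type(expected),
                                   ctx == expected)
    return report


def main(argv):
    # Pass a path to an audit.log to summarise it; with no argument the
    # embedded sample records are used.
    lines = open(argv[1]).read().splitlines() if len(argv) > 1 else SAMPLE_AVC_LINES
    for (src, tgt, cls), g in sorted(summarise(lines).items()):
        print(f'{src} -> {tgt} ({cls}): {g["count"]} denials, '
              f'perms={sorted(g["perms"])}, comms={sorted(g["comms"])}')
    expected = 'system_u:object_r:var_lock_t:s0'
    for path, (type_ok, full_ok) in label_report(SAMPLE_LS_Z_LINES, expected).items():
        print(f'{path}: type ok={type_ok}, full label ok={full_ok}')


if __name__ == '__main__':
    main(sys.argv)
```

On the thread's records the summary collapses to a single line: source type `shorewall_t` denied `getattr`, `unlink` and `write` on a `file` of type `var_lock_t`, by `rm` and `touch`. The label report shows the lock file already carries the type `var_lock_t` and differs from the suggested label only in the SELinux user field (`unconfined_u` versus `system_u`), which type-enforcement rules do not consult, so that part of the `chcon` does not bear on these denials. Separately, `chcon` only changes the label on the inode and is not recorded in the policy's file-context database, so a relabel (for example by `restorecon`) reverts it; a label that must persist is set with `semanage fcontext` followed by `restorecon`.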
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users