using firewalld on debian with selinux


Mario Koppensteiner

Jan 30, 2022, 12:40:05 PM
Hello debian-firewall list members.

This weekend I installed a Debian GNU/Linux 11 (bullseye) system.
This system is directly connected to the internet, and so I am trying
to harden it.

I enabled SELinux with the targeted policy on my Debian system. Then
I had to troubleshoot a lot to get firewalld running. I found that
some rules are missing in the targeted policy.

Here they are:

# cat firewalldcustom1.te

module firewalldcustom1 1.0;

require {
type firewalld_t;
type firewalld_etc_rw_t;
type lib_t;
type tmpfs_t;
type unconfined_t;
class dir watch;
class dir write;
class dbus send_msg;
class file execute;
class file map;
class file read;
class file write;
class netlink_netfilter_socket create;
class netlink_netfilter_socket getopt;
class netlink_netfilter_socket read;
class netlink_netfilter_socket setopt;
class netlink_netfilter_socket write;
}

#============= firewalld_t ==============
allow firewalld_t firewalld_etc_rw_t:dir watch;
allow firewalld_t lib_t:dir watch;
allow firewalld_t tmpfs_t:file { execute map read write};
allow firewalld_t tmpfs_t:dir write;
allow firewalld_t self:netlink_netfilter_socket { create getopt read setopt write };
allow firewalld_t unconfined_t:dbus send_msg;

#

Now I can start firewalld. But I can't add any service. If I try to
add a service, I get:

# firewall-cmd --add-service=http
Error: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error:
Could not process rule: No such file or directory


JSON blob:
{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"rule":
{"family": "inet", "table": "firewalld", "chain":
"filter_IN_public_allow", "expr": [{"match": {"left": {"payload":
{"protocol": "tcp", "field": "dport"}}, "op": "==", "right": 80}},
{"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right":
{"set": ["new", "untracked"]}}}, {"accept": null}]}}}]}
#

If I set the SELinux mode from enforcing to permissive, it works as
expected. So I think it is somehow related to SELinux. But I can't find
any useful lines in /var/log/audit/audit.log.


What can I do to solve my issue?


Sincerely yours,

Mario Koppensteiner
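The module quoted in the post has the shape that audit2allow produces from AVC denial records, and the next step in a case like this is to get the missing denials logged and turned into rules the same way. The following Python script is an added example, not the poster's tooling or a Debian/firewalld project file: it parses AVC records in audit.log format into (source type, target type, class, permissions) tuples and renders them as a .te module in the same layout as firewalldcustom1.te above, so it is visible exactly which log line justifies which allow rule. The audit records in SAMPLE_AUDIT_LOG are constructed samples, not real log data, and the module name firewalldcustom_example is an assumed placeholder.

```python
"""Tiny audit2allow-style helper: parse SELinux AVC denial records and emit a
Type Enforcement (.te) module in the same layout as the firewalldcustom1.te
module posted on the list.  Added example, not the poster's tooling."""
import re
from collections import defaultdict

# Constructed sample audit.log records (not real log data): four denials for
# firewalld_t plus one SYSCALL record that the parser must ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1643542800.101:201): avc:  denied  { create } for  pid=1234 comm="firewalld" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=netlink_netfilter_socket permissive=0
type=AVC msg=audit(1643542800.102:202): avc:  denied  { read write } for  pid=1234 comm="firewalld" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=netlink_netfilter_socket permissive=0
type=AVC msg=audit(1643542800.103:203): avc:  denied  { watch } for  pid=1234 comm="firewalld" path="/etc/firewalld" dev="vda1" ino=4242 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:firewalld_etc_rw_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1643542800.104:204): avc:  denied  { send_msg } for  pid=1234 comm="firewalld" scontext=system_u:system_r:firewalld_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dbus permissive=0
type=SYSCALL msg=audit(1643542800.104:204): arch=c000003e syscall=44 success=no exit=-13 comm="firewalld"
"""

# Contexts are user:role:type[:level]; only the type is needed for an allow
# rule, so the regex captures the third field and skips any MLS level suffix.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"\bscontext=[^:\s]+:[^:\s]+:(?P<stype>[^:\s]+)\S*\s+"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+)\S*\s+"
    r"tclass=(?P<tclass>\S+)"
)


def parse_denials(audit_text):
    """Return one dict per AVC denial: source type, target type, class, perms."""
    denials = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:  # SYSCALL/PATH/... records carry no "avc: denied"
            continue
        denials.append({
            "stype": m.group("stype"),
            "ttype": m.group("ttype"),
            "tclass": m.group("tclass"),
            "perms": set(m.group("perms").split()),
        })
    return denials


def _fmt_perms(perms):
    """Single permission bare, several as a brace-delimited set."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def generate_te(module_name, version, denials):
    """Merge denials per (source, target, class) and render a .te module."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]

    # require block: every type referenced, and one "class X perm;" line per
    # (class, permission) pair, mirroring the layout of the posted module.
    types = sorted({t for key in rules for t in key[:2]})
    class_perms = sorted({(key[2], p) for key, perms in rules.items() for p in perms})

    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {cls} {perm};" for cls, perm in class_perms]
    out += ["}", ""]

    current_src = None
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        if stype != current_src:  # one banner per source domain, as audit2allow does
            out.append(f"#============= {stype} ==============")
            current_src = stype
        target = "self" if ttype == stype else ttype  # same domain -> self
        out.append(f"allow {stype} {target}:{tclass} {_fmt_perms(perms)};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(generate_te("firewalldcustom_example", "1.0", parse_denials(SAMPLE_AUDIT_LOG)))
```

A generated module is compiled and loaded the usual way: `checkmodule -M -m -o firewalldcustom_example.mod firewalldcustom_example.te`, then `semodule_package -o firewalldcustom_example.pp -m firewalldcustom_example.mod`, then `semodule -i firewalldcustom_example.pp`. Two checks matter when enforcing mode breaks a program but audit.log stays empty, as described in the post: the denial may be covered by a dontaudit rule in the loaded policy, which `semodule -DB` disables (rebuilding the policy so those records are logged; `semodule -B` restores the normal build afterwards), and running the failing command once in permissive mode collects all denials in one pass instead of stopping at the first. Review what the generator emits before loading it: a rule such as `allow firewalld_t tmpfs_t:file { execute map read write }` grants a network-facing daemon the right to map and execute files in tmpfs, so each generated line should be justified by a specific denial rather than copied wholesale.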