using firewalld on debian with selinux
From Mario Koppensteiner@21:1/5 to All on Sun Jan 30 18:40:02 2022
Hello debian-firewall List members.
This weekend I installed a Debian GNU/Linux 11 (bullseye) system.
This system is directly connected to the internet, so I am trying to
harden it.
I enabled SELinux with the targeted policy on my Debian system. Then I
had to troubleshoot a lot to get firewalld running. I found that some
rules are missing from the targeted policy.
Here they are:
# cat firewalldcustom1.te
module firewalldcustom1 1.0;

require {
	type firewalld_t;
	type firewalld_etc_rw_t;
	type lib_t;
	type tmpfs_t;
	type unconfined_t;
	class dir watch;
	class dir write;
	class dbus send_msg;
	class file execute;
	class file map;
	class file read;
	class file write;
	class netlink_netfilter_socket create;
	class netlink_netfilter_socket getopt;
	class netlink_netfilter_socket read;
	class netlink_netfilter_socket setopt;
	class netlink_netfilter_socket write;
}

#============= firewalld_t ==============
# watch config and library directories (inotify)
allow firewalld_t firewalld_etc_rw_t:dir watch;
allow firewalld_t lib_t:dir watch;
# python-nftables scratch files on tmpfs
allow firewalld_t tmpfs_t:file { execute map read write };
allow firewalld_t tmpfs_t:dir write;
# netlink socket used to talk to nftables
allow firewalld_t self:netlink_netfilter_socket { create getopt read setopt write };
# D-Bus replies to unconfined callers such as firewall-cmd
allow firewalld_t unconfined_t:dbus send_msg;
#
Now I can start firewalld, but I can't add any service. If I try to
add a service, I get:
# firewall-cmd --add-service=http
Error: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error:
Could not process rule: No such file or directory
JSON blob:
{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain":
"filter_IN_public_allow", "expr": [{"match": {"left": {"payload":
{"protocol": "tcp", "field": "dport"}}, "op": "==", "right": 80}},
{"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right":
{"set": ["new", "untracked"]}}}, {"accept": null}]}}}]}
#
If I set the SELinux mode from enforcing to permissive, it works as
expected, so I think it is somehow related to SELinux. But I can't
find any useful lines in /var/log/audit/audit.log.
What can I do to solve my issue?
Sincerely yours,
Mario Koppensteiner
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)
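Added example, not part of the post above: a small Python sketch of what audit2allow does with AVC denial records, turning them into a .te module of the same shape as firewalldcustom1.te (if audit.log shows nothing under enforcing mode, the denials are usually hidden by dontaudit rules; `semodule -DB` rebuilds the policy without them and `semodule -B` restores them). The AVC lines are constructed samples, and `parse_avc` / `avc_to_te` are hypothetical names chosen here.

```python
import re
from collections import defaultdict

# Constructed AVC denials of the kind that produce the rules in the post;
# illustrative samples, not a capture from the author's host.
AVC_SAMPLE = """\
type=AVC msg=audit(1643564400.101:201): avc:  denied  { watch } for  pid=812 comm="firewalld" path="/etc/firewalld" dev="sda1" ino=1234 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:firewalld_etc_rw_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1643564400.102:202): avc:  denied  { execute map read write } for  pid=812 comm="firewalld" path="/dev/shm/x" dev="tmpfs" ino=5 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1643564400.103:203): avc:  denied  { create } for  pid=812 comm="firewalld" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=netlink_netfilter_socket permissive=0
type=AVC msg=audit(1643564400.104:204): avc:  denied  { read } for  pid=812 comm="firewalld" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=netlink_netfilter_socket permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)"
)


def parse_avc(text):
    """Yield (source_type, target_type, class, perms) for each AVC denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other non-AVC records are skipped
        # contexts are user:role:type[:level]; the type is the third field
        stype = m.group("s").split(":")[2]
        ttype = m.group("t").split(":")[2]
        yield stype, ttype, m.group("c"), set(m.group("perms").split())


def avc_to_te(text, module, version="1.0"):
    """One allow rule per (source, target, class) with the union of denied
    permissions, 'self' when the types match, plus the matching require block."""
    rules = defaultdict(set)
    for s, t, c, perms in parse_avc(text):
        rules[(s, t, c)] |= perms
    types = sorted({x for s, t, _ in rules for x in (s, t)})
    classes = defaultdict(set)  # class -> every permission the rules need
    for (_, _, c), perms in rules.items():
        classes[c] |= perms
    out = [f"module {module} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, c), perms in sorted(rules.items()):
        target = "self" if s == t else t
        out.append(f"allow {s} {target}:{c} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"
```

The emitted module is built and loaded the same way as the one in the post (checkmodule -M -m, semodule_package, semodule -i); review each generated rule before loading, since it grants exactly what was denied.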