using firewalld on Debian with SELinux

    From Mario Koppensteiner@21:1/5 to All on Sun Jan 30 18:40:02 2022
    Hello debian-firewall List members.

    This weekend I installed a Debian GNU/Linux 11 (bullseye) system.
    This system is directly connected to the internet, so I am trying to
    harden it.

    I enabled SELinux with the targeted policy on my Debian system. Then
    I did a lot of troubleshooting to get firewalld running. I found there are
    some rules missing in the targeted policy.

    Here they are:

    # cat firewalldcustom1.te

    module firewalldcustom1 1.0;

    require {
    type firewalld_t;
    type firewalld_etc_rw_t;
    type lib_t;
    type tmpfs_t;
    type unconfined_t;
    class dir watch;
    class dir write;
    class dbus send_msg;
    class file execute;
    class file map;
    class file read;
    class file write;
    class netlink_netfilter_socket create;
    class netlink_netfilter_socket getopt;
    class netlink_netfilter_socket read;
    class netlink_netfilter_socket setopt;
    class netlink_netfilter_socket write;
    }

    #============= firewalld_t ==============
    allow firewalld_t firewalld_etc_rw_t:dir watch;
    allow firewalld_t lib_t:dir watch;
    allow firewalld_t tmpfs_t:file { execute map read write};
    allow firewalld_t tmpfs_t:dir write;
    allow firewalld_t self:netlink_netfilter_socket { create getopt read setopt write };
    allow firewalld_t unconfined_t:dbus send_msg;

    #

    Now I can start the firewalld. But I can't add any service. If I try to
    add a service, then I get:

    # firewall-cmd --add-service=http
    Error: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error:
    Could not process rule: No such file or directory


    JSON blob:
    {"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain":
    "filter_IN_public_allow", "expr": [{"match": {"left": {"payload":
    {"protocol": "tcp", "field": "dport"}}, "op": "==", "right": 80}},
    {"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right":
    {"set": ["new", "untracked"]}}}, {"accept": null}]}}}]}
    #

    If I set the SELinux mode from enforcing to permissive then it is
    working as expected. So I think it is somehow related to SELinux. But I
    can't find any useful lines in /var/log/audit/audit.log


    What can I do to solve my issue?


    Sincerely yours,

    Mario Koppensteiner

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
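The post's custom module was evidently built from AVC denials; as an added example that is not part of the original post, the script below does the same job in miniature (what `audit2allow -M` does in full): it parses audit.log AVC records and renders a .te module in the same shape as firewalldcustom1 above. The audit lines are constructed to mirror the denials discussed here, not a real capture.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log's AVC format (not a real capture):
# two netlink_netfilter_socket denials and one tmpfs file denial for firewalld.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1643568000.101:201): avc:  denied  { create } for  pid=612 comm="firewalld" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=netlink_netfilter_socket permissive=0
type=AVC msg=audit(1643568000.102:202): avc:  denied  { setopt } for  pid=612 comm="firewalld" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=netlink_netfilter_socket permissive=0
type=AVC msg=audit(1643568000.103:203): avc:  denied  { read write } for  pid=612 comm="firewalld" path="/dev/shm/x" dev="tmpfs" ino=4 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1643568000.103:203): arch=c000003e syscall=2 success=no exit=-13 comm="firewalld"
"""

# Pull the denied permissions, source type, target type and object class out of
# an AVC record; the user/role prefixes and MLS level are skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=\w+:\w+:(?P<stype>\w+)\S* tcontext=\w+:\w+:(?P<ttype>\w+)\S* "
    r"tclass=(?P<tclass>\w+)"
)


def parse_denials(log_text):
    """Collect denied permissions keyed by (source type, target type, class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, CWD, PATH records carry no denial of their own
        rules[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return rules


def render_module(name, rules):
    """Render a .te module: require block first, then one allow rule per key."""
    types, classes = set(), set()
    for (src, tgt, cls), perms in rules.items():
        types.update({src, tgt})
        classes.update((cls, p) for p in perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {p};" for c, p in sorted(classes)]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = "self" if src == tgt else tgt  # same-type access is written as self
        out.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_module("firewalldcustom2", parse_denials(SAMPLE_AUDIT_LOG)))
```

An empty audit.log while enforcing mode still breaks the command usually means a dontaudit rule is suppressing the record: `semodule -DB` rebuilds the policy with dontaudit rules disabled so the AVC shows up, and `semodule -B` restores them afterwards. Review any generated allow rule before loading it, since a denial can also mean firewalld was doing something the policy is right to block.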