
using firewalld on debian with selinux



Hello debian-firewall List members.

This weekend I installed a Debian GNU/Linux 11 (bullseye) system. This system is directly connected to the internet, so I am trying to harden it.

I enabled SELinux with the targeted policy on my Debian system. Then I had to troubleshoot a lot to get firewalld running. I found that some rules are missing from the targeted policy.

Here they are:

# cat firewalldcustom1.te

module firewalldcustom1 1.0;

require {
        type firewalld_t;
        type firewalld_etc_rw_t;
        type lib_t;
        type tmpfs_t;
        type unconfined_t;
        class dir watch;
        class dir write;
        class dbus send_msg;
        class file execute;
        class file map;
        class file read;
        class file write;
        class netlink_netfilter_socket create;
        class netlink_netfilter_socket getopt;
        class netlink_netfilter_socket read;
        class netlink_netfilter_socket setopt;
        class netlink_netfilter_socket write;
}

#============= firewalld_t ==============
allow firewalld_t firewalld_etc_rw_t:dir watch;
allow firewalld_t lib_t:dir watch;
allow firewalld_t tmpfs_t:file { execute map read write };
allow firewalld_t tmpfs_t:dir write;
allow firewalld_t self:netlink_netfilter_socket { create getopt read setopt write };
allow firewalld_t unconfined_t:dbus send_msg;

#

Now I can start firewalld, but I can't add any service. If I try to add a service, I get:

# firewall-cmd --add-service=http
Error: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory


JSON blob:
{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public_allow", "expr": [{"match": {"left": {"payload": {"protocol": "tcp", "field": "dport"}}, "op": "==", "right": 80}}, {"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["new", "untracked"]}}}, {"accept": null}]}}}]}
#

If I set the SELinux mode from enforcing to permissive, it works as expected. So I think it is somehow related to SELinux. But I can't find any useful lines in /var/log/audit/audit.log.


What can I do to solve my issue?


Sincerely yours,

Mario Koppensteiner
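An added example, not part of Mario's post: denials that the targeted policy marks dontaudit never reach audit.log until `semodule -DB` disables those rules, which is the usual reason the log looks empty while permissive mode "fixes" things. The AVC lines below are constructed sample input standing in for what `ausearch -m avc` would then show; the function turns them into allow rules in the same shape as the firewalldcustom1 module above.

```shell
#!/bin/sh
# Added example for the thread above, not the poster's own commands.
#
# Workflow this script supports (run manually, as root):
#   semodule -DB                      # temporarily disable dontaudit rules
#   firewall-cmd --add-service=http   # reproduce the failing operation
#   ausearch -m avc -ts recent | avc_to_allow   # see which rules are missing
#   semodule -B                       # re-enable dontaudit rules afterwards
# The resulting lines go into a .te file with a matching require {} block and
# are built with: checkmodule -M -m -o x.mod x.te; semodule_package -o x.pp -m x.mod; semodule -i x.pp

# Constructed sample AVC records (not from a real system).
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { watch } for  pid=1234 comm="firewalld" path="/etc/firewalld" dev="sda1" ino=1 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:firewalld_etc_rw_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.124:457): avc:  denied  { create getopt } for  pid=1234 comm="firewalld" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=netlink_netfilter_socket permissive=0'

# avc_to_allow: read AVC lines on stdin, print one deduplicated allow rule per
# denial. Like audit2allow, a target type equal to the source type becomes "self".
avc_to_allow() {
  awk '
    /avc:  denied/ {
      perms = $0; sub(/.*denied  \{ /, "", perms); sub(/ \}.*/, "", perms)
      src = $0; sub(/.*scontext=/, "", src); sub(/ .*/, "", src)
      tgt = $0; sub(/.*tcontext=/, "", tgt); sub(/ .*/, "", tgt)
      cls = $0; sub(/.*tclass=/, "", cls); sub(/ .*/, "", cls)
      # contexts are user:role:type:level; field 3 is the type
      split(src, s, ":"); split(tgt, t, ":")
      target = (s[3] == t[3]) ? "self" : t[3]
      printf "allow %s %s:%s { %s };\n", s[3], target, cls, perms
    }' | LC_ALL=C sort -u
}

# demo: run the converter over the constructed sample.
demo() {
  printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
}

demo
```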

