I've got a fairly stock CentOS 5.7 install, and I'm trying to mark some packets, but it isn't working.
[code]# iptables -t mangle -A INPUT -j SECMARK --selctx system_u:object_r:my_packet_t:s0
iptables v1.3.5: Unknown arg `--selctx'
Try `iptables -h' or 'iptables --help' for more information.
# iptables -t mangle -A OUTPUT -j SECMARK
iptables v1.3.5: Couldn't load target `SECMARK':/lib64/iptables/libipt_SECMARK.so: cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
[/code]
I guess I just need to yum install something, but what?
Some info:
[code]
# uname -a
Linux vweb01 2.6.18-274.el5 #1 SMP Fri Jul 22 04:43:29 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
# egrep -i 'secmark|selinux|sepro' /boot/conf*
CONFIG_NETWORK_SECMARK=y
CONFIG_NETFILTER_XT_TARGET_SECMARK=m
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
CONFIG_IP_NF_CONNTRACK_SECMARK=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT=y
# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
# od -c /selinux/compat_net
0000000 0
0000001
# locate -i secmark
/lib/modules/2.6.18-274.el5/kernel/net/netfilter/xt_CONNSECMARK.ko
/lib/modules/2.6.18-274.el5/kernel/net/netfilter/xt_SECMARK.ko
[/code]
I'm an SELinux n00b, and a bit rusty on the Linux front, but I know my way around Unix-like OSes. Any pointers?
SELinux/Iptables SECMARK problem
SECMARK doesn't appear to be in the copy of iptables that ships with CentOS 5, but it is in CentOS 6.
Re: SELinux/Iptables SECMARK problem
From what I can see, the kernel side is there, just not the tiny bit that lets iptables talk to it.
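The two replies split the problem into a kernel half (xt_SECMARK.ko, present on the box) and a userspace half (the iptables extension library, absent). The script below is an added example, not something posted in the thread, that turns that split into a check you can run before writing rules, and emits a standard SECMARK/CONNSECMARK rule set once both halves are present. Assumptions, labelled in the code: the default library directory /lib64/iptables is taken from the error message in the original post (iptables 1.4 and later look in /lib64/xtables for libxt_SECMARK.so instead); the context system_u:object_r:my_packet_t:s0 and port 80 are placeholders copied from the post, and the named type must already exist in the loaded policy with the SELinux packet_type attribute, otherwise the rule loads but the label is rejected by the policy.

```shell
#!/bin/sh
# Added example (not from the forum thread): report which half of SECMARK
# support a host has, then print the mangle rules that need both halves.
# SECMARK needs (a) the kernel target module xt_SECMARK.ko for the running
# kernel and (b) the iptables userspace extension, libipt_SECMARK.so on
# iptables 1.3.x or libxt_SECMARK.so on 1.4+.  Paths are parameters so the
# check can also be run against a constructed directory tree.

# secmark_support KVER LIBDIR MODDIR
#   prints one of: full | kernel-only | userspace-only | none
secmark_support() {
    kver=$1 libdir=$2 moddir=$3
    have_mod=0 have_lib=0
    # Kernel side: the target module built for this exact kernel version.
    [ -f "$moddir/$kver/kernel/net/netfilter/xt_SECMARK.ko" ] && have_mod=1
    # Userspace side: accept either library naming convention.
    for lib in "$libdir/libxt_SECMARK.so" "$libdir/libipt_SECMARK.so"; do
        [ -f "$lib" ] && have_lib=1
    done
    case "$have_mod$have_lib" in
        11) echo full ;;
        10) echo kernel-only ;;
        01) echo userspace-only ;;
        *)  echo none ;;
    esac
}

# compat_net_mode FILE -> prints secmark | legacy | unknown
# /selinux/compat_net reads 1 while the legacy (pre-SECMARK) network
# controls are in force and 0 when the SECMARK-based controls are active.
compat_net_mode() {
    case "$(cat "$1" 2>/dev/null)" in
        0) echo secmark ;;
        1) echo legacy ;;
        *) echo unknown ;;
    esac
}

# secmark_rules CTX PORT -> prints the rules that label new TCP connections
# to PORT with CTX and copy the label back onto every later packet of the
# connection.  CTX is assumed to name a type with the packet_type attribute.
secmark_rules() {
    ctx=$1 port=$2
    cat <<EOF
iptables -t mangle -A INPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
iptables -t mangle -A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
iptables -t mangle -A INPUT -p tcp --dport $port -m state --state NEW -j SECMARK --selctx $ctx
iptables -t mangle -A INPUT -m state --state NEW -j CONNSECMARK --save
EOF
}

# main [CTX] [PORT]: run the check against the live system.
main() {
    kver=$(uname -r)
    # Assumed default from the post's error message; iptables 1.4+ uses /lib64/xtables.
    libdir=${IPTABLES_LIBDIR:-/lib64/iptables}
    status=$(secmark_support "$kver" "$libdir" /lib/modules)
    echo "SECMARK support: $status (compat_net: $(compat_net_mode /selinux/compat_net))"
    case $status in
        full)        secmark_rules "${1:-system_u:object_r:my_packet_t:s0}" "${2:-80}" ;;
        kernel-only) echo "xt_SECMARK.ko is present; iptables lacks the SECMARK extension in $libdir" ;;
        *)           echo "xt_SECMARK.ko is missing for kernel $kver" ;;
    esac
}

# Only act when invoked as: sh secmark_check.sh check [CTX] [PORT]
case "${1:-}" in
    check) shift; main "$@" ;;
esac
```

On the box in the post this reports kernel-only, which is exactly the replies' diagnosis: the module is under /lib/modules/2.6.18-274.el5 but neither libipt_SECMARK.so nor libxt_SECMARK.so is in the iptables library directory. The emitted rules are only printed, never applied, so they can be reviewed against the policy before being run.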