iptables denials on Centos
Daniel J Walsh
dwalsh at redhat.com
Tue Dec 2 20:56:05 UTC 2008
Tony Molloy wrote:
> Hi,
>
> I'm running several fully updated CentOS 5.2 servers and am trying to get all
> the SELinux denials sorted out.
>
> Here are two of the ones that I've got left. I can generate local policy to
> allow these, but is that the best way? The full sealert messages have been
> cut.
>
>
> 1. SELinux is preventing iptables (iptables_t) "read write" to socket
> (initrc_t). For complete SELinux messages. run sealert -l
> 80760bb0-da8f-4fe8-855a-1cfc5789a597
>
This is most likely a leaked file descriptor from the tool that is
launching iptables; you can safely add this.
> [root at garryowen ~]# sealert -l 80760bb0-da8f-4fe8-855a-1cfc5789a597
>
> Summary:
>
> SELinux is preventing iptables (iptables_t) "read write" to socket (initrc_t).
>
> Detailed Description:
>
> SELinux denied access requested by iptables. It is not expected that this
> ...
>
> Allowing Access:
> You can generate a local policy module to allow this access - see FAQ
> ...
>
> Additional Information:
>
> Source Context system_u:system_r:iptables_t
> Target Context system_u:system_r:initrc_t
> Target Objects socket [ packet_socket ]
> Source iptables
> Source Path /sbin/iptables
> Port <Unknown>
> Host garryowen.xx.xx.xx
> Source RPM Packages iptables-1.3.5-4.el5
> Target RPM Packages
> Policy RPM selinux-policy-2.4.6-137.1.el5
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Permissive
> Plugin Name catchall
> Host Name garryowen.xx.xx.xx
> Platform Linux garryowen.xx.xx.xx 2.6.18-92.1.18.el5
>
> Raw Audit Messages
>
> host=garryowen.xx.xx.xx type=AVC msg=audit(1227684250.838:20268): avc: denied
> { read write } for pid=22829 comm="iptables" path="socket:[18015]"
> dev=sockfs ino=18015 scontext=system_u:system_r:iptables_t:s0
> tcontext=system_u:system_r:initrc_t:s0 tclass=packet_socket
>
> host=garryowen.xx.xx.xx type=SYSCALL msg=audit(1227684250.838:20268):
> arch=40000003 syscall=11 success=yes exit=0 a0=9c95470 a1=9c956f8 a2=9c95610
> a3=40 items=0 ppid=5571 pid=22829 auid=4294967295 uid=0 gid=0 euid=0 suid=0
> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables"
> exe="/sbin/iptables" subj=system_u:system_r:iptables_t:s0 key=(null)
>
>
> 2. SELinux is preventing iptables (iptables_t) "read" to pipe (crond_t). For
> complete SELinux messages. run sealert -l
> 879c2152-44ee-4594-96c6-96716fda722b
>
> [root at garryowen ~]# sealert -l 879c2152-44ee-4594-96c6-96716fda722b
>
> Summary:
>
> SELinux is preventing iptables (iptables_t) "read" to pipe (crond_t).
>
> Detailed Description:
>
> SELinux denied access requested by iptables. It is not expected that this
> ...
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> ...
>
> Additional Information:
>
> Source Context root:system_r:iptables_t
> Target Context system_u:system_r:crond_t:SystemLow-SystemHigh
> Target Objects pipe [ fifo_file ]
> Source iptables
> Source Path /sbin/iptables
> Port <Unknown>
> Host garryowen.xx.xx.xx
> Source RPM Packages iptables-1.3.5-4.el5
> Target RPM Packages
> Policy RPM selinux-policy-2.4.6-137.1.el5
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Permissive
> Plugin Name catchall
> Host Name garryowen.xx.xx.xx
> Platform Linux garryowen.xx.xx.xx 2.6.18-92.1.18.el5
>
> Raw Audit Messages
>
> host=garryowen.xx.xx.xx type=AVC msg=audit(1228007101.709:31231): avc: denied
> { read } for pid=14428 comm="iptables" path="pipe:[1462004]" dev=pipefs
> ino=1462004 scontext=root:system_r:iptables_t:s0
> tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
>
> host=garryowen.xx.xx.xx type=AVC msg=audit(1228007101.709:31231): avc: denied
> { write } for pid=14428 comm="iptables" path="pipe:[1462005]" dev=pipefs
> ino=1462005 scontext=root:system_r:iptables_t:s0
> tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
>
> host=garryowen.xx.xx.xx type=SYSCALL msg=audit(1228007101.709:31231):
> arch=40000003 syscall=11 success=yes exit=0 a0=9985ab8 a1=9985698 a2=996d5d0
> a3=0 items=0 ppid=14416 pid=14428 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) ses=5147 comm="iptables"
> exe="/sbin/iptables" subj=root:system_r:iptables_t:s0 key=(null)
>
>
> Thanks,
>
> Tony
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
This is also a leaked file descriptor, which can be added.
You should grab the latest preview selinux-policy,
selinux-policy-2.4.6-197.el5,
for RHEL5.3 and try it out; it has lots of fixes.
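A small triage script for the two AVC records quoted in this thread, added here as an example (it is not code from the thread, from setroubleshoot or from audit2allow). It parses the raw audit lines, flags the pattern Dan describes (an anonymous pipe or socket inode labelled with the launching process's domain, touched only with read/write, which is what a descriptor inherited across exec looks like), and prints the allow rule in the form audit2allow emits. The third record is a constructed file denial used as a counter-example; the heuristic and the list of descriptor-only object classes are this example's own.

```python
import re

# The AVC records quoted in this thread (host= prefix dropped), plus one
# constructed file denial as a counter-example.
AVC_LINES = [
    'type=AVC msg=audit(1227684250.838:20268): avc: denied { read write } '
    'for pid=22829 comm="iptables" path="socket:[18015]" dev=sockfs ino=18015 '
    'scontext=system_u:system_r:iptables_t:s0 '
    'tcontext=system_u:system_r:initrc_t:s0 tclass=packet_socket',
    'type=AVC msg=audit(1228007101.709:31231): avc: denied { read } '
    'for pid=14428 comm="iptables" path="pipe:[1462004]" dev=pipefs '
    'ino=1462004 scontext=root:system_r:iptables_t:s0 '
    'tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file',
    # constructed: a real file access, not an inherited descriptor
    'type=AVC msg=audit(1228007200.000:31300): avc: denied { read } '
    'for pid=14500 comm="iptables" name="shadow" dev=sda1 ino=99 '
    'scontext=system_u:system_r:iptables_t:s0 '
    'tcontext=system_u:object_r:shadow_t:s0 tclass=file',
]
PERMS_RE = re.compile(r'denied\s+\{\s*([^}]*?)\s*\}')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Object classes a process can only hold through an open descriptor (assumed list).
FD_CLASSES = {"fifo_file", "packet_socket", "tcp_socket", "udp_socket", "unix_stream_socket"}

def parse_avc(line):
    """Pull permissions, source/target types, class and path out of one AVC line."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return {"perms": sorted(m.group(1).split()), "path": kv.get("path", ""),
            "stype": kv["scontext"].split(":")[2],  # user:role:TYPE:mls
            "ttype": kv["tcontext"].split(":")[2], "tclass": kv["tclass"]}

def is_leaked_fd(rec):
    """Heuristic for the pattern in the thread: an anonymous pipe/socket inode
    labelled with another process domain, touched only with read/write."""
    anon = rec["path"].startswith(("pipe:[", "socket:["))
    return (anon and rec["tclass"] in FD_CLASSES and rec["ttype"] != rec["stype"]
            and set(rec["perms"]) <= {"read", "write"})

def te_rule(rec):
    """The allow rule in the form audit2allow emits for this record."""
    return "allow %s %s:%s { %s };" % (
        rec["stype"], rec["ttype"], rec["tclass"], " ".join(rec["perms"]))

def triage(lines):
    """Label each AVC line 'leaked-fd' or 'review', paired with its rule."""
    recs = [r for r in map(parse_avc, lines) if r]
    return [("leaked-fd" if is_leaked_fd(r) else "review", te_rule(r)) for r in recs]
```

Running `triage(AVC_LINES)` labels the two records from the thread as leaked descriptors and the constructed file denial as one to review before any rule is added.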