<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 07/12/2013 06:26 PM, Andy Ruch
wrote:<br>
</div>
<blockquote
cite="mid:1373646391.53288.YahooMailNeo@web163401.mail.gq1.yahoo.com"
type="cite">
<div style="color:#000; background-color:#fff; font-family:times
new roman, new york, times, serif;font-size:12pt">
<div>Hello,</div>
<div><br>
</div>
<div style="color: rgb(0, 0, 0); font-size: 16px; font-family:
times new roman,new york,times,serif; background-color:
transparent; font-style: normal;">I'm implementing a custom
policy based on ref policy for RHEL 6.3. I'm receiving the AVC
below when the system boots. Should I allow this? I was able
to find this related posting
(<a class="moz-txt-link-freetext" href="https://bugzilla.redhat.com/show_bug.cgi?id=431562">https://bugzilla.redhat.com/show_bug.cgi?id=431562</a>) but it
was for an old version of iptables. Maybe ebtables has the
same type of bug?<br>
</div>
<div style="color: rgb(0, 0, 0); font-size: 16px; font-family:
times new roman,new york,times,serif; background-color:
transparent; font-style: normal;"><br>
</div>
<div style="color: rgb(0, 0, 0); font-size: 16px; font-family:
times new roman,new york,times,serif; background-color:
transparent; font-style: normal;">type=PATH
msg=audit(07/12/2013 13:15:40.172:185) : item=1 name=(null)
inode=4912 dev=08:02 mode=file,755 ouid=root ogid=root
rdev=00:00 obj=system_u:object_r:ld_so_t:s0 <br>
type=PATH msg=audit(07/12/2013 13:15:40.172:185) : item=0
name=/sbin/modprobe inode=12835 dev=08:02 mode=file,755
ouid=root ogid=root rdev=00:00
obj=system_u:object_r:insmod_exec_t:s0 <br>
type=CWD msg=audit(07/12/2013 13:15:40.172:185) : cwd=/ <br>
type=EXECVE msg=audit(07/12/2013 13:15:40.172:185) : argc=2
a0=/sbin/modprobe a1=ebtables <br>
type=SYSCALL msg=audit(07/12/2013 13:15:40.172:185) :
arch=x86_64 syscall=execve success=yes exit=0 a0=1078740
a1=7fffb5126460 a2=7fffb51266b0 a3=7fffb51261e0 items=2
ppid=2109 pid=2110 auid=unset uid=root gid=root euid=root
suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none)
ses=unset comm=modprobe exe=/sbin/modprobe
subj=system_u:system_r:insmod_t:s0-s0:c0.c1023 key=modules <br>
type=AVC msg=audit(07/12/2013 13:15:40.172:185) : avc:
denied { read write } for pid=2110 comm=modprobe
path=socket:[16196] dev=sockfs ino=16196
scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=system_u:system_r:iptables_t:s0-s0:c0.c1023
tclass=rawip_socket </div>
<div style="color: rgb(0, 0, 0); font-size: 16px; font-family:
times new roman,new york,times,serif; background-color:
transparent; font-style: normal;"><br>
</div>
<div style="color: rgb(0, 0, 0); font-size: 16px; font-family:
times new roman,new york,times,serif; background-color:
transparent; font-style: normal;">Thanks,</div>
<div style="color: rgb(0, 0, 0); font-size: 16px; font-family:
times new roman,new york,times,serif; background-color:
transparent; font-style: normal;">Andy Ruch<br>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">--
selinux mailing list
<a class="moz-txt-link-abbreviated" href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a>
<a class="moz-txt-link-freetext" href="https://admin.fedoraproject.org/mailman/listinfo/selinux">https://admin.fedoraproject.org/mailman/listinfo/selinux</a></pre>
</blockquote>
Yes, this is a leak. Basically you can add dontaudit rules.<br>
<pre wrap="">require {
	type iptables_t;
	type insmod_t;
	class rawip_socket { read write };
}

dontaudit insmod_t iptables_t:rawip_socket { read write };</pre>
to your policy. We have dontaudit rules in Fedora.<br>
<br>
Regards,<br>
Miroslav<br>
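<br>
Added example, not written by either poster on this thread: a small Python script that parses the AVC record quoted above, flags it as a probable leaked descriptor, and renders a loadable-module source with the dontaudit rule in the layout audit2allow emits (module header, require block, rules). The two sample audit lines are constructed here (the first reproduces the record from the thread, the second is an ordinary file denial for contrast), and the leak heuristic is an assumption of this example: a denial whose target context carries a process role (anything other than object_r) on a descriptor-backed class (a socket, pipe or fd) means the source domain inherited the object across execve rather than opening it, which is exactly what iptables handing an open raw socket to modprobe looks like.<br>
<br>

```python
import re
from collections import defaultdict

# Constructed sample audit records in "ausearch -i" style. Record 1 is the denial
# from the thread (insmod_t inherits iptables_t's raw socket); record 2 is a
# constructed, ordinary file denial that must NOT be classified as a leak.
SAMPLE_LOG = """\
type=AVC msg=audit(07/12/2013 13:15:40.172:185) : avc: denied { read write } for pid=2110 comm=modprobe path=socket:[16196] dev=sockfs ino=16196 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:system_r:iptables_t:s0-s0:c0.c1023 tclass=rawip_socket
type=AVC msg=audit(07/12/2013 13:16:02.001:190) : avc: denied { read } for pid=2200 comm=httpd name=index.html dev=08:02 ino=4321 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}"
    r".*?scontext=(?P<scontext>\S+)"
    r".*?tcontext=(?P<tcontext>\S+)"
    r".*?tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A security context is user:role:type[:range]; only user/role/type matter here.
    _s_user, _s_role, s_type = m.group("scontext").split(":")[:3]
    _t_user, t_role, t_type = m.group("tcontext").split(":")[:3]
    return {
        "perms": sorted(m.group("perms").split()),
        "source_type": s_type,
        "target_type": t_type,
        "target_role": t_role,
        "tclass": m.group("tclass"),
    }


def is_probable_fd_leak(avc):
    """Heuristic (this example's assumption): the target is a process domain
    (its role is not object_r) and the class is a descriptor-backed resource
    (fd, pipe or any socket class) rather than something resolved by path.
    Together these indicate a descriptor inherited across execve."""
    cls = avc["tclass"]
    fd_like = cls in ("fd", "fifo_file") or cls.endswith("_socket")
    return fd_like and avc["target_role"] != "object_r"


def dontaudit_rule(avc):
    """Render the single dontaudit rule that silences this denial."""
    return "dontaudit %s %s:%s { %s };" % (
        avc["source_type"], avc["target_type"], avc["tclass"], " ".join(avc["perms"]))


def render_module(avcs, name="local_leaks"):
    """Render a .te module source covering every probable leak in `avcs`.
    Types and classes used by the rules must be declared in the require block,
    otherwise checkmodule rejects the module."""
    leaks = [a for a in avcs if is_probable_fd_leak(a)]
    types = set()
    classes = defaultdict(set)
    for a in leaks:
        types.update((a["source_type"], a["target_type"]))
        classes[a["tclass"]].update(a["perms"])
    lines = ["module %s 1.0;" % name, "", "require {"]
    lines += ["\ttype %s;" % t for t in sorted(types)]
    lines += ["\tclass %s { %s };" % (c, " ".join(sorted(p)))
              for c, p in sorted(classes.items())]
    lines += ["}", ""]
    lines += [dontaudit_rule(a) for a in leaks]
    return "\n".join(lines) + "\n"


def parse_audit_log(text):
    """Collect the AVC denials found in a block of audit log text."""
    return [a for a in map(parse_avc, text.splitlines()) if a]


if __name__ == "__main__":
    print(render_module(parse_audit_log(SAMPLE_LOG), name="ebtables_leak"))
```

<br>
The rendered source compiles with the usual checkmodule -M -m / semodule_package / semodule -i sequence. Note what the rule does and does not do: dontaudit only stops the denial from being logged; the socket is still not readable or writable by insmod_t, which is the intended outcome, since modprobe has no business with iptables' raw socket. The leak itself is a bug in the program that leaves the descriptor open (or not close-on-exec) across exec, which is what the bugzilla entry quoted above tracked for iptables.<br>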
</body>
</html>