Hi,

I'm running SELinux in enforcing mode on fully updated CentOS-5 servers.

selinux-policy-targeted-2.4.6-279.el5_5.2.noarch

After an upgrade of selinux-policy-targeted last night I'm seeing the following AVC on several of the servers.

[root@garryowen ~]# sealert -l badcaefe-41c9-4fcc-a264-24bff72bcfd7

Summary:

SELinux is preventing iptables (iptables_t) "read write" to socket (initrc_t).

Detailed Description:

SELinux denied access requested by iptables. It is not expected that this access is required by iptables and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context system_u:system_r:iptables_t
Target Context system_u:system_r:initrc_t
Target Objects socket [ unix_dgram_socket ]
Source iptables
Source Path /sbin/iptables
Port <Unknown>
Host garryowen.x.y.z
Source RPM Packages iptables-1.3.5-5.3.el5_4.1
Target RPM Packages
Policy RPM selinux-policy-2.4.6-279.el5_5.2
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name garryowen.x.y.z
Platform Linux garryowen.x.y.z 2.6.18-194.17.4.el5 #1 SMP Mon Oct 25 15:50:53 EDT 2010 x86_64 x86_64
Alert Count 4
First Seen Fri Nov 12 07:58:02 2010
Last Seen Fri Nov 12 08:08:32 2010
Local ID badcaefe-41c9-4fcc-a264-24bff72bcfd7
Line Numbers

Raw Audit Messages

host=garryowen.x.y.z type=AVC msg=audit(1289549312.375:38126): avc: denied { read write } for pid=12864 comm="iptables" path="socket:[14188]" dev=sockfs ino=14188 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_dgram_socket

host=garryowen.x.y.z type=SYSCALL msg=audit(1289549312.375:38126): arch=c000003e syscall=59 success=yes exit=0 a0=b88cd30 a1=b88d5e0 a2=b883c40 a3=8 items=0 ppid=12849 pid=12864 auid=4294967295 uid=0 gid=997 euid=0 suid=0 fsuid=0 egid=997 sgid=997 fsgid=997 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables" subj=system_u:system_r:iptables_t:s0 key=(null)

I can generate a local policy to allow this.

Regards,

Tony
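The raw AVC line above carries everything needed to decide between an `allow` and a `dontaudit` local module. The following is an added example (not Tony's code, and not part of the CentOS tooling; `audit2allow` is the usual tool for this) that parses the denial, flags the pattern where a domain is denied read/write on a socket owned by a different domain (a heuristic assumed here, typical of a descriptor inherited across exec), and renders the minimal `.te` module either way:

```python
import re
from typing import Optional

# Constructed sample input: the audit part of the AVC line from the report above.
SAMPLE_AVC = (
    'type=AVC msg=audit(1289549312.375:38126): avc: denied { read write } for pid=12864 '
    'comm="iptables" path="socket:[14188]" dev=sockfs ino=14188 '
    'scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:initrc_t:s0 '
    'tclass=unix_dgram_socket'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Classes a process usually holds only because it inherited an open descriptor (assumption).
INHERITED_FD_CLASSES = {"fd", "fifo_file", "unix_dgram_socket", "unix_stream_socket",
                        "tcp_socket", "udp_socket"}

def _ctx_type(ctx: str) -> str:
    """Third component of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx

def parse_avc(line: str) -> Optional[dict]:
    """Parse one 'avc: denied' line into permissions, source/target types and object class."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {"perms": m.group("perms").split(), "stype": _ctx_type(fields["scontext"]),
            "ttype": _ctx_type(fields["tcontext"]), "tclass": fields["tclass"],
            "comm": fields.get("comm", ""), "pid": fields.get("pid", "")}

def looks_like_leaked_fd(avc: dict) -> bool:
    """Heuristic: read/write on a socket/fd owned by another domain suggests an inherited descriptor."""
    return (avc["tclass"] in INHERITED_FD_CLASSES and avc["stype"] != avc["ttype"]
            and set(avc["perms"]) <= {"read", "write"})

def te_module(avc: dict, name: str = "local_iptables", allow: bool = True) -> str:
    """Render a minimal audit2allow-style .te module; allow=False emits dontaudit instead,
    which silences the denial without granting the access."""
    perms = " ".join(avc["perms"])
    rule = "allow" if allow else "dontaudit"
    return "\n".join([f"module {name} 1.0;", "require {", f"\ttype {avc['stype']};",
                      f"\ttype {avc['ttype']};", f"\tclass {avc['tclass']} {{ {perms} }};", "}",
                      f"{rule} {avc['stype']} {avc['ttype']}:{avc['tclass']} {{ {perms} }};"])

if __name__ == "__main__":
    avc = parse_avc(SAMPLE_AVC)
    print(te_module(avc, allow=not looks_like_leaked_fd(avc)))
```

The rendered module is what you would feed to `checkmodule`/`semodule_package`/`semodule -i` on the affected hosts.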