On 11/12/2010 04:25 AM, Tony Molloy wrote:
> Hi,
>
> I'm running SELinux in enforcing mode on fully updated CentOS-5 servers.
> selinux-policy-targeted-2.4.6-279.el5_5.2.noarch
>
> After an upgrade of selinux-policy-targeted last night I'm seeing the
> following AVC on several of the servers.
>
> [root@garryowen ~]# sealert -l badcaefe-41c9-4fcc-a264-24bff72bcfd7
>
> Summary:
>
> SELinux is preventing iptables (iptables_t) "read write" to socket (initrc_t).
>
> Detailed Description:
>
> SELinux denied access requested by iptables. It is not expected that this
> access is required by iptables and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of
> the application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
> disable SELinux protection altogether. Disabling SELinux protection is not
> recommended. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
>
> Additional Information:
>
> Source Context         system_u:system_r:iptables_t
> Target Context         system_u:system_r:initrc_t
> Target Objects         socket [ unix_dgram_socket ]
> Source                 iptables
> Source Path            /sbin/iptables
> Port                   <Unknown>
> Host                   garryowen.x.y.z
> Source RPM Packages    iptables-1.3.5-5.3.el5_4.1
> Target RPM Packages
> Policy RPM             selinux-policy-2.4.6-279.el5_5.2
> Selinux Enabled        True
> Policy Type            targeted
> MLS Enabled            True
> Enforcing Mode         Enforcing
> Plugin Name            catchall
> Host Name              garryowen.x.y.z
> Platform               Linux garryowen.x.y.z 2.6.18-194.17.4.el5 #1 SMP Mon Oct 25 15:50:53 EDT 2010 x86_64 x86_64
> Alert Count            4
> First Seen             Fri Nov 12 07:58:02 2010
> Last Seen              Fri Nov 12 08:08:32 2010
> Local ID               badcaefe-41c9-4fcc-a264-24bff72bcfd7
> Line Numbers
>
> Raw Audit Messages
>
> host=garryowen.x.y.z type=AVC msg=audit(1289549312.375:38126): avc: denied { read write } for pid=12864 comm="iptables" path="socket:[14188]" dev=sockfs ino=14188 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_dgram_socket
>
> host=garryowen.x.y.z type=SYSCALL msg=audit(1289549312.375:38126): arch=c000003e syscall=59 success=yes exit=0 a0=b88cd30 a1=b88d5e0 a2=b883c40 a3=8 items=0 ppid=12849 pid=12864 auid=4294967295 uid=0 gid=997 euid=0 suid=0 fsuid=0 egid=997 sgid=997 fsgid=997 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables" subj=system_u:system_r:iptables_t:s0 key=(null)
>
> I can generate a local policy to allow this.
>
> Regards,
>
> Tony
>
> --
> selinux mailing list
> selinux(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
This is a leaked file descriptor from the tool running as initrc_t.
ps -eZ | grep initrc_t.
You can safely add an allow rule for this.
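An added example, not code from either message in the thread: it derives from the raw AVC line above the allow rule, and the minimal Type Enforcement module source, that audit2allow -M would generate, so the rule can be read before it is built and loaded. The module name local_iptables is the caller's choice and the helper names (field, parse_avc, avc_to_allow, avc_to_te) are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: derive the allow rule, and the
# minimal Type Enforcement (.te) module audit2allow -M would generate,
# from a raw AVC line, so the rule can be read before it is built and loaded.

# Constructed input: the AVC line from the report, joined onto one line.
AVC='type=AVC msg=audit(1289549312.375:38126): avc: denied { read write } for pid=12864 comm="iptables" path="socket:[14188]" dev=sockfs ino=14188 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_dgram_socket'

# field PATTERN LINE: print the first capture group of PATTERN in LINE.
field() { printf '%s\n' "$2" | sed -n "s/.*$1.*/\\1/p"; }

# parse_avc LINE: set perms, stype, ttype, tclass from one AVC line.
# A type is the third colon-separated part of a context; the MLS level
# (":s0") may be absent, so the capture stops at ':' or a space.
parse_avc() {
    perms=$(field 'denied { \([^}]*\) }' "$1")
    stype=$(field 'scontext=[^:]*:[^:]*:\([^: ]*\)' "$1")
    ttype=$(field 'tcontext=[^:]*:[^:]*:\([^: ]*\)' "$1")
    tclass=$(field 'tclass=\([^ ]*\)' "$1")
    [ -n "$perms" ] && [ -n "$stype" ] && [ -n "$ttype" ] && [ -n "$tclass" ]
}

# avc_to_allow LINE: the one-line rule audit2allow prints for LINE.
avc_to_allow() {
    parse_avc "$1" || return 1
    printf 'allow %s %s:%s { %s };\n' "$stype" "$ttype" "$tclass" "$perms"
}

# avc_to_te NAME LINE: the rule wrapped in loadable module source.
# NAME is the caller's module name; build and load the result with
#   checkmodule -M -m -o NAME.mod NAME.te
#   semodule_package -o NAME.pp -m NAME.mod
#   semodule -i NAME.pp
avc_to_te() {
    parse_avc "$2" || return 1
    printf 'module %s 1.0;\n\nrequire {\n' "$1"
    printf '\ttype %s;\n\ttype %s;\n' "$stype" "$ttype"
    printf '\tclass %s { %s };\n}\n\n' "$tclass" "$perms"
    avc_to_allow "$2"
}

# Before loading, confirm the initrc_t side really is the leaked-descriptor
# case from the reply (ps -eZ | grep initrc_t shows which daemon holds it).
avc_to_te local_iptables "$AVC"
```

The rule only covers the denial actually seen; a SYSCALL record or any line without a denied block makes parse_avc fail rather than emit an empty rule.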