--- On Thu, 12/11/08, Paul Howarth <paul(a)city-fan.org> wrote:
From: Paul Howarth <paul(a)city-fan.org>
Subject: Re: iptables denied by selinux
To: olivares14031(a)yahoo.com, "Fedora SELinux support list" <fedora-selinux-list(a)redhat.com>
Date: Thursday, December 11, 2008, 1:38 AM
Antonio Olivares wrote:
> Dear all,
>
> I have still yet to make the dhcpd server work because of selinux. I have been patient, but I am getting frustrated :(
>
> [olivares@localhost ~]$ dmesg | grep avc
> type=1400 audit(1228956840.530:4): avc: denied { write } for pid=1499 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
> [olivares@localhost ~]$
>
> I have already run touch /.autorelabel; reboot and all of the other denials have been cleared but this one. I am not yet taking selinux off or getting that desperate, because when I booted in enforcing=0 mode for other troubles, the dhcpd server still did not work, but the iptables message was still there :(
>
> Please advise me, I do not want to throw in the towel yet!
Why do you think the DHCP server problem is SELinux related? The AVC here appears to be from starting the ip6tables service, and you say that the DHCP server still doesn't work in permissive mode...
What, if any, messages do you see in /var/log/messages from dhcpd?
Paul.

Well I overlooked the 6 in ip6tables-resto and blamed it on selinux. Mr. Walsh added it
to the policy to fix the other selinux error, but the machines on the DHCP server get
IPs, DNS and all and cannot surf so I easily blamed it on selinux. Sorry for that.
What else could be interfering here?
Here's output of tail -f /var/log/messages:
Dec 11 07:01:32 localhost dhcpd: DHCPDISCOVER from 00:d0:b7:c1:09:58 via eth1
Dec 11 07:01:33 localhost dhcpd: DHCPOFFER on 192.168.0.2 to 00:d0:b7:c1:09:58 (6355-hthhzebqqx) via eth1
Dec 11 07:01:33 localhost dhcpd: Wrote 3 leases to leases file.
Dec 11 07:01:33 localhost dhcpd: DHCPREQUEST for 192.168.0.2 (192.168.0.1) from 00:d0:b7:c1:09:58 (6355-hthhzebqqx) via eth1
Dec 11 07:01:33 localhost dhcpd: DHCPACK on 192.168.0.2 to 00:d0:b7:c1:09:58 (6355-hthhzebqqx) via eth1
Dec 11 07:02:34 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
Dec 11 07:02:34 localhost dhcpd: DHCPACK to 192.168.0.2 (00:d0:b7:c1:09:58) via eth1
Dec 11 07:02:37 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
Dec 11 07:02:37 localhost dhcpd: DHCPACK to 192.168.0.2 (00:d0:b7:c1:09:58) via eth1
Dec 11 07:02:53 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
Dec 11 07:02:53 localhost dhcpd: DHCPACK to 192.168.0.2 (00:d0:b7:c1:09:58) via eth1
Dec 11 07:02:57 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
Dec 11 07:02:57 localhost dhcpd: DHCPACK to 192.168.0.2 (00:d0:b7:c1:09:58) via eth1
Dec 11 07:04:09 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
Dec 11 07:04:09 localhost dhcpd: DHCPACK to 192.168.0.2 (00:d0:b7:c1:09:58) via eth1
Dec 11 07:04:13 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
Dec 11 07:04:13 localhost dhcpd: DHCPACK to 192.168.0.2 (00:d0:b7:c1:09:58) via eth1
Dec 11 07:04:21 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
Dec 11 07:04:21 localhost dhcpd: DHCPACK to 192.168.0.2 (00:d0:b7:c1:09:58) via eth1
Dec 11 07:04:25 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
Dec 11 07:04:25 localhost dhcpd: DHCPACK to 192.168.0.2 (00:d0:b7:c1:09:58) via eth1
Sorry but I overlooked the 6 in the selinux denied avc. Does it make a difference with
the server?
Thanks,
Antonio
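
Added example, not part of either message: a Python triage sketch for the two questions this thread turns on, namely which process and domain an AVC denial belongs to, and whether dhcpd's own log shows a completed lease. The sample inputs are the thread's AVC record and first log lines with the mail wrapping removed; the function names and the dhcpd_t domain name (the type dhcpd runs under in Fedora's targeted policy) are assumptions not stated in the thread.

```python
import re

# Constructed sample input: the AVC record and the first dhcpd lines from the
# thread above, with the mail client's line wrapping removed.
AVC = ('type=1400 audit(1228956840.530:4): avc: denied { write } for pid=1499 '
       'comm="ip6tables-resto" path="/0" dev=devpts ino=2 '
       'scontext=system_u:system_r:iptables_t:s0 '
       'tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file')
DHCP_LOG = """\
Dec 11 07:01:32 localhost dhcpd: DHCPDISCOVER from 00:d0:b7:c1:09:58 via eth1
Dec 11 07:01:33 localhost dhcpd: DHCPOFFER on 192.168.0.2 to 00:d0:b7:c1:09:58 (6355-hthhzebqqx) via eth1
Dec 11 07:01:33 localhost dhcpd: DHCPREQUEST for 192.168.0.2 (192.168.0.1) from 00:d0:b7:c1:09:58 (6355-hthhzebqqx) via eth1
Dec 11 07:01:33 localhost dhcpd: DHCPACK on 192.168.0.2 to 00:d0:b7:c1:09:58 (6355-hthhzebqqx) via eth1
"""

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if not a denial."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)', line)
    if not m:
        return None
    rec = {'perms': m.group(1).split()}
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2)):
        rec[key] = val.strip('"')
    # An SELinux context is user:role:type[:level]; the type is the domain.
    rec['source_type'] = rec['scontext'].split(':')[2]
    rec['target_type'] = rec['tcontext'].split(':')[2]
    return rec

def denial_involves(rec, domain):
    """True only if the denied process was running in the given domain."""
    return rec is not None and rec['source_type'] == domain

def completed_leases(log):
    """Map client MAC -> leased IP once DISCOVER/OFFER/REQUEST/ACK have all been seen."""
    mac = r'((?:[0-9a-f]{2}:){5}[0-9a-f]{2})'
    seen, leases = {}, {}
    for line in log.splitlines():
        m = re.search(r'dhcpd: (DHCP\w+) .*?' + mac, line)
        if not m:
            continue
        msg, client = m.groups()
        seen.setdefault(client, set()).add(msg)
        ack = re.search(r'DHCPACK on (\S+) to', line)
        if ack and {'DHCPDISCOVER', 'DHCPOFFER', 'DHCPREQUEST'} <= seen[client]:
            leases[client] = ack.group(1)
    return leases

if __name__ == "__main__":
    rec = parse_avc(AVC)  # dhcpd_t below is an assumption: dhcpd's domain in the targeted policy
    print(rec["comm"], rec["source_type"], denial_involves(rec, "dhcpd_t"), completed_leases(DHCP_LOG))
```

For the thread's data it reports a denial from ip6tables-resto running in iptables_t, no dhcpd_t involvement, and one completed lease for 192.168.0.2.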