iptables denied read to inotifyfs

Miroslav Grepl mgrepl at redhat.com
Sun Dec 30 21:48:09 UTC 2012


On 12/28/2012 07:10 AM, Kristen R wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> I am finding after a reboot of my server these AVC denials:
>
> type=AVC msg=audit(1356666298.031:40): avc:  denied  { read } for
> pid=2837 comm="iptables" path="inotify" dev=inotifyfs ino=337
> scontext=system_u:system_r:iptables_t:s0
> tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
>
> Installed is:
> selinux-policy-2.4.6-327.el5
>
> on a CentOS 5.5 build with kernel 2.6.18-308.24.1.el5
>
> Should this be allowed?
>
> Kristen
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAlDdN94ACgkQF1wXlvLxlNh0WgCgjLBAtEjLuZyZqtxDgE0QHmPk
> /7cAoKt0Q4f+RB4AoNpC350eO0mSpaCw
> =/SJ4
> -----END PGP SIGNATURE-----
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

Yes, we allow it in Fedora/RHEL6.

For now add a local policy with this rule and open a new bug for RHEL5.

# grep iptables /var/log/audit/audit.log |audit2allow -M myiptables
# semodule -i myiptables.pp

Regards,
Miroslav
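To make "this rule" concrete, here is what the audit2allow step in the reply produces for the quoted denial, rebuilt as a small Python script that parses the AVC record and emits the Type Enforcement (.te) source of the local module. This is an added example, not code from the thread or from policycoreutils; the audit line is the one Kristen posted (joined onto one line), the second log line is constructed noise to show that non-AVC records are skipped, and the module name "myiptables" follows the reply. Mapping the denial to `allow iptables_t inotifyfs_t:dir read;` is exactly what audit2allow does; the point of seeing it written out is that the generated rule should be read before `semodule -i` installs it, and that `grep iptables` on a real audit.log also matches unrelated records (any comm or path containing "iptables"), so the resulting .te may contain more than this one rule.

```python
"""Minimal re-implementation of the audit2allow -M step for AVC records.

Added example, not code from the mailing-list thread or from policycoreutils.
Assumptions: contexts are user:role:type[:range]; only "denied" AVC records
are turned into allow rules (no dontaudit or boolean handling).
"""
import re
from collections import defaultdict

# First line: the AVC record quoted in the thread, joined onto one line.
# Second line: constructed noise (not from the thread) that must be ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1356666298.031:40): avc:  denied  { read } for  pid=2837 comm="iptables" path="inotify" dev=inotifyfs ino=337 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
type=CRED_DISP msg=audit(1356666298.031:41): pid=2837 uid=0 subj=system_u:system_r:iptables_t:s0 msg='constructed sample, not an AVC'
"""

AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Extract the type field from a security context (user:role:type[:range])."""
    return ctx.split(':')[2]


def parse_avc(lines):
    """Collect denied permissions keyed by (source type, target type, class).

    Multiple denials for the same triple are merged into one permission set,
    which is how audit2allow arrives at rules like `{ read write }`.
    """
    rules = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, CRED_*, granted AVCs etc. are not rules
        key = (context_type(m['scontext']), context_type(m['tcontext']), m['tclass'])
        rules[key].update(m['perms'].split())
    return dict(rules)


def _permset(perms):
    """Render a permission set in policy syntax: `read` or `{ read write }`."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def to_te(rules, module='myiptables', version='1.0'):
    """Render .te source: module header, require block, one allow per triple."""
    types = sorted({t for stype, ttype, _ in rules for t in (stype, ttype)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)

    out = ['module %s %s;' % (module, version), '', 'require {']
    out += ['\ttype %s;' % t for t in types]
    out += ['\tclass %s %s;' % (c, _permset(p)) for c, p in sorted(classes.items())]
    out += ['}', '']
    for (stype, ttype, cls), perms in sorted(rules.items()):
        out.append('allow %s %s:%s %s;' % (stype, ttype, cls, _permset(perms)))
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    te = to_te(parse_avc(SAMPLE_AUDIT_LOG.splitlines()))
    print(te)
    # With the .te written to myiptables.te, the module is built and loaded
    # the same way audit2allow -M does it under the hood:
    #   checkmodule -M -m -o myiptables.mod myiptables.te
    #   semodule_package -o myiptables.pp -m myiptables.mod
    #   semodule -i myiptables.pp
```

Review the emitted `allow` lines before loading the module: audit2allow only makes the logged denial disappear, it does not judge whether the access is appropriate, so any rule in the output that you cannot explain from the denials should be dropped rather than installed.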

