iptables denials on Centos
Tony Molloy
tony.molloy at ul.ie
Tue Dec 2 09:39:16 UTC 2008
Hi,
I'm running several fully updated CentOS 5.2 servers and am trying to get all
the SELinux denials sorted out.
Here are two of the ones that I've got left. I can generate local policy to
allow these, but is that the best way? The full sealert messages have been
cut.
1. SELinux is preventing iptables (iptables_t) "read write" to socket
(initrc_t). For complete SELinux messages. run sealert -l
80760bb0-da8f-4fe8-855a-1cfc5789a597
[root at garryowen ~]# sealert -l 80760bb0-da8f-4fe8-855a-1cfc5789a597
Summary:
SELinux is preventing iptables (iptables_t) "read write" to socket (initrc_t).
Detailed Description:
SELinux denied access requested by iptables. It is not expected that this
...
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
...
Additional Information:
Source Context system_u:system_r:iptables_t
Target Context system_u:system_r:initrc_t
Target Objects socket [ packet_socket ]
Source iptables
Source Path /sbin/iptables
Port <Unknown>
Host garryowen.xx.xx.xx
Source RPM Packages iptables-1.3.5-4.el5
Target RPM Packages
Policy RPM selinux-policy-2.4.6-137.1.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name catchall
Host Name garryowen.xx.xx.xx
Platform Linux garryowen.xx.xx.xx 2.6.18-92.1.18.el5
Raw Audit Messages
host=garryowen.xx.xx.xx type=AVC msg=audit(1227684250.838:20268): avc: denied
{ read write } for pid=22829 comm="iptables" path="socket:[18015]"
dev=sockfs ino=18015 scontext=system_u:system_r:iptables_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=packet_socket
host=garryowen.xx.xx.xx type=SYSCALL msg=audit(1227684250.838:20268):
arch=40000003 syscall=11 success=yes exit=0 a0=9c95470 a1=9c956f8 a2=9c95610
a3=40 items=0 ppid=5571 pid=22829 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables"
exe="/sbin/iptables" subj=system_u:system_r:iptables_t:s0 key=(null)
2. SELinux is preventing iptables (iptables_t) "read" to pipe (crond_t). For
complete SELinux messages. run sealert -l
879c2152-44ee-4594-96c6-96716fda722b
[root at garryowen ~]# sealert -l 879c2152-44ee-4594-96c6-96716fda722b
Summary:
SELinux is preventing iptables (iptables_t) "read" to pipe (crond_t).
Detailed Description:
SELinux denied access requested by iptables. It is not expected that this
...
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
...
Additional Information:
Source Context root:system_r:iptables_t
Target Context system_u:system_r:crond_t:SystemLow-SystemHigh
Target Objects pipe [ fifo_file ]
Source iptables
Source Path /sbin/iptables
Port <Unknown>
Host garryowen.xx.xx.xx
Source RPM Packages iptables-1.3.5-4.el5
Target RPM Packages
Policy RPM selinux-policy-2.4.6-137.1.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name catchall
Host Name garryowen.xx.xx.xx
Platform Linux garryowen.xx.xx.xx 2.6.18-92.1.18.el5
Raw Audit Messages
host=garryowen.xx.xx.xx type=AVC msg=audit(1228007101.709:31231): avc: denied
{ read } for pid=14428 comm="iptables" path="pipe:[1462004]" dev=pipefs
ino=1462004 scontext=root:system_r:iptables_t:s0
tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
host=garryowen.xx.xx.xx type=AVC msg=audit(1228007101.709:31231): avc: denied
{ write } for pid=14428 comm="iptables" path="pipe:[1462005]" dev=pipefs
ino=1462005 scontext=root:system_r:iptables_t:s0
tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
host=garryowen.xx.xx.xx type=SYSCALL msg=audit(1228007101.709:31231):
arch=40000003 syscall=11 success=yes exit=0 a0=9985ab8 a1=9985698 a2=996d5d0
a3=0 items=0 ppid=14416 pid=14428 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=5147 comm="iptables"
exe="/sbin/iptables" subj=root:system_r:iptables_t:s0 key=(null)
Thanks,
Tony
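The two denials above share a pattern: the object is an anonymous socket or pipe (path "socket:[...]" / "pipe:[...]") labelled with the parent domain (initrc_t, crond_t), i.e. a descriptor iptables inherited when it was started rather than a file it opened itself. The script below is an added example, not from the post or the SELinux project; it parses raw AVC records of the kind sealert prints (the sample input is the post's own records re-joined onto single lines, as they appear in audit.log), merges permissions per (source domain, target domain, class), flags the inherited-descriptor cases, and prints both the allow rule audit2allow would generate and the dontaudit form commonly used to silence descriptor-leak noise, so the admin can choose rather than allow everything by default.

```python
"""Summarise SELinux AVC denials from raw audit records (example, not from the post)."""
import re

# Constructed sample input: the AVC and SYSCALL records from the post above,
# each re-joined onto a single line as audit.log stores them.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1227684250.838:20268): avc: denied { read write } for pid=22829 '
    'comm="iptables" path="socket:[18015]" dev=sockfs ino=18015 '
    'scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:initrc_t:s0 '
    'tclass=packet_socket',
    'type=AVC msg=audit(1228007101.709:31231): avc: denied { read } for pid=14428 '
    'comm="iptables" path="pipe:[1462004]" dev=pipefs ino=1462004 '
    'scontext=root:system_r:iptables_t:s0 '
    'tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file',
    'type=AVC msg=audit(1228007101.709:31231): avc: denied { write } for pid=14428 '
    'comm="iptables" path="pipe:[1462005]" dev=pipefs ino=1462005 '
    'scontext=root:system_r:iptables_t:s0 '
    'tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file',
    'type=SYSCALL msg=audit(1228007101.709:31231): arch=40000003 syscall=11 success=yes exit=0',
]

# "avc: denied { read write } for <key=value fields...>"
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+'
    r'\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values may be double-quoted (comm, path) or bare
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one AVC record; return None for records that are not AVC messages."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    path, dev = fields.get('path', ''), fields.get('dev', '')
    return {
        'decision': m.group('decision'),
        'perms': frozenset(m.group('perms').split()),
        'sdom': context_type(fields['scontext']),
        'tdom': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
        'comm': fields.get('comm', ''),
        'path': path,
        # Anonymous sockets/pipes labelled with another domain are descriptors
        # inherited across the domain transition, not objects the process opened.
        'inherited_fd': path.startswith(('socket:[', 'pipe:[')) and dev in ('sockfs', 'pipefs'),
    }


def summarize(lines):
    """Merge denied permissions per (source domain, target domain, object class)."""
    merged = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['decision'] != 'denied':
            continue
        key = (rec['sdom'], rec['tdom'], rec['tclass'])
        entry = merged.setdefault(key, {'perms': set(), 'inherited_fd': True, 'count': 0})
        entry['perms'] |= rec['perms']
        entry['inherited_fd'] &= rec['inherited_fd']   # only if every record fits the pattern
        entry['count'] += 1
    return merged


def te_rule(sdom, tdom, tclass, perms, dontaudit=False):
    """Render a type-enforcement rule in the syntax audit2allow emits."""
    keyword = 'dontaudit' if dontaudit else 'allow'
    return f"{keyword} {sdom} {tdom}:{tclass} {{ {' '.join(sorted(perms))} }};"


def report(lines):
    """Produce one human-readable line per merged denial, with both rule options."""
    out = []
    for (sdom, tdom, tclass), e in sorted(summarize(lines).items()):
        note = 'inherited descriptor from parent domain' if e['inherited_fd'] else 'direct access'
        out.append(f"{sdom} -> {tdom}:{tclass} {sorted(e['perms'])} x{e['count']} ({note})")
        out.append('  ' + te_rule(sdom, tdom, tclass, e['perms']))
        if e['inherited_fd']:
            out.append('  ' + te_rule(sdom, tdom, tclass, e['perms'], dontaudit=True))
    return out


if __name__ == '__main__':
    print('\n'.join(report(SAMPLE_AVC_LINES)))
```

Run it against a real log with the same functions fed from `grep AVC /var/log/audit/audit.log`; the dontaudit line is what you would put in a local module when iptables has no need of the inherited socket or pipe, while the allow line is what `audit2allow -M` would produce.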