selinux is denying iptables still :(
Antonio Olivares
olivares14031 at yahoo.com
Thu Dec 4 13:56:14 UTC 2008
--- On Thu, 12/4/08, Daniel J Walsh <dwalsh at redhat.com> wrote:
> From: Daniel J Walsh <dwalsh at redhat.com>
> Subject: Re: selinux is denying iptables still :(
> To: olivares14031 at yahoo.com
> Cc: fedora-selinux-list at redhat.com
> Date: Thursday, December 4, 2008, 5:53 AM
>
> Antonio Olivares wrote:
> > Dear fellow selinux experts,
> >
> > selinux is still denying iptables :(
> >
> > type=1400 audit(1228351277.178:4): avc: denied { write } for pid=1351 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
> >
> > It also interferes with the booting of newer kernel with many messages of denying stuff with Permission denied.
> >
> > I'm just reporting this, I have this machine running rawhide and it was also to serve as a mini-dhcp server to get internet to the machines in the classroom. I got help from fedora-list to get the correct file and all, but selinux is denying this, and I have to keep trying to get it right, and for other people it just works.
> >
> > Thanks,
> >
> > Antonio
> >
> What policy are you seeing this with?
[olivares at localhost ~]$ rpm -qa selinux-policy*
selinux-policy-3.6.1-1.fc11.noarch
selinux-policy-targeted-3.5.13-26.fc10.noarch
selinux-policy-targeted-3.6.1-1.fc11.noarch
>
> In F10 policy selinux-policy-3.5.13-26.fc10.noarch
>
> I get
>
> # audit2allow -w -i /tmp/t
> type=1400 audit(1228351277.178:4): avc: denied { write } for pid=1351 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
>
> Was caused by:
> Unknown - would be allowed by active policy
> Possible mismatch between this policy and the one under which the audit message was generated.
>
> Possible mismatch between current in-memory boolean settings vs. permanent ones.
>
>
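
Added example, not part of the original thread: a small Python script that parses the AVC record quoted above into its source type, target type, class and permission, and lists any package from the `rpm -qa` output that is installed in more than one version. The function names are hypothetical, and the sample input is constructed from the lines quoted in the messages.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC record and rpm output quoted in the thread.
AVC = ('type=1400 audit(1228351277.178:4): avc: denied { write } for pid=1351 '
       'comm="ip6tables-resto" path="/0" dev=devpts ino=2 '
       'scontext=system_u:system_r:iptables_t:s0 '
       'tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file')
RPM_QA = """selinux-policy-3.6.1-1.fc11.noarch
selinux-policy-targeted-3.5.13-26.fc10.noarch
selinux-policy-targeted-3.6.1-1.fc11.noarch"""

def parse_avc(line):
    """Split an AVC denial into its permission list and key=value fields."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)', line)
    if not m:
        raise ValueError("not an AVC denial record")
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2))
    fields = {key: value.strip('"') for key, value in pairs}
    fields["perms"] = m.group(1).split()
    return fields

def te_rule(avc):
    """Type-enforcement rule the denial corresponds to, in audit2allow's form.
    The type is the third colon-separated field of each security context."""
    src = avc["scontext"].split(":")[2]
    tgt = avc["tcontext"].split(":")[2]
    perms = avc["perms"]
    perm = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {src} {tgt}:{avc['tclass']} {perm};"

def mixed_versions(rpm_output):
    """Return {package: [version-release, ...]} for packages listed more than once."""
    seen = defaultdict(list)
    for entry in rpm_output.split():
        # name-version-release.arch; the version begins at the first "-<digit>"
        m = re.match(r'(.+?)-(\d[^-]*-[^-]+)\.[^.]+$', entry)
        if m:
            seen[m.group(1)].append(m.group(2))
    return {name: vers for name, vers in seen.items() if len(vers) > 1}

if __name__ == "__main__":
    print(te_rule(parse_avc(AVC)))
    print(mixed_versions(RPM_QA))
```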