Selinux - iptables and other errors

Daniel J Walsh dwalsh at redhat.com
Tue Oct 3 20:31:20 UTC 2006 

Claude Jones wrote:
> Here's some Selinux messages from my system log just after a 
> system reboot about half an hour ago:
>
> Oct  2 22:24:13 tehogee kernel: audit(1159842231.053:4): avc:  
> denied  { create } for  pid=2038 comm="iptables" 
> scontext=system_u:system_r:dhcpc_t:s0 
> tcontext=system_u:system_r:dhcpc_t:s0 tclass=rawip_socket
> Oct  2 22:24:14 tehogee kernel: audit(1159842231.053:5): avc:  
> denied  { read } for  pid=2038 comm="iptables" name="modprobe" 
> dev=proc ino=-268435399 scontext=system_u:system_r:dhcpc_t:s0 
> tcontext=system_u:object_r:sysctl_modprobe_t:s0 tclass=file
> Oct  2 22:24:14 tehogee kernel: audit(1159842231.053:6): avc:  
> denied  { create } for  pid=2039 comm="iptables" 
> scontext=system_u:system_r:dhcpc_t:s0 
> tcontext=system_u:system_r:dhcpc_t:s0 tclass=rawip_socket
> Oct  2 22:24:14 tehogee kernel: audit(1159842231.053:7): avc:  
> denied  { read } for  pid=2039 comm="iptables" name="modprobe" 
> dev=proc ino=-268435399 scontext=system_u:system_r:dhcpc_t:s0 
> tcontext=system_u:object_r:sysctl_modprobe_t:s0 tclass=file
> Oct  2 22:24:14 tehogee kernel: audit(1159842231.057:8): avc:  
> denied  { create } for  pid=2041 comm="iptables" 
> scontext=system_u:system_r:dhcpc_t:s0 
> tcontext=system_u:system_r:dhcpc_t:s0 tclass=rawip_socket
> Oct  2 22:24:15 tehogee kernel: audit(1159842231.057:9): avc:  
> denied  { read } for  pid=2041 comm="iptables" name="modprobe" 
> dev=proc ino=-268435399 scontext=system_u:system_r:dhcpc_t:s0 
> tcontext=system_u:object_r:sysctl_modprobe_t:s0 tclass=file
>
> In a different thread today, I'm reporting some smartd errors - I 
> wonder if there's any connection. I'm wondering what 
> those "dev=proc ino=########## etc..." mean. Can anyone make any 
> sense of this? 
>
> Also, during startup, I get:
>
>   
This looks like dhcp is loading some iptables rules and it is not 
allowed to do this, it is being denied by SELinux.  Is this a common 
setup or is this some customized.

You can boot in permissive mode and then use audit2allow -M local -i 
/var/log/messages to create
a local policy to allow this to succeed.  Follow the instructions from 
audit2allow to install a local policy.

> eth0 is not ready
> touch: cannot touch "/var/lock/firestarter" : Permission denied
> fatal error: your kernel does not support iptables
> Firewall ### not started
> rm: cannot remove "/var/lock/firestarter" : Permission denied
>
> Moments later, Firestarter starts up seemingly normally, and when 
> I boot up to the desktop, eth0 is working just fine
>
> Theories anyone?
>

More information about the fedora-list mailing list