Selinux - iptables and other errors
Daniel J Walsh
dwalsh at redhat.com
Tue Oct 3 20:31:20 UTC 2006
Claude Jones wrote:
> Here's some Selinux messages from my system log just after a
> system reboot about half an hour ago:
>
> Oct 2 22:24:13 tehogee kernel: audit(1159842231.053:4): avc:
> denied { create } for pid=2038 comm="iptables"
> scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:system_r:dhcpc_t:s0 tclass=rawip_socket
> Oct 2 22:24:14 tehogee kernel: audit(1159842231.053:5): avc:
> denied { read } for pid=2038 comm="iptables" name="modprobe"
> dev=proc ino=-268435399 scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:object_r:sysctl_modprobe_t:s0 tclass=file
> Oct 2 22:24:14 tehogee kernel: audit(1159842231.053:6): avc:
> denied { create } for pid=2039 comm="iptables"
> scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:system_r:dhcpc_t:s0 tclass=rawip_socket
> Oct 2 22:24:14 tehogee kernel: audit(1159842231.053:7): avc:
> denied { read } for pid=2039 comm="iptables" name="modprobe"
> dev=proc ino=-268435399 scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:object_r:sysctl_modprobe_t:s0 tclass=file
> Oct 2 22:24:14 tehogee kernel: audit(1159842231.057:8): avc:
> denied { create } for pid=2041 comm="iptables"
> scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:system_r:dhcpc_t:s0 tclass=rawip_socket
> Oct 2 22:24:15 tehogee kernel: audit(1159842231.057:9): avc:
> denied { read } for pid=2041 comm="iptables" name="modprobe"
> dev=proc ino=-268435399 scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:object_r:sysctl_modprobe_t:s0 tclass=file
>
> In a different thread today, I'm reporting some smartd errors - I
> wonder if there's any connection. I'm wondering what
> those "dev=proc ino=########## etc..." mean. Can anyone make any
> sense of this?
>
> Also, during startup, I get:
>
>
This looks like dhcp is loading some iptables rules and it is not
allowed to do this, it is being denied by SELinux. Is this a common
setup or is this some customized.
You can boot in permissive mode and then use audit2allow -M local -i
/var/log/messages to create
a local policy to allow this to succeed. Follow the instructions from
audit2allow to install a local policy.
> eth0 is not ready
> touch: cannot touch "/var/lock/firestarter" : Permission denied
> fatal error: your kernel does not support iptables
> Firewall ### not started
> rm: cannot remove "/var/lock/firestarter" : Permission denied
>
> Moments later, Firestarter starts up seemingly normally, and when
> I boot up to the desktop, eth0 is working just fine
>
> Theories anyone?
>
More information about the fedora-list
mailing list