[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Selinux - iptables and other errors



Claude Jones wrote:
Here's some Selinux messages from my system log just after a system reboot about half an hour ago:

Oct 2 22:24:13 tehogee kernel: audit(1159842231.053:4): avc: denied { create } for pid=2038 comm="iptables" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=rawip_socket Oct 2 22:24:14 tehogee kernel: audit(1159842231.053:5): avc: denied { read } for pid=2038 comm="iptables" name="modprobe" dev=proc ino=-268435399 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:sysctl_modprobe_t:s0 tclass=file Oct 2 22:24:14 tehogee kernel: audit(1159842231.053:6): avc: denied { create } for pid=2039 comm="iptables" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=rawip_socket Oct 2 22:24:14 tehogee kernel: audit(1159842231.053:7): avc: denied { read } for pid=2039 comm="iptables" name="modprobe" dev=proc ino=-268435399 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:sysctl_modprobe_t:s0 tclass=file Oct 2 22:24:14 tehogee kernel: audit(1159842231.057:8): avc: denied { create } for pid=2041 comm="iptables" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=rawip_socket Oct 2 22:24:15 tehogee kernel: audit(1159842231.057:9): avc: denied { read } for pid=2041 comm="iptables" name="modprobe" dev=proc ino=-268435399 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:sysctl_modprobe_t:s0 tclass=file

In a different thread today, I'm reporting some smartd errors - I wonder if there's any connection. I'm wondering what those "dev=proc ino=########## etc..." mean. Can anyone make any sense of this?
Also, during startup, I get:

This looks like dhcp is loading some iptables rules and it is not allowed to do this, it is being denied by SELinux. Is this a common setup or is this some customized.

You can boot in permissive mode and then use audit2allow -M local -i /var/log/messages to create a local policy to allow this to succeed. Follow the instructions from audit2allow to install a local policy.

eth0 is not ready
touch: cannot touch "/var/lock/firestarter" : Permission denied
fatal error: your kernel does not support iptables
Firewall ### not started
rm: cannot remove "/var/lock/firestarter" : Permission denied

Moments later, Firestarter starts up seemingly normally, and when I boot up to the desktop, eth0 is working just fine

Theories anyone?


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]