AVC Denied Dhcp and Iptables.

Daniel J Walsh dwalsh at redhat.com
Mon Jun 11 17:41:33 UTC 2007


piotreek wrote:
> Hi guys, I found some strange messages in my logs. It seems that 
> selinux is blocking a dhcp and Iptables.
> I found a similar post on the group about DHCP but my messages are 
> different. I am using FC7; the latest policy update didn't resolve the problem.
> P.S. I am using firestarter as my firewall.
I believe you will need to write custom policy to make this work.  You 
can simply add these rules using audit2allow.

# grep dhcpc /var/log/audit/audit.log | audit2allow -M mydhcpc

# semodule -i mydhcpc.pp

Having dhcpc allowed to turn on/off firewall rules is of debatable 
security risk.
> Have a look
>
>  Jun  7 08:08:54 c79-70 kernel: audit(1181196527.475:4): avc:  denied  
> { execute } for  pid=1775 comm="sh" name="iptables" dev=sdb1 
> ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 
> tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
> Jun  7 08:08:54 c79-70 kernel: audit(1181196527.475:5): avc:  denied  
> { getattr } for  pid=1775 comm="sh" name="iptables" dev=sdb1 
> ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 
> tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
> Jun  7 08:08:54 c79-70 kernel: audit(1181196527.475:6): avc:  denied  
> { getattr } for  pid=1775 comm="sh" name="iptables" dev=sdb1 
> ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 
> tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
> Jun  7 08:08:54 c79-70 kernel: audit(1181196527.475:7): avc:  denied  
> { execute } for  pid=1776 comm="sh" name="iptables" dev=sdb1 
> ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 
> tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
> Jun  7 08:08:54 c79-70 kernel: audit(1181196527.475:8): avc:  denied  
> { getattr } for  pid=1776 comm="sh" name="iptables" dev=sdb1 
> ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 
> tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
> Jun  7 08:08:54 c79-70 kernel: audit(1181196527.475:9): avc:  denied  
> { getattr } for  pid=1776 comm="sh" name="iptables" dev=sdb1 
> ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 
> tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
> Jun  7 08:08:54 c79-70 kernel: audit(1181196527.475:10): avc:  denied  
> { execute } for  pid=1778 comm="sh" name="iptables" dev=sdb1 
> ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 
> tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
> Jun  7 08:08:54 c79-70 kernel: audit(1181196527.475:11): avc:  denied  
> { getattr } for  pid=1778 comm="sh" name="iptables" dev=sdb1 
> ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 
> tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
> Jun  7 08:08:54 c79-70 kernel: audit(1181196527.475:12): avc:  denied  
> { getattr } for  pid=1778 comm="sh" name="iptables" dev=sdb1 
> ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 
> tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
> Jun  7 08:08:54 c79-70 kernel: audit(1181196527.975:13): 
> audit_pid=1863 old=0 by auid=4294967295 subj=system_u:system_r:auditd_t:s0
> Greetings Peter
> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
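The audit2allow step from the reply, as an added example that is not code from the thread or from the SELinux tools: a small Python script that does what `grep dhcpc /var/log/audit/audit.log | audit2allow -M mydhcpc` does for the denials quoted above, so the resulting rule can be read before `semodule -i` loads it. The sample records are the thread's own AVC lines reassembled onto single lines (plus the trailing auditd record, which is not a denial and must be skipped). The function names (`parse_avc`, `collect_rules`, `render_module`, `flag_exec_grants`) and the `pattern` argument are this example's own; the output mimics the `.te` layout audit2allow produces.

```python
"""Added example, not from the thread: group AVC denials into allow rules the
way audit2allow does, and flag the grant the reply calls debatable."""
import re
from collections import defaultdict

# The thread's AVC records, each joined onto one line, followed by the non-AVC
# auditd record that appeared after them (it carries no denial and is ignored).
SAMPLE_LOG = [
    'Jun  7 08:08:54 c79-70 kernel: audit(1181196527.475:4): avc:  denied  { execute } for  pid=1775 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file',
    'Jun  7 08:08:54 c79-70 kernel: audit(1181196527.475:5): avc:  denied  { getattr } for  pid=1775 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file',
    'Jun  7 08:08:54 c79-70 kernel: audit(1181196527.475:7): avc:  denied  { execute } for  pid=1776 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file',
    'Jun  7 08:08:54 c79-70 kernel: audit(1181196527.975:13): audit_pid=1863 old=0 by auid=4294967295 subj=system_u:system_r:auditd_t:s0',
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the parts of one AVC denial that a rule needs, or None for any
    other audit record (for example the auditd start-up line)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"}.issubset(fields):
        return None
    # A context is user:role:type:level; the allow rule only needs the type.
    return {
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "perms": set(m.group("perms").split()),
    }


def collect_rules(lines, pattern=None):
    """Group denials by (source type, target type, class) and union their
    permissions. `pattern` plays the role of the grep in the reply."""
    rules = defaultdict(set)
    for line in lines:
        if pattern is not None and pattern not in line:
            continue
        rec = parse_avc(line)
        if rec is not None:
            rules[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def render_module(name, rules):
    """Emit audit2allow-style type-enforcement (.te) source for the rules."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {cls} {{ {' '.join(sorted(p))} }};" for cls, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, cls), perms in sorted(rules.items()):
        out.append(f"allow {s} {t}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out)


def flag_exec_grants(rules):
    """List rules that let a domain execute another program's entry-point type
    (the *_exec_t naming convention): the kind of grant to read twice before
    semodule -i, as with dhcpc_t running iptables in this thread."""
    return sorted(
        (s, t) for (s, t, cls), perms in rules.items()
        if cls == "file" and "execute" in perms and t.endswith("_exec_t")
    )


if __name__ == "__main__":
    rules = collect_rules(SAMPLE_LOG, pattern="dhcpc")
    print(render_module("mydhcpc", rules))
    for s, t in flag_exec_grants(rules):
        print(f"# review: {s} would gain execute on {t}")
```

The three denials collapse into one rule, `allow dhcpc_t iptables_exec_t:file { execute getattr };`, which is exactly the grant the reply describes as a debatable risk: the DHCP client domain gaining the right to run the firewall tool. Reading the generated `.te` (or the one audit2allow writes next to `mydhcpc.pp`) before loading it is the check that step skips.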
