iptables denials on Centos

Daniel J Walsh dwalsh at redhat.com
Tue Dec 2 20:56:05 UTC 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tony Molloy wrote:
> Hi,
> 
> I'm running several fully updated CentOS 5.2 servers and am trying to get all 
> the SELinux denials sorted out.
> 
> Here are two of the ones that I've got left. I can generate local policy to 
> allow these but is that the best way. The full sealert messages have been 
> cut.
> 
> 
> 1.  SELinux is preventing iptables (iptables_t) "read write" to socket
>      (initrc_t). For complete SELinux messages. run sealert -l
>      80760bb0-da8f-4fe8-855a-1cfc5789a597
> 
This is most likely a leaked file descriptor from the tool that is
launching iptables; you can safely add this.
> [root@garryowen ~]# sealert -l 80760bb0-da8f-4fe8-855a-1cfc5789a597
> 
> Summary:
> 
> SELinux is preventing iptables (iptables_t) "read write" to socket (initrc_t).
> 
> Detailed Description:
> 
> SELinux denied access requested by iptables. It is not expected that this 
>    ...
> 
> Allowing Access:
> You can generate a local policy module to allow this access - see FAQ
>    ...
> 
> Additional Information:
> 
> Source Context                system_u:system_r:iptables_t
> Target Context                system_u:system_r:initrc_t
> Target Objects                socket [ packet_socket ]
> Source                        iptables
> Source Path                   /sbin/iptables
> Port                          <Unknown>
> Host                          garryowen.xx.xx.xx
> Source RPM Packages           iptables-1.3.5-4.el5
> Target RPM Packages           
> Policy RPM                    selinux-policy-2.4.6-137.1.el5
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Permissive
> Plugin Name                   catchall
> Host Name                     garryowen.xx.xx.xx
> Platform                      Linux garryowen.xx.xx.xx 2.6.18-92.1.18.el5
> 
> Raw Audit Messages            
> 
> host=garryowen.xx.xx.xx type=AVC msg=audit(1227684250.838:20268): avc:  denied  
> { read write } for  pid=22829 comm="iptables" path="socket:[18015]" 
> dev=sockfs ino=18015 scontext=system_u:system_r:iptables_t:s0 
> tcontext=system_u:system_r:initrc_t:s0 tclass=packet_socket
> 
> host=garryowen.xx.xx.xx type=SYSCALL msg=audit(1227684250.838:20268): 
> arch=40000003 syscall=11 success=yes exit=0 a0=9c95470 a1=9c956f8 a2=9c95610 
> a3=40 items=0 ppid=5571 pid=22829 auid=4294967295 uid=0 gid=0 euid=0 suid=0 
> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" 
> exe="/sbin/iptables" subj=system_u:system_r:iptables_t:s0 key=(null)
> 
> 
> 2. SELinux is preventing iptables (iptables_t) "read" to pipe (crond_t). For
>     complete SELinux messages. run sealert -l
>     879c2152-44ee-4594-96c6-96716fda722b
> 
> [root@garryowen ~]# sealert -l 879c2152-44ee-4594-96c6-96716fda722b
> 
> Summary:
> 
> SELinux is preventing iptables (iptables_t) "read" to pipe (crond_t).
> 
> Detailed Description:
> 
> SELinux denied access requested by iptables. It is not expected that this 
>    ...
> 
> Allowing Access:
> 
> You can generate a local policy module to allow this access - see FAQ
>    ...
> 
> Additional Information:
> 
> Source Context                root:system_r:iptables_t
> Target Context                system_u:system_r:crond_t:SystemLow-SystemHigh
> Target Objects                pipe [ fifo_file ]
> Source                        iptables
> Source Path                   /sbin/iptables
> Port                          <Unknown>
> Host                          garryowen.xx.xx.xx
> Source RPM Packages           iptables-1.3.5-4.el5
> Target RPM Packages           
> Policy RPM                    selinux-policy-2.4.6-137.1.el5
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Permissive
> Plugin Name                   catchall
> Host Name                     garryowen.xx.xx.xx
> Platform                      Linux garryowen.xx.xx.xx 2.6.18-92.1.18.el5
> 
> Raw Audit Messages            
> 
> host=garryowen.xx.xx.xx type=AVC msg=audit(1228007101.709:31231): avc:  denied  
> { read } for  pid=14428 comm="iptables" path="pipe:[1462004]" dev=pipefs 
> ino=1462004 scontext=root:system_r:iptables_t:s0 
> tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
> 
> host=garryowen.xx.xx.xx type=AVC msg=audit(1228007101.709:31231): avc:  denied  
> { write } for  pid=14428 comm="iptables" path="pipe:[1462005]" dev=pipefs 
> ino=1462005 scontext=root:system_r:iptables_t:s0 
> tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
> 
> host=garryowen.xx.xx.xx type=SYSCALL msg=audit(1228007101.709:31231): 
> arch=40000003 syscall=11 success=yes exit=0 a0=9985ab8 a1=9985698 a2=996d5d0 
> a3=0 items=0 ppid=14416 pid=14428 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 
> egid=0 sgid=0 fsgid=0 tty=(none) ses=5147 comm="iptables" 
> exe="/sbin/iptables" subj=root:system_r:iptables_t:s0 key=(null)
> 
> 
> Thanks,
> 
> Tony
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

This is also a leaked file descriptor which can be added.


You should grab the latest preview selinux-policy,
selinux-policy-2.4.6-197.el5, for RHEL5.3 and try it out; it has lots of
fixes.



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkk1oOUACgkQrlYvE4MpobM5+ACglHd6Oiag5uR7maY9CpDSNJMd
UCEAnRtRSwjGNA5cEkNK3sLavhSrWrZa
=zWKP
-----END PGP SIGNATURE-----
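The two reports above are diagnosed as leaked descriptors: in both cases the SYSCALL record is an execve (arch=40000003 is i386, where syscall 11 is execve) and the denied object has no filesystem path, only socket:[ino] or pipe:[ino], so iptables inherited an open socket from the init script (initrc_t) and a pipe from cron (crond_t) rather than opening anything itself. Note also that both reports say Enforcing Mode: Permissive, so nothing was actually blocked. On the box the usual route is `grep avc /var/log/audit/audit.log | audit2allow -M localiptables` followed by `semodule -i localiptables.pp`. The script below is an added example, not code from the list post or from audit2allow; it parses the audit records quoted in the thread (joined back onto one line each and trimmed, with no values invented), flags the execve-time leaked-descriptor pattern, and merges the denials into the same `allow` rules and module skeleton audit2allow would write, so the mapping from AVC record to TE rule is visible.

```python
"""Map SELinux AVC denials to audit2allow-style TE rules and flag the
execve-time leaked-descriptor pattern.  Added example; the records below
are the ones quoted in the thread, joined onto single lines and trimmed."""
import re
from collections import OrderedDict

AUDIT_LINES = [
    'type=AVC msg=audit(1227684250.838:20268): avc:  denied  { read write } for  pid=22829 comm="iptables" path="socket:[18015]" dev=sockfs ino=18015 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=packet_socket',
    'type=SYSCALL msg=audit(1227684250.838:20268): arch=40000003 syscall=11 success=yes exit=0 ppid=5571 pid=22829 comm="iptables" exe="/sbin/iptables" subj=system_u:system_r:iptables_t:s0',
    'type=AVC msg=audit(1228007101.709:31231): avc:  denied  { read } for  pid=14428 comm="iptables" path="pipe:[1462004]" dev=pipefs ino=1462004 scontext=root:system_r:iptables_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file',
    'type=AVC msg=audit(1228007101.709:31231): avc:  denied  { write } for  pid=14428 comm="iptables" path="pipe:[1462005]" dev=pipefs ino=1462005 scontext=root:system_r:iptables_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file',
    'type=SYSCALL msg=audit(1228007101.709:31231): arch=40000003 syscall=11 success=yes exit=0 ppid=14416 pid=14428 comm="iptables" exe="/sbin/iptables" subj=root:system_r:iptables_t:s0',
]

HDR_RE = re.compile(r'type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<rest>.*)')
PERMS_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

AUDIT_ARCH_I386 = '40000003'
EXECVE_I386 = '11'  # execve syscall number on 32-bit x86


def parse_audit(lines):
    """Return (avcs, syscalls): parsed AVC dicts and {serial: fields} for SYSCALL records.
    AVC and SYSCALL records of one event share the audit serial number."""
    avcs, syscalls = [], {}
    for line in lines:
        h = HDR_RE.match(line)
        if not h:
            continue
        serial = int(h.group('serial'))
        if h.group('type') == 'SYSCALL':
            syscalls[serial] = dict(FIELD_RE.findall(h.group('rest')))
        elif h.group('type') == 'AVC':
            m = PERMS_RE.match(h.group('rest'))
            if not m:
                continue
            f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
            avcs.append({
                'serial': serial,
                'perms': set(m.group('perms').split()),
                'source': f['scontext'].split(':')[2],   # user:role:type[:range]
                'target': f['tcontext'].split(':')[2],
                'tclass': f['tclass'],
                'path': f.get('path', ''),
            })
    return avcs, syscalls


def leaked_fd(avc, syscalls):
    """True when the denial fired during execve on an anonymous socket or pipe,
    i.e. the descriptor was inherited from the launching process, not opened
    by iptables itself."""
    sc = syscalls.get(avc['serial'], {})
    on_exec = sc.get('arch') == AUDIT_ARCH_I386 and sc.get('syscall') == EXECVE_I386
    anonymous = avc['path'].startswith(('socket:[', 'pipe:['))
    return on_exec and anonymous


def te_rules(avcs):
    """Merge denials by (source type, target type, class), as audit2allow does."""
    merged = OrderedDict()
    for a in avcs:
        merged.setdefault((a['source'], a['target'], a['tclass']), set()).update(a['perms'])
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
            for (s, t, c), p in merged.items()]


def te_module(name, avcs):
    """Full .te source in the shape `audit2allow -M name` writes."""
    types = sorted({a['source'] for a in avcs} | {a['target'] for a in avcs})
    classes = OrderedDict()
    for a in avcs:
        classes.setdefault(a['tclass'], set()).update(a['perms'])
    out = ['module %s 1.0;' % name, '', 'require {']
    out += ['\ttype %s;' % t for t in types]
    out += ['\tclass %s { %s };' % (c, ' '.join(sorted(p))) for c, p in classes.items()]
    out += ['}', ''] + te_rules(avcs)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    avcs, syscalls = parse_audit(AUDIT_LINES)
    for a in avcs:
        print('%-11s -> %-9s %-13s leaked fd on execve: %s'
              % (a['source'], a['target'], a['tclass'], leaked_fd(a, syscalls)))
    print(te_module('localiptables', avcs))
```

Both records classify as leaked descriptors, and the generated rules are `allow iptables_t initrc_t:packet_socket { read write };` and `allow iptables_t crond_t:fifo_file { read write };`. Allowing them is harmless, as the reply says, but the cleaner fix is in the caller: close or redirect the inherited socket and pipe before the init script or cron job execs iptables, and then the denial never appears.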