selinux is denying iptables still :(
Daniel J Walsh
dwalsh at redhat.com
Thu Dec 4 13:53:48 UTC 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Antonio Olivares wrote:
> Dear fellow selinux experts,
>
> selinux is still denying iptables :(
>
> type=1400 audit(1228351277.178:4): avc: denied { write } for pid=1351 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
>
> It also interferes with the booting of newer kernel with many messages of denying stuff with Permission denied.
>
> I'm just reporting this, I have this machine running rawhide and it was also to serve as a mini-dhcp server to get internet to the machines in the classroom. I got help from fedora-list to get the correct file and all, but selinux is denying this, and I have to keep trying to get it right, and for other people it just works .
>
> Thanks,
>
> Antonio
>
>
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
What policy are you seeing this with?
In F10 policy selinux-policy-3.5.13-26.fc10.noarch
I get
# audit2allow -w -i /tmp/t
type=1400 audit(1228351277.178:4): avc: denied { write } for pid=1351
comm="ip6tables-resto" path="/0" dev=devpts ino=2
scontext=system_u:system_r:iptables_t:s0
tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
Was caused by:
Unknown - would be allowed by active policy
Possible mismatch between this policy and the one under which the
audit message was generated.
Possible mismatch between current in-memory boolean settings vs.
permanent ones.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkk34OwACgkQrlYvE4MpobPiWwCeJ52e7Q4mPWrMFjO53//3C8g7
ocgAoIadJvZzjbZch1mgtzqoZsIgxKZb
=/6oT
-----END PGP SIGNATURE-----
More information about the fedora-selinux-list
mailing list