selinux is denying iptables still :(

Daniel J Walsh dwalsh at redhat.com
Thu Dec 4 14:00:17 UTC 2008



Antonio Olivares wrote:
> --- On Thu, 12/4/08, Daniel J Walsh <dwalsh at redhat.com> wrote:
> 
>> From: Daniel J Walsh <dwalsh at redhat.com>
>> Subject: Re: selinux is denying iptables still :(
>> To: olivares14031 at yahoo.com
>> Cc: fedora-selinux-list at redhat.com
>> Date: Thursday, December 4, 2008, 5:53 AM
> Antonio Olivares wrote:
>>>> Dear fellow selinux experts,
>>>>
>>>> selinux is still denying iptables :(
>>>>
>>>> type=1400 audit(1228351277.178:4): avc:  denied  { write } for  pid=1351 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
>>>>
>>>> It also interferes with the booting of newer kernel with many messages of denying stuff with Permission denied.
>>>>
>>>> I'm just reporting this, I have this machine running rawhide and it was also to serve as a mini-dhcp server to get internet to the machines in the classroom.  I got help from fedora-list to get the correct file and all, but selinux is denying this, and I have to keep trying to get it right, and for other people it just works.
>>>>
>>>> Thanks,
>>>>
>>>> Antonio 
> What policy are you seeing this with?
> 
>> [olivares at localhost ~]$ rpm -qa selinux-policy*
>> selinux-policy-3.6.1-1.fc11.noarch
>> selinux-policy-targeted-3.5.13-26.fc10.noarch
>> selinux-policy-targeted-3.6.1-1.fc11.noarch
> 
> 
> In F10 policy selinux-policy-3.5.13-26.fc10.noarch
> 
> I get
> 
> # audit2allow -w -i /tmp/t
> type=1400 audit(1228351277.178:4): avc:  denied  { write } for  pid=1351 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
> 
> 	Was caused by:
> 		Unknown - would be allowed by active policy
> 		Possible mismatch between this policy and the one under which the audit message was generated.
> 
> 		Possible mismatch between current in-memory boolean settings vs. permanent ones.
> 
> 
> 
Ok fixed in selinux-policy-3.6.1-5.f11
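
An added example, not part of the original message: a small Python parser for the AVC record quoted in this thread. It extracts the source and target types and derives the type-enforcement rule the denial corresponds to. The function names and the sample string (the thread's record joined onto one line) are this example's own.

```python
import re

# Constructed sample: the denial quoted in the thread, joined onto one line.
SAMPLE_AVC = (
    'type=1400 audit(1228351277.178:4): avc:  denied  { write } for  pid=1351 '
    'comm="ip6tables-resto" path="/0" dev=devpts ino=2 '
    'scontext=system_u:system_r:iptables_t:s0 '
    'tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file'
)

# "avc:  denied  { perm ... } for  key=value ..."
AVC_RE = re.compile(r'avc:\s+(granted|denied)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
# key=value pairs; values are either quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the AVC record's fields, or None if it is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"result": m.group(1), "perms": m.group(2).split()}
    for key, value in FIELD_RE.findall(m.group(3)):
        rec[key] = value.strip('"')
    # A context is user:role:type[:mls-range]; the type is the third field.
    for ctx in ("scontext", "tcontext"):
        parts = rec.get(ctx, "").split(":")
        rec[ctx + "_type"] = parts[2] if len(parts) >= 3 else None
    return rec


def allow_rule(rec):
    """Type-enforcement rule matching a denied access, or None if incomplete."""
    needed = (rec.get("scontext_type"), rec.get("tcontext_type"), rec.get("tclass"))
    if rec.get("result") != "denied" or not rec.get("perms") or not all(needed):
        return None
    perms = rec["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow {} {}:{} {};".format(needed[0], needed[1], needed[2], perm_str)


if __name__ == "__main__":
    record = parse_avc(SAMPLE_AVC)
    print(record["comm"], "->", allow_rule(record))
```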



