Re: AVC Denied Dhcp and Iptables.

piotreek wrote:
Hi guys, I found some strange messages in my logs. It seems that SELinux is blocking dhcp and iptables. I found a similar post on the group about DHCP, but my messages are different. I am using FC7; the latest policy update didn't resolve the problem.
P.S. I am using Firestarter as my firewall.
I believe you will need to write custom policy to make this work. You can simply add these rules using audit2allow.

# grep dhcpc /var/log/audit/audit.log | audit2allow -M mydhcpc

# semodule -i mydhcpc.pp

Having dhcpc allowed to turn on/off firewall rules is of debatable security risk.
Have a look

Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:4): avc: denied { execute } for pid=1775 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:5): avc: denied { getattr } for pid=1775 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:6): avc: denied { getattr } for pid=1775 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:7): avc: denied { execute } for pid=1776 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:8): avc: denied { getattr } for pid=1776 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:9): avc: denied { getattr } for pid=1776 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:10): avc: denied { execute } for pid=1778 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:11): avc: denied { getattr } for pid=1778 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:12): avc: denied { getattr } for pid=1778 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.975:13): audit_pid=1863 old=0 by auid=4294967295 subj=system_u:system_r:auditd_t:s0
Greetings, Peter
------------------------------------------------------------------------
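As an added illustration (not from the thread and not audit2allow's own code), a small Python triage script that parses AVC records like the ones above, groups the denied permissions by source type, target type and object class, and renders the allow rule audit2allow would propose, so a reviewer can see exactly what "dhcpc_t may run iptables" would grant before loading a module. The regexes assume the FC7-era kernel AVC format shown in the thread.

```python
import re
from collections import defaultdict

# Matches the kernel AVC denial format seen in the thread; only the fields
# needed for triage are captured.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*?)\s+"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial, or None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    # A context is user:role:type[:range]; policy rules are written on the type.
    return {
        "perms": set(m.group("perms").split()),
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        "comm": fields.get("comm"),
        "pid": fields.get("pid"),
    }


def summarize(lines):
    """Group denials by (source type, target type, class) -> set of permissions."""
    summary = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        summary[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(summary)


def allow_rules(summary):
    """Render each group as the allow rule a policy module would need (for review)."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(summary.items())]


# Sample records copied from the thread above: two denials and one non-AVC record.
SAMPLE = [
    'Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:4): avc: denied { execute } for pid=1775 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file',
    'Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:5): avc: denied { getattr } for pid=1775 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file',
    'Jun 7 08:08:54 c79-70 kernel: audit(1181196527.975:13): audit_pid=1863 old=0 by auid=4294967295 subj=system_u:system_r:auditd_t:s0',
]

if __name__ == "__main__":
    for rule in allow_rules(summarize(SAMPLE)):
        print(rule)
```

Nine denials in the thread collapse to one rule, `allow dhcpc_t iptables_exec_t:file { execute getattr };`, which makes the trade-off in the reply concrete: the module would let the DHCP client domain execute the firewall binary, not merely read it.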

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
