Hi, I'm running several fully updated CentOS 5.2 servers and am trying to get all the SELinux denials sorted out. Here are two of the ones that I've got left. I can generate local policy to allow these, but is that the best way? The full sealert messages have been cut.

1. SELinux is preventing iptables (iptables_t) "read write" to socket (initrc_t).

For complete SELinux messages. run sealert -l 80760bb0-da8f-4fe8-855a-1cfc5789a597

[root@garryowen ~]# sealert -l 80760bb0-da8f-4fe8-855a-1cfc5789a597

Summary:

SELinux is preventing iptables (iptables_t) "read write" to socket (initrc_t).

Detailed Description:

SELinux denied access requested by iptables. It is not expected that this ...

Allowing Access:

You can generate a local policy module to allow this access - see FAQ ...

Additional Information:

Source Context                system_u:system_r:iptables_t
Target Context                system_u:system_r:initrc_t
Target Objects                socket [ packet_socket ]
Source                        iptables
Source Path                   /sbin/iptables
Port                          <Unknown>
Host                          garryowen.xx.xx.xx
Source RPM Packages           iptables-1.3.5-4.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-137.1.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     garryowen.xx.xx.xx
Platform                      Linux garryowen.xx.xx.xx 2.6.18-92.1.18.el5

Raw Audit Messages

host=garryowen.xx.xx.xx type=AVC msg=audit(1227684250.838:20268): avc: denied { read write } for pid=22829 comm="iptables" path="socket:[18015]" dev=sockfs ino=18015 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=packet_socket

host=garryowen.xx.xx.xx type=SYSCALL msg=audit(1227684250.838:20268): arch=40000003 syscall=11 success=yes exit=0 a0=9c95470 a1=9c956f8 a2=9c95610 a3=40 items=0 ppid=5571 pid=22829 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables" subj=system_u:system_r:iptables_t:s0 key=(null)

2. SELinux is preventing iptables (iptables_t) "read" to pipe (crond_t).

For complete SELinux messages. run sealert -l 879c2152-44ee-4594-96c6-96716fda722b

[root@garryowen ~]# sealert -l 879c2152-44ee-4594-96c6-96716fda722b

Summary:

SELinux is preventing iptables (iptables_t) "read" to pipe (crond_t).

Detailed Description:

SELinux denied access requested by iptables. It is not expected that this ...

Allowing Access:

You can generate a local policy module to allow this access - see FAQ ...

Additional Information:

Source Context                root:system_r:iptables_t
Target Context                system_u:system_r:crond_t:SystemLow-SystemHigh
Target Objects                pipe [ fifo_file ]
Source                        iptables
Source Path                   /sbin/iptables
Port                          <Unknown>
Host                          garryowen.xx.xx.xx
Source RPM Packages           iptables-1.3.5-4.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-137.1.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     garryowen.xx.xx.xx
Platform                      Linux garryowen.xx.xx.xx 2.6.18-92.1.18.el5

Raw Audit Messages

host=garryowen.xx.xx.xx type=AVC msg=audit(1228007101.709:31231): avc: denied { read } for pid=14428 comm="iptables" path="pipe:[1462004]" dev=pipefs ino=1462004 scontext=root:system_r:iptables_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file

host=garryowen.xx.xx.xx type=AVC msg=audit(1228007101.709:31231): avc: denied { write } for pid=14428 comm="iptables" path="pipe:[1462005]" dev=pipefs ino=1462005 scontext=root:system_r:iptables_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file

host=garryowen.xx.xx.xx type=SYSCALL msg=audit(1228007101.709:31231): arch=40000003 syscall=11 success=yes exit=0 a0=9985ab8 a1=9985698 a2=996d5d0 a3=0 items=0 ppid=14416 pid=14428 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5147 comm="iptables" exe="/sbin/iptables" subj=root:system_r:iptables_t:s0 key=(null)

Thanks,
Tony

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
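An added triage script over the AVC records pasted in the post above (example code, not Tony's output and not part of any SELinux tool): it pairs each AVC with its SYSCALL record and, because both denials were logged during execve(2) (arch=40000003 with syscall=11 is execve on i386), flags the socket and pipe as descriptors inherited from the calling init script and cron job rather than objects iptables opened itself. The dontaudit-versus-allow choice it emits is the script's own heuristic for review, and the SYSCALL lines are trimmed to the fields it reads.

```python
import re
from collections import defaultdict
# Audit records from the post above (SYSCALL lines trimmed); constructed sample input.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1227684250.838:20268): avc: denied { read write } for pid=22829 comm="iptables" path="socket:[18015]" dev=sockfs ino=18015 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=packet_socket
type=SYSCALL msg=audit(1227684250.838:20268): arch=40000003 syscall=11 success=yes exit=0 ppid=5571 pid=22829 comm="iptables" exe="/sbin/iptables" subj=system_u:system_r:iptables_t:s0
type=AVC msg=audit(1228007101.709:31231): avc: denied { read } for pid=14428 comm="iptables" path="pipe:[1462004]" dev=pipefs ino=1462004 scontext=root:system_r:iptables_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1228007101.709:31231): avc: denied { write } for pid=14428 comm="iptables" path="pipe:[1462005]" dev=pipefs ino=1462005 scontext=root:system_r:iptables_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1228007101.709:31231): arch=40000003 syscall=11 success=yes exit=0 ppid=14416 pid=14428 comm="iptables" exe="/sbin/iptables" subj=root:system_r:iptables_t:s0
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value or key="quoted value"
EVENT = re.compile(r'msg=audit\(([^)]+)\)')   # timestamp:serial shared by one event's records
PERMS = re.compile(r'denied \{ ([^}]*) \}')
I386_EXECVE = ("40000003", "11")              # AUDIT_ARCH_I386, execve(2)

def parse_record(line):
    """One audit line -> dict; AVC lines also get a 'perms' set."""
    rec = {k: v.strip('"') for k, v in KV.findall(line)}
    rec["event"] = EVENT.search(line).group(1)
    perms = PERMS.search(line)
    rec["perms"] = set(perms.group(1).split()) if perms else set()
    return rec

def domain_type(context):
    """user:role:type[:range] -> type (system_u:system_r:initrc_t:s0 -> initrc_t)."""
    return context.split(":")[2]

def triage(audit_text):
    """Pair each AVC with its SYSCALL record. A denial raised while iptables is
    still inside execve(2) means the pipe/socket was inherited from the parent
    (init script, cron job), i.e. a leaked descriptor, usually dontaudit-ed."""
    events = defaultdict(list)
    for line in filter(str.strip, audit_text.splitlines()):
        rec = parse_record(line)
        events[rec["event"]].append(rec)
    findings = []
    for recs in events.values():
        sc = next((r for r in recs if r["type"] == "SYSCALL"), {})
        at_exec = (sc.get("arch"), sc.get("syscall")) == I386_EXECVE
        for avc in (r for r in recs if r["type"] == "AVC"):
            src, tgt = domain_type(avc["scontext"]), domain_type(avc["tcontext"])
            kind = "dontaudit" if at_exec else "allow"   # heuristic; review before loading
            rule = "%s %s %s:%s { %s };" % (kind, src, tgt, avc["tclass"],
                                             " ".join(sorted(avc["perms"])))
            findings.append({"source": src, "target": tgt, "class": avc["tclass"],
                             "perms": avc["perms"], "ppid": sc.get("ppid"),
                             "inherited_fd": at_exec, "rule": rule})
    return findings
```

Run `triage(SAMPLE_AUDIT)` to get one finding per AVC line; the `ppid` field points at the process that leaked the descriptor, which is where the fix belongs if you prefer closing the descriptor over changing policy.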