--- On Thu, 12/4/08, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:

> From: Daniel J Walsh <dwalsh@xxxxxxxxxx>
> Subject: Re: selinux is denying iptables still :(
> To: olivares14031@xxxxxxxxx
> Cc: fedora-selinux-list@xxxxxxxxxx
> Date: Thursday, December 4, 2008, 5:53 AM
>
> Antonio Olivares wrote:
> > Dear fellow selinux experts,
> >
> > selinux is still denying iptables :(
> >
> > type=1400 audit(1228351277.178:4): avc: denied { write } for pid=1351 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
> >
> > It also interferes with the booting of newer kernel with many messages of denying stuff with Permission denied.
> >
> > I'm just reporting this, I have this machine running rawhide and it was also to serve as a mini-dhcp server to get internet to the machines in the classroom. I got help from fedora-list to get the correct file and all, but selinux is denying this, and I have to keep trying to get it right, and for other people it just works.
> >
> > Thanks,
> >
> > Antonio
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list@xxxxxxxxxx
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
> What policy are you seeing this with?

[olivares@localhost ~]$ rpm -qa selinux-policy*
selinux-policy-3.6.1-1.fc11.noarch
selinux-policy-targeted-3.5.13-26.fc10.noarch
selinux-policy-targeted-3.6.1-1.fc11.noarch

> In F10 policy selinux-policy-3.5.13-26.fc10.noarch
>
> I get
>
> # audit2allow -w -i /tmp/t
> type=1400 audit(1228351277.178:4): avc: denied { write } for pid=1351 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
>
> Was caused by:
> Unknown - would be allowed by active policy
> Possible mismatch between this policy and the one under which the audit message was generated.
>
> Possible mismatch between current in-memory boolean settings vs. permanent ones.
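
The AVC record discussed in this thread, rejoined from its mail-wrapped form and parsed field by field, as an added example that is not part of the original messages. The function names `unwrap_quoted`, `parse_avc` and `te_rule` are hypothetical; the output is the type-enforcement rule the denied access corresponds to, which is the thing to compare against the policy version actually loaded.

```python
import re

# The AVC record from the message above, as wrapped and ">"-quoted by the mailer.
QUOTED = """\
> type=1400 audit(1228351277.178:4): avc: denied { write }
> for pid=1351
> comm="ip6tables-resto" path="/0"
> dev=devpts ino=2
> scontext=system_u:system_r:iptables_t:s0
> tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
"""

QUOTE_RE = re.compile(r'^(?:\s*>)+\s?')
AVC_RE = re.compile(r'audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+'
                    r'(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def unwrap_quoted(text):
    """Strip mail quote markers and rejoin a record that was wrapped across lines."""
    return ' '.join(QUOTE_RE.sub('', ln).strip() for ln in text.splitlines() if ln.strip())


def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec.update(epoch=float(m.group('epoch')), serial=int(m.group('serial')),
               result=m.group('result'), perms=m.group('perms').split())
    for side in ('scontext', 'tcontext'):
        if side not in rec:
            return None
        # user:role:type[:level]; the MLS level may itself contain ':' (s0:c0.c1023)
        parts = rec[side].split(':', 3)
        if len(parts) < 3:
            return None
        rec[side + '_type'] = parts[2]
    return rec if 'tclass' in rec else None


def te_rule(rec):
    """The type-enforcement rule this access corresponds to, for comparing against policy."""
    perms = rec['perms'][0] if len(rec['perms']) == 1 else '{ %s }' % ' '.join(rec['perms'])
    return 'allow %s %s:%s %s;' % (rec['scontext_type'], rec['tcontext_type'], rec['tclass'], perms)


if __name__ == '__main__':
    print(te_rule(parse_avc(unwrap_quoted(QUOTED))))
```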