Hi,

I'm running SELinux in enforcing mode on fully updated CentOS-5 servers.

selinux-policy-targeted-2.4.6-279.el5_5.2.noarch

After an upgrade of selinux-policy-targeted last night I'm seeing the following AVC on several of the servers.

[root@garryowen ~]# sealert -l badcaefe-41c9-4fcc-a264-24bff72bcfd7

Summary:

SELinux is preventing iptables (iptables_t) "read write" to socket (initrc_t).

Detailed Description:

SELinux denied access requested by iptables. It is not expected that this access is required by iptables and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:iptables_t
Target Context                system_u:system_r:initrc_t
Target Objects                socket [ unix_dgram_socket ]
Source                        iptables
Source Path                   /sbin/iptables
Port                          <Unknown>
Host                          garryowen.x.y.z
Source RPM Packages           iptables-1.3.5-5.3.el5_4.1
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-279.el5_5.2
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     garryowen.x.y.z
Platform                      Linux garryowen.x.y.z 2.6.18-194.17.4.el5 #1 SMP Mon Oct 25 15:50:53 EDT 2010 x86_64 x86_64
Alert Count                   4
First Seen                    Fri Nov 12 07:58:02 2010
Last Seen                     Fri Nov 12 08:08:32 2010
Local ID                      badcaefe-41c9-4fcc-a264-24bff72bcfd7
Line Numbers

Raw Audit Messages

host=garryowen.x.y.z type=AVC msg=audit(1289549312.375:38126): avc: denied { read write } for pid=12864 comm="iptables" path="socket:[14188]" dev=sockfs ino=14188 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_dgram_socket

host=garryowen.x.y.z type=SYSCALL msg=audit(1289549312.375:38126): arch=c000003e syscall=59 success=yes exit=0 a0=b88cd30 a1=b88d5e0 a2=b883c40 a3=8 items=0 ppid=12849 pid=12864 auid=4294967295 uid=0 gid=997 euid=0 suid=0 fsuid=0 egid=997 sgid=997 fsgid=997 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables" subj=system_u:system_r:iptables_t:s0 key=(null)

I can generate a local policy to allow this.

Regards,
Tony
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
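As an added example (not part of Tony's post, nor code from sealert or audit2allow), the following Python parses the two raw audit records quoted above, correlates the AVC line with its SYSCALL line by audit serial so the denial can be read together with exe and ppid, derives the allow rule a local policy module would need for exactly this denial, and flags any denial whose (source type, target type, class, permissions) tuple has not yet been reviewed. The sample log is a constructed copy of the records in the post; the `reviewed` allowlist is an assumed input the administrator fills in after deciding a denial is benign.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC record quoted in the post and its matching
# SYSCALL record (same audit serial 38126), one record per line.
SAMPLE_LOG = """\
host=garryowen.x.y.z type=AVC msg=audit(1289549312.375:38126): avc: denied { read write } for pid=12864 comm="iptables" path="socket:[14188]" dev=sockfs ino=14188 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_dgram_socket
host=garryowen.x.y.z type=SYSCALL msg=audit(1289549312.375:38126): arch=c000003e syscall=59 success=yes exit=0 a0=b88cd30 a1=b88d5e0 a2=b883c40 a3=8 items=0 ppid=12849 pid=12864 auid=4294967295 uid=0 gid=997 euid=0 suid=0 fsuid=0 egid=997 sgid=997 fsgid=997 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables" subj=system_u:system_r:iptables_t:s0 key=(null)
"""

HDR_RE = re.compile(r'type=(\w+) msg=audit\([\d.]+:(\d+)\):')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_log(text):
    """Parse audit records and group them by serial, so the AVC line and the
    SYSCALL line of one event (exe, ppid, ...) can be read together."""
    events = defaultdict(dict)
    for line in text.splitlines():
        h = HDR_RE.search(line)
        if not h:
            continue  # not an audit record
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        a = AVC_RE.search(line)
        if a:  # AVC records also carry the result and the permission set
            fields['result'], fields['perms'] = a.group(1), tuple(a.group(2).split())
        events[int(h.group(2))][h.group(1)] = fields
    return events

def sel_type(context):
    return context.split(':')[2]  # system_u:system_r:iptables_t:s0 -> iptables_t

def allow_rule(avc):
    """The allow rule a local policy module would need for this one denial."""
    return 'allow %s %s:%s { %s };' % (sel_type(avc['scontext']),
        sel_type(avc['tcontext']), avc['tclass'], ' '.join(avc['perms']))

def triage(events, reviewed):
    """One row per denial: 'known' if its (source, target, class, perms) tuple
    is in the reviewed-as-benign set, else 'REVIEW'; exe/ppid come from SYSCALL."""
    out = []
    for serial, recs in sorted(events.items()):
        avc = recs.get('AVC')
        if not avc or avc.get('result') != 'denied':
            continue
        key = (sel_type(avc['scontext']), sel_type(avc['tcontext']),
               avc['tclass'], avc['perms'])
        sc = recs.get('SYSCALL', {})
        out.append((serial, 'known' if key in reviewed else 'REVIEW',
                    sc.get('exe', avc.get('comm')), sc.get('ppid'), allow_rule(avc)))
    return out
```

Running `triage(parse_log(SAMPLE_LOG), set())` on the records from the post yields one REVIEW row for serial 38126 with the rule `allow iptables_t initrc_t:unix_dgram_socket { read write };`, the same access an audit2allow-generated local module would grant.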