-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/12/2010 04:25 AM, Tony Molloy wrote:
>
> Hi,
>
> I'm running SELinux in enforcing mode on fully updated CentOS-5 servers.
> selinux-policy-targeted-2.4.6-279.el5_5.2.noarch
>
> After an upgrade of selinux-policy-targeted last night I'm seeing the
> following AVC on several of the servers.
>
> [root@garryowen ~]# sealert -l badcaefe-41c9-4fcc-a264-24bff72bcfd7
>
> Summary:
>
> SELinux is preventing iptables (iptables_t) "read write" to socket (initrc_t).
>
> Detailed Description:
>
> SELinux denied access requested by iptables. It is not expected that this
> access is required by iptables and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of
> the application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not
> recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                system_u:system_r:iptables_t
> Target Context                system_u:system_r:initrc_t
> Target Objects                socket [ unix_dgram_socket ]
> Source                        iptables
> Source Path                   /sbin/iptables
> Port                          <Unknown>
> Host                          garryowen.x.y.z
> Source RPM Packages           iptables-1.3.5-5.3.el5_4.1
> Target RPM Packages
> Policy RPM                    selinux-policy-2.4.6-279.el5_5.2
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     garryowen.x.y.z
> Platform                      Linux garryowen.x.y.z 2.6.18-194.17.4.el5 #1 SMP
>                               Mon Oct 25 15:50:53 EDT 2010 x86_64 x86_64
> Alert Count                   4
> First Seen                    Fri Nov 12 07:58:02 2010
> Last Seen                     Fri Nov 12 08:08:32 2010
> Local ID                      badcaefe-41c9-4fcc-a264-24bff72bcfd7
> Line Numbers
>
> Raw Audit Messages
>
> host=garryowen.x.y.z type=AVC msg=audit(1289549312.375:38126): avc: denied {
> read write } for pid=12864 comm="iptables" path="socket:[14188]" dev=sockfs
> ino=14188 scontext=system_u:system_r:iptables_t:s0
> tcontext=system_u:system_r:initrc_t:s0 tclass=unix_dgram_socket
>
> host=garryowen.x.y.z type=SYSCALL msg=audit(1289549312.375:38126):
> arch=c000003e syscall=59 success=yes exit=0 a0=b88cd30 a1=b88d5e0 a2=b883c40
> a3=8 items=0 ppid=12849 pid=12864 auid=4294967295 uid=0 gid=997 euid=0 suid=0
> fsuid=0 egid=997 sgid=997 fsgid=997 tty=(none) ses=4294967295 comm="iptables"
> exe="/sbin/iptables" subj=system_u:system_r:iptables_t:s0 key=(null)
>
> I can generate a local policy to allow this.
>
> Regards,
>
> Tony
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

This is a leaked file descriptor from the tool running as initrc_t.

ps -eZ | grep initrc_t.

You can safely add an allow rule for this.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkzdSSgACgkQrlYvE4MpobMdBQCgrWt9sVdSKcTrjxzMf8m180PS
lScAnj1OIgpUou4zd9nOVh1eKDznNHTT
=Q0Yp
-----END PGP SIGNATURE-----
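The "generate a local policy module" step that both messages refer to, as an added example that is not part of the thread and not code from either poster: a plain POSIX sh script that parses raw AVC "denied" audit lines like the one in Tony's report and emits the minimal .te module source that audit2allow -M would produce (an allow rule, or a dontaudit rule if you only want the noise gone). The SAMPLE_AVC line is constructed from the report's own contexts, class and permissions; the module name local_iptables and the avc_* function names are this example's choices, and the build/install commands are the standard checkmodule/semodule_package/semodule sequence shown in comments.

```shell
#!/bin/sh
# Added example (not from the original thread): turn raw AVC "denied" audit
# lines into a minimal SELinux policy module source (.te) that grants exactly
# the denied access, the same thing "audit2allow -M" does. Only sh/sed/awk
# are used so it runs anywhere. The sample line below is constructed to match
# the report in the thread (contexts, class and permissions copied from it).
SAMPLE_AVC='type=AVC msg=audit(1289549312.375:38126): avc:  denied  { read write } for  pid=12864 comm="iptables" path="socket:[14188]" dev=sockfs ino=14188 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_dgram_socket'

# avc_field LINE NAME -> value of "NAME=..." in LINE (empty if absent)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# ctx_type CONTEXT -> the type component of user:role:type[:level]
ctx_type() {
    printf '%s\n' "$1" | awk -F: '{ print $3 }'
}

# avc_perms LINE -> the permissions listed inside "denied { ... }"
avc_perms() {
    printf '%s\n' "$1" \
        | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*\)}.*/\1/p' \
        | sed 's/[[:space:]]*$//'
}

# avc_to_rule KIND LINE -> "KIND SRC TGT:CLASS { PERMS };"
# KIND is "allow" (grant it) or "dontaudit" (stop logging it, grant nothing).
# Fails if any of the four pieces cannot be parsed out of LINE.
avc_to_rule() {
    kind=$1 line=$2
    src=$(ctx_type "$(avc_field "$line" scontext)")
    tgt=$(ctx_type "$(avc_field "$line" tcontext)")
    cls=$(avc_field "$line" tclass)
    perms=$(avc_perms "$line")
    [ -n "$src" ] && [ -n "$tgt" ] && [ -n "$cls" ] && [ -n "$perms" ] || return 1
    printf '%s %s %s:%s { %s };\n' "$kind" "$src" "$tgt" "$cls" "$perms"
}

# avc_to_te MODULE [KIND] < audit-lines -> complete .te module text on stdout.
# Non-AVC lines (SYSCALL records, sealert chatter) are ignored; returns 1 if
# no AVC denial was found, so a typo in the grep does not yield an empty module.
avc_to_te() {
    name=$1 kind=${2:-allow}
    rules=$(while IFS= read -r line; do
        case $line in *"avc:"*"denied"*) avc_to_rule "$kind" "$line" ;; esac
    done | sort -u)
    [ -n "$rules" ] || { echo "avc_to_te: no AVC denials in input" >&2; return 1; }
    printf 'module %s 1.0;\n\nrequire {\n' "$name"
    # every source and target type used by a rule must be declared in require {}
    printf '%s\n' "$rules" | awk '{ print $2; sub(/:.*/, "", $3); print $3 }' \
        | sort -u | awk '{ print "\ttype " $0 ";" }'
    # ...as must each object class, with the union of the permissions used
    printf '%s\n' "$rules" \
        | awk '{ split($3, a, ":"); for (i = 5; i < NF; i++) print a[2], $i }' \
        | sort -u \
        | awk '$1 != c { if (c != "") print "\tclass " c " {" p " };"; c = $1; p = "" }
               { p = p " " $2 }
               END { if (c != "") print "\tclass " c " {" p " };" }'
    printf '}\n\n%s\n' "$rules"
}

# Demonstration on the constructed line. On a real host feed it the log instead:
#   grep 'avc:.*denied' /var/log/audit/audit.log | avc_to_te local_iptables > local_iptables.te
printf '%s\n' "$SAMPLE_AVC" | avc_to_te local_iptables

# Build and load the module (the same steps audit2allow -M runs for you):
#   checkmodule -M -m -o local_iptables.mod local_iptables.te
#   semodule_package -o local_iptables.pp -m local_iptables.mod
#   semodule -i local_iptables.pp
```

The allow rule is the right answer here only because the reply has identified the cause (a descriptor leaked by a process still running as initrc_t, which iptables never needs to use); in general a denial should be understood before it is allowed, which is why the script refuses to emit a module from input with no parsed AVC record and lets you choose dontaudit when you want the log noise suppressed without granting access. The durable fix is the one the reply points at: find the initrc_t process with ps -eZ | grep initrc_t and get it transitioned to a proper domain, then the local module can be removed with semodule -r local_iptables.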