Bug 1005589
| Field | Value |
|---|---|
| Summary | SELinux is preventing iptables (iptables_t) "read" to inotify (inotifyfs_t) |
| Product | Red Hat Enterprise Linux 5 |
| Reporter | Kristen <jaejah> |
| Component | selinux-policy |
| Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED ERRATA |
| QA Contact | Milos Malik <mmalik> |
| Severity | medium |
| Priority | medium |
| Version | 5.9 |
| CC | dwalsh, eparis, jaejah, mmalik |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Fixed In Version | selinux-policy-2.4.6-347.el5 |
| Doc Type | Bug Fix |
| Doc Text | Previously, SELinux prevented the iptables_t process from using the inotify utility to monitor file system activity. This update adds appropriate SELinux rules and iptables_t can use inotify as expected. |
| Story Points | --- |
| Last Closed | 2014-09-16 00:29:50 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-1205.html
Created attachment 795418 [details]: Contents of sealert

Description of problem:
The message "SELinux is preventing iptables (iptables_t) "read" to inotify (inotifyfs_t)" is found frequently (daily) in /var/log/messages.

Version-Release number of selected component (if applicable):

```
# rpm -qa | grep selinux
selinux-policy-strict-2.4.6-338.el5
selinux-policy-2.4.6-338.el5
libselinux-utils-1.33.4-5.7.el5
libselinux-devel-1.33.4-5.7.el5
libselinux-python-1.33.4-5.7.el5
libselinux-1.33.4-5.7.el5
selinux-policy-targeted-2.4.6-338.el5
# rpm -qa | grep iptables
iptables-1.3.5-9.2.el5_8
iptables-ipv6-1.3.5-9.2.el5_8
```

How reproducible:
Every day, frequently and irregularly during the day.

Steps to Reproduce:
1. Boot server

Actual results:
Frequent log messages about security blocking access to inotifyfs by iptables.

Expected results:
iptables is allowed to access inotifyfs for security purposes.

Additional info:
At this time I have added a local policy to allow iptables access to read inotifyfs. The log entries in /var/log/messages are now gone, thus far.
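The reporter mentions a local policy module as a stopgap. As an added example (not part of the bug report, the attached sealert output, or the shipped policy fix), the script below turns AVC denial lines into a minimal local .te module the way audit2allow does; the two denial lines are constructed, and only the type names iptables_t and inotifyfs_t and the "read" permission come from the report (the tclass, pid and inode values are assumed).

```shell
#!/bin/sh
# Added example (not from the bug report): a small audit2allow-style
# converter from AVC denial lines, as logged to /var/log/messages or
# audit.log, into a local Type Enforcement (.te) module.  The two denial
# lines below are constructed; only iptables_t, inotifyfs_t and "read"
# come from the report, the tclass and pid/ino values are made up.
SAMPLE_AVC='type=AVC msg=audit(1380000000.000:1234): avc:  denied  { read } for  pid=4321 comm="iptables" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
type=AVC msg=audit(1380000001.000:1235): avc:  denied  { read getattr } for  pid=4322 comm="iptables" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir'

# avc_to_te MODULE_NAME  (reads AVC lines on stdin, prints the .te text)
# Permissions are merged per (source type, target type, class), so repeated
# denials of the same access yield a single allow rule.
avc_to_te() {
    awk -v mod="$1" '
    /avc: *denied/ {
        match($0, /[{][^}]*[}]/);      perms = substr($0, RSTART + 1, RLENGTH - 2)
        match($0, /scontext=[^ ]+/);   split(substr($0, RSTART + 9, RLENGTH - 9), s, ":")
        match($0, /tcontext=[^ ]+/);   split(substr($0, RSTART + 9, RLENGTH - 9), t, ":")
        match($0, /tclass=[^ ]+/);     cls = substr($0, RSTART + 7, RLENGTH - 7)
        key = s[3] " " t[3] ":" cls    # third field of user:role:type:level is the type
        types[s[3]] = 1; types[t[3]] = 1
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++) {
            if (!((key, p[i]) in seen))  { seen[key, p[i]] = 1;  rule[key] = rule[key] " " p[i] }
            if (!((cls, p[i]) in cseen)) { cseen[cls, p[i]] = 1; cperm[cls] = cperm[cls] " " p[i] }
        }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (ty in types) printf "\ttype %s;\n", ty
        for (c in cperm)  printf "\tclass %s {%s };\n", c, cperm[c]
        printf "}\n\n"
        for (k in rule)   printf "allow %s {%s };\n", k, rule[k]
    }'
}

# Stand-alone run: print the module for the sample denials.  To build and
# load it on the affected host (policycoreutils commands, not run here):
#   checkmodule -M -m -o local_iptables_inotify.mod local_iptables_inotify.te
#   semodule_package -o local_iptables_inotify.pp -m local_iptables_inotify.mod
#   semodule -i local_iptables_inotify.pp
# A local module like this is a stopgap: once selinux-policy-2.4.6-347.el5
# (the fixed version named above) is installed, remove it with semodule -r
# so the shipped rules, not an ad hoc allow, govern iptables_t.
printf '%s\n' "$SAMPLE_AVC" | avc_to_te local_iptables_inotify
```

Running the script prints a module whose single allow rule merges the two denials into `allow iptables_t inotifyfs_t:dir { read getattr };`.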