Bug 1005589
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | SELinux is preventing iptables (iptables_t) "read" to inotify (inotifyfs_t) | | |
| Product | Red Hat Enterprise Linux 5 | Reporter | Kristen <jaejah> |
| Component | selinux-policy | Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED ERRATA | QA Contact | Milos Malik <mmalik> |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | 5.9 | CC | dwalsh, eparis, jaejah, mmalik |
| Target Milestone | rc | | |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | selinux-policy-2.4.6-347.el5 | Doc Type | Bug Fix |
| Doc Text | Previously, SELinux prevented the iptables_t process from using inotify to monitor file system activity. This update adds the appropriate SELinux rules, and iptables_t can now use inotify as expected. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2014-09-16 00:29:50 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Attachments | | | |
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-1205.html
Created attachment 795418: Contents of sealert

Description of problem:
The following message is found frequently/daily in /var/log/messages:
SELinux is preventing iptables (iptables_t) "read" to inotify (inotifyfs_t)

Version-Release number of selected component (if applicable):
# rpm -qa | grep selinux
selinux-policy-strict-2.4.6-338.el5
selinux-policy-2.4.6-338.el5
libselinux-utils-1.33.4-5.7.el5
libselinux-devel-1.33.4-5.7.el5
libselinux-python-1.33.4-5.7.el5
libselinux-1.33.4-5.7.el5
selinux-policy-targeted-2.4.6-338.el5
# rpm -qa | grep iptables
iptables-1.3.5-9.2.el5_8
iptables-ipv6-1.3.5-9.2.el5_8

How reproducible:
Every day, frequently and irregularly during the day.

Steps to Reproduce:
1. Boot server
2.
3.

Actual results:
Frequent log messages about security-blocked access to inotifyfs by iptables

Expected results:
To allow iptables to access inotifyfs for security purposes

Additional info:
At this time I have added a local policy to allow iptables access to read inotifyfs. The log entries in /var/log/messages are now gone, thus far.
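As an added example (not code from the bug report, the attachment, or the selinux-policy package), the shell below shows how a local policy of the kind the reporter mentions under "Additional info" is derived from an AVC denial, and how to confirm that the rule is present once selinux-policy-2.4.6-347.el5 is installed. The audit line is constructed for illustration; the object class dir and the module name local_iptables_inotify are assumptions. checkmodule, semodule_package, semodule and sesearch are the standard policycoreutils/setools tools, but they need root and an SELinux-enabled host, so the block only defines those steps as functions and does not call them.

```shell
#!/bin/sh
# Added example, not from the bug report or from the selinux-policy package.
# Derives the allow rule behind a denial like the one reported above, emits a
# complete local policy module (the reporter's workaround), and records how to
# build/load it and how to confirm the rule once the fixed policy is installed.

# Constructed AVC line (not copied from the attachment). Object class "dir" is
# an assumption: inotifyfs_t labels the inotify pseudo-filesystem, and "read"
# is treated as a directory permission in this illustration.
SAMPLE_AVC='type=AVC msg=audit(1378800000.123:4567): avc:  denied  { read } for  pid=1234 comm="iptables" scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir'

# parse_avc LINE: sets perms, src, tgt, cls from one AVC denial line.
# Fails (returns 1) if any of the four fields is missing.
parse_avc() {
    perms=$(printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\)}.*/\1/p' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
    src=$(printf '%s\n' "$1" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p')
    tgt=$(printf '%s\n' "$1" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p')
    cls=$(printf '%s\n' "$1" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    [ -n "$perms" ] && [ -n "$src" ] && [ -n "$tgt" ] && [ -n "$cls" ]
}

# fmt_perms PERMS: a single permission bare, several in braces (TE syntax).
fmt_perms() {
    case "$1" in
        *' '*) printf '{ %s }' "$1" ;;
        *)     printf '%s' "$1" ;;
    esac
}

# avc_to_te LINE: print the single allow rule audit2allow would derive.
avc_to_te() {
    parse_avc "$1" || return 1
    printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$(fmt_perms "$perms")"
}

# make_module NAME LINE: print a complete .te source suitable for checkmodule.
make_module() {
    parse_avc "$2" || return 1
    p=$(fmt_perms "$perms")
    printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n\ttype %s;\n\tclass %s %s;\n}\n\n' \
        "$1" "$src" "$tgt" "$cls" "$p"
    printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$p"
}

# install_module NAME LINE: build and load the module. Needs root, policycoreutils
# and an SELinux host, so it is defined here but not called.
install_module() {
    make_module "$1" "$2" > "$1.te" || return 1
    checkmodule -M -m -o "$1.mod" "$1.te" &&
        semodule_package -o "$1.pp" -m "$1.mod" &&
        semodule -i "$1.pp"
}

# rule_present SRC TGT CLASS: after updating to selinux-policy-2.4.6-347.el5 this
# should succeed with no local module loaded (uses setools' sesearch; not called).
rule_present() {
    sesearch --allow -s "$1" -t "$2" -c "$3" | grep -q "allow $1 $2"
}

avc_to_te "$SAMPLE_AVC"
make_module local_iptables_inotify "$SAMPLE_AVC"
```

Once the errata package is installed the local module is redundant and only widens the policy surface you have to track, so remove it with semodule -r local_iptables_inotify and then run rule_present iptables_t inotifyfs_t dir to confirm that the vendor rule alone covers the access.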