Bug 1373220
| Field | Value |
|---|---|
| Summary | avc denial: comm="iptables.init" name="plymouth" |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Petr Sklenar <psklenar> |
| Component | selinux-policy |
| Assignee | Lukas Vrabec <lvrabec> |
| Status | CLOSED ERRATA |
| QA Contact | Milos Malik <mmalik> |
| Severity | medium |
| Docs Contact | |
| Priority | medium |
| Version | 7.3 |
| CC | feehans, lvrabec, matt.castelein, mgrepl, mmalik, plautrba, pvrabec, ssekidde, zpytela |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | selinux-policy-3.13.1-175.el7 |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2018-04-10 12:22:45 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 1420851 |
Description of problem:
There is an AVC denial during starting iptables, but it's there rarely.

Version-Release number of selected component (if applicable):
iptables-1.4.21-17.el7.s390x
selinux-policy-3.13.1-96.el7.noarch

How reproducible:
rarely

Steps to Reproduce:
1. start iptables + ip6tables + firewalld

Actual results:

```
time->Sun Sep 4 01:34:54 2016
type=SYSCALL msg=audit(1472949294.909:1707): arch=80000016 syscall=300 success=no exit=-13 a0=ffffffffffffff9c a1=90ea45b0 a2=1 a3=200 items=0 ppid=1 pid=45704 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables.init" exe="/usr/bin/bash" subj=system_u:system_r:iptables_t:s0 key=(null)
type=AVC msg=audit(1472949294.909:1707): avc: denied { execute } for pid=45704 comm="iptables.init" name="plymouth" dev="dm-0" ino=613888 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:plymouth_exec_t:s0 tclass=file
Fail: AVC messages found.
```

Expected results:
no denial

Additional info:

We're getting similar errors. Note that this is on a CentOS 7.3.1611 system, so I probably shouldn't report here. But I have also opened a bug with CentOS: https://bugs.centos.org/view.php?id=12648

Here are the errors we get:

```
type=AVC msg=audit(1484222790.149:1385018): avc: denied { setattr } for pid=10803 comm="chmod" name="iptables.save" dev="dm-0" ino=35288115 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC msg=audit(1484222790.150:1385019): avc: denied { execute } for pid=10790 comm="iptables.init" name="plymouth" dev="dm-0" ino=67870175 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:plymouth_exec_t:s0 tclass=file
type=AVC msg=audit(1484222790.221:1385042): avc: denied { unlink } for pid=10860 comm="rm" name="ip6tables" dev="tmpfs" ino=17162 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1484222790.240:1385045): avc: denied { read } for pid=10862 comm="ip6tables.init" name="modprobe.d" dev="dm-0" ino=34095125 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
```

For us this happens only on reboot and it is consistently reproducible. It started on the first reboot after updating to 7.3.1611.

The legacy commands iptables.init and ip6tables.init are part of the iptables-services-1.4.21-17.el7.x86_64 package. They are sourcing /etc/init.d/functions, which executes plymouth commands. Similar to bz1419957.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0763
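As an added triage example (not part of this bug report and not code from the selinux-policy project), the following Python script parses audit records of the shape quoted on this page, joins each AVC record to its SYSCALL record by the shared audit event id (which is how `exe="/usr/bin/bash"` is recovered for `comm="iptables.init"`), groups all denials by source type, target type, object class and permission, and flags the exact signature reported here: `iptables_t` executing a `plymouth_exec_t` file. The sample log is constructed from the lines quoted in the report; the function names and the signature filter are this example's own, and it generalizes to the other three denials the CentOS reporter posted.

```python
import re
from collections import defaultdict

# Constructed sample input, assembled from the audit records quoted in this bug
# (the SYSCALL and the first AVC share the event id 1472949294.909:1707).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1472949294.909:1707): arch=80000016 syscall=300 success=no exit=-13 a0=ffffffffffffff9c a1=90ea45b0 a2=1 a3=200 items=0 ppid=1 pid=45704 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables.init" exe="/usr/bin/bash" subj=system_u:system_r:iptables_t:s0 key=(null)
type=AVC msg=audit(1472949294.909:1707): avc: denied { execute } for pid=45704 comm="iptables.init" name="plymouth" dev="dm-0" ino=613888 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:plymouth_exec_t:s0 tclass=file
type=AVC msg=audit(1484222790.149:1385018): avc: denied { setattr } for pid=10803 comm="chmod" name="iptables.save" dev="dm-0" ino=35288115 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC msg=audit(1484222790.150:1385019): avc: denied { execute } for pid=10790 comm="iptables.init" name="plymouth" dev="dm-0" ino=67870175 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:plymouth_exec_t:s0 tclass=file
type=AVC msg=audit(1484222790.221:1385042): avc: denied { unlink } for pid=10860 comm="rm" name="ip6tables" dev="tmpfs" ino=17162 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1484222790.240:1385045): avc: denied { read } for pid=10862 comm="ip6tables.init" name="modprobe.d" dev="dm-0" ino=34095125 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
"""

# One audit record: "type=<TYPE> msg=audit(<secs>.<ms>:<serial>): <body>"
RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<event>\d+\.\d+:\d+)\): (?P<body>.*)$")
# AVC body: "avc: denied { perm [perm ...] } for key=value ..."; real auditd output
# uses double spaces around "denied", the copies on this page use single ones.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
# key=value pairs; values are either double-quoted strings or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(text):
    """Turn 'pid=1 comm="x" tty=(none)' into a dict with quotes stripped."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(text)}


def selinux_type(context):
    """Extract the type field from user:role:type:level, e.g. iptables_t."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_audit_log(text):
    """Group records by audit event id; each event holds its SYSCALL fields and AVC denials."""
    events = defaultdict(lambda: {"syscall": None, "avcs": []})
    for line in text.splitlines():
        match = RECORD_RE.match(line.strip())
        if not match:
            continue  # e.g. the "time->..." header line ausearch prints
        rtype, event, body = match.group("type", "event", "body")
        if rtype == "SYSCALL":
            events[event]["syscall"] = parse_fields(body)
        elif rtype == "AVC":
            avc = AVC_RE.match(body)
            if not avc:
                continue
            fields = parse_fields(avc.group("fields"))
            for perm in avc.group("perms").split():  # one entry per denied permission
                events[event]["avcs"].append({"perm": perm, **fields})
    return dict(events)


def summarize_denials(events):
    """Count denials per (source type, target type, class, permission) tuple.

    These tuples are exactly what a policy allow rule is keyed on, so the
    summary shows which rules are missing without reading every raw line."""
    summary = defaultdict(lambda: {"count": 0, "comms": set(), "names": set()})
    for event in events.values():
        for avc in event["avcs"]:
            key = (selinux_type(avc["scontext"]), selinux_type(avc["tcontext"]),
                   avc["tclass"], avc["perm"])
            summary[key]["count"] += 1
            summary[key]["comms"].add(avc["comm"])
            if "name" in avc:
                summary[key]["names"].add(avc["name"])
    return dict(summary)


def find_plymouth_exec_denials(events):
    """Return (event id, comm, exe) for every AVC matching this bug's signature:
    iptables_t denied execute on a plymouth_exec_t file. exe comes from the
    SYSCALL record of the same event and is None when that record is absent."""
    hits = []
    for event_id, event in sorted(events.items()):
        for avc in event["avcs"]:
            if (selinux_type(avc["scontext"]) == "iptables_t"
                    and selinux_type(avc["tcontext"]) == "plymouth_exec_t"
                    and avc["tclass"] == "file" and avc["perm"] == "execute"):
                exe = event["syscall"]["exe"] if event["syscall"] else None
                hits.append((event_id, avc["comm"], exe))
    return hits


if __name__ == "__main__":
    parsed = parse_audit_log(SAMPLE_AUDIT_LOG)
    for key, info in summarize_denials(parsed).items():
        print(f"{key[0]} -> {key[1]} ({key[2]}:{key[3]}): {info['count']} x, "
              f"comm={sorted(info['comms'])}, name={sorted(info['names'])}")
    for hit in find_plymouth_exec_denials(parsed):
        print("bug 1373220 signature:", hit)
```

Running the script over the constructed log yields four distinct denial tuples, all with `iptables_t` as the source, and two matches for the plymouth signature; the `exe` column is only filled for the event that also carries a SYSCALL record, which is why the description's `exe="/usr/bin/bash"` is the useful clue that the denial comes from the init script sourcing `/etc/init.d/functions` rather than from the iptables binary itself.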