Bug 498358

Summary: SELinux is preventing ip6tables-resto (iptables_t) "read write" unconfined_t.
Product: [Fedora] Fedora Reporter: Dave <dcatkin>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED INSUFFICIENT_DATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: low    
Version: 10CC: dwalsh, jkubin, mgrepl, pjones
Target Milestone: ---   
Target Release: ---   
Hardware: i686   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-08-21 21:03:56 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Dave 2009-04-30 03:34:58 UTC 
ummary:

SELinux is preventing ip6tables-resto (iptables_t) "read write" unconfined_t.

Detailed Description:

SELinux denied access requested by ip6tables-resto. It is not expected that this
access is required by ip6tables-resto and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:iptables_t:s0
Target Context                unconfined_u:unconfined_r:unconfined_t:s0
Target Objects                socket [ unix_stream_socket ]
Source                        iptables
Source Path                   /sbin/iptables
Port                          <Unknown>
Host                          home.69isfine.com
Source RPM Packages           iptables-ipv6-1.4.1.1-2.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-57.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     home.69isfine.com
Platform                      Linux home.69isfine.com
                              2.6.27.21-170.2.56.fc10.i686 #1 SMP Mon Mar 23
                              23:37:54 EDT 2009 i686 i686
Alert Count                   54
First Seen                    Wed 29 Apr 2009 08:33:59 PM PDT
Last Seen                     Wed 29 Apr 2009 08:37:50 PM PDT
Local ID                      f4851bea-d166-4ec4-8ce0-df5889f67997
Line Numbers                  

Raw Audit Messages            

node=home.69isfine.com type=AVC msg=audit(1241062670.394:404): avc:  denied  { read write } for  pid=16951 comm="ip6tables-resto" path="socket:[391123]" dev=sockfs ino=391123 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket

node=home.69isfine.com type=SYSCALL msg=audit(1241062670.394:404): arch=40000003 syscall=11 success=yes exit=0 a0=94dfda8 a1=94e0080 a2=94bb370 a3=0 items=0 ppid=16940 pid=16951 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="ip6tables-resto" exe="/sbin/ip6tables-restore" subj=unconfined_u:system_r:iptables_t:s0 key=(null)
Comment 1 Daniel Walsh 2009-05-04 14:41:06 UTC 
How did you trigger this?  It looks like a leaked file descriptor potentially from konsole?  Are you using the kde konsole for terminal access?  Or did you use some gui tool to trigger this avc.

It can safely be ignored as I am sure the iptables command succeeded, and SELinux just closed the leak.