Bug 1001406 - SELinux is preventing iptables (iptables_t) "read write" to socket (initrc_t)
SELinux is preventing iptables (iptables_t) "read write" to socket (initrc_t)
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.9
x86_64 Linux
unspecified Severity high
: rc
: ---
Assigned To: Miroslav Grepl
BaseOS QE Security Team
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-08-26 21:58 EDT by jessicahu
Modified: 2014-03-24 09:51 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-03-24 09:51:23 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description jessicahu 2013-08-26 21:58:08 EDT
Description of problem:

CentOS release 5.9 (Final)
Linux version 2.6.18-348.16.1.el5xen
gcc version 4.1.2 20080704 (Red Hat 4.1.2-54)


Summary:

SELinux is preventing iptables (iptables_t) "read write" to socket (initrc_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by iptables. It is not expected that this access
is required by iptables and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:iptables_t
Target Context                system_u:system_r:initrc_t
Target Objects                socket [ unix_stream_socket ]
Source                        iptables
Source Path                   /sbin/iptables
Port                          <Unknown>
Host                          <Removed>
Source RPM Packages           iptables-1.3.5-5.3.el5_4.1 iptables-1.3.5-9.1.el5
                              iptables-1.3.5-9.2.el5_8
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-316.el5 selinux-
                              policy-2.4.6-327.el5 selinux-policy-2.4.6-338.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     <Removed>
Platform                      Linux <Removed> 2.6.18-348.16.1.el5xen
                              #1 SMP Wed Aug 21 04:45:07 EDT 2013 x86_64 x86_64
Alert Count                   15
First Seen                    Thu 22 Aug 2013 06:36:51 PM CST
Last Seen                     Tue 27 Aug 2013 04:53:33 AM CST
Local ID                      e280e2c4-123e-49eb-ad4f-01ce48fd3daf
Line Numbers                  

Raw Audit Messages            

host=<Removed> type=AVC msg=audit(1377550413.369:22360): avc:  denied  { read write } for  pid=28616 comm="iptables" path="socket:[14814]" dev=sockfs ino=14814 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket

host=<Removed> type=SYSCALL msg=audit(1377550413.369:22360): arch=c000003e syscall=59 success=yes exit=0 a0=b7bccf0 a1=b7bbf80 a2=b7bbb40 a3=8 items=0 ppid=28615 pid=28616 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables" subj=system_u:system_r:iptables_t:s0 key=(null)
Comment 1 Miroslav Grepl 2013-08-29 03:56:15 EDT
What does

$ ps -eZ |grep initrc
Comment 2 jessicahu 2013-08-29 07:24:46 EDT
Oh~Sorry..
Here is my information:

[root@mail ~]# ps -eZ | grep initrc
system_u:system_r:initrc_t       2679 ?        00:00:08 vmtoolsd
system_u:system_r:initrc_t       3693 ?        00:00:08 fail2ban-server
system_u:system_r:initrc_t       3695 ?        00:00:02 gam_server
Comment 3 Daniel Black 2013-10-14 08:40:25 EDT
while adding a fail2ban rule to run iptables rule, can rules be added to allow the connection to ipset to create ipsets and to add and remove elements from IPsets? I realise it may be a couple of releases off being used.

https://github.com/fail2ban/fail2ban/blob/master/config/action.d/iptables-ipset-proto6.conf
Comment 4 RHEL Product and Program Management 2014-01-22 11:26:33 EST
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.
Comment 5 Daniel Black 2014-01-22 15:50:06 EST
FYI, fail2ban now has actions for firewalld (https://github.com/fail2ban/fail2ban/blob/master/config/action.d/firewallcmd-ipset.conf / https://github.com/fail2ban/fail2ban/blob/master/config/action.d/firewallcmd-new.conf ) that where included in the 0.8.12 release of fail2ban. In https://github.com/grooverdan/fail2ban/tree/firewalld.py I'm working on a python implementation and the ipset implementation (when I get it working) I'm planning on donating it to firewalld (https://fedorahosted.org/firewalld/ticket/12).

If supporting a wide(r) range of selinux permissions for fail2ban isn't an option, perhaps the firewalld interface will be sufficient for RHEL.

If there's directions you'd like fail2ban to take in its development to make it easier please let us know.

Daniel Black
fail2ban dev
Comment 6 Miroslav Grepl 2014-03-24 09:51:23 EDT
We are not going to turn policies on for these services in RHEL5. You will need to add a local policy to make it working.

Note You need to log in before you can comment on or make changes to this bug.