Description of problem:
CentOS release 5.9 (Final)
Linux version 2.6.18-348.16.1.el5xen
gcc version 4.1.2 20080704 (Red Hat 4.1.2-54)

Summary:
SELinux is preventing iptables (iptables_t) "read write" to socket (initrc_t).

Detailed Description:
[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]
SELinux denied access requested by iptables. It is not expected that this access is required by iptables and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:
Source Context                system_u:system_r:iptables_t
Target Context                system_u:system_r:initrc_t
Target Objects                socket [ unix_stream_socket ]
Source                        iptables
Source Path                   /sbin/iptables
Port                          <Unknown>
Host                          <Removed>
Source RPM Packages           iptables-1.3.5-5.3.el5_4.1 iptables-1.3.5-9.1.el5 iptables-1.3.5-9.2.el5_8
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-316.el5 selinux-policy-2.4.6-327.el5 selinux-policy-2.4.6-338.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     <Removed>
Platform                      Linux <Removed> 2.6.18-348.16.1.el5xen #1 SMP Wed Aug 21 04:45:07 EDT 2013 x86_64 x86_64
Alert Count                   15
First Seen                    Thu 22 Aug 2013 06:36:51 PM CST
Last Seen                     Tue 27 Aug 2013 04:53:33 AM CST
Local ID                      e280e2c4-123e-49eb-ad4f-01ce48fd3daf
Line Numbers

Raw Audit Messages
host=<Removed> type=AVC msg=audit(1377550413.369:22360): avc: denied { read write } for pid=28616 comm="iptables" path="socket:[14814]" dev=sockfs ino=14814 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
host=<Removed> type=SYSCALL msg=audit(1377550413.369:22360): arch=c000003e syscall=59 success=yes exit=0 a0=b7bccf0 a1=b7bbf80 a2=b7bbb40 a3=8 items=0 ppid=28615 pid=28616 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables" subj=system_u:system_r:iptables_t:s0 key=(null)
What does $ ps -eZ |grep initrc
Oh~ Sorry. Here is my information:
[root@mail ~]# ps -eZ | grep initrc
system_u:system_r:initrc_t 2679 ?        00:00:08 vmtoolsd
system_u:system_r:initrc_t 3693 ?        00:00:08 fail2ban-server
system_u:system_r:initrc_t 3695 ?        00:00:02 gam_server
While adding a fail2ban rule to run the iptables rule, can rules be added to allow the connection to ipset to create ipsets and to add and remove elements from ipsets? I realise it may be a couple of releases off being used. https://github.com/fail2ban/fail2ban/blob/master/config/action.d/iptables-ipset-proto6.conf
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.
FYI, fail2ban now has actions for firewalld (https://github.com/fail2ban/fail2ban/blob/master/config/action.d/firewallcmd-ipset.conf / https://github.com/fail2ban/fail2ban/blob/master/config/action.d/firewallcmd-new.conf) that were included in the 0.8.12 release of fail2ban. In https://github.com/grooverdan/fail2ban/tree/firewalld.py I'm working on a python implementation and the ipset implementation (when I get it working); I'm planning on donating it to firewalld (https://fedorahosted.org/firewalld/ticket/12). If supporting a wide(r) range of selinux permissions for fail2ban isn't an option, perhaps the firewalld interface will be sufficient for RHEL. If there's a direction you'd like fail2ban to take in its development to make it easier, please let us know. Daniel Black fail2ban dev
We are not going to turn policies on for these services in RHEL5. You will need to add a local policy to make it work.
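The report's "Allowing Access" section and the last comment both point at a local policy module, so here is a worked example of getting from the raw AVC record to that module. This is an added example, not code from the bug thread, from fail2ban or from the selinux-policy package; it does by hand what `audit2allow -M` does, so the reader can see exactly what the resulting module grants. The two sample audit lines are constructed from the AVC record in the report (same contexts, class and permissions, with a second pid and inode made up to show that duplicate denials collapse into one rule), and the module name `local_iptables` is an arbitrary choice. Note that the SYSCALL record in the report shows the denial raised during execve (syscall=59), which is the pattern of a descriptor inherited from the parent; given the `ps -eZ` output above, that parent is fail2ban-server running unconfined as initrc_t. If iptables does not actually need that socket, replacing `allow` with `dontaudit` silences the alert without widening iptables_t; which of the two is appropriate is a judgement call for the administrator, not something the thread settles.

```sh
#!/bin/sh
# Added example (not from the bug thread): build a local SELinux policy
# module from raw AVC records, the way audit2allow does, using only awk so
# it runs offline. Sample records are constructed from the report above.
SAMPLE_AVC='type=AVC msg=audit(1377550413.369:22360): avc:  denied  { read write } for  pid=28616 comm="iptables" path="socket:[14814]" dev=sockfs ino=14814 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1377550500.101:22400): avc:  denied  { read write } for  pid=28700 comm="iptables" path="socket:[15001]" dev=sockfs ino=15001 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket'

# avc_to_te MODULE_NAME
#   Reads AVC "denied" records on stdin and prints a .te module source on
#   stdout: a require block listing every type and class/permission seen,
#   then one allow rule per (source type, target type, class) with the
#   union of the denied permissions. Duplicate denials are merged.
avc_to_te() {
  awk -v mod="${1:-local_iptables}" '
    /type=AVC/ && /avc: *denied/ {
      line = $0
      # permissions sit between "denied {" and "}"
      perms = line; sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
      # a context is user:role:type[:level]; the type is the third field
      src = line; sub(/.*scontext=/, "", src); sub(/ .*/, "", src); split(src, s, ":")
      tgt = line; sub(/.*tcontext=/, "", tgt); sub(/ .*/, "", tgt); split(tgt, t, ":")
      cls = line; sub(/.*tclass=/, "", cls); sub(/ .*/, "", cls)
      types[s[3]] = 1; types[t[3]] = 1
      key = s[3] " " t[3] ":" cls
      n = split(perms, p, " ")
      for (i = 1; i <= n; i++) {
        if (!((key, p[i]) in seen)) { seen[key, p[i]] = 1; rule[key] = rule[key] " " p[i] }
        if (!((cls, p[i]) in cseen)) { cseen[cls, p[i]] = 1; cperm[cls] = cperm[cls] " " p[i] }
      }
    }
    END {
      printf "module %s 1.0;\n\nrequire {\n", mod
      for (ty in types) printf "\ttype %s;\n", ty
      for (c in cperm) printf "\tclass %s {%s };\n", c, cperm[c]
      printf "}\n\n"
      for (k in rule) printf "allow %s {%s };\n", k, rule[k]
    }
  '
}

# Print the module for the constructed sample. On a real RHEL5 host the
# equivalent one-liner is:
#   grep iptables /var/log/audit/audit.log | audit2allow -M local_iptables
# and the hand-built .te from this function is compiled and loaded with:
#   checkmodule -M -m -o local_iptables.mod local_iptables.te
#   semodule_package -o local_iptables.pp -m local_iptables.mod
#   semodule -i local_iptables.pp
# To silence the alert instead of granting the access, change "allow" to
# "dontaudit" in the generated rule before compiling.
printf '%s\n' "$SAMPLE_AVC" | avc_to_te local_iptables
```

Whichever route is taken, reload the module and re-check with `ausearch -m avc -c iptables` (or a grep over audit.log) after the next fail2ban ban; the alert count in the report should stop climbing, and nothing else in iptables_t has been loosened beyond the one socket class named in the rule.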