Bug 1005589 - SELinux is preventing iptables (iptables_t) "read" to inotify (inotifyfs_t)
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
All Linux
medium Severity medium
Assigned To: Miroslav Grepl
Milos Malik
Reported: 2013-09-08 16:52 EDT by Kristen
Modified: 2014-09-15 20:29 EDT (History)

See Also:
Fixed In Version: selinux-policy-2.4.6-347.el5
Doc Type: Bug Fix
Doc Text:
Previously, SELinux prevented the iptables_t process from using the inotify utility to monitor file system activity. This update adds appropriate SELinux rules and iptables_t can use inotify as expected.
Last Closed: 2014-09-15 20:29:50 EDT
Type: Bug

Attachments:
Contents of sealert (4.71 KB, text/plain), 2013-09-08 16:52 EDT, Kristen

Description Kristen 2013-09-08 16:52:41 EDT
Created attachment 795418
Contents of sealert

Description of problem:

The message "SELinux is preventing iptables (iptables_t) 'read' to inotify (inotifyfs_t)" is found frequently/daily in /var/log/messages.

Version-Release number of selected component (if applicable):

# rpm -qa | grep selinux

# rpm -qa | grep iptables

How reproducible:

Every day, frequently and irregularly during the day. 

Steps to Reproduce:
1. Boot server

Actual results:

Frequent log messages about security-blocked access to inotifyfs by iptables.

Expected results:

To allow iptables to access inotifyfs for security purposes

Additional info:

At this time I have added a local policy to allow iptables access to read inotifyfs. The log entries in /var/log/messages are now gone, thus far.
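As an added example (not the reporter's local policy, whose contents are not on this page), the following POSIX shell script turns AVC denial records like the one described in this bug into the text of a local policy module, so the rule being granted can be read and narrowed before it is built and loaded. The audit records are constructed to match the reported denial; the object class `dir` and the full record layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report: convert AVC "denied" records into a
# local SELinux policy module (.te text, as audit2allow -M would produce),
# so the rule is reviewed before it is compiled and installed.
# The audit records below are constructed to mirror this bug's denial.

SAMPLE_AUDIT=$(printf '%s\n' \
 'type=AVC msg=audit(1378672361.123:4567): avc:  denied  { read } for  pid=1234 comm="iptables" name="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir' \
 'type=SYSCALL msg=audit(1378672361.123:4567): arch=c000003e syscall=254 success=no exit=-13 comm="iptables"' \
 'type=AVC msg=audit(1378672399.456:4570): avc:  denied  { read } for  pid=1240 comm="iptables" name="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir')

# avc_to_te MODULE_NAME  -- reads audit records on stdin, prints a .te module.
# Only AVC "denied" records are used; duplicate denials collapse into one rule.
avc_to_te() {
    awk -v mod="$1" '
    /avc: +denied/ {
        perms = ""
        for (i = 1; i <= NF; i++) {
            # permissions are the words between "{" and "}" after "denied"
            if ($i == "{") { for (j = i + 1; j <= NF && $j != "}"; j++) perms = perms " " $j }
            if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }   # source type
            if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }   # target type
            if ($i ~ /^tclass=/)   { c = substr($i, 8) }             # object class
        }
        types[s] = 1; types[t] = 1
        key = s " " t ":" c
        n = split(perms, p, " ")
        for (k = 1; k <= n; k++) {
            if (!cseen[c, p[k]]++)   classes[c] = classes[c] " " p[k]
            if (!rseen[key, p[k]]++) rules[key] = rules[key] " " p[k]
        }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (ty in types)   printf "\ttype %s;\n", ty
        for (cl in classes) printf "\tclass %s {%s };\n", cl, classes[cl]
        printf "}\n\n"
        for (r in rules)    printf "allow %s {%s };\n", r, rules[r]
    }'
}

# After reviewing the generated rule, build and load it with the standard tools:
#   checkmodule -M -m -o local_iptables.mod local_iptables.te
#   semodule_package -o local_iptables.pp -m local_iptables.mod
#   semodule -i local_iptables.pp
printf '%s\n' "$SAMPLE_AUDIT" | avc_to_te local_iptables
```

The generated module grants exactly the one access the denial recorded (iptables_t reading the inotifyfs_t directory), which is what a local policy for this bug needs and nothing broader.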
Comment 1 RHEL Product and Program Management 2014-01-22 11:26:00 EST
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.
Comment 5 errata-xmlrpc 2014-09-15 20:29:50 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.