Bug 216072 - SELinux is preventing /sbin/iptables (iptables_t) "use" to /dev/null (pppd_t).
Summary: SELinux is preventing /sbin/iptables (iptables_t) "use" to /dev/null (pppd_t).
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 6
Hardware: i386
OS: Linux
medium
high
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-11-17 04:13 UTC by David Mohring
Modified: 2007-11-30 22:11 UTC (History)
2 users (show)

Fixed In Version: Current
Clone Of:
Environment:
Last Closed: 2007-09-12 17:08:12 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description David Mohring 2006-11-17 04:13:48 UTC 
Description of problem:


Version-Release number of selected component (if applicable):

Affected RPM Packagesiptables-1.3.5-1.2.1 
Policy RPM   selinux-policy-2.4.3-2.fc6

( Selinux EnabledTrue
Policy Type  targeted
MLS Enabled  TrueEnforcing 
Mode Enforcing )

How reproducible:

Very

Steps to Reproduce:
1. xDSL connection times out
2. xDSL reconnections
3. iptables reloaded for new ppp connection
  
Actual results:
 
avc: denied { use } for comm='"iptables"' dev='tmpfs' egid='0' euid='0'
exe='"/sbin/iptables"' exit='0' fsgid='0' fsuid='0' gid='0' items='0'
name='"null"' path='"/dev/null"' pid='19669'
scontext=system_u:system_r:iptables_t:s0 sgid='0'
subj='system_u:system_r:iptables_t:s0' suid='0' tclass='fd'
tcontext=system_u:system_r:pppd_t:s0 tty='(none)' uid='0' 

Repeated until I run 
# restorecon -v /dev/null 

Expected results:

No SELinux conflict

Additional info:

I'm using firestarter-1.0.3-14.fc6 from extras, but manually restarting iptables
 produces the same error messages.
Comment 1 Daniel Walsh 2006-11-17 18:10:06 UTC 
Fixed in selinux-policy-2.4.5-1
Comment 2 Ronald Pacheco 2007-06-28 12:30:41 UTC 
*** Bug 223289 has been marked as a duplicate of this bug. ***
Comment 3 Daniel Walsh 2007-09-12 17:08:12 UTC 
Moving modified bugs to closed
Note You need to log in before you can comment on or make changes to this bug.