Description of problem:
Running iptables gives the following avc error:

    audit(1167186952.297:105): avc: denied { search } for pid=9262 comm="iptables-restor" name="nscd" dev=hda7 ino=584937 scontext=user_u:system_r:iptables_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=dir

My guess is that this occurs when iptables looks up chains that have a machine name rather than an IP address as the source or destination address. I would think that this should be allowed.

Solution would be to allow something like the following:

    module iptables_nscd 1.0;    # module header added so this compiles as a loadable module; the name is arbitrary

    require {
            class dir search;
            type iptables_t;
            type nscd_var_run_t;
            role system_r;
    };

    allow iptables_t nscd_var_run_t:dir search;
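The denial above is what the glibc resolver produces when iptables-restore resolves a hostname and probes the nscd socket under /var/run/nscd. The reporter's require/allow block is what audit2allow generates from such a line; the script below, added here as an example and not part of the bug report or of the selinux-policy package, shows the same translation done by hand: it parses the AVC line quoted in the report (embedded as constructed input), extracts the source type, target type, object class and denied permission, and emits a local policy module in the same shape. The module name, the function names and the install_te helper are the example's own choices; building and loading the module needs checkmodule, semodule_package and semodule on an SELinux host, so that step is kept in its own function and not run by default.

```shell
#!/bin/sh
# Added example: turn an AVC denial into a minimal local policy module.
# Not code from the bug report or from the selinux-policy package.

# Constructed input: the denial exactly as quoted in the report.
AVC='audit(1167186952.297:105): avc: denied { search } for pid=9262 comm="iptables-restor" name="nscd" dev=hda7 ino=584937 scontext=user_u:system_r:iptables_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=dir'

# avc_field NAME LINE -> the value of "NAME=..." in the AVC line.
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# ctx_type CONTEXT -> the type field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms LINE -> the permissions listed inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# avc_to_te MODULE_NAME LINE -> policy module source allowing exactly
# the denied access, printed to stdout. MODULE_NAME is arbitrary.
avc_to_te() {
    name=$1
    line=$2
    stype=$(ctx_type "$(avc_field scontext "$line")")
    ttype=$(ctx_type "$(avc_field tcontext "$line")")
    tclass=$(avc_field tclass "$line")
    perms=$(avc_perms "$line")
    printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n\ttype %s;\n\tclass %s { %s };\n}\n\nallow %s %s:%s { %s };\n' \
        "$name" "$stype" "$ttype" "$tclass" "$perms" \
        "$stype" "$ttype" "$tclass" "$perms"
}

# install_te MODULE_NAME: compile MODULE_NAME.te in the current directory
# and load it. Needs the SELinux policy tools and root; not run here.
install_te() {
    name=$1
    checkmodule -M -m -o "$name.mod" "$name.te" &&
    semodule_package -o "$name.pp" -m "$name.mod" &&
    semodule -i "$name.pp"
}

# Print the module for the reporter's denial. Redirect into
# iptables_nscd.te and call install_te iptables_nscd to load it.
avc_to_te iptables_nscd "$AVC"
```

The generated rule is the same allow as the reporter's block (the role line in a require block is unnecessary and is left out). A local module like this is the interim workaround until the distribution policy carries the rule, which is what the fixed package version noted in the next comment does; audit2allow -M produces the same output from a raw audit log without the manual parsing.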
Fixed in selinux-policy-2.4.6-20
When are these versions of selinux-policy going to be pushed to the 'updates' server? Currently 'updates' seems stuck at version 2.4.6-13 and even 'testing' is only up to '2.4.6-17' Thanks
2.4.6-17 should be released and 2.4.6-23 is going into testing today.
Closed as all fixes are in the current release