This service will be undergoing maintenance at 00:00 UTC, 2016-09-28. It is expected to last about 1 hours
Bug 312191 - SELINUX denied modprobe access to iptables
SELINUX denied modprobe access to iptables
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: iptables (Show other bugs)
7
All Linux
low Severity low
: ---
: ---
Assigned To: Thomas Woerner
Fedora Extras Quality Assurance
:
: 364331 399131 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-09-29 04:04 EDT by Jan Willem Huijbers
Modified: 2007-12-15 12:45 EST (History)
4 users (show)

See Also:
Fixed In Version: 1.3.8-6.fc8
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-11-26 13:41:50 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Jan Willem Huijbers 2007-09-29 04:04:14 EDT
Description of problem:
strange log messages regarding iptables. IPTABLES seems to work

Version-Release number of selected component (if applicable):
latests selinux targetted and the one before

How reproducible:
reboot the server

Steps to Reproduce:
1. reboot
2.
3.
  
Actual results:
firewall script created with fwbuilder creates errors. This script is started by
rc.local

Sep 29 09:36:17 fedora-pc setroubleshoot:      SELinux is preventing
/sbin/modprobe (insmod_t) "read write" to socket:[11642] (iptables_t).      For
complete SELinux messages. run sealert -l 9aeec25b-c5a6-4736-98de-8b6f2d4195c0
Sep 29 09:36:17 fedora-pc setroubleshoot:      SELinux is preventing
/sbin/modprobe (insmod_t) "read write" to socket:[11650] (iptables_t).      For
complete SELinux messages. run sealert -l 615993c3-bbac-48c9-9a17-240ce85785b4
Sep 29 09:36:18 fedora-pc setroubleshoot:      SELinux is preventing
/sbin/modprobe (insmod_t) "read write" to socket:[11658] (iptables_t).      For
complete SELinux messages. run sealert -l 4db28153-908d-41ba-b228-3aab6a4f99ce


Expected results:
no errors

Additional info:
[root@fedora-pc ~]# sealert -l 4db28153-908d-41ba-b228-3aab6a4f99ce
Summary
    SELinux is preventing /sbin/modprobe (insmod_t) "read write" to
    socket:[11658] (iptables_t).

Detailed Description
    SELinux denied access requested by /sbin/modprobe. It is not expected that
    this access is required by /sbin/modprobe and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    You can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                system_u:system_r:insmod_t
Target Context                system_u:system_r:iptables_t
Target Objects                socket:[11658] [ rawip_socket ]
Affected RPM Packages         module-init-tools-3.3-0.pre11.1.0.fc7
                              [application]
Policy RPM                    selinux-policy-2.6.4-43.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall
Host Name                     fedora-pc.huijbers.net
Platform                      Linux fedora-pc.huijbers.net 2.6.22.9-91.fc7 #1
                              SMP Thu Sep 27 23:10:59 EDT 2007 i686 i686
Alert Count                   1
First Seen                    Sat Sep 29 09:36:09 2007
Last Seen                     Sat Sep 29 09:36:09 2007
Local ID                      4db28153-908d-41ba-b228-3aab6a4f99ce
Line Numbers                  

Raw Audit Messages            

avc: denied { read, write } for comm="modprobe" dev=sockfs egid=0 euid=0
exe="/sbin/modprobe" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name=""
path="socket:[11658]" pid=2906 scontext=system_u:system_r:insmod_t:s0 sgid=0
subj=system_u:system_r:insmod_t:s0 suid=0 tclass=rawip_socket
tcontext=system_u:system_r:iptables_t:s0 tty=(none) uid=0
Comment 1 Daniel Walsh 2007-10-01 15:45:10 EDT
This is a leaked file descriptor.  All file desctiptors should be closed on exec

fcntl(fd, F_SETFD, FD_CLOEXEC)
Comment 2 Jan Willem Huijbers 2007-10-20 07:14:12 EDT
relabeling the filesystem seems to have fixed these messages.

touch /.autorelabel
reboot
Comment 3 Thomas Woerner 2007-10-24 07:39:11 EDT
If relabeling is fixing this - can this be a leaked file descriptor then?
Comment 4 Daniel Walsh 2007-10-24 09:20:11 EDT
No I believe these have nothing to do with it.  There is nothing in labeling
which would cause insmod_t to need access to iptables__t rawip_socket this is
definitely a leaked file descriptor.
Comment 5 Thomas Woerner 2007-11-05 11:14:00 EST
*** Bug 364331 has been marked as a duplicate of this bug. ***
Comment 6 Tim Fenn 2007-11-05 20:00:46 EST
see here for netfilter-devel discussion re. this bug:

http://marc.info/?t=119402839200007&r=1&w=2
Comment 7 Fedora Update System 2007-11-08 00:57:52 EST
iptables-1.3.8-6.fc8 has been pushed to the Fedora 8 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update iptables'
Comment 8 Thomas Woerner 2007-11-26 11:00:30 EST
*** Bug 399131 has been marked as a duplicate of this bug. ***
Comment 9 Fedora Update System 2007-11-26 13:41:48 EST
iptables-1.3.8-6.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2007-12-03 06:47:22 EST
iptables-1.3.8-6.fc7 has been pushed to the Fedora 7 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update iptables'
Comment 11 Fedora Update System 2007-12-15 12:45:50 EST
iptables-1.3.8-6.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.