Description of problem:
Strange log messages regarding iptables. iptables seems to work.

Version-Release number of selected component (if applicable):
latest selinux targeted and the one before

How reproducible:
reboot the server

Steps to Reproduce:
1. reboot
2.
3.

Actual results:
Firewall script created with fwbuilder creates errors. This script is started by rc.local.

Sep 29 09:36:17 fedora-pc setroubleshoot: SELinux is preventing /sbin/modprobe (insmod_t) "read write" to socket:[11642] (iptables_t). For complete SELinux messages. run sealert -l 9aeec25b-c5a6-4736-98de-8b6f2d4195c0
Sep 29 09:36:17 fedora-pc setroubleshoot: SELinux is preventing /sbin/modprobe (insmod_t) "read write" to socket:[11650] (iptables_t). For complete SELinux messages. run sealert -l 615993c3-bbac-48c9-9a17-240ce85785b4
Sep 29 09:36:18 fedora-pc setroubleshoot: SELinux is preventing /sbin/modprobe (insmod_t) "read write" to socket:[11658] (iptables_t). For complete SELinux messages. run sealert -l 4db28153-908d-41ba-b228-3aab6a4f99ce

Expected results:
no errors

Additional info:
[root@fedora-pc ~]# sealert -l 4db28153-908d-41ba-b228-3aab6a4f99ce

Summary
    SELinux is preventing /sbin/modprobe (insmod_t) "read write" to socket:[11658] (iptables_t).

Detailed Description
    SELinux denied access requested by /sbin/modprobe. It is not expected that this access is required by /sbin/modprobe and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
    You can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information

Source Context                system_u:system_r:insmod_t
Target Context                system_u:system_r:iptables_t
Target Objects                socket:[11658] [ rawip_socket ]
Affected RPM Packages         module-init-tools-3.3-0.pre11.1.0.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-43.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall
Host Name                     fedora-pc.huijbers.net
Platform                      Linux fedora-pc.huijbers.net 2.6.22.9-91.fc7 #1 SMP Thu Sep 27 23:10:59 EDT 2007 i686 i686
Alert Count                   1
First Seen                    Sat Sep 29 09:36:09 2007
Last Seen                     Sat Sep 29 09:36:09 2007
Local ID                      4db28153-908d-41ba-b228-3aab6a4f99ce
Line Numbers

Raw Audit Messages

avc: denied { read, write } for comm="modprobe" dev=sockfs egid=0 euid=0 exe="/sbin/modprobe" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="" path="socket:[11658]" pid=2906 scontext=system_u:system_r:insmod_t:s0 sgid=0 subj=system_u:system_r:insmod_t:s0 suid=0 tclass=rawip_socket tcontext=system_u:system_r:iptables_t:s0 tty=(none) uid=0
This is a leaked file descriptor. All file descriptors should be closed on exec: fcntl(fd, F_SETFD, FD_CLOEXEC)
Relabeling the filesystem seems to have fixed these messages.

touch /.autorelabel
reboot
If relabeling is fixing this - can this be a leaked file descriptor then?
No, I believe these have nothing to do with it. There is nothing in labeling which would cause insmod_t to need access to an iptables_t rawip_socket; this is definitely a leaked file descriptor.
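Comments 3 and 6 attribute the AVC above to a descriptor leak: iptables (iptables_t) holds a raw socket open, forks and execs /sbin/modprobe, and the child (insmod_t) inherits a socket still labelled with its creator's context, which the targeted policy then denies. The C program below is an added illustration, not code from iptables, module-init-tools or anyone in this thread. It reproduces the mechanism with a constructed AF_UNIX socketpair standing in for the raw socket (SOCK_RAW needs CAP_NET_RAW, and the inheritance rules are the same), execs /bin/sh as a stand-in for /sbin/modprobe, and reports whether the descriptor survives exec before and after the fcntl(fd, F_SETFD, FD_CLOEXEC) that comment 3 prescribes. The function names set_cloexec, fd_survives_exec and demo_leak_and_fix are my own.

```c
/* Added example: a socket descriptor inherited across fork+exec, and the
 * FD_CLOEXEC fix from comment 3.  Not code from iptables or module-init-tools. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mark fd close-on-exec with fcntl(fd, F_SETFD, FD_CLOEXEC).  The existing
 * flags are read first so no other FD_* flag gets clobbered. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Fork and exec /bin/sh (standing in for /sbin/modprobe) and let the child
 * report whether descriptor `fd` is still open after exec.  The shell command
 * ": 2>/dev/null >&N" exits 0 only if fd N is open in the exec'd process.
 * Returns 1 if the descriptor leaked into the child, 0 if it was closed,
 * -1 on error (fork/wait failure or /bin/sh not found). */
int fd_survives_exec(int fd)
{
    char cmd[64];
    pid_t pid;
    int status;

    snprintf(cmd, sizeof cmd, ": 2>/dev/null >&%d", fd);
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);            /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

/* Open a socket the way a tool like iptables might, exec a helper once
 * without and once with FD_CLOEXEC, and record whether the helper could see
 * the socket each time.  A constructed AF_UNIX socketpair stands in for the
 * raw socket.  Returns 0 on success, -1 on error. */
int demo_leak_and_fix(int *leaked_before, int *leaked_after)
{
    int sv[2];

    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return -1;

    /* 1. Default behaviour: descriptors are inherited across exec, so the
     *    helper holds a socket it never opened.  Under SELinux that socket
     *    keeps the creator's label, which is the insmod_t -> iptables_t
     *    rawip_socket denial shown in the report. */
    *leaked_before = fd_survives_exec(sv[0]);

    /* 2. The fix from comment 3: mark the descriptor close-on-exec, so the
     *    kernel drops it in the child at exec time. */
    if (set_cloexec(sv[0]) < 0) {
        close(sv[0]);
        close(sv[1]);
        return -1;
    }
    *leaked_after = fd_survives_exec(sv[0]);

    close(sv[0]);
    close(sv[1]);
    if (*leaked_before < 0 || *leaked_after < 0)
        return -1;
    return 0;
}

int main(void)
{
    int before, after;

    if (demo_leak_and_fix(&before, &after) != 0) {
        perror("demo_leak_and_fix");
        return 1;
    }
    printf("without FD_CLOEXEC: %s\n",
           before ? "socket survives exec (leaked)" : "socket closed on exec");
    printf("with    FD_CLOEXEC: %s\n",
           after ? "socket survives exec (leaked)" : "socket closed on exec");
    return 0;
}
```

On a live system the same check is `ls -l /proc/<pid>/fd` (or `lsof -p <pid>`) against the helper process while it runs: a socket entry whose owner is the parent's domain is the leak. Setting the flag with fcntl after the socket exists leaves a window in multithreaded programs where another thread can fork between socket() and fcntl(); on Linux 2.6.27 and later the SOCK_CLOEXEC flag to socket()/socketpair() sets it atomically at creation, which is the form to prefer where the target kernel supports it (the 2.6.22 kernel in this report does not).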
*** Bug 364331 has been marked as a duplicate of this bug. ***
see here for netfilter-devel discussion re. this bug: http://marc.info/?t=119402839200007&r=1&w=2
iptables-1.3.8-6.fc8 has been pushed to the Fedora 8 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update iptables'
*** Bug 399131 has been marked as a duplicate of this bug. ***
iptables-1.3.8-6.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
iptables-1.3.8-6.fc7 has been pushed to the Fedora 7 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update iptables'
iptables-1.3.8-6.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.