Bug 428553 - SELinux is preventing /sbin/iptables (iptables_t) "read write" to socket:[13390] (initrc_t).
SELinux is preventing /sbin/iptables (iptables_t) "read write" to socket:[133...
Status: CLOSED CANTFIX
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
7
All Linux
low Severity high
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-01-13 01:44 EST by David
Modified: 2009-09-12 18:53 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-01-15 09:52:33 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description David 2008-01-13 01:44:27 EST
Description of problem:
SELinux denied access requested by /sbin/iptables. It is not expected that this
access is required by /sbin/iptables and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.Allowing AccessYou can
generate a local policy module to allow this access - see FAQ Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report against this package.Additional InformationSource
Context:  system_u:system_r:iptables_tTarget
Context:  system_u:system_r:initrc_tTarget Objects:  socket:[13390] [
unix_dgram_socket ]Affected RPM Packages:  iptables-1.3.8-6.fc7
[application]Policy RPM:  selinux-policy-2.6.4-67.fc7Selinux
Enabled:  TruePolicy Type:  targetedMLS Enabled:  TrueEnforcing
Mode:  PermissivePlugin Name:  plugins.catchall

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 David 2008-01-13 01:44:40 EST
Raw Audit Messages :avc: denied { read, write } for comm="iptables" dev=sockfs
egid=494 euid=0 exe="/sbin/iptables" exit=0 fsgid=494 fsuid=0 gid=494 items=0
path="socket:[13390]" pid=25424 scontext=system_u:system_r:iptables_t:s0
sgid=494 subj=system_u:system_r:iptables_t:s0 suid=0 tclass=unix_dgram_socket
tcontext=system_u:system_r:initrc_t:s0 tty=(none) uid=0 
Comment 2 Daniel Walsh 2008-01-14 12:48:15 EST
This looks like a leaked file descriptor of the program that execed iptables. 
The owner of socket:[13390] is leaking the file descriptor and should close it
on exec.  You can find the owner using lsof, or look for processes running as
initrc_t.  ps -eZ | grep initrc_t
Comment 3 David 2008-01-14 19:18:28 EST
[root@server ~]# ps -eZ | grep initrc_t
system_u:system_r:initrc_t       2954 ?        00:00:02 rpcbind
system_u:system_r:initrc_t       3138 ?        00:00:18 python
system_u:system_r:initrc_t       3225 ?        00:00:00 mysqld_safe
system_u:system_r:initrc_t       3326 ?        00:00:00 couriertcpd
system_u:system_r:initrc_t       3328 ?        00:00:00 courierlogger
system_u:system_r:initrc_t       3336 ?        00:00:00 couriertcpd
system_u:system_r:initrc_t       3338 ?        00:00:00 courierlogger
system_u:system_r:initrc_t       3344 ?        00:00:00 couriertcpd
system_u:system_r:initrc_t       3346 ?        00:00:00 courierlogger
system_u:system_r:initrc_t       3353 ?        00:00:00 couriertcpd
system_u:system_r:initrc_t       3355 ?        00:00:00 courierlogger
system_u:system_r:initrc_t       3369 ?        00:00:02 qmail-send
system_u:system_r:initrc_t       3371 ?        00:00:00 splogger
system_u:system_r:initrc_t       3372 ?        00:00:00 qmail-lspawn
system_u:system_r:initrc_t       3373 ?        00:00:00 qmail-rspawn
system_u:system_r:initrc_t       3374 ?        00:00:00 qmail-clean
system_u:system_r:initrc_t       3458 ?        00:00:00 httpsd
system_u:system_r:initrc_t       3462 ?        00:01:06 httpsd
system_u:system_r:initrc_t       3482 ?        00:01:08 httpsd
system_u:system_r:initrc_t       3484 ?        00:00:25 drwebd
system_u:system_r:initrc_t       3500 ?        00:00:00 nasd
system_u:system_r:initrc_t       3772 ?        00:00:15 ossec-maild
system_u:system_r:initrc_t       3776 ?        00:00:00 ossec-execd
system_u:system_r:initrc_t       3780 ?        00:00:18 ossec-analysisd
system_u:system_r:initrc_t       3784 ?        00:00:46 ossec-logcollec
system_u:system_r:initrc_t       3795 ?        00:05:17 ossec-syscheckd
system_u:system_r:initrc_t       3799 ?        00:00:00 ossec-monitord
system_u:system_r:initrc_t      14647 ?        00:00:00 supervisor
system_u:system_r:initrc_t      14666 ?        00:00:36 supervisor <defunct>
system_u:system_r:initrc_t      14790 ?        00:00:00 drwebd <defunct>
system_u:system_r:initrc_t      17346 ?        00:00:00 drwebd
system_u:system_r:initrc_t      17347 ?        00:00:00 drwebd
system_u:system_r:initrc_t      17348 ?        00:00:00 drwebd
system_u:system_r:initrc_t      17349 ?        00:00:00 drwebd
system_u:system_r:initrc_t      30738 ?        00:00:00 qmail-remote
system_u:system_r:initrc_t      30739 ?        00:00:00 qmail-remote.mo
Comment 4 Daniel Walsh 2008-01-15 09:52:33 EST
Does lsof tell you anything?

You can just allow this by executing 

# grep iptables /var/log/audit/audit.log | audit2allow -M myiptbales
# semodule -i myiptables.pp

But there is not much I can do to fix it.

Note You need to log in before you can comment on or make changes to this bug.