Description of problem:
SELinux denied access requested by /sbin/iptables. It is not expected that this access is required by /sbin/iptables and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
You can generate a local policy module to allow this access - see FAQ. Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package.

Additional Information
Source Context: system_u:system_r:iptables_t
Target Context: system_u:system_r:initrc_t
Target Objects: socket:[13390] [ unix_dgram_socket ]
Affected RPM Packages: iptables-1.3.8-6.fc7 [application]
Policy RPM: selinux-policy-2.6.4-67.fc7
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: plugins.catchall

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Raw Audit Messages:
avc: denied { read, write } for comm="iptables" dev=sockfs egid=494 euid=0 exe="/sbin/iptables" exit=0 fsgid=494 fsuid=0 gid=494 items=0 path="socket:[13390]" pid=25424 scontext=system_u:system_r:iptables_t:s0 sgid=494 subj=system_u:system_r:iptables_t:s0 suid=0 tclass=unix_dgram_socket tcontext=system_u:system_r:initrc_t:s0 tty=(none) uid=0
This looks like a leaked file descriptor of the program that execed iptables. The owner of socket:[13390] is leaking the file descriptor and should close it on exec. You can find the owner using lsof, or look for processes running as initrc_t:

ps -eZ | grep initrc_t
[root@server ~]# ps -eZ | grep initrc_t
system_u:system_r:initrc_t 2954 ? 00:00:02 rpcbind
system_u:system_r:initrc_t 3138 ? 00:00:18 python
system_u:system_r:initrc_t 3225 ? 00:00:00 mysqld_safe
system_u:system_r:initrc_t 3326 ? 00:00:00 couriertcpd
system_u:system_r:initrc_t 3328 ? 00:00:00 courierlogger
system_u:system_r:initrc_t 3336 ? 00:00:00 couriertcpd
system_u:system_r:initrc_t 3338 ? 00:00:00 courierlogger
system_u:system_r:initrc_t 3344 ? 00:00:00 couriertcpd
system_u:system_r:initrc_t 3346 ? 00:00:00 courierlogger
system_u:system_r:initrc_t 3353 ? 00:00:00 couriertcpd
system_u:system_r:initrc_t 3355 ? 00:00:00 courierlogger
system_u:system_r:initrc_t 3369 ? 00:00:02 qmail-send
system_u:system_r:initrc_t 3371 ? 00:00:00 splogger
system_u:system_r:initrc_t 3372 ? 00:00:00 qmail-lspawn
system_u:system_r:initrc_t 3373 ? 00:00:00 qmail-rspawn
system_u:system_r:initrc_t 3374 ? 00:00:00 qmail-clean
system_u:system_r:initrc_t 3458 ? 00:00:00 httpsd
system_u:system_r:initrc_t 3462 ? 00:01:06 httpsd
system_u:system_r:initrc_t 3482 ? 00:01:08 httpsd
system_u:system_r:initrc_t 3484 ? 00:00:25 drwebd
system_u:system_r:initrc_t 3500 ? 00:00:00 nasd
system_u:system_r:initrc_t 3772 ? 00:00:15 ossec-maild
system_u:system_r:initrc_t 3776 ? 00:00:00 ossec-execd
system_u:system_r:initrc_t 3780 ? 00:00:18 ossec-analysisd
system_u:system_r:initrc_t 3784 ? 00:00:46 ossec-logcollec
system_u:system_r:initrc_t 3795 ? 00:05:17 ossec-syscheckd
system_u:system_r:initrc_t 3799 ? 00:00:00 ossec-monitord
system_u:system_r:initrc_t 14647 ? 00:00:00 supervisor
system_u:system_r:initrc_t 14666 ? 00:00:36 supervisor <defunct>
system_u:system_r:initrc_t 14790 ? 00:00:00 drwebd <defunct>
system_u:system_r:initrc_t 17346 ? 00:00:00 drwebd
system_u:system_r:initrc_t 17347 ? 00:00:00 drwebd
system_u:system_r:initrc_t 17348 ? 00:00:00 drwebd
system_u:system_r:initrc_t 17349 ? 00:00:00 drwebd
system_u:system_r:initrc_t 30738 ? 00:00:00 qmail-remote
system_u:system_r:initrc_t 30739 ? 00:00:00 qmail-remote.mo
Does lsof tell you anything? You can just allow this by executing

# grep iptables /var/log/audit/audit.log | audit2allow -M myiptables
# semodule -i myiptables.pp

But there is not much I can do to fix it.