Bug 431562 - SELinux is preventing modprobe (insmod_t) "read write" to socket (iptables_t).
Summary: SELinux is preventing modprobe (insmod_t) "read write" to socket (iptables_t).
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: iptables
Version: rawhide
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2008-02-05 14:31 UTC by Matěj Cepl
Modified: 2018-04-11 18:41 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2008-05-07 13:18:22 UTC
Type: ---
Embargoed:

Description Matěj Cepl 2008-02-05 14:31:07 UTC
Description of problem:

Summary:

SELinux is preventing modprobe (insmod_t) "read write" to socket (iptables_t).

Detailed Description:

SELinux denied access requested by modprobe. It is not expected that this access
is required by modprobe and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:insmod_t
Target Context                unconfined_u:system_r:iptables_t
Target Objects                socket [ rawip_socket ]
Source                        modprobe
Source Path                   /sbin/modprobe
Port                          <Unknown>
Host                          hubmaier.ceplovi.cz
Source RPM Packages           module-init-tools-3.4-2.fc8
Target RPM Packages           
Policy RPM                    selinux-policy-3.2.6-2.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     hubmaier.ceplovi.cz
Platform                      Linux hubmaier.ceplovi.cz 2.6.24-9.fc9 #1 SMP Tue
                              Jan 29 17:45:59 EST 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Út 5. únor 2008, 15:22:26 CET
Last Seen                     Út 5. únor 2008, 15:22:26 CET
Local ID                      8cba5d8c-f525-4fda-b916-a6a7c1456749
Line Numbers                  

Raw Audit Messages            

host=hubmaier.ceplovi.cz type=AVC msg=audit(1202221346.868:264): avc:  denied  {
read write } for  pid=18796 comm="modprobe" path="socket:[302671]" dev=sockfs
ino=302671 scontext=unconfined_u:system_r:insmod_t:s0
tcontext=unconfined_u:system_r:iptables_t:s0 tclass=rawip_socket

host=hubmaier.ceplovi.cz type=SYSCALL msg=audit(1202221346.868:264):
arch=c000003e syscall=59 success=yes exit=0 a0=816440 a1=7fffa7f98820
a2=7fffa7f9bdc0 a3=2aaaaaacb0d0 items=0 ppid=18764 pid=18796 auid=500 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="modprobe"
exe="/sbin/modprobe" subj=unconfined_u:system_r:insmod_t:s0 key=(null)

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.2.6-2.fc9.noarch
module-init-tools-3.4-2.fc8.x86_64

Comment 1 Daniel Walsh 2008-02-05 19:56:11 UTC
This is a bug in iptables.  It is leaking an open file descriptor.

Comment 2 Matěj Cepl 2008-02-06 09:37:23 UTC
Thomas?

Comment 3 Thomas Woerner 2008-02-08 16:18:23 UTC
This is strange, because iptables already contains a patch to close the socket
fd on exec.

Comment 4 Jon Masters 2008-04-26 01:43:08 UTC
This bug shouldn't be assigned to me. I'm re-assigning it to Dan.

Jon.

Comment 5 Daniel Walsh 2008-04-28 12:30:40 UTC
Jon, this is not an SELinux bug. This is a leaked file descriptor bug. iptables
or someone that is execing iptables is leaking a file descriptor. It is a
socket call to a raw socket that needs to be closed on exec as I stated above.


Matej

Are you running iptables within some tool?  
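
Added example (not code from the bug, from iptables or from setroubleshoot): a small audit-log check that correlates the AVC and SYSCALL records from the description by their audit event id and flags the leaked-descriptor pattern that Comments 1 and 5 describe. The record text is the report's own, rejoined onto single lines with the SYSCALL record trimmed to the fields read here; the verdict labels and the "socket labelled with another domain's type, denied during a successful execve" heuristic are this example's assumptions, not an official rule.

```python
import re

# Sample input: the two Raw Audit Messages from the description, rejoined (SYSCALL one trimmed).
AUDIT_LINES = [
    'host=hubmaier.ceplovi.cz type=AVC msg=audit(1202221346.868:264): avc:  denied  '
    '{ read write } for  pid=18796 comm="modprobe" path="socket:[302671]" dev=sockfs '
    'ino=302671 scontext=unconfined_u:system_r:insmod_t:s0 '
    'tcontext=unconfined_u:system_r:iptables_t:s0 tclass=rawip_socket',
    'host=hubmaier.ceplovi.cz type=SYSCALL msg=audit(1202221346.868:264): arch=c000003e '
    'syscall=59 success=yes pid=18796 comm="modprobe" subj=unconfined_u:system_r:insmod_t:s0',
]
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r'msg=audit\((\d+\.\d+:\d+)\)')
PERMS_RE = re.compile(r'\{\s*([^}]*?)\s*\}')

def parse_record(line):
    """One audit record -> dict of key=value fields plus event id and AVC perms."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec["event"] = EVENT_RE.search(line).group(1)
    perms = PERMS_RE.search(line)
    rec["perms"] = perms.group(1).split() if perms else []
    return rec

def domain(context):
    return context.split(":")[2]  # type field of a context, e.g. 'insmod_t'

def analyze(lines):
    """Join AVC and SYSCALL records by event id and flag inherited-descriptor denials:
    a denied socket labelled with another domain's type, hit during a successful execve,
    is a descriptor the parent left open across exec (the leak Comment 5 describes)."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        events.setdefault(rec["event"], {})[rec["type"]] = rec
    findings = []
    for event_id, recs in sorted(events.items()):
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if not avc or not sc:  # need both halves of the event to decide
            findings.append({"event": event_id, "verdict": "incomplete"})
            continue
        inherited_socket = (avc.get("tclass", "").endswith("_socket")
                            and avc.get("path", "").startswith("socket:[")
                            and domain(avc["scontext"]) != domain(avc["tcontext"]))
        # arch c000003e is x86_64, where syscall 59 is execve; success=yes: exec went ahead
        at_execve = (sc.get("arch"), sc.get("syscall"), sc.get("success")) == ("c000003e", "59", "yes")
        verdict = "fd-leak-across-exec" if inherited_socket and at_execve else "other-denial"
        findings.append({"event": event_id, "verdict": verdict, "comm": avc["comm"],
                         "perms": avc["perms"], "leaked_from": domain(avc["tcontext"]),
                         "leaked_to": domain(avc["scontext"])})
    return findings
```

On the report's records this yields one finding: the iptables_t raw socket reached modprobe (insmod_t) across execve, which is the descriptor the close-on-exec fix in iptables is meant to prevent.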

Comment 6 Matěj Cepl 2008-04-30 21:30:34 UTC
Created attachment 304276 [details]
script used to generate iptables

(In reply to comment #5)
> Are you running iptables within some tool?  

I have a weird feeling of deja vu -- I think I have already answered in some
other bug that I have nothing else for iptables than this hand-made Bash
script.

Comment 7 Thomas Woerner 2008-05-05 10:29:57 UTC
Are you using iptables-1.4.0-4? If not, please update to the latest iptables package.

Comment 8 Matěj Cepl 2008-05-05 20:14:26 UTC
(In reply to comment #7)
> Are you using iptables-1.4.0-4? If not please update to the latest iptables
> package.

iptables-1.4.0-4.fc9.x86_64

Comment 9 Thomas Woerner 2008-05-07 13:10:37 UTC
I am not getting any selinux denial in rawhide using your script.

iptables-1.4.0-4.fc9.i386
module-init-tools-3.4-13.fc9.i386
selinux-policy-3.3.1-42.fc9.noarch

Comment 10 Matěj Cepl 2008-05-07 13:18:22 UTC
Seems to be working now.