Bug 431562 - SELinux is preventing modprobe (insmod_t) "read write" to socket (iptables_t).
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: iptables (Show other bugs)
rawhide
All Linux
low Severity low
Assigned To: Thomas Woerner
Fedora Extras Quality Assurance
: SELinux
Reported: 2008-02-05 09:31 EST by Matěj Cepl
Modified: 2008-05-07 09:18 EDT (History)

Last Closed: 2008-05-07 09:18:22 EDT
Description Matěj Cepl 2008-02-05 09:31:07 EST
Description of problem:

Summary:

SELinux is preventing modprobe (insmod_t) "read write" to socket (iptables_t).

Detailed Description:

SELinux denied access requested by modprobe. It is not expected that this access
is required by modprobe and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:insmod_t
Target Context                unconfined_u:system_r:iptables_t
Target Objects                socket [ rawip_socket ]
Source                        modprobe
Source Path                   /sbin/modprobe
Port                          <Unknown>
Host                          hubmaier.ceplovi.cz
Source RPM Packages           module-init-tools-3.4-2.fc8
Target RPM Packages           
Policy RPM                    selinux-policy-3.2.6-2.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     hubmaier.ceplovi.cz
Platform                      Linux hubmaier.ceplovi.cz 2.6.24-9.fc9 #1 SMP Tue
                              Jan 29 17:45:59 EST 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Út 5. únor 2008, 15:22:26 CET
Last Seen                     Út 5. únor 2008, 15:22:26 CET
Local ID                      8cba5d8c-f525-4fda-b916-a6a7c1456749
Line Numbers                  

Raw Audit Messages            

host=hubmaier.ceplovi.cz type=AVC msg=audit(1202221346.868:264): avc:  denied  {
read write } for  pid=18796 comm="modprobe" path="socket:[302671]" dev=sockfs
ino=302671 scontext=unconfined_u:system_r:insmod_t:s0
tcontext=unconfined_u:system_r:iptables_t:s0 tclass=rawip_socket

host=hubmaier.ceplovi.cz type=SYSCALL msg=audit(1202221346.868:264):
arch=c000003e syscall=59 success=yes exit=0 a0=816440 a1=7fffa7f98820
a2=7fffa7f9bdc0 a3=2aaaaaacb0d0 items=0 ppid=18764 pid=18796 auid=500 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="modprobe"
exe="/sbin/modprobe" subj=unconfined_u:system_r:insmod_t:s0 key=(null)

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.2.6-2.fc9.noarch
module-init-tools-3.4-2.fc8.x86_64
Comment 1 Daniel Walsh 2008-02-05 14:56:11 EST
This is a bug in iptables.  It is leaking an open file descriptor.
Comment 2 Matěj Cepl 2008-02-06 04:37:23 EST
Thomas?
Comment 3 Thomas Woerner 2008-02-08 11:18:23 EST
This is strange, because iptables already contains a patch to close the socket
fd on exec.
Comment 4 Jon Masters 2008-04-25 21:43:08 EDT
This bug shouldn't be assigned to me. I'm re-assigning it to Dan.

Jon.
Comment 5 Daniel Walsh 2008-04-28 08:30:40 EDT
Jon, this is not an SELinux bug. This is a leaked file descriptor bug. iptables
or someone that is execing iptables is leaking a file descriptor. It is a
socket call to a raw socket that needs to be closed on exec, as I stated above.


Matej

Are you running iptables within some tool?  
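The failure mode Dan describes above is a socket descriptor inherited across exec. The C program below is an added illustration, not iptables' code or anything attached to this bug: it opens a socket the leaky way and the fixed way, shows how to retrofit FD_CLOEXEC on an already-open descriptor (what a "close the socket fd on exec" patch does), and asks a child process after exec whether the descriptor survived. Assumptions: a UDP socket stands in for iptables' raw IPv4 socket so the program runs unprivileged, and the survival check relies on Linux /proc.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Leaky variant: no close-on-exec, so anything exec'd later (modprobe in
 * this bug) inherits the descriptor and SELinux sees insmod_t touching a
 * socket labelled iptables_t. SOCK_DGRAM stands in for SOCK_RAW here
 * (assumption) so the example runs without CAP_NET_RAW. */
int open_socket_leaky(void) {
    return socket(AF_INET, SOCK_DGRAM, 0);
}

/* Fixed variant: request close-on-exec atomically at creation time. */
int open_socket_cloexec(void) {
    return socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
}

/* Retrofit close-on-exec on a descriptor that was opened without it. */
int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* 1 if FD_CLOEXEC is set on fd, 0 otherwise. */
int is_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags >= 0 && (flags & FD_CLOEXEC) != 0;
}

/* Fork, exec /bin/sh, and have the child report whether fd is still open
 * in its own table (via /proc/self/fd, Linux assumed).
 * Returns 1 if the child inherited fd, 0 if not, -1 on error. */
int fd_survives_exec(int fd) {
    char cmd[64];
    snprintf(cmd, sizeof cmd, "test -L /proc/self/fd/%d", fd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                     /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    int code = WEXITSTATUS(status);
    if (code == 127) return -1;
    return code == 0 ? 1 : 0;
}
```

On the leaky descriptor the child reports the socket as still open; after set_cloexec, or with open_socket_cloexec, it is gone by the time the child has exec'd.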
Comment 6 Matěj Cepl 2008-04-30 17:30:34 EDT
Created attachment 304276 [details]
script used to generate iptables

(In reply to comment #5)
> Are you running iptables within some tool?  

I have a weird feeling of deja vu -- I think I have already answered in some
other bug that I have nothing else for iptables than this hand-made Bash
script.
Comment 7 Thomas Woerner 2008-05-05 06:29:57 EDT
Are you using iptables-1.4.0-4? If not please update to the latest iptables package.
Comment 8 Matěj Cepl 2008-05-05 16:14:26 EDT
(In reply to comment #7)
> Are you using iptables-1.4.0-4? If not please update to the latest iptables
package.

iptables-1.4.0-4.fc9.x86_64
Comment 9 Thomas Woerner 2008-05-07 09:10:37 EDT
I am not getting any selinux denial in rawhide using your script.

iptables-1.4.0-4.fc9.i386
module-init-tools-3.4-13.fc9.i386
selinux-policy-3.3.1-42.fc9.noarch
Comment 10 Matěj Cepl 2008-05-07 09:18:22 EDT
Seems to be working now.
