Bug 431562 – SELinux is preventing modprobe (insmod_t) "read write" to socket (iptables_t).

Bug 431562 - SELinux is preventing modprobe (insmod_t) "read write" to socket (iptables_t).

Summary:	SELinux is preventing modprobe (insmod_t) "read write" to socket (iptables_t).

Status:	CLOSED RAWHIDE

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	iptables (Show other bugs)
Sub Component:
Version:	rawhide
Hardware:	All Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Thomas Woerner
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:

URL:
Whiteboard:
Keywords:	SELinux

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2008-02-05 09:31 EST by Matěj Cepl
Modified:	2008-05-07 09:18 EDT (History)
CC List:	3 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2008-05-07 09:18:22 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Matěj Cepl 2008-02-05 09:31:07 EST

Description of problem:

Summary:

SELinux is preventing modprobe (insmod_t) "read write" to socket (iptables_t).

Detailed Description:

SELinux denied access requested by modprobe. It is not expected that this access
is required by modprobe and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:insmod_t
Target Context                unconfined_u:system_r:iptables_t
Target Objects                socket [ rawip_socket ]
Source                        modprobe
Source Path                   /sbin/modprobe
Port                          <Unknown>
Host                          hubmaier.ceplovi.cz
Source RPM Packages           module-init-tools-3.4-2.fc8
Target RPM Packages           
Policy RPM                    selinux-policy-3.2.6-2.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     hubmaier.ceplovi.cz
Platform                      Linux hubmaier.ceplovi.cz 2.6.24-9.fc9 #1 SMP Tue
                              Jan 29 17:45:59 EST 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Út 5. únor 2008, 15:22:26 CET
Last Seen                     Út 5. únor 2008, 15:22:26 CET
Local ID                      8cba5d8c-f525-4fda-b916-a6a7c1456749
Line Numbers                  

Raw Audit Messages            

host=hubmaier.ceplovi.cz type=AVC msg=audit(1202221346.868:264): avc:  denied  {
read write } for  pid=18796 comm="modprobe" path="socket:[302671]" dev=sockfs
ino=302671 scontext=unconfined_u:system_r:insmod_t:s0
tcontext=unconfined_u:system_r:iptables_t:s0 tclass=rawip_socket

host=hubmaier.ceplovi.cz type=SYSCALL msg=audit(1202221346.868:264):
arch=c000003e syscall=59 success=yes exit=0 a0=816440 a1=7fffa7f98820
a2=7fffa7f9bdc0 a3=2aaaaaacb0d0 items=0 ppid=18764 pid=18796 auid=500 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="modprobe"
exe="/sbin/modprobe" subj=unconfined_u:system_r:insmod_t:s0 key=(null)

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.2.6-2.fc9.noarch
module-init-tools-3.4-2.fc8.x86_64

Comment 1 Daniel Walsh 2008-02-05 14:56:11 EST

This is a bug in iptables.  It is leaking an open file descriptor.

Comment 2 Matěj Cepl 2008-02-06 04:37:23 EST

Thomas?

Comment 3 Thomas Woerner 2008-02-08 11:18:23 EST

This is strange, because iptables already contains a patch to close the socket
fd on exec.

Comment 4 Jon Masters 2008-04-25 21:43:08 EDT

This bug shouldn't be assigned to me. I'm re-assigning it to Dan.

Jon.

Comment 5 Daniel Walsh 2008-04-28 08:30:40 EDT

Jon this is not an SELinux bug,  This is a leaked file descriptor bug.  iptables
or someone that is execing iptables is leaking a file descriptor.  It is a
socket call to a raw socket that needs to be closed on exec as I stated above.


Matej

Are you running iptables within some tool?

Comment 6 Matěj Cepl 2008-04-30 17:30:34 EDT

Created attachment 304276 [details]
script used to generate iptables

(In reply to comment #5)
> Are you running iptables within some tool?  

I have a weird feeling of deja vu -- I think I have already answered in some
other bug, that I have nothing else for iptables, than this hand-made Bash
script.

Comment 7 Thomas Woerner 2008-05-05 06:29:57 EDT

Are you using iptables-1.4.0-4? If not please update to the latest iptables package.

Comment 8 Matěj Cepl 2008-05-05 16:14:26 EDT

(In reply to comment #7)
> Are you using iptables-1.4.0-4? If not please update to the latest iptables
package.

iptables-1.4.0-4.fc9.x86_64

Comment 9 Thomas Woerner 2008-05-07 09:10:37 EDT

I am not getting any selinux denial in rawhide using your script.

iptables-1.4.0-4.fc9.i386
module-init-tools-3.4-13.fc9.i386
selinux-policy-3.3.1-42.fc9.noarch

Comment 10 Matěj Cepl 2008-05-07 09:18:22 EDT

Seems to be working now.

Note You need to log in before you can comment on or make changes to this bug.