Description of problem:

Summary:
SELinux is preventing modprobe (insmod_t) "read write" to socket (iptables_t).

Detailed Description:
SELinux denied access requested by modprobe. It is not expected that this access is required by modprobe and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385). Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:
Source Context        unconfined_u:system_r:insmod_t
Target Context        unconfined_u:system_r:iptables_t
Target Objects        socket [ rawip_socket ]
Source                modprobe
Source Path           /sbin/modprobe
Port                  <Unknown>
Host                  hubmaier.ceplovi.cz
Source RPM Packages   module-init-tools-3.4-2.fc8
Target RPM Packages
Policy RPM            selinux-policy-3.2.6-2.fc9
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Enforcing
Plugin Name           catchall
Host Name             hubmaier.ceplovi.cz
Platform              Linux hubmaier.ceplovi.cz 2.6.24-9.fc9 #1 SMP Tue Jan 29 17:45:59 EST 2008 x86_64 x86_64
Alert Count           1
First Seen            Tue 5 February 2008, 15:22:26 CET
Last Seen             Tue 5 February 2008, 15:22:26 CET
Local ID              8cba5d8c-f525-4fda-b916-a6a7c1456749
Line Numbers

Raw Audit Messages:
host=hubmaier.ceplovi.cz type=AVC msg=audit(1202221346.868:264): avc: denied { read write } for pid=18796 comm="modprobe" path="socket:[302671]" dev=sockfs ino=302671 scontext=unconfined_u:system_r:insmod_t:s0 tcontext=unconfined_u:system_r:iptables_t:s0 tclass=rawip_socket
host=hubmaier.ceplovi.cz type=SYSCALL msg=audit(1202221346.868:264): arch=c000003e syscall=59 success=yes exit=0 a0=816440 a1=7fffa7f98820 a2=7fffa7f9bdc0 a3=2aaaaaacb0d0 items=0 ppid=18764 pid=18796 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="modprobe" exe="/sbin/modprobe" subj=unconfined_u:system_r:insmod_t:s0 key=(null)

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.2.6-2.fc9.noarch
module-init-tools-3.4-2.fc8.x86_64
This is a bug in iptables. It is leaking an open file descriptor.
Thomas?
This is strange, because iptables already contains a patch to close the socket fd on exec.
This bug shouldn't be assigned to me. I'm re-assigning it to Dan. Jon.
Jon, this is not an SELinux bug. This is a leaked file descriptor bug. iptables, or something that is execing iptables, is leaking a file descriptor. It is a socket call to a raw socket that needs to be closed on exec, as I stated above. Matej, are you running iptables within some tool?
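The mechanism described in the comment above (a socket fd that survives iptables' execve() of modprobe because FD_CLOEXEC was never set on it, so modprobe runs under insmod_t holding a socket still labelled iptables_t), as an added example that is not part of this bug report and not the iptables patch the comments refer to. The AVC record's SYSCALL line shows syscall=59 with arch=c000003e, which is execve on x86_64, consistent with the fd crossing an exec boundary rather than modprobe opening it. The example uses an AF_UNIX datagram socket rather than a raw IP socket, an assumption made so it runs without CAP_NET_RAW; inheritance across execve() is identical for any descriptor type. All function names and FD_SCAN_LIMIT are made up for this example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

#define FD_SCAN_LIMIT 1024 /* how far to walk the fd table when auditing (assumption) */

/* Return 1 if fd will be closed on execve(), 0 if a child exec'd now would
 * inherit it, -1 if fd is not open (fcntl fails with EBADF). */
int fd_is_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Fix 2: retrofit FD_CLOEXEC on a descriptor that is already open. This is
 * what a "close the socket fd on exec" patch in an existing code base does.
 * Returns 0 on success, -1 on error. */
int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* The leaky pattern: a socket opened with no close-on-exec flag. Anything
 * this process execs (modprobe, a helper script, a shell) inherits it.
 * A raw IP socket (AF_INET, SOCK_RAW) needs CAP_NET_RAW, so an AF_UNIX
 * datagram socket stands in for it here. */
int open_socket_leaky(void) {
    return socket(AF_UNIX, SOCK_DGRAM, 0);
}

/* Fix 1: request close-on-exec atomically at creation time, so there is no
 * window between socket() and fcntl() in which another thread's fork+exec
 * could still inherit the fd. SOCK_CLOEXEC is Linux 2.6.27+. */
int open_socket_cloexec(void) {
#ifdef SOCK_CLOEXEC
    return socket(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
#else
    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd >= 0 && set_cloexec(fd) < 0) {
        close(fd);
        return -1;
    }
    return fd;
#endif
}

/* Audit helper: count descriptors above stderr that would be inherited by a
 * child exec'd right now. Call it immediately before execve(), system() or
 * popen() to catch exactly the leak the AVC message above reports. */
int count_inheritable_fds(void) {
    int n = 0;
    for (int fd = 3; fd < FD_SCAN_LIMIT; fd++)
        if (fd_is_cloexec(fd) == 0)
            n++;
    return n;
}

int main(void) {
    int leaky = open_socket_leaky();
    int safe = open_socket_cloexec();
    if (leaky < 0 || safe < 0) {
        perror("socket");
        return 1;
    }
    printf("leaky fd %d cloexec=%d, safe fd %d cloexec=%d, inheritable fds=%d\n",
           leaky, fd_is_cloexec(leaky), safe, fd_is_cloexec(safe),
           count_inheritable_fds());
    set_cloexec(leaky);
    printf("after fcntl: leaky fd %d cloexec=%d, inheritable fds=%d\n",
           leaky, fd_is_cloexec(leaky), count_inheritable_fds());
    close(leaky);
    close(safe);
    return 0;
}
```

On a live system the same check is `ls -l /proc/<pid>/fd` for the exec'd child: a `socket:[inode]` entry in modprobe's fd table that matches the `path="socket:[302671]"` in the AVC record is the leaked descriptor, and the fix belongs in the parent that opened it, not in the SELinux policy.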
Created attachment 304276 [details]
script used to generate iptables

(In reply to comment #5)
> Are you running iptables within some tool?

I have a weird feeling of deja vu -- I think I have already answered in some other bug that I have nothing else for iptables than this hand-made Bash script.
Are you using iptables-1.4.0-4? If not please update to the latest iptables package.
(In reply to comment #7)
> Are you using iptables-1.4.0-4? If not please update to the latest iptables package.

iptables-1.4.0-4.fc9.x86_64
I am not getting any selinux denial in rawhide using your script.

iptables-1.4.0-4.fc9.i386
module-init-tools-3.4-13.fc9.i386
selinux-policy-3.3.1-42.fc9.noarch
Seems to be working now.