Description of problem:

Summary:
SELinux is preventing modprobe from using potentially mislabeled files (/tmp/iptables.DJg2FA).

Detailed Description:
SELinux has denied modprobe access to potentially mislabeled file(s) (/tmp/iptables.DJg2FA). This means that SELinux will not allow modprobe to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access.

Allowing Access:
If you want modprobe to access these files, you need to relabel them using restorecon -v '/tmp/iptables.DJg2FA'. You might want to relabel the entire directory using restorecon -R -v '/tmp'.

Additional Information:
Source Context        unconfined_u:system_r:insmod_t
Target Context        unconfined_u:object_r:initrc_tmp_t
Target Objects        /tmp/iptables.DJg2FA [ file ]
Source                modprobe
Source Path           /sbin/modprobe
Port                  <Unknown>
Host                  hubmaier.ceplovi.cz
Source RPM Packages   module-init-tools-3.4-2.fc8
Target RPM Packages
Policy RPM            selinux-policy-3.3.1-17.fc9
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Enforcing
Plugin Name           home_tmp_bad_labels
Host Name             hubmaier.ceplovi.cz
Platform              Linux hubmaier.ceplovi.cz 2.6.25-0.121.rc5.git4.fc9 #1 SMP Fri Mar 14 22:50:25 EDT 2008 x86_64 x86_64
Alert Count           1
First Seen            Mon 17 Mar 2008 17:58:03 CET
Last Seen             Mon 17 Mar 2008 17:58:03 CET
Local ID              80579923-7317-4d4a-9622-92f6b4fe6435
Line Numbers

Raw Audit Messages:
host=hubmaier.ceplovi.cz type=AVC msg=audit(1205773083.373:640): avc: denied { write } for pid=18726 comm="modprobe" path="/tmp/iptables.DJg2FA" dev=dm-1 ino=65587 scontext=unconfined_u:system_r:insmod_t:s0 tcontext=unconfined_u:object_r:initrc_tmp_t:s0 tclass=file
host=hubmaier.ceplovi.cz type=AVC msg=audit(1205773083.373:640): avc: denied { read } for pid=18726 comm="modprobe" path="/proc/18725/net/ip_tables_names" dev=proc ino=4026532219 scontext=unconfined_u:system_r:insmod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
host=hubmaier.ceplovi.cz type=AVC msg=audit(1205773083.373:640): avc: denied { read write } for pid=18726 comm="modprobe" path="socket:[261495]" dev=sockfs ino=261495 scontext=unconfined_u:system_r:insmod_t:s0 tcontext=unconfined_u:system_r:iptables_t:s0 tclass=rawip_socket
host=hubmaier.ceplovi.cz type=SYSCALL msg=audit(1205773083.373:640): arch=c000003e syscall=59 success=yes exit=0 a0=d17f70 a1=7fff032797d0 a2=7fff0327a098 a3=7ff8fb25b810 items=0 ppid=18725 pid=18726 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=11 comm="modprobe" exe="/sbin/modprobe" subj=unconfined_u:system_r:insmod_t:s0 key=(null)

Version-Release number of selected component (if applicable):
iptables-1.4.0-3.fc9.x86_64
module-init-tools-3.4-2.fc8.x86_64
selinux-policy-targeted-3.3.1-17.fc9.noarch
Why are you using a file in /tmp with iptables? What kind of file is /tmp/iptables.DJg2FA?
Also looks like iptables is leaking file descriptors to /proc/18725/net/ip_tables_names and a rawip_socket: fcntl(fd, F_SETFD, FD_CLOEXEC)
(In reply to comment #1)
> Why are you using a file in /tmp with iptables? What kind of file is
> /tmp/iptables.DJg2FA?

I am sorry, but I have no idea what kind of file it is. And now it is gone, so I cannot even take a look at it.
I think it is also a leaked file descriptor or a redirection of stdout to a log file in /tmp. Are you using some tool to configure iptables that could be causing this error?
Created attachment 298605
Script to generate iptables

(In reply to comment #4)
> Are you using some tool to configure iptables that could be causing this error?

No, just this script
But do you have this script directing output to a /tmp file?
"service iptables save" is writing to a temporary file in /tmp, which will be copied to /etc/sysconfig/iptables after successful generation before it gets removed. The file in /tmp is only used for this.
So this is a redirection of stdout for modutils to the tmp file. I will allow this in selinux-policy-3.3.1-22.fc9.src.rpm. Leaked file descriptor should be fixed.
You do not need to change selinux-policy. Using O_CLOEXEC on all opened files is solving the problem for me completely. Fixed in rawhide in package iptables-1.4.0-4.fc9.
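The two fixes discussed in comments #2 and #11 (retrofitting FD_CLOEXEC with fcntl, or opening with O_CLOEXEC from the start), as an added example that is not code from this bug or from the iptables package. It creates its own temporary file with the same /tmp/iptables.XXXXXX naming pattern as the report and assumes /bin/sh is available; child_inherits() lets an exec'd shell try to dup the descriptor, which is how you can confirm empirically whether a descriptor leaks into a child such as modprobe.

```c
#define _POSIX_C_SOURCE 200809L  /* O_CLOEXEC and mkstemp */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>
/* 1 if fd would be inherited by an exec'd child (the leak), 0 if FD_CLOEXEC is set, -1 on error. */
int fd_leaks_across_exec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) return -1;
    return (flags & FD_CLOEXEC) ? 0 : 1;
}

/* Retrofit the flag on an already-open fd, as comment #2 suggests. */
int mark_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Set the flag at open() time (the approach of comment #11); no window between open and fcntl. */
int open_cloexec(const char *path, int oflag) {
    return open(path, oflag | O_CLOEXEC, 0600);
}

/* Empirical check: exec /bin/sh and let it try to dup fd onto fd 3. Exit status 0 means
 * the child still had the descriptor, i.e. it leaked. Returns 1 (leaked), 0 (closed), -1 (error). */
int child_inherits(int fd) {
    char cmd[64];
    snprintf(cmd, sizeof cmd, "exec 2>/dev/null 3>&%d", fd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}

int main(void) {
    char tmpl[] = "/tmp/iptables.XXXXXX";  /* constructed; mirrors the file name in the report */
    int fd = mkstemp(tmpl);
    if (fd < 0) { perror("mkstemp"); return 1; }
    printf("before: leaks=%d child_sees=%d\n", fd_leaks_across_exec(fd), child_inherits(fd));
    mark_cloexec(fd);
    printf("after:  leaks=%d child_sees=%d\n", fd_leaks_across_exec(fd), child_inherits(fd));
    close(fd); unlink(tmpl); return 0;
}
```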