Bug 445525 - SELinux is preventing iptables (iptables_t) "read write" to socket (unconfined_t)
Summary: SELinux is preventing iptables (iptables_t) "read write" to socket (unconfine...
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
(Show other bugs)
Version: rawhide
Hardware: All Linux
low
low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-05-07 12:34 UTC by Akira TAGOH
Modified: 2008-05-07 15:09 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-05-07 15:09:05 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Akira TAGOH 2008-05-07 12:34:11 UTC
Description of problem:
The following messages appears by disabling/enabling firewall on
system-config-firewall.

type=AVC msg=audit(1210163156.386:110): avc:  denied  { read write } for  pid=71
01 comm="iptables" path="socket:[39235]" dev=sockfs ino=39235 scontext=unconfine
d_u:system_r:iptables_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0
:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(1210163156.386:110): arch=c000003e syscall=59 success=yes
 exit=0 a0=1e2fea0 a1=1ded460 a2=1de9be0 a3=7fffeaa0fe20 items=0 ppid=7091 pid=7
101 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) 
ses=4 comm="iptables" exe="/sbin/iptables" subj=unconfined_u:system_r:iptables_t
:s0 key=(null)


Version-Release number of selected component (if applicable):
selinux-policy-3.3.1-42.fc9.noarch

How reproducible:
always

Steps to Reproduce:
1.run system-config-firewall on Enforcing mode
2.press Enable/Disable button

Comment 1 Daniel Walsh 2008-05-07 12:57:51 UTC
You can safely ignore this.

Nalin, do you think this could be consolehelper leaking a file descriptor?


Akira how do you have authentication setup?  ldap? NIS? Local Password?

Comment 2 Akira TAGOH 2008-05-07 13:16:27 UTC
Only local password is setting up here.

Comment 3 Daniel Walsh 2008-05-07 15:09:05 UTC
Fixed in selinux-policy-3.3.1-47.fc10.src.rpm



Note You need to log in before you can comment on or make changes to this bug.