Bug 445525 - SELinux is preventing iptables (iptables_t) "read write" to socket (unconfined_t)
Summary: SELinux is preventing iptables (iptables_t) "read write" to socket (unconfine...
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2008-05-07 12:34 UTC by Akira TAGOH
Modified: 2008-05-07 15:09 UTC (History)
2 users (show)

Clone Of:
Last Closed: 2008-05-07 15:09:05 UTC

Attachments (Terms of Use)

Description Akira TAGOH 2008-05-07 12:34:11 UTC
Description of problem:
The following messages appears by disabling/enabling firewall on

type=AVC msg=audit(1210163156.386:110): avc:  denied  { read write } for  pid=71
01 comm="iptables" path="socket:[39235]" dev=sockfs ino=39235 scontext=unconfine
d_u:system_r:iptables_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0
:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(1210163156.386:110): arch=c000003e syscall=59 success=yes
 exit=0 a0=1e2fea0 a1=1ded460 a2=1de9be0 a3=7fffeaa0fe20 items=0 ppid=7091 pid=7
101 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) 
ses=4 comm="iptables" exe="/sbin/iptables" subj=unconfined_u:system_r:iptables_t
:s0 key=(null)

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.run system-config-firewall on Enforcing mode
2.press Enable/Disable button

Comment 1 Daniel Walsh 2008-05-07 12:57:51 UTC
You can safely ignore this.

Nalin, do you think this could be consolehelper leaking a file descriptor?

Akira how do you have authentication setup?  ldap? NIS? Local Password?

Comment 2 Akira TAGOH 2008-05-07 13:16:27 UTC
Only local password is setting up here.

Comment 3 Daniel Walsh 2008-05-07 15:09:05 UTC
Fixed in selinux-policy-3.3.1-47.fc10.src.rpm

Note You need to log in before you can comment on or make changes to this bug.