Bug 498358 - SELinux is preventing ip6tables-resto (iptables_t) "read write" unconfined_t.
SELinux is preventing ip6tables-resto (iptables_t) "read write" unconfined_t.
Status: CLOSED INSUFFICIENT_DATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
10
i686 Linux
low Severity high
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-04-29 23:34 EDT by Dave
Modified: 2009-08-21 17:03 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-08-21 17:03:56 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Dave 2009-04-29 23:34:58 EDT
ummary:

SELinux is preventing ip6tables-resto (iptables_t) "read write" unconfined_t.

Detailed Description:

SELinux denied access requested by ip6tables-resto. It is not expected that this
access is required by ip6tables-resto and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:iptables_t:s0
Target Context                unconfined_u:unconfined_r:unconfined_t:s0
Target Objects                socket [ unix_stream_socket ]
Source                        iptables
Source Path                   /sbin/iptables
Port                          <Unknown>
Host                          home.69isfine.com
Source RPM Packages           iptables-ipv6-1.4.1.1-2.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-57.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     home.69isfine.com
Platform                      Linux home.69isfine.com
                              2.6.27.21-170.2.56.fc10.i686 #1 SMP Mon Mar 23
                              23:37:54 EDT 2009 i686 i686
Alert Count                   54
First Seen                    Wed 29 Apr 2009 08:33:59 PM PDT
Last Seen                     Wed 29 Apr 2009 08:37:50 PM PDT
Local ID                      f4851bea-d166-4ec4-8ce0-df5889f67997
Line Numbers                  

Raw Audit Messages            

node=home.69isfine.com type=AVC msg=audit(1241062670.394:404): avc:  denied  { read write } for  pid=16951 comm="ip6tables-resto" path="socket:[391123]" dev=sockfs ino=391123 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket

node=home.69isfine.com type=SYSCALL msg=audit(1241062670.394:404): arch=40000003 syscall=11 success=yes exit=0 a0=94dfda8 a1=94e0080 a2=94bb370 a3=0 items=0 ppid=16940 pid=16951 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="ip6tables-resto" exe="/sbin/ip6tables-restore" subj=unconfined_u:system_r:iptables_t:s0 key=(null)
Comment 1 Daniel Walsh 2009-05-04 10:41:06 EDT
How did you trigger this?  It looks like a leaked file descriptor potentially from konsole?  Are you using the kde konsole for terminal access?  Or did you use some gui tool to trigger this avc.

It can safely be ignored as I am sure the iptables command succeeded, and SELinux just closed the leak.

Note You need to log in before you can comment on or make changes to this bug.