Summary:

SELinux is preventing /sbin/iptables-multi access to a leaked unix_stream_socket file descriptor.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by the iptables command. It looks like this is either a leaked descriptor or iptables output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the unix_stream_socket. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                system_u:system_r:iptables_t:s0
Target Context                system_u:system_r:fail2ban_t:s0
Target Objects                unix_stream_socket [ unix_stream_socket ]
Source                        iptables
Source Path                   /sbin/iptables-multi
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           iptables-1.4.5-1.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-27.fc12
SELinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.5-96.fc12.i686 #1 SMP Fri Oct 23 19:53:24 EDT 2009 i686 athlon
Alert Count                   2
First Seen                    Sun 25 Oct 2009 20:15:08 CET
Last Seen                     Sun 25 Oct 2009 20:15:08 CET
Local ID                      4efb3edc-a0f1-443c-9337-40376dbbf7bc
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1256498108.580:28916): avc: denied { read write } for pid=5220 comm="iptables" path="socket:[315859]" dev=sockfs ino=315859 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket

node=(removed) type=AVC msg=audit(1256498108.580:28916): avc: denied { read write } for pid=5220 comm="iptables" path="socket:[315867]" dev=sockfs ino=315867 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_dgram_socket

node=(removed) type=SYSCALL msg=audit(1256498108.580:28916): arch=40000003 syscall=11 success=yes exit=0 a0=9cacd08 a1=9cacf18 a2=9cac2d0 a3=9cacf18 items=0 ppid=5219 pid=5220 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables-multi" subj=system_u:system_r:iptables_t:s0 key=(null)

Hash String generated from  selinux-policy-3.6.32-27.fc12,leaks,iptables,iptables_t,fail2ban_t,unix_stream_socket,read,write

audit2allow suggests:

#============= iptables_t ==============
allow iptables_t fail2ban_t:unix_dgram_socket { read write };
allow iptables_t fail2ban_t:unix_stream_socket { read write };
This is a bug in fail2ban; you can ignore it for now. fail2ban has to close its file descriptors on exec.
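To illustrate the leak behind the two AVC records and the fix the comment above asks for, here is an added Python example (not fail2ban's code and not part of this report): a daemon holding a unix_stream_socket and a unix_dgram_socket execs a child that stands in for /sbin/iptables-multi and lists the socket descriptors it inherited. Run once without closing the descriptors on exec, the child sees both sockets, which is exactly the situation in which SELinux has to decide whether iptables_t may read/write fail2ban_t's sockets; run with FD_CLOEXEC set and close_fds=True, it sees none. The child script and the use of os.set_inheritable / close_fds to emulate the older inheritable-descriptor behaviour are constructs of this example; it assumes Linux and Python 3.7 or newer.

```python
import os
import socket
import stat
import subprocess
import sys

# Stand-in for /sbin/iptables-multi (constructed for this example): it walks
# its own descriptor table and reports every inherited fd that is a socket.
# The real iptables never touches these fds, which is why setroubleshoot's
# "leaks" plugin says the AVC can be ignored; SELinux still has to check, and
# deny, iptables_t read/write on sockets labelled fail2ban_t.
CHILD = r"""
import os, stat
inherited = []
for fd in range(3, 1024):
    try:
        st = os.fstat(fd)
    except OSError:
        continue
    if stat.S_ISSOCK(st.st_mode):
        inherited.append(fd)
print(" ".join(str(fd) for fd in inherited))
"""


def open_daemon_sockets():
    """Open the two socket types named in the AVC records, a unix_stream_socket
    and a unix_dgram_socket, as a daemon such as fail2ban would hold them."""
    stream = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    dgram = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    return stream, dgram


def spawn_and_report(sockets, close_on_exec):
    """Exec the stand-in child and return the socket fds it found inherited.

    close_on_exec=False reproduces the leak: the fds are left inheritable and
    Popen is told not to close them (the Python 2-era default behaviour,
    emulated here because modern Python closes them by itself).
    close_on_exec=True is the fix the maintainer asks for: mark the daemon's
    fds FD_CLOEXEC and have Popen close everything above stderr on exec.
    """
    for s in sockets:
        os.set_inheritable(s.fileno(), not close_on_exec)
    proc = subprocess.run(
        [sys.executable, "-c", CHILD],
        close_fds=close_on_exec,
        capture_output=True,
        text=True,
        check=True,
    )
    return [int(fd) for fd in proc.stdout.split()]


def demo():
    """Return (daemon_fds, fds_leaked_without_cloexec, fds_seen_with_cloexec)."""
    stream, dgram = open_daemon_sockets()
    try:
        daemon_fds = sorted((stream.fileno(), dgram.fileno()))
        leaked = spawn_and_report((stream, dgram), close_on_exec=False)
        fixed = spawn_and_report((stream, dgram), close_on_exec=True)
    finally:
        stream.close()
        dgram.close()
    return daemon_fds, leaked, fixed


if __name__ == "__main__":
    daemon_fds, leaked, fixed = demo()
    print("daemon sockets:              ", daemon_fds)
    print("seen by child, no CLOEXEC:   ", leaked)
    print("seen by child, with CLOEXEC: ", fixed)
```

The first run is the state the audit records show: the child inherits the daemon's stream and dgram sockets at the same fd numbers, so any read/write on them by the child is checked against the socket's label, here fail2ban_t, rather than the child's own domain. The second run is the fix from the daemon's side; an audit2allow rule such as the one suggested above would instead widen iptables_t to permit the leak, which is the wrong place to solve it.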
*** Bug 530875 has been marked as a duplicate of this bug. ***
*** This bug has been marked as a duplicate of bug 522767 ***