Summary:

SELinux is preventing /sbin/iptables-multi access to a leaked unix_stream_socket file descriptor.

Detailed Description:

[iptables has a permissive type (iptables_t). This access was not denied.]

SELinux denied access requested by the iptables command. It looks like this is either a leaked descriptor or iptables output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the unix_stream_socket. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                system_u:system_r:iptables_t:s0
Target Context                system_u:system_r:fail2ban_t:s0
Target Objects                unix_stream_socket [ unix_stream_socket ]
Source                        iptables
Source Path                   /sbin/iptables-multi
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           iptables-1.4.5-1.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-41.fc12
SELinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.5-127.fc12.i686.PAE #1 SMP Sat Nov 7 21:25:57 EST 2009 i686 i686
Alert Count                   12
First Seen                    Fri 20 Nov 2009 08:42:16 CET
Last Seen                     Fri 20 Nov 2009 08:42:16 CET
Local ID                      a239f1f7-9cc4-4155-b6fd-3351a10d6b79
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1258702936.587:12310): avc: denied { read write } for pid=1441 comm="iptables" path="socket:[12238]" dev=sockfs ino=12238 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket

node=(removed) type=AVC msg=audit(1258702936.587:12310): avc: denied { read write } for pid=1441 comm="iptables" path="socket:[12326]" dev=sockfs ino=12326 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket

node=(removed) type=AVC msg=audit(1258702936.587:12310): avc: denied { read write } for pid=1441 comm="iptables" path="socket:[12246]" dev=sockfs ino=12246 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_dgram_socket

node=(removed) type=AVC msg=audit(1258702936.587:12310): avc: denied { read write } for pid=1441 comm="iptables" path="socket:[12255]" dev=sockfs ino=12255 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket

node=(removed) type=SYSCALL msg=audit(1258702936.587:12310): arch=40000003 syscall=11 success=yes exit=0 a0=841f4a0 a1=841f5d0 a2=841f750 a3=841f5d0 items=0 ppid=1436 pid=1441 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables-multi" subj=system_u:system_r:iptables_t:s0 key=(null)

Hash String generated from  selinux-policy-3.6.32-41.fc12,leaks,iptables,iptables_t,fail2ban_t,unix_stream_socket,read,write

audit2allow suggests:

#============= iptables_t ==============
allow iptables_t fail2ban_t:unix_dgram_socket { read write };
allow iptables_t fail2ban_t:unix_stream_socket { read write };
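The "leaked descriptor" the report describes is a socket that fail2ban_t left open without FD_CLOEXEC when it exec'd iptables; the kernel closes such inherited descriptors on the domain transition and logs the AVC. The following added example (my code, not the bug report's and not fail2ban's or iptables') reproduces that leak with a plain AF_UNIX stream socket on Linux and shows the two parent-side fixes. It assumes Python 3.4 or newer, where sockets are non-inheritable by default and subprocess defaults to close_fds=True, so the leak has to be switched on deliberately; Python 2, which fail2ban used at the time of this report, had neither default. Function and variable names are mine.

```python
# Added example, not part of the bug report or of fail2ban/iptables: reproduce
# the kind of leak setroubleshoot's "leaks" plugin reports above, and show the
# close-on-exec fix on the parent side. Linux, Python >= 3.4 assumed.
import socket
import subprocess
import sys

# Probe run inside the child after exec: exit 0 if the fd number passed as
# argv[1] is still open (the descriptor leaked across exec), 1 if it is not.
# os.fstat() raises OSError (EBADF) for a closed descriptor.
_PROBE = (
    "import os, sys\n"
    "try:\n"
    "    os.fstat(int(sys.argv[1]))\n"
    "except OSError:\n"
    "    sys.exit(1)\n"
    "sys.exit(0)\n"
)


def child_inherits_fd(fd, close_fds):
    """Spawn a child with the given subprocess close_fds setting and return
    True if the child still holds `fd` after exec, i.e. the fd leaked."""
    rc = subprocess.call([sys.executable, "-c", _PROBE, str(fd)],
                         close_fds=close_fds)
    return rc == 0


def socket_leaks_to_child(inheritable, close_fds):
    """Create an AF_UNIX stream socket (tclass unix_stream_socket, the object
    class in the AVC), mark it inheritable or close-on-exec, spawn a child and
    report whether the child inherited it. Binding the socket is not needed
    for the demonstration."""
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        # set_inheritable(False) sets FD_CLOEXEC on the descriptor.
        sock.set_inheritable(inheritable)
        return child_inherits_fd(sock.fileno(), close_fds)
    finally:
        sock.close()


def demo():
    """Three parent-side configurations; only the first leaks the socket."""
    return {
        "inheritable socket, close_fds=False (Python 2 defaults)":
            socket_leaks_to_child(inheritable=True, close_fds=False),
        "FD_CLOEXEC set on the socket":
            socket_leaks_to_child(inheritable=False, close_fds=False),
        "close_fds=True when spawning the child":
            socket_leaks_to_child(inheritable=True, close_fds=True),
    }


if __name__ == "__main__":
    for config, leaked in demo().items():
        print(f"{config}: {'LEAKED' if leaked else 'closed on exec'}")
```

Either fix belongs in the program that owns the socket (here fail2ban), not in policy: an allow rule for iptables_t on fail2ban_t sockets would paper over the leak by granting a domain access it never needed. Note also that the report shows iptables_t as a permissive type, so nothing was actually blocked here; the AVC is informational.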
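The two rules under "audit2allow suggests" are derived mechanically from the raw AVC records: each record's source type, target type and object class become one allow rule, and records sharing those three fields have their permissions merged. The added example below (my code, not setroubleshoot's or audit2allow's) does that reduction over the report's own records and additionally checks what makes this a leak rather than a real access attempt: the accompanying SYSCALL record is an execve (syscall 11 on arch 40000003, i386; 59 on c000003e, x86_64) and every denied object is a socket fd, so the denials happened while the kernel was flushing inherited descriptors at the domain transition. The sample input is the report's records, re-split one per line; the regexes, the EXECVE table and all function names are mine.

```python
# Added example, not part of the bug report or of setroubleshoot/audit2allow:
# reduce raw AVC records to audit2allow-style allow rules and tell an
# exec-time descriptor leak apart from an access the program really attempted.
import re
from collections import defaultdict

# Constructed sample: the AVC and SYSCALL records from the report above,
# one record per line (the report runs them together).
SAMPLE_RECORDS = """\
type=AVC msg=audit(1258702936.587:12310): avc: denied { read write } for pid=1441 comm="iptables" path="socket:[12238]" dev=sockfs ino=12238 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1258702936.587:12310): avc: denied { read write } for pid=1441 comm="iptables" path="socket:[12326]" dev=sockfs ino=12326 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1258702936.587:12310): avc: denied { read write } for pid=1441 comm="iptables" path="socket:[12246]" dev=sockfs ino=12246 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1258702936.587:12310): avc: denied { read write } for pid=1441 comm="iptables" path="socket:[12255]" dev=sockfs ino=12255 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1258702936.587:12310): arch=40000003 syscall=11 success=yes exit=0 a0=841f4a0 a1=841f5d0 a2=841f750 a3=841f5d0 items=0 ppid=1436 pid=1441 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables-multi" subj=system_u:system_r:iptables_t:s0 key=(null)
"""

SERIAL_RE = re.compile(r"msg=audit\((?P<stamp>[\d.]+):(?P<serial>\d+)\)")
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# execve syscall numbers keyed by the audit arch value (my table, two arches).
EXECVE = {"40000003": "11", "c000003e": "59"}  # i386, x86_64


def parse_record(line):
    """Return a dict for one AVC or SYSCALL audit record, else None."""
    fields = dict(KV_RE.findall(line))
    serial = SERIAL_RE.search(line)
    if serial is None or fields.get("type") not in ("AVC", "SYSCALL"):
        return None
    rec = {"type": fields["type"], "serial": serial.group("serial")}
    if rec["type"] == "AVC":
        m = AVC_RE.search(line)
        if m is None:
            return None
        rec.update(m.groupdict())
        rec["perms"] = set(rec["perms"].split())
        rec["path"] = fields.get("path", "").strip('"')
    else:
        rec["arch"] = fields.get("arch", "")
        rec["syscall"] = fields.get("syscall", "")
    return rec


def type_of(context):
    """user:role:type[:level] -> type."""
    return context.split(":")[2]


def allow_rules(records):
    """Collapse AVC records into allow rules, merging the permissions of
    records that share (source type, target type, object class)."""
    merged = defaultdict(set)
    for rec in records:
        if rec["type"] == "AVC":
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
            merged[key] |= rec["perms"]
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]


def exec_time_socket_leaks(records):
    """Audit serials whose denials are all on socket fds and whose SYSCALL
    record is execve: the kernel closing inherited descriptors the new
    domain may not use, which is what the 'leaks' plugin reports."""
    by_serial = defaultdict(list)
    for rec in records:
        by_serial[rec["serial"]].append(rec)
    leaks = []
    for serial, recs in by_serial.items():
        syscalls = [r for r in recs if r["type"] == "SYSCALL"]
        avcs = [r for r in recs if r["type"] == "AVC"]
        if not syscalls or not avcs:
            continue
        is_exec = any(EXECVE.get(r["arch"]) == r["syscall"] for r in syscalls)
        if is_exec and all(r["path"].startswith("socket:[") for r in avcs):
            leaks.append(serial)
    return leaks


def analyse(text):
    """Parse audit text and return (allow rules, serials that look like leaks)."""
    records = [r for r in (parse_record(l) for l in text.splitlines()) if r]
    return allow_rules(records), exec_time_socket_leaks(records)


if __name__ == "__main__":
    rules, leaks = analyse(SAMPLE_RECORDS)
    print("\n".join(rules))
    print("exec-time socket leaks in serials:", leaks)
```

The rules come out identical to the report's audit2allow output, which is the point: audit2allow reports what would silence the denial, not whether granting it is sensible. For a serial flagged as an exec-time socket leak the answer is to fix close-on-exec handling in the parent, not to ship the generated module.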
*** This bug has been marked as a duplicate of bug 522767 ***