Sommario: SELinux is preventing /sbin/iptables-multi access to a leaked packet_socket file descriptor. Descrizione dettagliata: [iptables presenta una tipologia permissiva (iptables_t). Questo accesso non è stato negato.] SELinux denied access requested by the iptables command. It looks like this is either a leaked descriptor or iptables output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the packet_socket. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc. Abilitazione accesso in corso: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Informazioni aggiuntive: Contesto della sorgente unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c102 3 Contesto target unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Oggetti target packet_socket [ packet_socket ] Sorgente iptables Percorso della sorgente /sbin/iptables-multi Porta <Sconosciuto> Host (removed) Sorgente Pacchetti RPM iptables-1.4.5-1.fc12 Pacchetti RPM target RPM della policy selinux-policy-3.6.32-84.fc12 Selinux abilitato True Tipo di policy targeted Modalità Enforcing Enforcing Nome plugin leaks Host Name (removed) Piattaforma Linux (removed) 2.6.31.12-174.2.3.fc12.i686 #1 SMP Mon Jan 18 20:22:46 UTC 2010 i686 i686 Conteggio avvisi 1440 Primo visto sab 13 feb 2010 16:49:07 CET Ultimo visto dom 14 feb 2010 01:10:16 CET ID locale 428df0a1-055d-4e73-97d3-41a82ff6f87e Numeri di linea Messaggi Raw Audit node=(removed) type=AVC msg=audit(1266106216.369:92): avc: denied { read write } for pid=2839 comm="iptables" path="socket:[218915]" dev=sockfs ino=218915 scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=packet_socket node=(removed) type=AVC msg=audit(1266106216.369:92): avc: denied { read write } for pid=2839 comm="iptables" path="socket:[218916]" dev=sockfs ino=218916 scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=rawip_socket node=(removed) type=AVC msg=audit(1266106216.369:92): avc: denied { read write } for pid=2839 comm="iptables" path="socket:[218919]" dev=sockfs ino=218919 scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=packet_socket node=(removed) type=AVC msg=audit(1266106216.369:92): avc: denied { read write } for pid=2839 comm="iptables" path="socket:[218924]" dev=sockfs ino=218924 scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=tcp_socket node=(removed) type=AVC msg=audit(1266106216.369:92): avc: denied { read write } for pid=2839 comm="iptables" path="socket:[218932]" dev=sockfs ino=218932 scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=tcp_socket node=(removed) type=AVC msg=audit(1266106216.369:92): avc: denied { read write } for pid=2839 comm="iptables" path="socket:[218936]" dev=sockfs ino=218936 scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=tcp_socket node=(removed) type=AVC msg=audit(1266106216.369:92): avc: denied { read write } for pid=2839 comm="iptables" path="socket:[218938]" dev=sockfs ino=218938 scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=tcp_socket node=(removed) type=AVC msg=audit(1266106216.369:92): avc: denied { read write } for pid=2839 comm="iptables" path="socket:[218940]" dev=sockfs ino=218940 scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=tcp_socket node=(removed) type=AVC msg=audit(1266106216.369:92): avc: denied { read write } for pid=2839 comm="iptables" path="socket:[218942]" dev=sockfs ino=218942 scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=tcp_socket node=(removed) type=AVC msg=audit(1266106216.369:92): avc: denied { read write } for pid=2839 comm="iptables" path="socket:[218944]" dev=sockfs ino=218944 scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=tcp_socket node=(removed) type=AVC msg=audit(1266106216.369:92): avc: denied { read write } for pid=2839 comm="iptables" path="socket:[218946]" dev=sockfs ino=218946 scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=tcp_socket node=(removed) type=AVC msg=audit(1266106216.369:92): avc: denied { read write } for pid=2839 comm="iptables" path="socket:[218948]" dev=sockfs ino=218948 scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=tcp_socket node=(removed) type=SYSCALL msg=audit(1266106216.369:92): arch=40000003 syscall=11 success=yes exit=0 a0=bf9fecf8 a1=9990700 a2=bf9ff640 a3=bfa00f8a items=0 ppid=2662 pid=2839 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="iptables" exe="/sbin/iptables-multi" subj=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 key=(null) Hash String generated from leaks,iptables,iptables_t,unconfined_t,packet_socket,read,write audit2allow suggests: #============= iptables_t ============== allow iptables_t unconfined_t:packet_socket { read write }; allow iptables_t unconfined_t:rawip_socket { read write }; allow iptables_t unconfined_t:tcp_socket { read write };
What tool are you using that is generating these AVCs. These are leaked file descriptors and usually indicate a bug in the application that is running the iptables command. Miroslav lets just add ifdef(`hide_broken_symptoms', ` dontaudit iptables_t $1:socket_class_set { read write }; ') to iptables_domtrans.
Fixed in selinux-policy-3.6.32-91.fc12
selinux-policy-3.6.32-92.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-92.fc12
selinux-policy-3.6.32-92.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-2953
selinux-policy-3.6.32-92.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.