Summary:

SELinux is preventing /sbin/iptables-multi access to a leaked /root/status file descriptor.

Detailed Description:

[iptables has a permissive type (iptables_t). This access was not denied.]

SELinux denied access requested by the iptables command. It looks like this is either a leaked descriptor or iptables output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the /root/status. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                unconfined_u:system_r:iptables_t:s0
Target Context                unconfined_u:object_r:admin_home_t:s0
Target Objects                /root/status [ file ]
Source                        iptables
Source Path                   /sbin/iptables-multi
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           iptables-1.4.7-2.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-6.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux localhost.localdomain 2.6.33.2-57.fc13.x86_64 #1 SMP Tue Apr 20 08:57:50 UTC 2010 x86_64 x86_64
Alert Count                   2
First Seen                    Wed 05 May 2010 05:07:10 AM EDT
Last Seen                     Wed 05 May 2010 05:08:08 AM EDT
Local ID                      5b0e37e6-7f25-42d9-892f-545d446e1fce
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1273050488.841:33980): avc: denied { write } for pid=2359 comm="iptables" path="/root/status" dev=dm-0 ino=87606 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1273050488.841:33980): arch=c000003e syscall=59 success=yes exit=0 a0=23bc240 a1=2375900 a2=2379250 a3=7fffc9a3a0f0 items=0 ppid=2349 pid=2359 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="iptables" exe="/sbin/iptables-multi" subj=unconfined_u:system_r:iptables_t:s0 key=(null)

Hash String generated from  leaks,iptables,iptables_t,admin_home_t,file,write

audit2allow suggests:

#============= iptables_t ==============
allow iptables_t admin_home_t:file write;
I ran this command:

[root@localhost ~]# service iptables status > status

Is it correct that SELinux denies output redirection to a file?
We don't want to allow the iptables_t domain this access.

#============= iptables_t ==============
allow iptables_t admin_home_t:file write;

But you can use

# service iptables status | cat > status

Or you can allow it using

# grep iptables /var/log/audit/audit.log | audit2allow -M myiptables
# semodule -i myiptables.pp
Kamil, that requires the confined domain iptables_t to be able to write to default files in the /root account. It would allow it to write to /root/.bashrc, for example. If a hack happened and this file got modified, an unconfined_t admin logging in would execute the file.
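Added example, not from this report or the selinux-policy project: a small Python checker that parses the AVC record above, reconstructs the rule audit2allow would propose, and rejects it for the reason given in the last two comments (the rule would let iptables_t write any admin_home_t file, /root/.bashrc included). The function names, the HOME_TYPES set and the second sample line are assumptions.

```python
import re

# Constructed samples: the AVC record from this report, and a second constructed
# denial (not from the report) where the write target is not in a home directory.
AVC_LINES = [
    'node=localhost.localdomain type=AVC msg=audit(1273050488.841:33980): avc: denied { write } '
    'for pid=2359 comm="iptables" path="/root/status" dev=dm-0 ino=87606 '
    'scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file',
    'type=AVC msg=audit(1273050499.000:33990): avc: denied { write } '
    'for pid=2400 comm="iptables" path="/var/tmp/status" dev=dm-0 ino=90001 '
    'scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file',
]

# Home-directory file types a policy reviewer should refuse to open up (assumed set).
HOME_TYPES = {"admin_home_t", "user_home_t"}

_AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the permissions and key=value fields of one AVC denial, or None."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group(2))}
    fields["perms"] = m.group(1).split()
    return fields

def type_of(context):
    """Pick the type out of a user:role:type:level security context."""
    return context.split(":")[2]

def suggested_rule(avc):
    """The allow rule audit2allow would emit for this denial."""
    return "allow %s %s:%s %s;" % (type_of(avc["scontext"]), type_of(avc["tcontext"]),
                                   avc["tclass"], " ".join(avc["perms"]))

def assess(avc):
    """Reject a rule that would let a confined domain write files in a home directory."""
    src, tgt = type_of(avc["scontext"]), type_of(avc["tcontext"])
    rule = suggested_rule(avc)
    if avc["tclass"] == "file" and "write" in avc["perms"] and tgt in HOME_TYPES:
        reason = ("%s could then modify any %s file such as /root/.bashrc; redirect through "
                  "a process in the caller's own domain instead: cmd | cat > file" % (src, tgt))
        return {"decision": "reject", "rule": rule, "reason": reason}
    return {"decision": "review", "rule": rule, "reason": "not a home-directory write"}

if __name__ == "__main__":
    for line in AVC_LINES:
        verdict = assess(parse_avc(line))
        print(verdict["decision"], verdict["rule"], "-", verdict["reason"])
```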