Bug 596967 - fwknop denied required access under targeted selinux-policy-3.7.19-15.fc13
Summary: fwknop denied required access under targeted selinux-policy-3.7.19-15.fc13
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 13
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Depends On:
TreeView+ depends on / blocked
Reported: 2010-05-27 20:18 UTC by P Rauser
Modified: 2010-05-27 21:16 UTC (History)
0 users

Clone Of:
Last Closed: 2010-05-27 21:16:38 UTC

Attachments (Terms of Use)

Description P Rauser 2010-05-27 20:18:32 UTC
Description of problem:

Selinux throws the following AVC, blocking the proper functioning of fwknop.  N.B. the AVC below was thrown in "permissive" mode, after the program failed in "enforcing" mode.

How reproducible:  See the AVC below

SELinux is preventing /sbin/iptables-multi access to a leaked
/var/log/fwknop/knoptm.iptout file descriptor.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by the iptables command. It looks like this is
either a leaked descriptor or iptables output was redirected to a file it is not
allowed to access. Leaks usually can be ignored since SELinux is just closing
the leak and reporting the error. The application does not use the descriptor,
so it will run properly. If this is a redirection, you will not get output in
the /var/log/fwknop/knoptm.iptout. You should generate a bugzilla on
selinux-policy, and it will get routed to the appropriate package. You can
safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ

Additional Information:

Source Context                staff_u:system_r:iptables_t:s0
Target Context                system_u:object_r:var_log_t:s0
Target Objects                /var/log/fwknop/knoptm.iptout [ file ]
Source                        iptables
Source Path                   /sbin/iptables-multi
Port                          <Unknown>
Host                          testbed1.lan
Source RPM Packages           iptables-1.4.7-2.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-15.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   leaks
Host Name                     testbed1.lan
Platform                      Linux testbed1.lan
                     #1 SMP Thu May 13 05:16:23
                              UTC 2010 x86_64 x86_64
Alert Count                   3
First Seen                    Thu 27 May 2010 03:46:11 PM EDT
Last Seen                     Thu 27 May 2010 03:46:57 PM EDT
Local ID                      9102ca41-5de1-4288-9747-fc17a70b7df5
Line Numbers                  

Raw Audit Messages            

node=testbed1.lan type=AVC msg=audit(1274989617.216:819): avc:  denied  { write } for  pid=7745 comm="iptables" path="/var/log/fwknop/knoptm.iptout" dev=dm-1 ino=1433635 scontext=staff_u:system_r:iptables_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file

node=testbed1.lan type=SYSCALL msg=audit(1274989617.216:819): arch=c000003e syscall=59 success=yes exit=0 a0=19f7e50 a1=19f81d0 a2=19f7ef0 a3=40 items=0 ppid=7744 pid=7745 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="iptables" exe="/sbin/iptables-multi" subj=staff_u:system_r:iptables_t:s0 key=(null)

Comment 1 Daniel Walsh 2010-05-27 21:16:38 UTC
This file should have been opened for append by fwknop and then this access would be allowed.

You can add these rules using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i myfwknop.pp

Since we do not ship fwknop, I can not fix that package.

Note You need to log in before you can comment on or make changes to this bug.