Summary:

SELinux is preventing /sbin/iptables-multi access to a leaked
/home/bob/Programs/other/west1/west-chamber/examples/iptables.rules file
descriptor.

Detailed Description:

[iptables-save has a permissive type (iptables_t). This access was not denied.]

SELinux denied access requested by the iptables-save command. It looks like
this is either a leaked descriptor or iptables-save output was redirected to a
file it is not allowed to access. Leaks usually can be ignored since SELinux is
just closing the leak and reporting the error. The application does not use
the descriptor, so it will run properly. If this is a redirection, you will
not get output in the
/home/bob/Programs/other/west1/west-chamber/examples/iptables.rules. You should
generate a bugzilla on selinux-policy, and it will get routed to the
appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /home/bob/Programs/other/west1/west-chamber/examples/iptables.rules [ file ]
Source                        iptables-save
Source Path                   /sbin/iptables-multi
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           iptables-1.4.7-2.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-57.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed) 2.6.34.7-56.fc13.i686 #1 SMP Wed Sep 15 03:33:58 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Sun 26 Sep 2010 08:01:35 PM CST
Last Seen                     Sun 26 Sep 2010 08:01:35 PM CST
Local ID                      40e9d1c0-f707-44f5-a08e-c3a83550011f
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1285502495.966:479): avc: denied { write } for pid=12100 comm="iptables-save" path="/home/bob/Programs/other/west1/west-chamber/examples/iptables.rules" dev=sda1 ino=2365823 scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1285502495.966:479): arch=40000003 syscall=11 success=yes exit=0 a0=8a02ce8 a1=8a02f08 a2=8a01948 a3=8a02f08 items=0 ppid=12099 pid=12100 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="iptables-save" exe="/sbin/iptables-multi" subj=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 key=(null)

Hash String generated from  leaks,iptables-save,iptables_t,user_home_t,file,write

audit2allow suggests:

libsepol.context_from_record: invalid security context: "unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023"
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 to sid
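The report above says the denial is either a leaked descriptor or a redirection of iptables-save output, and that audit2allow could turn it into a local module. The shell example below is added here and is not part of the bug report, of setroubleshoot or of audit2allow: it parses a raw AVC/SYSCALL record pair, tells the exec-time leak case apart from a genuine write denial, and derives the allow rule and .te module that audit2allow would propose. The two sample records are reconstructed from the raw audit messages in the report (trimmed), and all function names are the example's own.

```shell
#!/bin/sh
# Added example (not from this bug report, setroubleshoot or audit2allow).
# Parse a raw AVC/SYSCALL record pair, decide whether the denial is the
# exec-time "leaked descriptor" case, and derive the TE rule audit2allow
# would propose. Sample records are reconstructed from the report above.

AVC_LINE='type=AVC msg=audit(1285502495.966:479): avc: denied { write } for pid=12100 comm="iptables-save" path="/home/bob/Programs/other/west1/west-chamber/examples/iptables.rules" dev=sda1 ino=2365823 scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'
SYSCALL_LINE='type=SYSCALL msg=audit(1285502495.966:479): arch=40000003 syscall=11 success=yes exit=0 ppid=12099 pid=12100 auid=500 uid=0 comm="iptables-save" exe="/sbin/iptables-multi"'

# avc_field RECORD KEY: print the value of the KEY=VALUE token in RECORD.
avc_field() {
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# ctx_type CONTEXT: the type, i.e. the third colon-separated component
# of user:role:type:range.
ctx_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms RECORD: the permission list inside "{ ... }", e.g. "write".
avc_perms() {
  printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# is_exec_leak SYSCALL_RECORD: succeed when the denial happened inside
# execve. On exec the kernel revalidates every inherited descriptor against
# the new domain and closes (or points at /dev/null) those it may not use;
# that is the "leaks" case setroubleshoot reports, and it needs no policy
# change. execve is syscall 11 on i386 (arch=40000003) and 59 on x86_64
# (arch=c000003e); other architectures are not covered here.
is_exec_leak() {
  case "$(avc_field "$1" arch):$(avc_field "$1" syscall)" in
    40000003:11|c000003e:59) return 0 ;;
    *) return 1 ;;
  esac
}

# avc_to_rule AVC_RECORD: the single allow rule audit2allow would emit.
avc_to_rule() {
  printf 'allow %s %s:%s { %s };\n' \
    "$(ctx_type "$(avc_field "$1" scontext)")" \
    "$(ctx_type "$(avc_field "$1" tcontext)")" \
    "$(avc_field "$1" tclass)" \
    "$(avc_perms "$1")"
}

# avc_to_te MODULE AVC_RECORD: a complete .te source of the shape
# `audit2allow -M MODULE` writes, ready for checkmodule/semodule_package.
avc_to_te() {
  src=$(ctx_type "$(avc_field "$2" scontext)")
  tgt=$(ctx_type "$(avc_field "$2" tcontext)")
  cls=$(avc_field "$2" tclass)
  perms=$(avc_perms "$2")
  printf 'module %s 1.0;\n\nrequire {\n' "$1"
  printf '\ttype %s;\n\ttype %s;\n\tclass %s { %s };\n}\n\n' "$src" "$tgt" "$cls" "$perms"
  printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms"
}

# Walk the sample the way setroubleshoot's leaks plugin would.
if is_exec_leak "$SYSCALL_LINE"; then
  echo "# exec-time denial on an inherited descriptor: a leak, safe to ignore;"
  echo "# the rule below would only paper over it:"
else
  echo "# denial during normal I/O: output really was redirected to a target"
  echo "# this domain may not write; candidate rule (review before loading):"
fi
avc_to_rule "$AVC_LINE"
```

On a live system the same records come from `ausearch -m AVC,SYSCALL -c iptables-save --raw`, and the module is built and loaded with `audit2allow -M iptables_local` followed by `semodule -i iptables_local.pp`. Before loading such a module, note what the rule above actually grants: `allow iptables_t user_home_t:file { write }` lets iptables-save write to every ordinary file in every home directory, far more than one redirect needs. If the goal is simply to save the rule set, write it where the distribution's iptables service itself saves it (`service iptables save` on Fedora of that era writes /etc/sysconfig/iptables), or redirect to a location whose label (check with `ls -Z`) the iptables_t domain is already permitted to write, and keep local modules for denials you have confirmed are not leaks.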
Please update your selinux-policy. It was fixed in selinux-policy-3.7.19-64.noarch. Execute

# yum update selinux-policy-targeted
At https://admin.fedoraproject.org/updates/selinux-policy it appears this bugfix has not yet been built for f12. Please make this bugfix available for f12 before end-of-life. Thanks.
selinux-policy-3.9.7-10.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-10.fc14
selinux-policy-3.9.7-10.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-10.fc14
selinux-policy-3.9.7-10.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
I'm sorry, I don't understand what is happening here. I am new to how things are done here, so I will appreciate any clarification or instruction as to how I can assist. Here is how it looks from here:

- When I first came here this bug was closed.
- In comment #2 I requested a fix for fedora *12* before it goes end-of-life.
- Following that (in response, I assumed?) this bug was reopened by dwalsh.
- Some build messages were added but they are all for f14.
- Now the bug is closed again.

It seems to me there is still no update for f12. Am I missing something?

Before all that, someone smarter than me on #fedora tried twice to do a scratch build on koji for me but it failed, so I was advised to ask here. And so I have not tried myself.

Yes, I will be upgrading to f14 as soon as possible, but upgrading is a difficult process here due to 36kbit/s max on a noisy remote rural phone line (worse whenever it rains). Because of this it usually takes me more than a month to achieve full productivity after upgrade, so I usually need more than a month overlap when upgrading, and usually run the old fedora offline in parallel for productivity for several months. Access to reasonable speed download involves a vehicle and a usb stick. I am not asking for special treatment, just giving the context for why it matters to me.

I am working on the assumption that Fedora release support stops at end-of-life. And the assumption that it is supported until then. Let me know if that is a mistake on my part.

But the thing I most want is to properly understand what is going on here. That is a prerequisite to me being able to participate/contribute with Fedora. Thanks.
Hi David, my bad. I added this bug number to the F14 update, and this caused the bug to be closed by the Fedora Update System. So the bug is fixed in F13+, and I will do the last update for the F12 policy before end-of-life, which will include the fix.
Fixed in selinux-policy-3.6.32-127.fc12.
selinux-policy-3.6.32-127.fc12 has been submitted as an update for Fedora 12. https://admin.fedoraproject.org/updates/selinux-policy-3.6.32-127.fc12
selinux-policy-3.6.32-127.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.6.32-127.fc12
Install: ok. My issue similar to bug #644908 fixed: ok. Thank you.
selinux-policy-3.6.32-127.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
This problem seems to still be open for f12

# rpm -aq |grep selinux-polic
selinux-policy-3.6.32-127.fc12.noarch
selinux-policy-targeted-3.6.32-127.fc12.noarch
Correction: still in f12 is 'SELinux is preventing /sbin/iptables-multi "getopt" access.'
Fedora 12 is not a supported OS. Please update to Fedora 14 or later OS.