Summary:
SELinux is preventing sh (dhcpc_t) "execute" to ./iptables (iptables_exec_t).

Detailed Description:
SELinux denied access requested by sh. It is not expected that this access is required by sh and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./iptables, restorecon -v './iptables' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:
Source Context system_u:system_r:dhcpc_t
Target Context system_u:object_r:iptables_exec_t
Target Objects ./iptables [ file ]
Source sh
Source Path /bin/bash
Port <Unknown>
Host localhost.localdomain
Source RPM Packages bash-3.2-32.el5
Target RPM Packages
Policy RPM selinux-policy-2.4.6-316.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.18-274.3.1.el5xen #1 SMP Fri Aug 26 19:08:58 EDT 2011 x86_64 x86_64
Alert Count 384
First Seen Mon 22 Aug 2011 11:57:23 AM PDT
Last Seen Tue 27 Sep 2011 05:26:50 AM PDT
Local ID 4a813ab8-d0cc-43e3-93c0-b506259979c9
Line Numbers

Raw Audit Messages
host=localhost.localdomain type=AVC msg=audit(1317126410.221:9934): avc: denied { execute } for pid=14511 comm="sh" name="iptables" dev=dm-0 ino=196608185 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
host=localhost.localdomain type=SYSCALL msg=audit(1317126410.221:9934): arch=c000003e syscall=59 success=no exit=-13 a0=1a1b60c0 a1=1a1b61d0 a2=1a19fdb0 a3=8 items=0 ppid=14510 pid=14511 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:dhcpc_t:s0 key=(null)
I have run restorecon -v '/etc/init.d/iptable' '/sbin/iptables' to no avail. I do not want to switch SELinux off.
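As an added example (not part of this bug report or of the selinux-policy package): a small Python parser for raw audit records like the ones above. It joins the AVC and SYSCALL lines by their audit serial, extracts the source domain, target type, class and permission, and flags "execute" denials on *_exec_t entrypoint types, which is the situation the maintainer resolves with iptables_domtrans rather than a raw allow rule. The sample input is the two records from this report, embedded as constructed test data.

```python
import re

# Constructed sample: the two records from the report above, as auditd writes them.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1317126410.221:9934): avc: denied { execute } for pid=14511 comm="sh" name="iptables" dev=dm-0 ino=196608185 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1317126410.221:9934): arch=c000003e syscall=59 success=no exit=-13 a0=1a1b60c0 a1=1a1b61d0 a2=1a19fdb0 a3=8 items=0 ppid=14510 pid=14511 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:dhcpc_t:s0 key=(null)
"""

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
AVC_RE = re.compile(r"avc: +(denied|granted) +\{ ([^}]*)\} for (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value, value quoted or bare

def parse_record(line):
    # One audit record -> dict; AVC records additionally carry result and perms.
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    rec = {"type": rtype, "time": float(ts), "serial": int(serial)}
    if rtype == "AVC":
        a = AVC_RE.match(body)
        if not a:
            return None
        rec["result"], rec["perms"], body = a.group(1), a.group(2).split(), a.group(3)
    rec.update((k, v.strip('"')) for k, v in KV_RE.findall(body))
    return rec

def summarize_denials(text):
    # Join AVC and SYSCALL records sharing an audit serial and describe each denial.
    events = {}
    for rec in filter(None, map(parse_record, text.splitlines())):
        events.setdefault(rec["serial"], []).append(rec)
    out = []
    for serial, recs in sorted(events.items()):
        avc = next((r for r in recs if r["type"] == "AVC"), None)
        sc = next((r for r in recs if r["type"] == "SYSCALL"), {})
        if avc and avc["result"] == "denied":
            out.append({"serial": serial, "tclass": avc["tclass"], "perms": avc["perms"],
                        "source_domain": avc["scontext"].split(":")[2],  # user:role:type:level
                        "target_type": avc["tcontext"].split(":")[2],
                        "comm": avc.get("comm"), "exe": sc.get("exe"),
                        "syscall": sc.get("syscall"), "exit": int(sc.get("exit", 0))})
    return out

def wants_domain_transition(d):
    # 'execute' on an *_exec_t entrypoint type: the right fix is a domain-transition
    # interface (here iptables_domtrans), not a raw allow rule that would keep
    # iptables running inside the caller's domain with the caller's permissions.
    return d["tclass"] == "file" and "execute" in d["perms"] and d["target_type"].endswith("_exec_t")
```

Run it against /var/log/audit/audit.log (or the output of ausearch -m AVC) to triage real denials the same way; syscall 59 on x86_64 is execve and exit -13 is EACCES, matching the report.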
I am adding

optional_policy(`
	tunable_policy(`dhcpc_exec_iptables',`
		iptables_domtrans(dhcpc_t)
	')
')

which we have in RHEL6. This will allow it using the dhcpc_exec_iptables boolean.
Fixed in selinux-policy-2.4.6-317.el5
(In reply to comment #3)
> Fixed in selinux-policy-2.4.6-317.el5

Below is what I get when I run yum update selinux-policy-2.4.6-317.el5. Kindly instruct what to do.

# yum update selinux-policy-2.4.6-317.el5
Loaded plugins: product-id, rhnplugin, security, subscription-manager
Updating Red Hat repositories.
Skipping security plugin, no data
Setting up Update Process
No Match for argument: selinux-policy-2.4.6-317.el5
No package selinux-policy-2.4.6-317.el5 available.
No Packages marked for Update
Yes, because this is a pre-release which is not available on rhn.
(In reply to comment #5)
> Yes, because this is a pre-release which is not available on rhn.

You are being pretty cryptic with me. Could you clarify where to get the pre-release so I can rectify the error? Where is the pre-release package?
This pre-release is now available from http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/
Hi Raymond, could you please confirm that the issue is fixed with selinux-policy-2.4.6-317.el5? Thank you in advance.
I installed the pre-release version of selinux-policy-2.4.6-317.el5 from http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/ to no avail. The problem was not solved.
You need to turn on the dhcpc_exec_iptables boolean.

setsebool -P dhcpc_exec_iptables 1
# setsebool -P dhcpc_exec_iptables 1
libsemanage.dbase_llist_set: record not found in the database
libsemanage.dbase_llist_set: could not set record value
Could not change boolean dhcpc_exec_iptables
Could not change policy booleans
rpm -q selinux-policy
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0158.html