[DSE-User] iptables trying to access initrc_t:unix_stream_socket and var_log_t:file

Dennison Williams dennison.williams at gmail.com
Fri Mar 26 21:41:13 UTC 2010


I have a live system that I am trying to get a custom selinux policy
written for.  The system is currently running in permissive mode so that
I can examine the audit2allow messages to determine if I need to add
custom rules.  The process of figuring out how to determine what is
causing an audit rule has been difficult to say the least.

I am currently working on a set of rules for iptables and am trying to
find the source of the audit rule so that I can determine if it is
appropriate to add the rule or if I need to set a custom file system
context.  Any help in determining the source of this would be appreciated.

The audit2allow rules are:

allow iptables_t initrc_t:unix_stream_socket { read write };
allow iptables_t var_log_t:file append;

It seems that the corresponding messages in my log file are:
Mar 26 01:18:41 server kernel: audit(1269591521.046:110269): avc: 
denied  { read write } for  pid=15476 comm="iptables"
path="socket:[43035]" dev=sockfs ino=43035
scontext=system_u:system_r:iptables_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
Mar 26 01:18:41 server kernel: audit(1269591521.046:110270): avc: 
denied  { append } for  pid=15476 comm="iptables"
path=2F7661722F6C6F672F6661696C3262616E2E6C6F672E31202864656C6574656429
dev=sda5 ino=23963356 scontext=system_u:system_r:iptables_t:s0
tcontext=system_u:object_r:var_log_t:s0 tclass=file

As you can see the messages come in pairs.  The frequency is about 8
times a day at the following times:
Mar 25 01:02:25
Mar 25 01:12:25
Mar 25 19:51:46
Mar 25 20:01:46
Mar 25 21:20:30
Mar 25 21:30:30
Mar 25 21:41:14
Mar 25 21:51:14

Since there are a few times that this happens on 10 minute intervals I
thought this might correspond to some cron job that is happening, but I
can't find anything that matches that frequency.  I am pretty sure this
is an issue with fail2ban, for which there is no module in
selinux-policy-refpolicy-targeted.

Any feedback is appreciated.

Sincerely,
Dennison Williams
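As an added example (not code from this post), the script below parses the two AVC records quoted above, decodes the hex-encoded path in the second one (the kernel hex-encodes a path when it contains a space or other awkward byte) and groups denials by timestamp, pid and comm to show that the pair comes from one run of the iptables binary. The field names and the grouping key are my own choice.

```python
import re
from collections import defaultdict

# Both AVC records are copied from the post above, with the mail-archive
# line wrapping joined so that each record is on one line again.
AVC_LINES = [
    'Mar 26 01:18:41 server kernel: audit(1269591521.046:110269): avc: '
    'denied  { read write } for  pid=15476 comm="iptables" '
    'path="socket:[43035]" dev=sockfs ino=43035 '
    'scontext=system_u:system_r:iptables_t:s0 '
    'tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket',
    'Mar 26 01:18:41 server kernel: audit(1269591521.046:110270): avc: '
    'denied  { append } for  pid=15476 comm="iptables" '
    'path=2F7661722F6C6F672F6661696C3262616E2E6C6F672E31202864656C6574656429 '
    'dev=sda5 ino=23963356 scontext=system_u:system_r:iptables_t:s0 '
    'tcontext=system_u:object_r:var_log_t:s0 tclass=file',
]

AVC_RE = re.compile(r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+denied\s+'
                    r'\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_path(value):
    """Quoted paths are literal; the kernel hex-encodes a path containing a
    space or other awkward byte (here " (deleted)") and leaves it unquoted."""
    if value.startswith('"'):
        return value.strip('"')
    if len(value) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', value):
        return bytes.fromhex(value).decode('utf-8', errors='replace')
    return value

def parse_avc(line):
    """Return the AVC record's fields as a dict, or None for a non-AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'ts': m.group('ts'), 'serial': int(m.group('serial')),
           'perms': m.group('perms').split()}
    for key, val in FIELD_RE.findall(m.group('fields')):
        rec[key] = decode_path(val) if key == 'path' else val.strip('"')
    return rec

def group_by_process(lines):
    """Group denials by (timestamp, pid, comm); the post's two records share
    all three, i.e. they come from a single run of the iptables binary."""
    groups = defaultdict(list)
    for rec in filter(None, map(parse_avc, lines)):
        groups[(rec['ts'], rec['pid'], rec['comm'])].append(rec)
    return dict(groups)

if __name__ == '__main__':
    for rec in filter(None, map(parse_avc, AVC_LINES)):
        print(rec['serial'], rec['tclass'], rec['perms'], rec['path'])
```

Decoding the second record's path yields /var/log/fail2ban.log.1 (deleted), so the append denial is against an unlinked, rotated fail2ban log rather than a socket or a live log file.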