[DSE-User] iptables trying to access initrc_t:unix_stream_socket and var_log_t:file
Dennison Williams
dennison.williams at gmail.com
Fri Mar 26 21:41:13 UTC 2010
I have a live system that I am trying to get a custom SELinux policy
written for. The system is currently running in permissive mode so that
I can examine the audit2allow messages to determine if I need to add
custom rules. The process of figuring out how to determine what is
causing an audit rule has been difficult, to say the least.
I am currently working on a set of rules for iptables and am trying to
find the source of the audit rule so that I can determine if it is
appropriate to add the rule or if I need to set a custom file system
context. Any help in determining the source of this would be appreciated.
The audit2allow rules are:
allow iptables_t initrc_t:unix_stream_socket { read write };
allow iptables_t var_log_t:file append;
It seems that the corresponding messages in my log file are:
Mar 26 01:18:41 server kernel: audit(1269591521.046:110269): avc:
denied { read write } for pid=15476 comm="iptables"
path="socket:[43035]" dev=sockfs ino=43035
scontext=system_u:system_r:iptables_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
Mar 26 01:18:41 server kernel: audit(1269591521.046:110270): avc:
denied { append } for pid=15476 comm="iptables"
path=2F7661722F6C6F672F6661696C3262616E2E6C6F672E31202864656C6574656429
dev=sda5 ino=23963356 scontext=system_u:system_r:iptables_t:s0
tcontext=system_u:object_r:var_log_t:s0 tclass=file
As you can see, the messages come in pairs. The frequency is about 8
times a day, at the following times:
Mar 25 01:02:25
Mar 25 01:12:25
Mar 25 19:51:46
Mar 25 20:01:46
Mar 25 21:20:30
Mar 25 21:30:30
Mar 25 21:41:14
Mar 25 21:51:14
Since there are a few times that this happens on 10-minute intervals, I
thought this might correspond to some cron job that is happening, but I
can't find anything that matches that frequency. I am pretty sure this
is an issue with fail2ban, for which there is no module in
selinux-policy-refpolicy-targeted.
Any feedback is appreciated.
Sincerely,
Dennison Williams
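
The `path=` value in the second denial above is not quoted: the audit subsystem writes untrusted strings as bare hex when they contain spaces or other unsafe characters. The following is an added example, not part of the original post, that parses the two quoted AVC records and decodes such fields; the function names and the set of hex-encodable fields are assumptions of this example.

```python
import re

# Constructed sample: the two AVC records quoted in the post, with the
# mail-wrapped lines rejoined so each record is on one line.
SAMPLE_LOG = (
    'Mar 26 01:18:41 server kernel: audit(1269591521.046:110269): avc: '
    'denied { read write } for pid=15476 comm="iptables" '
    'path="socket:[43035]" dev=sockfs ino=43035 '
    'scontext=system_u:system_r:iptables_t:s0 '
    'tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket\n'
    'Mar 26 01:18:41 server kernel: audit(1269591521.046:110270): avc: '
    'denied { append } for pid=15476 comm="iptables" '
    'path=2F7661722F6C6F672F6661696C3262616E2E6C6F672E31202864656C6574656429 '
    'dev=sda5 ino=23963356 scontext=system_u:system_r:iptables_t:s0 '
    'tcontext=system_u:object_r:var_log_t:s0 tclass=file\n'
)

AVC_RE = re.compile(r"audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+"
                    r"\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumed set of fields carrying untrusted strings: quoted when safe, bare hex otherwise.
ENCODABLE = {"path", "name", "comm", "exe"}

def decode_value(key, raw):
    """Strip quotes from literal values; hex-decode bare values of ENCODABLE fields."""
    if raw.startswith('"'):
        return raw.strip('"')
    if key in ENCODABLE and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", raw):
        return bytes.fromhex(raw).decode("utf-8", errors="backslashreplace")
    return raw

def parse_avc(line):
    """Return one denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: decode_value(k, v) for k, v in FIELD_RE.findall(m["fields"])}
    if "scontext" not in rec or "tcontext" not in rec:
        return None
    rec["serial"] = int(m["serial"])
    rec["perms"] = m["perms"].split()
    # SELinux contexts are user:role:type:level; the type drives policy rules.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec

def parse_log(text):
    return [r for r in map(parse_avc, text.splitlines()) if r]

if __name__ == "__main__":
    for r in parse_log(SAMPLE_LOG):
        print(r["source_type"], r["target_type"], r["tclass"], r["perms"], r["path"])
```

For the second record the decoded path is `/var/log/fail2ban.log.1 (deleted)`, a rotated fail2ban log file.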