Re: iptables denied by selinux
- From: Antonio Olivares <olivares14031 yahoo com>
- To: Fedora SELinux support list <fedora-selinux-list redhat com>, Paul Howarth <paul city-fan org>
- Cc:
- Subject: Re: iptables denied by selinux
- Date: Thu, 11 Dec 2008 05:08:32 -0800 (PST)
--- On Thu, 12/11/08, Paul Howarth <paul city-fan org> wrote:
> From: Paul Howarth <paul city-fan org>
> Subject: Re: iptables denied by selinux
> To: olivares14031 yahoo com, "Fedora SELinux support list" <fedora-selinux-list redhat com>
> Date: Thursday, December 11, 2008, 1:38 AM
> Antonio Olivares wrote:
> > Dear all,
> >
> > I have still yet to make the dhcpd server work because of selinux. I have been patient, but I am getting frustrated :(
> >
> > [olivares localhost ~]$ dmesg | grep avc
> > type=1400 audit(1228956840.530:4): avc: denied { write } for pid=1499 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
> > [olivares localhost ~]$
> >
> > I have already run touch /.autorelabel; reboot and all of the other denials have been cleared but this one. I am not yet taking selinux off or getting that desperate, because when I booted in enforcing=0 mode for other troubles, the dhcpd server still did not work, but the iptables message was still there :(
> >
> > Please advise me, I do not want to throw the towel yet!
>
> Why do you think the DHCP server problem is SELinux
> related? The AVC here appears to be from starting the
> ip6tables service, and you say that the DHCP server still
> doesn't work in permissive mode...
>
> What, if any, messages do you see in /var/log/messages from
> dhcpd?
>
> Paul.
Well, I overlooked the 6 in ip6tables-resto and blamed it on selinux. Mr. Walsh added it to the policy to fix the other selinux error, but the machines on the DHCP server get IPs, DNS and all and cannot surf, so I easily blamed it on selinux. Sorry for that. What else could be interfering here?
Here's output of tail -f /var/log/messages:
Dec 11 07:01:32 localhost dhcpd: DHCPDISCOVER from 00:d0:b7:c1:09:58 via eth1
Dec 11 07:01:33 localhost dhcpd: DHCPOFFER on 192.168.0.2 to 00:d0:b7:c1:09:58 (6355-hthhzebqqx) via eth1
Dec 11 07:01:33 localhost dhcpd: Wrote 3 leases to leases file.
Dec 11 07:01:33 localhost dhcpd: DHCPREQUEST for 192.168.0.2 (192.168.0.1) from 00:d0:b7:c1:09:58 (6355-hthhzebqqx) via eth1
Dec 11 07:01:33 localhost dhcpd: DHCPACK on 192.168.0.2 to 00:d0:b7:c1:09:58 (6355-hthhzebqqx) via eth1
Dec 11 07:02:34 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
Dec 11 07:02:34 localhost dhcpd: DHCPACK to 192.168.0.2 (00:d0:b7:c1:09:58) via eth1
Dec 11 07:02:37 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
Dec 11 07:02:37 localhost dhcpd: DHCPACK to 192.168.0.2 (00:d0:b7:c1:09:58) via eth1
Dec 11 07:02:53 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
Dec 11 07:02:53 localhost dhcpd: DHCPACK to 192.168.0.2 (00:d0:b7:c1:09:58) via eth1
Dec 11 07:02:57 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
Dec 11 07:02:57 localhost dhcpd: DHCPACK to 192.168.0.2 (00:d0:b7:c1:09:58) via eth1
Dec 11 07:04:09 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
Dec 11 07:04:09 localhost dhcpd: DHCPACK to 192.168.0.2 (00:d0:b7:c1:09:58) via eth1
Dec 11 07:04:13 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
Dec 11 07:04:13 localhost dhcpd: DHCPACK to 192.168.0.2 (00:d0:b7:c1:09:58) via eth1
Dec 11 07:04:21 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
Dec 11 07:04:21 localhost dhcpd: DHCPACK to 192.168.0.2 (00:d0:b7:c1:09:58) via eth1
Dec 11 07:04:25 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
Dec 11 07:04:25 localhost dhcpd: DHCPACK to 192.168.0.2 (00:d0:b7:c1:09:58) via eth1
Sorry but I overlooked the 6 in the selinux denied avc. Does it make a difference with the server?
Thanks,
Antonio
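
An added example, not part of the original messages: a small Python parser for the AVC record quoted above that pulls out the command name and the source and target types, so a denial can be checked against the service actually being debugged. The helper names and the use of `dhcpd_t` as the DHCP server's domain are assumptions of this example; the sample line is the thread's record joined onto one line.

```python
import re

# Constructed sample: the AVC record quoted in the thread, joined onto one line.
SAMPLE = (
    'type=1400 audit(1228956840.530:4): avc: denied { write } for pid=1499 '
    'comm="ip6tables-resto" path="/0" dev=devpts ino=2 '
    'scontext=system_u:system_r:iptables_t:s0 '
    'tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file'
)

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
COMM_MAX = 15  # the kernel keeps at most 15 characters of a task name


def context_type(context):
    """Return the type field of a user:role:type[:level] context, or None."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one AVC record into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'result': m.group(1), 'perms': m.group(2).split()}
    for key, val in KV_RE.findall(m.group(3)):
        rec[key] = val.strip('"')
    rec['source_type'] = context_type(rec.get('scontext', ''))
    rec['target_type'] = context_type(rec.get('tcontext', ''))
    # A 15-character comm is probably cut short ("ip6tables-resto" for
    # ip6tables-restore), so match it by prefix, never by equality.
    rec['comm_maybe_truncated'] = len(rec.get('comm', '')) >= COMM_MAX
    return rec


def involves_type(rec, selinux_type):
    """True if the denial's source or target type is selinux_type."""
    return selinux_type in (rec['source_type'], rec['target_type'])


if __name__ == '__main__':
    rec = parse_avc(SAMPLE)
    print(rec['comm'], rec['source_type'], '->', rec['target_type'], rec['perms'])
    # dhcpd_t is assumed here to be the DHCP server's domain.
    print('involves dhcpd_t:', involves_type(rec, 'dhcpd_t'))
```

For the record in this thread the source type is `iptables_t` and the target is `devpts_t`, so the denial does not involve the DHCP server's domain at all.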