Hi, I am using SELinux on a Fedora 10 system with the following SELinux rules 
applied:

chcon -R -t httpd_sys_content_t '/var/www/html/ossec/'
chcon -t httpd_sys_content_t '/var/ossec'
chcon -R -t httpd_sys_content_t '/var/ossec/logs/'

chcon -R -t httpd_sys_content_t '/var/ossec/queue/agent-info/'
chcon -R -t httpd_sys_content_t '/var/ossec/queue/syscheck'
chcon -R -t httpd_sys_content_t '/var/ossec/stats/'

However, when active response goes to write a block to iptables I get an SELinux 
denial, though it does write an ALL:"IP ADDRESS" to /etc/hosts.deny. The 
necessary SELinux info is below. Is there any way to get SELinux to allow this, as I am 
not sure? Thanks.

Source Context:  unconfined_u:system_r:iptables_t:s0
Target Context:  unconfined_u:system_r:initrc_t:s0
Target Objects:  socket [ unix_dgram_socket ]
Source:  iptables
Source Path:  /sbin/iptables
Port:  <Unknown>

node=WASLOCALHOST.NAME type=AVC msg=audit(1234463100.317:82): avc: denied { 
read write } for pid=6263 comm="iptables" path="socket:[200088]" dev=sockfs 
ino=200088 scontext=unconfined_u:system_r:iptables_t:s0 
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_dgram_socket 

node=WASLOCALHOST.NAME type=AVC msg=audit(1234463100.317:82): avc: denied { 
read } for pid=6263 comm="iptables" path="/var/ossec/etc/shared/ar.conf" 
dev=sda11 ino=48513 scontext=unconfined_u:system_r:iptables_t:s0 
tcontext=unconfined_u:object_r:var_t:s0 tclass=file 

node=WASLOCALHOST.NAME type=SYSCALL msg=audit(1234463100.317:82): arch=40000003 
syscall=11 success=yes exit=0 a0=8ec18a8 a1=8ec1650 a2=8ebab00 a3=0 items=0 
ppid=6227 pid=6263 auid=500 uid=0 gid=501 euid=0 suid=0 fsuid=0 egid=501 
sgid=501 fsgid=501 tty=(none) ses=1 comm="iptables" exe="/sbin/iptables" 
subj=unconfined_u:system_r:iptables_t:s0 key=(null)

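The two AVC records above are exactly the input a local policy module is built from. As an added example that is not part of the original post, the script below does by hand what `audit2allow` does: it parses each `avc: denied` line into an `allow <source type> <target type>:<class> { perms };` rule and wraps the rules in a `.te` module with the `require` block that `checkmodule` needs. The AVC text is the two records from the post joined onto single lines; the module name `ossec_iptables` is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): translate raw SELinux AVC
# denials into the allow rules of a local policy module, the same mapping
# audit2allow performs, done with POSIX text tools so it runs anywhere.

# The two denials from the post, each record joined onto one line.
AVC_LINES='node=WASLOCALHOST.NAME type=AVC msg=audit(1234463100.317:82): avc: denied { read write } for pid=6263 comm="iptables" path="socket:[200088]" dev=sockfs ino=200088 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_dgram_socket
node=WASLOCALHOST.NAME type=AVC msg=audit(1234463100.317:82): avc: denied { read } for pid=6263 comm="iptables" path="/var/ossec/etc/shared/ar.conf" dev=sda11 ino=48513 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file'

# avc_to_allow: read AVC lines on stdin, print one allow rule per denial.
# A context is user:role:type:level; only the type field matters for the rule.
avc_to_allow() {
  sed -n 's/.*avc: *denied *{ *\([^}]*\)} .*scontext=[^:]*:[^:]*:\([^:]*\):[^ ]* .*tcontext=[^:]*:[^:]*:\([^:]*\):[^ ]* .*tclass=\([^ ]*\).*/allow \2 \3:\4 { \1};/p'
}

# make_te_module NAME: read AVC lines on stdin, print a complete .te module.
# The require block must declare every type and every class/permission the
# allow rules reference, or checkmodule rejects the module.
make_te_module() {
  rules=$(avc_to_allow)
  printf 'module %s 1.0;\n\nrequire {\n' "$1"
  # one "type" line per distinct source or target type
  printf '%s\n' "$rules" | awk '{ split($3, t, ":"); print $2; print t[1] }' \
    | sort -u | sed 's/.*/    type &;/'
  # one "class" line per denial, listing the permissions that denial needs
  printf '%s\n' "$rules" | awk '{
      split($3, t, ":"); p = ""
      for (i = 5; i <= NF && $i !~ /^}/; i++) p = p " " $i
      printf "    class %s {%s };\n", t[2], p
    }'
  printf '}\n\n%s\n' "$rules"
}

# Stand-alone use: print the module for the two denials from the post.
printf '%s\n' "$AVC_LINES" | make_te_module ossec_iptables
```

On a real Fedora box the equivalent is `grep iptables /var/log/audit/audit.log | audit2allow -M ossec_iptables` followed by `semodule -i ossec_iptables.pp`. Two caveats a practitioner would raise before installing such a module. First, the second denial's target is `var_t`, the generic label of `/var`: `/var/ossec/etc/shared/ar.conf` was never relabeled by the `chcon` runs in the post, so an `allow iptables_t var_t:file read` rule grants iptables read access to every generic file under `/var`, which is far broader than intended; giving that file a more specific type is the tighter fix. Second, the `unix_dgram_socket` denial is on an inherited descriptor (`path="socket:[200088]"` during an `execve`, syscall 11 on i386), i.e. the active-response process running as `initrc_t` left a datagram socket open across the `exec` of `/sbin/iptables`; closing it before `exec` avoids the need for that rule altogether.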