Maan
Mission Specialist

SELinux denied issue - iptables_t plymouthd_t:unix_stream_socket connectto

We have Amazon Linux 2 with SELinux enabled on it.

From the audit.log file, we have the following denial:

type=AVC msg=audit(1645462240.556:179): avc:  denied  { connectto } for  pid=7329 comm="plymouth" path=002F6F72672F667265656465736B746F702F706C796D6F75746864 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:plymouthd_t:s0 tclass=unix_stream_socket permissive=0

Was caused by:
    Missing type enforcement (TE) allow rule.

    You can use audit2allow to generate a loadable module to allow this access.

I tried to generate a custom SELinux module using these commands:

sudo grep "plymouth" /var/log/audit/audit.log | audit2allow -M myip
sudo semodule -i myip.pp

but we got this in the logs:

type=AVC msg=audit(1645462240.556:179): avc:  denied  { connectto } for  pid=7329 comm="plymouth" path=002F6F72672F667265656465736B746F702F706C796D6F75746864 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:plymouthd_t:s0 tclass=unix_stream_socket permissive=0

Was caused by:
    Unknown - would be allowed by active policy
    Possible mismatch between this policy and the one under which the audit message was generated.

    Possible mismatch between current in-memory boolean settings vs. permanent ones.

Can anyone please help me solve this issue?

2 Replies
wojlys
Mission Specialist

Looks like Plymouth is running in the wrong SELinux context.
The target (socket) expects it to be plymouthd_t, but the source (application or daemon) is set to iptables_t.
I'm no SELinux expert, but it looks like an issue or bug with selinux-policy. Have you tried to file a case with Red Hat?

Found something similar:

https://bugzilla.redhat.com/show_bug.cgi?id=1850540

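As an added illustration (not part of the question or of either reply), here is a small Python script that parses the AVC record quoted in the question into its fields, decodes the hex-encoded path (auditd hex-encodes a field that contains bytes it cannot print; the leading NUL marks an abstract Unix socket name), and shows the allow rule audit2allow derives from the record, which makes the source/target domain mismatch wojlys describes easy to see. The sample line is a constructed copy of the one in the question; the field names are the standard AVC ones.

```python
import re

# Constructed sample: the AVC record from the question above, unchanged.
AVC_LINE = (
    'type=AVC msg=audit(1645462240.556:179): avc:  denied  { connectto } for  '
    'pid=7329 comm="plymouth" '
    'path=002F6F72672F667265656465736B746F702F706C796D6F75746864 '
    'scontext=system_u:system_r:iptables_t:s0 '
    'tcontext=system_u:system_r:plymouthd_t:s0 '
    'tclass=unix_stream_socket permissive=0'
)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*)\}')
# Fields auditd normally quotes; when their value holds non-printable bytes
# (here a leading NUL) it is emitted as uppercase hex instead of a quoted string.
QUOTABLE_FIELDS = {'path', 'comm', 'name', 'exe', 'proctitle'}


def decode_audit_field(key, value):
    """Return the printable form of one key=value pair from an audit record."""
    if value.startswith('"'):
        return value.strip('"')
    if key in QUOTABLE_FIELDS and re.fullmatch(r'[0-9A-F]+', value) and len(value) % 2 == 0:
        return bytes.fromhex(value).decode('utf-8', errors='replace')
    return value


def parse_avc(line):
    """Split an AVC record into a dict, adding the bare source/target types."""
    m = PERMS_RE.search(line)
    if not m:
        raise ValueError('not an AVC record')
    rec = {'result': m.group(1), 'perms': m.group(2).split()}
    for key, val in FIELD_RE.findall(line):
        rec[key] = decode_audit_field(key, val)
    for ctx in ('scontext', 'tcontext'):
        rec[ctx + '_type'] = rec[ctx].split(':')[2]   # user:role:TYPE:level
    rec['abstract_socket'] = rec.get('path', '').startswith('\x00')
    return rec


def te_rule(rec):
    """The TE allow rule audit2allow would generate for this record."""
    return 'allow %s %s:%s { %s };' % (
        rec['scontext_type'], rec['tcontext_type'], rec['tclass'], ' '.join(rec['perms']))


def comm_matches_domain(rec):
    """Labelling sanity check: plymouth in iptables_t rather than plymouthd_t fails this."""
    return rec['scontext_type'].startswith(rec['comm'])
```

Running parse_avc on the record shows the socket is the abstract name "/org/freedesktop/plymouthd" and that comm "plymouth" is executing in iptables_t, so the generated rule only papers over a process that never transitioned to its own domain.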
EmanuelHaine
Flight Engineer

Have you tried changing the context using "semanage context"?
