#800645 iptables: leaks a file handle for a Unix domain socket when executing modprobe

Package:
iptables
Source:
iptables
Description:
administration tools for packet filtering and NAT
Submitter:
Russell Coker
Date:
2015-10-02 05:03:05 UTC
Severity:
normal
#800645#5
Date:
2015-10-02 04:59:11 UTC
type=AVC msg=audit(1443760532.924:27): avc:  denied  { read write } for
pid=273 comm="modprobe" path="socket:[8859]" dev="sockfs" ino=8859
scontext=system_u:system_r:insmod_t:s0
tcontext=system_u:system_r:iptables_t:s0 tclass=unix_stream_socket
permissive=0

When booting a SE Linux system in the "strict" configuration the above error is logged on boot. iptables needs to either close the file handle for the Unix domain socket before executing modprobe or set it to close on exec.

While this is mostly a cosmetic error, it has the potential for unexpected behavior on a non-SE system if modprobe were to try to access that file handle.
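The two remedies the report names, closing the descriptor or marking it close-on-exec, can be checked from userspace with fcntl(2). The following is an added example written for this page; it is not iptables code and does not reproduce how iptables opens its socket. It creates a Unix domain socket the way the leak arises (no close-on-exec flag), shows it is inheritable, then applies FD_CLOEXEC after the fact, and finally creates a second socket with SOCK_CLOEXEC (a Linux-specific flag) so the descriptor is never inheritable at all. The helper names is_cloexec, mark_cloexec and demo are this example's own.

```c
/* Added example (not iptables code): making a Unix domain socket
 * close-on-exec so a child such as modprobe does not inherit it. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <sys/socket.h>
#include <unistd.h>

/* Return 1 if fd carries FD_CLOEXEC, 0 if it would survive execve(), -1 on error. */
int is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Set FD_CLOEXEC on an already-open descriptor without disturbing other
 * descriptor flags. Returns 0 on success, -1 on error. */
int mark_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    if (flags & FD_CLOEXEC)
        return 0;            /* already safe */
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Walk through both remedies. Returns 1 when every check passes, 0 otherwise. */
int demo(void)
{
    int ok = 1;

    /* 1. The leaky pattern: a plain AF_UNIX socket is inherited across exec. */
    int leaky = socket(AF_UNIX, SOCK_STREAM, 0);
    if (leaky < 0)
        return 0;
    if (is_cloexec(leaky) != 0)
        ok = 0;
    /* Fix after the fact: flag it before any fork()/execve() of modprobe. */
    if (mark_cloexec(leaky) != 0 || is_cloexec(leaky) != 1)
        ok = 0;
    close(leaky);

    /* 2. The atomic fix: ask for SOCK_CLOEXEC at creation time (Linux-specific),
     *    so there is no window in which a concurrently forked child sees it. */
    int safe = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
    if (safe < 0)
        return 0;
    if (is_cloexec(safe) != 1)
        ok = 0;
    close(safe);

    return ok;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

Setting SOCK_CLOEXEC at creation is preferable to a later fcntl() call in a multi-threaded program, because another thread may fork between socket() and fcntl(). On a Linux host, the descriptors a child actually inherited can be listed under /proc/<pid>/fd, which is a quick way to confirm a fix of this kind without SELinux in enforcing mode.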