Bug 1285039

Summary: NSFS is unlabeled_t
Product: Fedora
Reporter: Eric Paris <eparis>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 23
CC: admiller, D8F55524, dominick.grift, dwalsh, lvrabec, mgrepl, plautrba, pmoore
Doc Type: Bug Fix
Type: Bug
Last Closed: 2016-01-18 15:31:59 UTC

Description Eric Paris 2015-11-24 17:54:12 UTC
Notice I said NSFS, not NFS. Don't dare close this bug blaming me for mislabeling :)

type=PROCTITLE msg=audit(11/24/2015 17:50:15.233:170) : proctitle=/usr/sbin/iptables --wait -t nat -C POSTROUTING -s 10.1.0.1/24 ! -o lbr0 -j MASQUERADE 
type=PATH msg=audit(11/24/2015 17:50:15.233:170) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=5454 dev=ca:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL 
type=PATH msg=audit(11/24/2015 17:50:15.233:170) : item=0 name=/usr/sbin/iptables inode=12881 dev=ca:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:iptables_exec_t:s0 nametype=NORMAL 
type=CWD msg=audit(11/24/2015 17:50:15.233:170) :  cwd=/ 
type=EXECVE msg=audit(11/24/2015 17:50:15.233:170) : argc=13 a0=/usr/sbin/iptables a1=--wait a2=-t a3=nat a4=-C a5=POSTROUTING a6=-s a7=10.1.0.1/24 a8=! a9=-o a10=lbr0 a11=-j a12=MASQUERADE 
type=SYSCALL msg=audit(11/24/2015 17:50:15.233:170) : arch=x86_64 syscall=execve success=yes exit=0 a0=0xc820287600 a1=0xc820388a10 a2=0xc820075ae0 a3=0x0 items=2 ppid=1102 pid=1188 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=iptables exe=/usr/sbin/xtables-multi subj=system_u:system_r:iptables_t:s0 key=(null) 
type=AVC msg=audit(11/24/2015 17:50:15.233:170) : avc:  denied  { read } for  pid=1188 comm=iptables path=net:[4026532017] dev="nsfs" ino=4026532017 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 

I believe that https://bugzilla.redhat.com/attachment.cgi?id=1090403&action=diff has a potential solution, but do not know if it is the correct solution.
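
The AVC record above is the whole evidence: the target is a file on dev="nsfs" (the network-namespace handle iptables opens when it runs inside a netns) and it carries unlabeled_t because the policy has no label for that filesystem. The shell snippet below is an added example, not part of the bug report or of selinux-policy: it picks out exactly that pattern from an audit stream so a practitioner can tell whether other domains hit the same unlabeled nsfs inode, and it shows the live check that reveals what label nsfs gets on the host where it runs. Function names are hypothetical, and the sample audit lines are constructed from the record in the report (the second line is an unrelated denial that must not match).

```shell
#!/bin/sh
# Added example, not code from the bug report or from selinux-policy.
# Function names are hypothetical; SAMPLE_AUDIT is constructed test input.

# Read audit records on stdin and print one line per AVC denial whose
# target lives on dev="nsfs" and is still unlabeled_t:
#   <scontext> <tclass> <path>
# Exit status 0 if at least one such record was seen, 1 otherwise.
# Works on both ausearch -i output (path=net:[...]) and raw audit.log
# lines (path="net:[...]"); surrounding quotes are stripped.
avc_nsfs_unlabeled() {
    awk '
        /type=AVC/ && /dev="nsfs"/ && /tcontext=[^ ]*:unlabeled_t:/ {
            s = p = c = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) s = substr($i, 10)
                if ($i ~ /^path=/)     p = substr($i, 6)
                if ($i ~ /^tclass=/)   c = substr($i, 8)
            }
            gsub(/"/, "", p)
            print s, c, p
            found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Live check on an SELinux host: the context of the nsfs inode behind
# /proc/self/ns/net.  -L is needed because the ns entries are magic
# symlinks; without it stat reports the proc entry, not the nsfs file.
# A policy without a label for nsfs prints ...:unlabeled_t:... here.
nsfs_live_label() {
    [ -d /sys/fs/selinux ] || { echo "SELinux not enabled" >&2; return 2; }
    stat -L -c '%C' /proc/self/ns/net
}

# Constructed sample: first line mirrors the AVC in the report, second is
# an unrelated denial on a regular filesystem and must not be reported.
SAMPLE_AUDIT='type=AVC msg=audit(11/24/2015 17:50:15.233:170) : avc:  denied  { read } for  pid=1188 comm=iptables path=net:[4026532017] dev="nsfs" ino=4026532017 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
type=AVC msg=audit(11/24/2015 17:50:16.001:171) : avc:  denied  { read } for  pid=1200 comm=cat path=/etc/shadow dev="xvda1" ino=12345 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0'

# Usage: feed real data with  ausearch -m AVC -i | avc_nsfs_unlabeled
# or run against the constructed sample:
#   printf '%s\n' "$SAMPLE_AUDIT" | avc_nsfs_unlabeled
```

Every distinct scontext the first function prints is a domain that will need read access to the nsfs type once the filesystem is labeled, so its output is also a worklist for the policy change rather than just a confirmation that the denial reproduces.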

Comment 1 Eric Paris 2015-11-24 17:58:44 UTC
Notice that this is also discussed in:
https://bugzilla.redhat.com/show_bug.cgi?id=1234757#c7 (incorrectly closed NOTABUG)

And also in
https://bugzilla.redhat.com/show_bug.cgi?id=1206751

Comment 2 Lukas Vrabec 2016-01-18 15:31:59 UTC

*** This bug has been marked as a duplicate of bug 1296826 ***