Bug 1308622

Summary: SELinux blocks iptables on Fedora Atomic 23
Product: [Fedora] Fedora Reporter: Lukas Vrabec <lvrabec>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: high    
Version: 22CC: dominick.grift, dperpeet, dwalsh, eparis, extras-qa, lvrabec, mgrepl, mvollmer, plautrba, stefw, walters, zmoravec
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-128.27.fc22 selinux-policy-3.13.1-128.28.fc22 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1296826 Environment:
Last Closed: 2016-05-10 17:56:53 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1296826    
Bug Blocks:    

Description Lukas Vrabec 2016-02-15 15:57:24 UTC 
+++ This bug was initially created as a clone of Bug #1296826 +++

Description of problem:

When booting Fedora Atomic 23 we get AVC's about iptables in the journal:

Jan 08 08:35:52 localhost.localdomain.localdomain audit[962]: AVC avc:  denied  { read } for  pid=962 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[963]: AVC avc:  denied  { read } for  pid=963 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[964]: AVC avc:  denied  { read } for  pid=964 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[969]: AVC avc:  denied  { read } for  pid=969 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[970]: AVC avc:  denied  { read } for  pid=970 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[971]: AVC avc:  denied  { read } for  pid=971 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[972]: AVC avc:  denied  { read } for  pid=972 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[973]: AVC avc:  denied  { read } for  pid=973 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[974]: AVC avc:  denied  { read } for  pid=974 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[975]: AVC avc:  denied  { read } for  pid=975 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[976]: AVC avc:  denied  { read } for  pid=976 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[980]: AVC avc:  denied  { read } for  pid=980 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[981]: AVC avc:  denied  { read } for  pid=981 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[982]: AVC avc:  denied  { read } for  pid=982 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[983]: AVC avc:  denied  { read } for  pid=983 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[984]: AVC avc:  denied  { read } for  pid=984 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[985]: AVC avc:  denied  { read } for  pid=985 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[986]: AVC avc:  denied  { read } for  pid=986 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[987]: AVC avc:  denied  { read } for  pid=987 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[988]: AVC avc:  denied  { read } for  pid=988 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[989]: AVC avc:  denied  { read } for  pid=989 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[990]: AVC avc:  denied  { read } for  pid=990 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0


Version-Release number of selected component (if applicable):

iptables-1.4.21-15.fc23.x86_64
selinux-policy-targeted-3.13.1-157.fc23.noarch
selinux-policy-3.13.1-157.fc23.noarch
kernel-4.2.7-300.fc23.x86_64
package firewalld is not installed

* 2015-12-20 06:44:31     23.38     aab6ef55dd     fedora-atomic     fedora-atomic:fedora-atomic/f23/x86_64/docker-host     


How reproducible:

Every boot.

Steps to Reproduce:
1. git clone https://github.com/cockpit-project/cockpit
2. cd cockpit
3. sudo test/vm-prep
4. test/vm-run fedora-atomic
5. Login with 'root' 'foobar
6. journalctl -a | grep avc

Actual results:

See AVC's above

Expected results:

No AVC's

This issue was found via the Cockpit integration tests.

This issue does not occur on a stock Fedora 23 Server. Perhaps because firewalld is present (just a guess).

--- Additional comment from Miroslav Grepl on 2016-01-08 04:10:09 EST ---

There is ongoing SELinux upstream discussion about it.

--- Additional comment from Miroslav Grepl on 2016-01-08 04:11:18 EST ---

Basically it is about nsfs labeling.

--- Additional comment from Lukas Vrabec on 2016-01-18 10:31:59 EST ---



--- Additional comment from Lukas Vrabec on 2016-01-18 10:33:01 EST ---



--- Additional comment from Lukas Vrabec on 2016-01-19 09:39:40 EST ---

commit 2adcd19ff15912786123221fbacde8504ce6bca5
Author: Lukas Vrabec <lvrabec>
Date:   Tue Jan 19 15:37:55 2016 +0100

    Allow iptables to read nsfs files. BZ(1296826)

--- Additional comment from Fedora Update System on 2016-02-03 07:02:22 EST ---

selinux-policy-3.13.1-158.4.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-2aa7777f21

--- Additional comment from Fedora Update System on 2016-02-03 18:00:18 EST ---

selinux-policy-3.13.1-158.4.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-2aa7777f21

--- Additional comment from Fedora Update System on 2016-02-07 00:23:50 EST ---

selinux-policy-3.13.1-158.4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 1 Lukas Vrabec 2016-02-15 16:09:41 UTC 
commit 68ca1e716b8565548dd442b0ce7ff74c9c95e1d8
Author: Lukas Vrabec <lvrabec>
Date:   Tue Jan 19 15:37:55 2016 +0100

    Allow iptables to read nsfs files. BZ(1308622)
Comment 2 Fedora Update System 2016-02-15 17:46:20 UTC 
selinux-policy-3.13.1-128.27.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab
Comment 3 Fedora Update System 2016-02-17 06:25:49 UTC 
selinux-policy-3.13.1-128.27.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab
Comment 4 Fedora Update System 2016-02-18 12:27:03 UTC 
selinux-policy-3.13.1-128.28.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab
Comment 5 Fedora Update System 2016-02-21 18:28:48 UTC 
selinux-policy-3.13.1-128.28.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab
Comment 6 Fedora Update System 2016-05-10 17:55:33 UTC 
selinux-policy-3.13.1-128.28.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.