Bug 2149948

Summary: iptables creates AVCs on /sys/fs/cgroup
Product: Red Hat Enterprise Linux 8
Reporter: Renaud Métrich <rmetrich>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Docs Contact:
Priority: medium
Version: 8.7
CC: lvrabec, mmalik, nknazeko, ssekidde, vbhope
Target Milestone: rc
Keywords: Triaged
Target Release: 8.8
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-12-02 08:53:44 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Renaud Métrich 2022-12-01 12:26:24 UTC
Description of problem:

A customer reports AVCs when iptables is executing, e.g.:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
type=PROCTITLE ... : proctitle=iptables -w 5 -W 100000 -S KUBE-PROXY-CANARY -t mangle 
type=EXECVE ... : argc=9 a0=iptables a1=-w a2=5 a3=-W a4=100000 a5=-S a6=KUBE-PROXY-CANARY a7=-t a8=mangle 
type=SYSCALL ... : arch=x86_64 syscall=execve success=yes exit=0 a0=0xc00efb61f8 a1=0xc00536e870 a2=0xc00536e8c0 a3=0x0 items=0 ppid=127049 pid=3581642 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=iptables exe=/usr/sbin/xtables-nft-multi subj=system_u:system_r:iptables_t:s0 key=(null) 
type=AVC ... : avc:  denied  { ioctl } for  pid=3581642 comm=iptables path=/sys/fs/cgroup dev="tmpfs" ino=1222 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0 
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Apparently this was a well-known issue on Fedora which was fixed by https://github.com/fedora-selinux/selinux-policy/pull/1083/files

Please backport this to RHEL8.


Version-Release number of selected component (if applicable):

selinux-policy-3.14.3-108.el8.noarch

How reproducible:

Always on customer system
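
As an added example, not part of the bug report or of selinux-policy: a small Python parser that pulls the fields out of the AVC record quoted above, flags exactly the denial this bug describes (iptables_t doing ioctl on a cgroup_t directory while enforcing), and prints the allow rule audit2allow would derive from it so an administrator can compare it with the backported policy change. The second log line and all function names are constructed for this example.

```python
import re

# Sample audit records. The first is the AVC quoted in this bug report; the second
# is a constructed, unrelated denial used to show that the filter ignores it.
SAMPLE_LOG = [
    'type=AVC ... : avc:  denied  { ioctl } for  pid=3581642 comm=iptables path=/sys/fs/cgroup dev="tmpfs" ino=1222 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0',
    'type=AVC ... : avc:  denied  { read } for  pid=4242 comm=httpd path=/var/www/private dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
]

AVC_RE = re.compile(r'avc:\s+(?P<decision>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the AVC as a dict (decision, perms, key=value fields, and the bare
    type of each context), or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"decision": m.group("decision"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A context is user:role:type[:level]; the type is what TE rules name.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec

def is_iptables_cgroup_denial(rec):
    """True for the denial this bug is about: iptables_t doing ioctl on a
    cgroup_t directory; permissive=0 means the call was actually blocked."""
    return (rec is not None and rec["decision"] == "denied"
            and rec.get("scontext_type") == "iptables_t"
            and rec.get("tcontext_type") == "cgroup_t"
            and rec.get("tclass") == "dir" and "ioctl" in rec["perms"]
            and rec.get("permissive") == "0")

def allow_rule(rec):
    """The TE allow rule audit2allow would derive from this record, for
    comparison with the upstream fix; it is not the fix itself."""
    return "allow %s %s:%s { %s };" % (rec["scontext_type"], rec["tcontext_type"],
                                      rec["tclass"], " ".join(rec["perms"]))

def find_affected(lines):
    """Scan audit lines and return the parsed records matching this bug."""
    return [r for r in map(parse_avc, lines) if is_iptables_cgroup_denial(r)]

if __name__ == "__main__":
    for rec in find_affected(SAMPLE_LOG):
        print("pid=%s comm=%s -> %s" % (rec["pid"], rec["comm"], allow_rule(rec)))
```

On a live system the same functions can be fed the output of `ausearch -m AVC` line by line instead of SAMPLE_LOG.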

Comment 1 Zdenek Pytela 2022-12-02 08:53:44 UTC
Fixed in RHEL 8.8.

*** This bug has been marked as a duplicate of bug 2134820 ***