Bug 1285039 - NSFS is unlabeled_t
Summary: NSFS is unlabeled_t
Keywords:
Status: CLOSED DUPLICATE of bug 1296826
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 23
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2015-11-24 17:54 UTC by Eric Paris
Modified: 2016-01-18 15:31 UTC
CC: 8 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-01-18 15:31:59 UTC
Type: Bug
Embargoed:



Description Eric Paris 2015-11-24 17:54:12 UTC
Notice I said NSFS, not NFS. Don't dare close this bug blaming me for mislabeling   :)

type=PROCTITLE msg=audit(11/24/2015 17:50:15.233:170) : proctitle=/usr/sbin/iptables --wait -t nat -C POSTROUTING -s 10.1.0.1/24 ! -o lbr0 -j MASQUERADE 
type=PATH msg=audit(11/24/2015 17:50:15.233:170) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=5454 dev=ca:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL 
type=PATH msg=audit(11/24/2015 17:50:15.233:170) : item=0 name=/usr/sbin/iptables inode=12881 dev=ca:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:iptables_exec_t:s0 nametype=NORMAL 
type=CWD msg=audit(11/24/2015 17:50:15.233:170) :  cwd=/ 
type=EXECVE msg=audit(11/24/2015 17:50:15.233:170) : argc=13 a0=/usr/sbin/iptables a1=--wait a2=-t a3=nat a4=-C a5=POSTROUTING a6=-s a7=10.1.0.1/24 a8=! a9=-o a10=lbr0 a11=-j a12=MASQUERADE 
type=SYSCALL msg=audit(11/24/2015 17:50:15.233:170) : arch=x86_64 syscall=execve success=yes exit=0 a0=0xc820287600 a1=0xc820388a10 a2=0xc820075ae0 a3=0x0 items=2 ppid=1102 pid=1188 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=iptables exe=/usr/sbin/xtables-multi subj=system_u:system_r:iptables_t:s0 key=(null) 
type=AVC msg=audit(11/24/2015 17:50:15.233:170) : avc:  denied  { read } for  pid=1188 comm=iptables path=net:[4026532017] dev="nsfs" ino=4026532017 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 

I believe that https://bugzilla.redhat.com/attachment.cgi?id=1090403&action=diff has a potential solution, but do not know if it is the correct solution.
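
The AVC above is the whole evidence in this report: iptables_t reading a network-namespace inode (path=net:[...] on dev="nsfs") and the kernel handing that inode back as unlabeled_t, so the denial is a labeling gap, not a missing allow rule for an existing type. The script below is an added triage example, not code from the report or from selinux-policy. It parses the AVC line copied from the report (plus one constructed, unrelated AVC) to pick out exactly this pattern, and on a box with SELinux mounted it prints the label the running kernel gives /proc/self/ns/net so you can see whether the policy on that system labels nsfs at all. The helper names (avc_field, is_unlabeled_nsfs_denial, describe_denial, live_nsfs_label) are this example's own.

```shell
#!/bin/sh
# Added example: triage SELinux AVC records for denials on unlabeled nsfs inodes.
# Not part of the bug report. The first sample line is the AVC from the report;
# the second is a constructed, unrelated denial used as a negative case.

SAMPLE_AVCS='type=AVC msg=audit(11/24/2015 17:50:15.233:170) : avc:  denied  { read } for  pid=1188 comm=iptables path=net:[4026532017] dev="nsfs" ino=4026532017 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
type=AVC msg=audit(11/24/2015 17:50:16.000:171) : avc:  denied  { write } for  pid=1200 comm=foo path=/var/tmp/x dev="dm-0" ino=42 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1'

# avc_field LINE KEY: print the value of KEY=value in an audit record
# (surrounding double quotes stripped); prints nothing if the key is absent.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# context_type CONTEXT: the type component (user:role:type:level -> type).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# is_unlabeled_nsfs_denial LINE: succeed only for an AVC denial whose target
# lives on nsfs and carries the unlabeled_t type, i.e. the case in this report.
is_unlabeled_nsfs_denial() {
    line=$1
    case $line in
        *"avc: "*"denied"*) ;;
        *) return 1 ;;
    esac
    [ "$(avc_field "$line" dev)" = "nsfs" ] || return 1
    [ "$(context_type "$(avc_field "$line" tcontext)")" = "unlabeled_t" ] || return 1
    return 0
}

# count_unlabeled_nsfs_denials: read audit records on stdin, print how many match.
count_unlabeled_nsfs_denials() {
    n=0
    while IFS= read -r line; do
        if is_unlabeled_nsfs_denial "$line"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# describe_denial LINE: one-line summary "<source type> <perms> <path> ino=<ino>".
describe_denial() {
    line=$1
    perms=$(printf '%s\n' "$line" | sed -n 's/.*{ *\([^}]*[^ }]\) *}.*/\1/p')
    printf '%s %s %s ino=%s\n' "$(context_type "$(avc_field "$line" scontext)")" \
        "$perms" "$(avc_field "$line" path)" "$(avc_field "$line" ino)"
}

# live_nsfs_label: on a host with SELinux mounted, print the context the kernel
# reports for this process's network namespace inode (an nsfs object). Without
# SELinux there is nothing to check, so a marker string is printed instead.
live_nsfs_label() {
    [ -d /sys/fs/selinux ] || { echo "selinux-not-available"; return 0; }
    stat -c '%C' /proc/self/ns/net 2>/dev/null || ls -Z /proc/self/ns/net
}

# Run the constructed sample through the checks and show the live label.
printf '%s\n' "$SAMPLE_AVCS" | while IFS= read -r line; do
    if is_unlabeled_nsfs_denial "$line"; then describe_denial "$line"; fi
done
echo "label of /proc/self/ns/net on this host: $(live_nsfs_label)"
```

Two things worth keeping in mind when reading the output: the report's record carries permissive=1, so the read was logged but not blocked, and on a host where live_nsfs_label still prints a context ending in unlabeled_t:s0 the same denial will appear for any confined domain that opens a namespace file, not just iptables_t.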

Comment 1 Eric Paris 2015-11-24 17:58:44 UTC
Notice that this is also discussed in:
https://bugzilla.redhat.com/show_bug.cgi?id=1234757#c7 (incorrectly closed NOTABUG)

And also in
https://bugzilla.redhat.com/show_bug.cgi?id=1206751

Comment 2 Lukas Vrabec 2016-01-18 15:31:59 UTC

*** This bug has been marked as a duplicate of bug 1296826 ***

