Bug 1285039 - NSFS is unlabeled_t
NSFS is unlabeled_t
Status: CLOSED DUPLICATE of bug 1296826
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2015-11-24 12:54 EST by Eric Paris
Modified: 2016-01-18 10:31 EST (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2016-01-18 10:31:59 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Eric Paris 2015-11-24 12:54:12 EST
Notice I said NSFS, not NFS. Don't dare close this bug blaming me for mislabeling   :)

type=PROCTITLE msg=audit(11/24/2015 17:50:15.233:170) : proctitle=/usr/sbin/iptables --wait -t nat -C POSTROUTING -s ! -o lbr0 -j MASQUERADE 
type=PATH msg=audit(11/24/2015 17:50:15.233:170) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=5454 dev=ca:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL 
type=PATH msg=audit(11/24/2015 17:50:15.233:170) : item=0 name=/usr/sbin/iptables inode=12881 dev=ca:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:iptables_exec_t:s0 nametype=NORMAL 
type=CWD msg=audit(11/24/2015 17:50:15.233:170) :  cwd=/ 
type=EXECVE msg=audit(11/24/2015 17:50:15.233:170) : argc=13 a0=/usr/sbin/iptables a1=--wait a2=-t a3=nat a4=-C a5=POSTROUTING a6=-s a7= a8=! a9=-o a10=lbr0 a11=-j a12=MASQUERADE 
type=SYSCALL msg=audit(11/24/2015 17:50:15.233:170) : arch=x86_64 syscall=execve success=yes exit=0 a0=0xc820287600 a1=0xc820388a10 a2=0xc820075ae0 a3=0x0 items=2 ppid=1102 pid=1188 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=iptables exe=/usr/sbin/xtables-multi subj=system_u:system_r:iptables_t:s0 key=(null) 
type=AVC msg=audit(11/24/2015 17:50:15.233:170) : avc:  denied  { read } for  pid=1188 comm=iptables path=net:[4026532017] dev="nsfs" ino=4026532017 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 

I believe that https://bugzilla.redhat.com/attachment.cgi?id=1090403&action=diff has a potential solution, but do no know if it is the correct solution.
Comment 1 Eric Paris 2015-11-24 12:58:44 EST
Notice that this is also discussed in:
https://bugzilla.redhat.com/show_bug.cgi?id=1234757#c7 (incorrectly closed NOTABUG)

And also in
Comment 2 Lukas Vrabec 2016-01-18 10:31:59 EST

*** This bug has been marked as a duplicate of bug 1296826 ***

Note You need to log in before you can comment on or make changes to this bug.