Notice I said NSFS, not NFS. Don't dare close this bug blaming me for mislabeling :)

type=PROCTITLE msg=audit(11/24/2015 17:50:15.233:170) : proctitle=/usr/sbin/iptables --wait -t nat -C POSTROUTING -s 10.1.0.1/24 ! -o lbr0 -j MASQUERADE
type=PATH msg=audit(11/24/2015 17:50:15.233:170) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=5454 dev=ca:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
type=PATH msg=audit(11/24/2015 17:50:15.233:170) : item=0 name=/usr/sbin/iptables inode=12881 dev=ca:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:iptables_exec_t:s0 nametype=NORMAL
type=CWD msg=audit(11/24/2015 17:50:15.233:170) : cwd=/
type=EXECVE msg=audit(11/24/2015 17:50:15.233:170) : argc=13 a0=/usr/sbin/iptables a1=--wait a2=-t a3=nat a4=-C a5=POSTROUTING a6=-s a7=10.1.0.1/24 a8=! a9=-o a10=lbr0 a11=-j a12=MASQUERADE
type=SYSCALL msg=audit(11/24/2015 17:50:15.233:170) : arch=x86_64 syscall=execve success=yes exit=0 a0=0xc820287600 a1=0xc820388a10 a2=0xc820075ae0 a3=0x0 items=2 ppid=1102 pid=1188 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=iptables exe=/usr/sbin/xtables-multi subj=system_u:system_r:iptables_t:s0 key=(null)
type=AVC msg=audit(11/24/2015 17:50:15.233:170) : avc: denied { read } for pid=1188 comm=iptables path=net:[4026532017] dev="nsfs" ino=4026532017 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1

I believe that https://bugzilla.redhat.com/attachment.cgi?id=1090403&action=diff has a potential solution, but do not know if it is the correct solution.
Notice that this is also discussed in:
https://bugzilla.redhat.com/show_bug.cgi?id=1234757#c7 (incorrectly closed NOTABUG)
And also in https://bugzilla.redhat.com/show_bug.cgi?id=1206751
*** This bug has been marked as a duplicate of bug 1296826 ***