Description of problem: For an enhancement of firewalld it is needed to be able to use the {ip|ip6|eb}tables-restore commands with temporary files that are passed to the restore commands on stdin. firewalld will create the directory /run/firewalld at startup and will create the temporary files in there. Version-Release number of selected component (if applicable): selinux-policy-3.13.1-155.fc23 Here are the AVC messages: ype=AVC msg=audit(1450092486.349:70144): avc: denied { read } for pid=17865 comm="iptables-restor" path="/run/firewalld/temp.gciaj0pn" dev="tmpfs" ino=1078786 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:firewalld_var_run_t:s0 tclass=file permissive=1 type=SYSCALL msg=audit(1450092486.349:70144): arch=x86_64 syscall=execve success=yes exit=0 a0=7f3310f82520 a1=55bb740c6b60 a2=55bb73ccdd00 a3=1 items=0 ppid=17787 pid=17865 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=iptables-restor exe=/usr/sbin/xtables-multi subj=system_u:system_r:iptables_t:s0 key=(null) Hash: iptables-restor,iptables_t,firewalld_var_run_t,file,read type=AVC msg=audit(1450092486.350:70145): avc: denied { getattr } for pid=17865 comm="iptables-restor" path="/run/firewalld/temp.gciaj0pn" dev="tmpfs" ino=1078786 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:firewalld_var_run_t:s0 tclass=file permissive=1 type=SYSCALL msg=audit(1450092486.350:70145): arch=x86_64 syscall=fstat success=yes exit=0 a0=0 a1=7fffa63c6300 a2=7fffa63c6300 a3=7fde21bbc700 items=0 ppid=17787 pid=17865 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=iptables-restor exe=/usr/sbin/xtables-multi subj=system_u:system_r:iptables_t:s0 key=(null) Hash: iptables-restor,iptables_t,firewalld_var_run_t,file,getattr Please also add these for F-22 and rawhide. On F-22 I had to allow firewalld to create the directory in (/var)/run: allow firewalld_t var_run_t:dir create;
commit 872c7b4c77ca92788eb0f097a82c73c921469ef7 Author: Lukas Vrabec <lvrabec> Date: Mon Dec 14 13:06:06 2015 +0100 Add interface firewalld_read_pid_files() commit 132fbc10ee97fa1a9d3838842fadf6e5e842f856 Author: Lukas Vrabec <lvrabec> Date: Mon Dec 14 13:07:21 2015 +0100 Allow iptables to read firewalld pid files. BZ(1291243)
commit 44a47e0c0d2e9e365a5750539e817a061c7c248c Author: Lukas Vrabec <lvrabec> Date: Mon Dec 14 13:27:19 2015 +0100 Allow firewalld to create firewalld_var_run_t directory. BZ(1291243)
selinux-policy-3.13.1-158.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-eb32da49ac
selinux-policy-3.13.1-158.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with $ su -c 'dnf --enablerepo=updates-testing update selinux-policy' You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-eb32da49ac
selinux-policy-3.13.1-158.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.