Bug 1296826 - SELinux blocks iptables on Fedora Atomic 23
Summary: SELinux blocks iptables on Fedora Atomic 23
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 23
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 1285039
Depends On:
Blocks: 1308622
 
Reported: 2016-01-08 08:46 UTC by Stef Walter
Modified: 2016-02-15 15:57 UTC (History)

Fixed In Version: selinux-policy-3.13.1-158.4.fc23
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1308622
Environment:
Last Closed: 2016-02-07 05:24:19 UTC
Type: Bug
Embargoed:



Description Stef Walter 2016-01-08 08:46:49 UTC
Description of problem:

When booting Fedora Atomic 23 we get AVC's about iptables in the journal:

Jan 08 08:35:52 localhost.localdomain.localdomain audit[962]: AVC avc:  denied  { read } for  pid=962 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[963]: AVC avc:  denied  { read } for  pid=963 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[964]: AVC avc:  denied  { read } for  pid=964 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[969]: AVC avc:  denied  { read } for  pid=969 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[970]: AVC avc:  denied  { read } for  pid=970 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[971]: AVC avc:  denied  { read } for  pid=971 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[972]: AVC avc:  denied  { read } for  pid=972 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[973]: AVC avc:  denied  { read } for  pid=973 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[974]: AVC avc:  denied  { read } for  pid=974 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[975]: AVC avc:  denied  { read } for  pid=975 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[976]: AVC avc:  denied  { read } for  pid=976 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[980]: AVC avc:  denied  { read } for  pid=980 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[981]: AVC avc:  denied  { read } for  pid=981 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[982]: AVC avc:  denied  { read } for  pid=982 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[983]: AVC avc:  denied  { read } for  pid=983 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[984]: AVC avc:  denied  { read } for  pid=984 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[985]: AVC avc:  denied  { read } for  pid=985 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[986]: AVC avc:  denied  { read } for  pid=986 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[987]: AVC avc:  denied  { read } for  pid=987 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[988]: AVC avc:  denied  { read } for  pid=988 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[989]: AVC avc:  denied  { read } for  pid=989 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[990]: AVC avc:  denied  { read } for  pid=990 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0


Version-Release number of selected component (if applicable):

iptables-1.4.21-15.fc23.x86_64
selinux-policy-targeted-3.13.1-157.fc23.noarch
selinux-policy-3.13.1-157.fc23.noarch
kernel-4.2.7-300.fc23.x86_64
package firewalld is not installed

* 2015-12-20 06:44:31     23.38     aab6ef55dd     fedora-atomic     fedora-atomic:fedora-atomic/f23/x86_64/docker-host     


How reproducible:

Every boot.

Steps to Reproduce:
1. git clone https://github.com/cockpit-project/cockpit
2. cd cockpit
3. sudo test/vm-prep
4. test/vm-run fedora-atomic
5. Login with 'root' 'foobar'
6. journalctl -a | grep avc

Actual results:

See AVC's above

Expected results:

No AVC's

This issue was found via the Cockpit integration tests.

This issue does not occur on a stock Fedora 23 Server. Perhaps because firewalld is present (just a guess).
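The journal excerpt above is 22 copies of the same denial, differing only by pid. As an added example (not part of the bug report or of selinux-policy), the following Python script parses journalctl-style AVC lines, collapses repeats into one summary per source type, target type, object class and permission set, and flags denials whose target is unlabeled_t, which usually indicates a labelling gap (as with the nsfs files here) rather than a deliberate policy decision. The sample lines are constructed to match the report's format; the function and field names are this example's own.

```python
"""Summarize SELinux AVC denials from journal output.

Added example, not code from the bug report. Parses lines of the form
"... audit[PID]: AVC avc:  denied  { perms } for  key=value ...",
aggregates repeated denials, and flags targets labelled unlabeled_t.
"""
import re
from collections import Counter, defaultdict

# Constructed sample input in the format of the report's journal excerpt
# (two iptables denials plus one unrelated systemd line that must be ignored).
SAMPLE_JOURNAL = """\
Jan 08 08:35:52 localhost.localdomain.localdomain audit[962]: AVC avc:  denied  { read } for  pid=962 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[963]: AVC avc:  denied  { read } for  pid=963 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:53 localhost.localdomain.localdomain systemd[1]: Started Network Service.
"""

# Decision, the brace-delimited permission list, and the trailing key=value fields.
AVC_RE = re.compile(
    r"AVC avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted (may contain spaces/colons) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of AVC fields for one journal line, or None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec = {
        "decision": m.group("decision"),
        "perms": tuple(sorted(m.group("perms").split())),
        # permissive=0 means the denial was actually enforced, not just logged.
        "enforced": fields.get("permissive") == "0",
    }
    rec.update(fields)
    return rec


def context_type(ctx):
    """Extract the type field from a context such as system_u:object_r:unlabeled_t:s0."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def summarize(lines):
    """Aggregate denials by (comm, source type, target type, class, perms), most frequent first."""
    counts = Counter()
    pids = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        key = (
            rec.get("comm", ""),
            context_type(rec.get("scontext", "")),
            context_type(rec.get("tcontext", "")),
            rec.get("tclass", ""),
            " ".join(rec["perms"]),
        )
        counts[key] += 1
        pids[key].add(rec.get("pid"))
    return [
        {
            "comm": k[0], "source": k[1], "target": k[2], "tclass": k[3], "perms": k[4],
            "count": n, "distinct_pids": len(pids[k]),
            # unlabeled_t as the target type points at a labelling gap, not a real access decision.
            "labelling_gap": k[2] == "unlabeled_t",
        }
        for k, n in counts.most_common()
    ]


if __name__ == "__main__":
    for row in summarize(SAMPLE_JOURNAL.splitlines()):
        print(row)
```

Run it against real output with `journalctl -a | grep 'AVC avc' | python3 thisfile.py`-style piping by replacing `SAMPLE_JOURNAL.splitlines()` with `sys.stdin`; the `labelling_gap` flag is the cue that the right fix is a file-context or kernel labelling change (the direction the maintainers took in this bug) rather than an `allow ... unlabeled_t` rule generated from the denial.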

Comment 1 Miroslav Grepl 2016-01-08 09:10:09 UTC
There is ongoing SELinux upstream discussion about it.

Comment 2 Miroslav Grepl 2016-01-08 09:11:18 UTC
Basically it is about nsfs labeling.

Comment 3 Lukas Vrabec 2016-01-18 15:31:59 UTC
*** Bug 1285039 has been marked as a duplicate of this bug. ***

Comment 4 Lukas Vrabec 2016-01-18 15:33:01 UTC
*** Bug 1212076 has been marked as a duplicate of this bug. ***

Comment 5 Lukas Vrabec 2016-01-19 14:39:40 UTC
commit 2adcd19ff15912786123221fbacde8504ce6bca5
Author: Lukas Vrabec <lvrabec>
Date:   Tue Jan 19 15:37:55 2016 +0100

    Allow iptables to read nsfs files. BZ(1296826)

Comment 6 Fedora Update System 2016-02-03 12:02:22 UTC
selinux-policy-3.13.1-158.4.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-2aa7777f21

Comment 7 Fedora Update System 2016-02-03 23:00:18 UTC
selinux-policy-3.13.1-158.4.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-2aa7777f21

Comment 8 Fedora Update System 2016-02-07 05:23:50 UTC
selinux-policy-3.13.1-158.4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

