Description of problem: When booting Fedora Atomic 23 we get AVC's about iptables in the journal: Jan 08 08:35:52 localhost.localdomain.localdomain audit[962]: AVC avc: denied { read } for pid=962 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Jan 08 08:35:52 localhost.localdomain.localdomain audit[963]: AVC avc: denied { read } for pid=963 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Jan 08 08:35:52 localhost.localdomain.localdomain audit[964]: AVC avc: denied { read } for pid=964 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Jan 08 08:35:52 localhost.localdomain.localdomain audit[969]: AVC avc: denied { read } for pid=969 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Jan 08 08:35:52 localhost.localdomain.localdomain audit[970]: AVC avc: denied { read } for pid=970 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Jan 08 08:35:52 localhost.localdomain.localdomain audit[971]: AVC avc: denied { read } for pid=971 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Jan 08 08:35:52 localhost.localdomain.localdomain audit[972]: AVC avc: denied { read } for pid=972 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Jan 08 08:35:52 localhost.localdomain.localdomain audit[973]: AVC avc: denied { read } for pid=973 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Jan 08 08:35:52 localhost.localdomain.localdomain audit[974]: AVC avc: denied { read } for pid=974 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Jan 08 08:35:52 localhost.localdomain.localdomain audit[975]: AVC avc: denied { read } for pid=975 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Jan 08 08:35:52 localhost.localdomain.localdomain audit[976]: AVC avc: denied { read } for pid=976 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Jan 08 08:35:52 localhost.localdomain.localdomain audit[980]: AVC avc: denied { read } for pid=980 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Jan 08 08:35:52 localhost.localdomain.localdomain audit[981]: AVC avc: denied { read } for pid=981 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Jan 08 08:35:52 localhost.localdomain.localdomain audit[982]: AVC avc: denied { read } for pid=982 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Jan 08 08:35:52 localhost.localdomain.localdomain audit[983]: AVC avc: denied { read } for pid=983 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Jan 08 08:35:52 localhost.localdomain.localdomain audit[984]: AVC avc: denied { read } for pid=984 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Jan 08 08:35:52 localhost.localdomain.localdomain audit[985]: AVC avc: denied { read } for pid=985 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Jan 08 08:35:52 localhost.localdomain.localdomain audit[986]: AVC avc: denied { read } for pid=986 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Jan 08 08:35:52 localhost.localdomain.localdomain audit[987]: AVC avc: denied { read } for pid=987 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Jan 08 08:35:52 localhost.localdomain.localdomain audit[988]: AVC avc: denied { read } for pid=988 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Jan 08 08:35:52 localhost.localdomain.localdomain audit[989]: AVC avc: denied { read } for pid=989 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Jan 08 08:35:52 localhost.localdomain.localdomain audit[990]: AVC avc: denied { read } for pid=990 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Version-Release number of selected component (if applicable): iptables-1.4.21-15.fc23.x86_64 selinux-policy-targeted-3.13.1-157.fc23.noarch selinux-policy-3.13.1-157.fc23.noarch kernel-4.2.7-300.fc23.x86_64 package firewalld is not installed * 2015-12-20 06:44:31 23.38 aab6ef55dd fedora-atomic fedora-atomic:fedora-atomic/f23/x86_64/docker-host How reproducible: Every boot. Steps to Reproduce: 1. git clone https://github.com/cockpit-project/cockpit 2. cd cockpit 3. sudo test/vm-prep 4. test/vm-run fedora-atomic 5. Login with 'root' 'foobar 6. journalctl -a | grep avc Actual results: See AVC's above Expected results: No AVC's This issue was found via the Cockpit integration tests. This issue does not occur on a stock Fedora 23 Server. Perhaps because firewalld is present (just a guess).
There is ongoing SELinux upstream discussion about it.
Basically it is about nsfs labeling.
*** Bug 1285039 has been marked as a duplicate of this bug. ***
*** Bug 1212076 has been marked as a duplicate of this bug. ***
commit 2adcd19ff15912786123221fbacde8504ce6bca5 Author: Lukas Vrabec <lvrabec> Date: Tue Jan 19 15:37:55 2016 +0100 Allow iptables to read nsfs files. BZ(1296826)
selinux-policy-3.13.1-158.4.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-2aa7777f21
selinux-policy-3.13.1-158.4.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-2aa7777f21
selinux-policy-3.13.1-158.4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.