Bug 1296826 - SELinux blocks iptables on Fedora Atomic 23
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 23
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Assigned To: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Duplicates: 1285039
Blocks: 1308622
Reported: 2016-01-08 03:46 EST by Stef Walter
Modified: 2016-02-15 10:57 EST
Fixed In Version: selinux-policy-3.13.1-158.4.fc23
Doc Type: Bug Fix
Clones: 1308622
Last Closed: 2016-02-07 00:24:19 EST
Type: Bug
Attachments: None
Description Stef Walter 2016-01-08 03:46:49 EST
Description of problem:

When booting Fedora Atomic 23 we get AVCs about iptables in the journal:

Jan 08 08:35:52 localhost.localdomain.localdomain audit[962]: AVC avc:  denied  { read } for  pid=962 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[963]: AVC avc:  denied  { read } for  pid=963 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[964]: AVC avc:  denied  { read } for  pid=964 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[969]: AVC avc:  denied  { read } for  pid=969 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[970]: AVC avc:  denied  { read } for  pid=970 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[971]: AVC avc:  denied  { read } for  pid=971 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[972]: AVC avc:  denied  { read } for  pid=972 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[973]: AVC avc:  denied  { read } for  pid=973 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[974]: AVC avc:  denied  { read } for  pid=974 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[975]: AVC avc:  denied  { read } for  pid=975 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[976]: AVC avc:  denied  { read } for  pid=976 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[980]: AVC avc:  denied  { read } for  pid=980 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[981]: AVC avc:  denied  { read } for  pid=981 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[982]: AVC avc:  denied  { read } for  pid=982 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[983]: AVC avc:  denied  { read } for  pid=983 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[984]: AVC avc:  denied  { read } for  pid=984 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[985]: AVC avc:  denied  { read } for  pid=985 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[986]: AVC avc:  denied  { read } for  pid=986 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[987]: AVC avc:  denied  { read } for  pid=987 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[988]: AVC avc:  denied  { read } for  pid=988 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[989]: AVC avc:  denied  { read } for  pid=989 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[990]: AVC avc:  denied  { read } for  pid=990 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0


Version-Release number of selected component (if applicable):

iptables-1.4.21-15.fc23.x86_64
selinux-policy-targeted-3.13.1-157.fc23.noarch
selinux-policy-3.13.1-157.fc23.noarch
kernel-4.2.7-300.fc23.x86_64
package firewalld is not installed

* 2015-12-20 06:44:31     23.38     aab6ef55dd     fedora-atomic     fedora-atomic:fedora-atomic/f23/x86_64/docker-host     


How reproducible:

Every boot.

Steps to Reproduce:
1. git clone https://github.com/cockpit-project/cockpit
2. cd cockpit
3. sudo test/vm-prep
4. test/vm-run fedora-atomic
5. Login with 'root' 'foobar'
6. journalctl -a | grep avc

Actual results:

See AVCs above

Expected results:

No AVCs

This issue was found via the Cockpit integration tests.

This issue does not occur on a stock Fedora 23 Server. Perhaps because firewalld is present (just a guess).
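As an added example for triaging denials like the ones in this report (this code is not part of the bug report, of Cockpit, or of selinux-policy), the following Python script parses AVC lines in the journal format shown above, groups them by source type, target type and object class, renders the candidate allow rules that audit2allow would propose from them, and flags any target of type unlabeled_t, which points at a labeling gap rather than a missing rule. The journal text embedded in the script is constructed: the first two lines reproduce the format of the denials above, the third denial (on /run/xtables.lock) and the hostname are made up only to show how grouping behaves.

```python
"""Triage SELinux AVC denials from journal output and group them into
candidate allow rules, the way audit2allow would. Added example for bug
1296826; it is not part of the report, of Cockpit, or of selinux-policy."""
import re
from collections import Counter

# Constructed sample journal output. The first two lines copy the format of
# the denials in the bug report (pids 962 and 963); the third is a made-up,
# unrelated denial included only to show grouping; the fourth is non-AVC noise.
SAMPLE_JOURNAL = """\
Jan 08 08:35:52 localhost audit[962]: AVC avc:  denied  { read } for  pid=962 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost audit[963]: AVC avc:  denied  { read } for  pid=963 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:53 localhost audit[1001]: AVC avc:  denied  { write lock } for  pid=1001 comm="iptables" path="/run/xtables.lock" dev="tmpfs" ino=1234 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
Jan 08 08:35:53 localhost systemd[1]: Started Network Service.
"""

# "avc:  denied  { read } for  pid=... comm=... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values may be double-quoted (path="net:[4026531957]").
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type component of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one journal line; return a dict of AVC fields, or None if it is not an AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "result": m.group("result"),
        "perms": frozenset(m.group("perms").split()),
        "pid": int(fields["pid"]),
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "dev": fields.get("dev"),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "permissive": fields.get("permissive") == "1",
    }


def summarize(journal_text):
    """Group denials by (source type, target type, class).
    Returns (rules, counts): rules maps each key to the union of the denied
    permissions; counts records how many AVC lines contributed to each key."""
    rules, counts = {}, Counter()
    for line in journal_text.splitlines():
        avc = parse_avc(line)
        if avc is None or avc["result"] != "denied":
            continue
        key = (avc["stype"], avc["ttype"], avc["tclass"])
        rules.setdefault(key, set()).update(avc["perms"])
        counts[key] += 1
    return rules, counts


def to_te(rules):
    """Render candidate allow rules in the .te syntax audit2allow emits, sorted by key."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(rules.items())
    ]


def labeling_problems(rules):
    """Keys whose target is unlabeled_t. Such objects carry no policy label, so
    the correct fix is to label them (for a pseudo-filesystem, a genfscon entry
    and a dedicated type), not to grant access to unlabeled_t."""
    return [key for key in sorted(rules) if key[1] == "unlabeled_t"]


if __name__ == "__main__":
    rules, counts = summarize(SAMPLE_JOURNAL)
    for key, rule in zip(sorted(rules), to_te(rules)):
        print(f"{counts[key]:3d}x  {rule}")
    for s, t, c in labeling_problems(rules):
        print(f"labeling problem: {s} -> {t}:{c} (object is unlabeled; fix the label, not the rule)")
```

Run it with python3 and replace SAMPLE_JOURNAL with real output from `journalctl -a | grep avc` or `ausearch -m avc`. The unlabeled_t flag is the security-relevant part: the rule audit2allow would generate for the denials above, `allow iptables_t unlabeled_t:file { read };`, would let iptables_t read every unlabeled file on the host, whereas giving the nsfs filesystem its own type and allowing that type keeps the grant narrow; the comments that follow describe the problem as an nsfs labeling issue. After the fixed policy is installed, `sesearch -A -s iptables_t -c file -p read` (from setools) lists the target types iptables_t may read, and `ausearch -m avc -ts boot` after a reboot should show no further iptables denials.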
Comment 1 Miroslav Grepl 2016-01-08 04:10:09 EST
There is ongoing SELinux upstream discussion about it.
Comment 2 Miroslav Grepl 2016-01-08 04:11:18 EST
Basically it is about nsfs labeling.
Comment 3 Lukas Vrabec 2016-01-18 10:31:59 EST
*** Bug 1285039 has been marked as a duplicate of this bug. ***
Comment 4 Lukas Vrabec 2016-01-18 10:33:01 EST
*** Bug 1212076 has been marked as a duplicate of this bug. ***
Comment 5 Lukas Vrabec 2016-01-19 09:39:40 EST
commit 2adcd19ff15912786123221fbacde8504ce6bca5
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Tue Jan 19 15:37:55 2016 +0100

    Allow iptables to read nsfs files. BZ(1296826)
Comment 6 Fedora Update System 2016-02-03 07:02:22 EST
selinux-policy-3.13.1-158.4.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-2aa7777f21
Comment 7 Fedora Update System 2016-02-03 18:00:18 EST
selinux-policy-3.13.1-158.4.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-2aa7777f21
Comment 8 Fedora Update System 2016-02-07 00:23:50 EST
selinux-policy-3.13.1-158.4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
