Bug 1308622 - SELinux blocks iptables on Fedora Atomic 23
Summary: SELinux blocks iptables on Fedora Atomic 23
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 22
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 1296826
Blocks:
Reported: 2016-02-15 15:57 UTC by Lukas Vrabec
Modified: 2016-05-10 17:56 UTC (History)
CC List: 12 users

Fixed In Version: selinux-policy-3.13.1-128.27.fc22 selinux-policy-3.13.1-128.28.fc22
Doc Type: Bug Fix
Doc Text:
Clone Of: 1296826
Environment:
Last Closed: 2016-05-10 17:56:53 UTC
Type: Bug
Embargoed:



Description Lukas Vrabec 2016-02-15 15:57:24 UTC
+++ This bug was initially created as a clone of Bug #1296826 +++

Description of problem:

When booting Fedora Atomic 23 we get AVCs about iptables in the journal:

Jan 08 08:35:52 localhost.localdomain.localdomain audit[962]: AVC avc:  denied  { read } for  pid=962 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[963]: AVC avc:  denied  { read } for  pid=963 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[964]: AVC avc:  denied  { read } for  pid=964 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[969]: AVC avc:  denied  { read } for  pid=969 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[970]: AVC avc:  denied  { read } for  pid=970 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[971]: AVC avc:  denied  { read } for  pid=971 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[972]: AVC avc:  denied  { read } for  pid=972 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[973]: AVC avc:  denied  { read } for  pid=973 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[974]: AVC avc:  denied  { read } for  pid=974 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[975]: AVC avc:  denied  { read } for  pid=975 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[976]: AVC avc:  denied  { read } for  pid=976 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[980]: AVC avc:  denied  { read } for  pid=980 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[981]: AVC avc:  denied  { read } for  pid=981 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[982]: AVC avc:  denied  { read } for  pid=982 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[983]: AVC avc:  denied  { read } for  pid=983 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[984]: AVC avc:  denied  { read } for  pid=984 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[985]: AVC avc:  denied  { read } for  pid=985 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[986]: AVC avc:  denied  { read } for  pid=986 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[987]: AVC avc:  denied  { read } for  pid=987 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[988]: AVC avc:  denied  { read } for  pid=988 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[989]: AVC avc:  denied  { read } for  pid=989 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jan 08 08:35:52 localhost.localdomain.localdomain audit[990]: AVC avc:  denied  { read } for  pid=990 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0


Version-Release number of selected component (if applicable):

iptables-1.4.21-15.fc23.x86_64
selinux-policy-targeted-3.13.1-157.fc23.noarch
selinux-policy-3.13.1-157.fc23.noarch
kernel-4.2.7-300.fc23.x86_64
package firewalld is not installed

* 2015-12-20 06:44:31     23.38     aab6ef55dd     fedora-atomic     fedora-atomic:fedora-atomic/f23/x86_64/docker-host     


How reproducible:

Every boot.

Steps to Reproduce:
1. git clone https://github.com/cockpit-project/cockpit
2. cd cockpit
3. sudo test/vm-prep
4. test/vm-run fedora-atomic
5. Login with 'root' 'foobar'
6. journalctl -a | grep avc

Actual results:

See AVCs above

Expected results:

No AVCs

This issue was found via the Cockpit integration tests.

This issue does not occur on a stock Fedora 23 Server. Perhaps because firewalld is present (just a guess).

--- Additional comment from Miroslav Grepl on 2016-01-08 04:10:09 EST ---

There is ongoing SELinux upstream discussion about it.

--- Additional comment from Miroslav Grepl on 2016-01-08 04:11:18 EST ---

Basically it is about nsfs labeling.

--- Additional comment from Lukas Vrabec on 2016-01-18 10:31:59 EST ---



--- Additional comment from Lukas Vrabec on 2016-01-18 10:33:01 EST ---



--- Additional comment from Lukas Vrabec on 2016-01-19 09:39:40 EST ---

commit 2adcd19ff15912786123221fbacde8504ce6bca5
Author: Lukas Vrabec <lvrabec>
Date:   Tue Jan 19 15:37:55 2016 +0100

    Allow iptables to read nsfs files. BZ(1296826)

--- Additional comment from Fedora Update System on 2016-02-03 07:02:22 EST ---

selinux-policy-3.13.1-158.4.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-2aa7777f21

--- Additional comment from Fedora Update System on 2016-02-03 18:00:18 EST ---

selinux-policy-3.13.1-158.4.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-2aa7777f21

--- Additional comment from Fedora Update System on 2016-02-07 00:23:50 EST ---

selinux-policy-3.13.1-158.4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
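
Added triage helper for the denial lines quoted in the description (example code, not part of this report or of selinux-policy): it parses AVC records in the journal format shown, collapses the one-per-pid repeats into a single (source type, target type, class, permissions) signature, and flags signatures whose target is unlabeled_t, which is the symptom the "Allow iptables to read nsfs files" fix addresses. The sample lines below are constructed from the report's format.

```python
"""Parse and deduplicate SELinux AVC denials from journal lines (added example)."""
import re
from collections import defaultdict

# "AVC avc:  denied  { read } for  pid=962 comm=..." -> result, permissions, key=value tail
AVC_HEAD = re.compile(
    r'AVC avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<tail>.*)$')
# key=value pairs; values are either "quoted" (may contain spaces/colons) or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of AVC fields, or None if the line is not an AVC record."""
    m = AVC_HEAD.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("tail"))}
    if any(req not in rec for req in ("pid", "scontext", "tcontext", "tclass")):
        return None
    rec["result"] = m.group("result")
    rec["perms"] = tuple(sorted(m.group("perms").split()))
    rec["pid"] = int(rec["pid"])
    # A context is user:role:type:level; the type is what policy rules are written against.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(lines):
    """Group denials by (stype, ttype, tclass, perms) and count distinct pids per group."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            groups[(rec["stype"], rec["ttype"], rec["tclass"], rec["perms"])].add(rec["pid"])
    return {sig: len(pids) for sig, pids in groups.items()}

def unlabeled_targets(summary):
    """Signatures whose target type is unlabeled_t: the object's filesystem (nsfs here)
    carries no label the policy knows, so no ordinary domain rule can grant access."""
    return [sig for sig in summary if sig[1] == "unlabeled_t"]

# Constructed sample: two of the report's iptables denials, an unrelated denial, a non-AVC line.
SAMPLE = [
    'Jan 08 08:35:52 host audit[962]: AVC avc:  denied  { read } for  pid=962 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0',
    'Jan 08 08:35:52 host audit[963]: AVC avc:  denied  { read } for  pid=963 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0',
    'Jan 08 08:36:01 host audit[1001]: AVC avc:  denied  { write } for  pid=1001 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
    'Jan 08 08:36:02 host systemd[1]: Started Some service.',
]

if __name__ == "__main__":
    summary = summarize(SAMPLE)
    for (stype, ttype, tclass, perms), n in summary.items():
        print(f"{stype} -> {ttype} {tclass} {{ {' '.join(perms)} }}: {n} process(es)")
    print("unlabeled targets:", unlabeled_targets(summary))
```

Feeding it `journalctl -a | grep avc` output turns the 22 repeated lines above into one signature with a process count, which is the unit a policy fix is written against.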

Comment 1 Lukas Vrabec 2016-02-15 16:09:41 UTC
commit 68ca1e716b8565548dd442b0ce7ff74c9c95e1d8
Author: Lukas Vrabec <lvrabec>
Date:   Tue Jan 19 15:37:55 2016 +0100

    Allow iptables to read nsfs files. BZ(1308622)

Comment 2 Fedora Update System 2016-02-15 17:46:20 UTC
selinux-policy-3.13.1-128.27.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab

Comment 3 Fedora Update System 2016-02-17 06:25:49 UTC
selinux-policy-3.13.1-128.27.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab

Comment 4 Fedora Update System 2016-02-18 12:27:03 UTC
selinux-policy-3.13.1-128.28.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab

Comment 5 Fedora Update System 2016-02-21 18:28:48 UTC
selinux-policy-3.13.1-128.28.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab

Comment 6 Fedora Update System 2016-05-10 17:55:33 UTC
selinux-policy-3.13.1-128.28.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

