+++ This bug was initially created as a clone of Bug #1296826 +++ Description of problem: When booting Fedora Atomic 23 we get AVC's about iptables in the journal: Jan 08 08:35:52 localhost.localdomain.localdomain audit[962]: AVC avc: denied { read } for pid=962 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Jan 08 08:35:52 localhost.localdomain.localdomain audit[963]: AVC avc: denied { read } for pid=963 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Jan 08 08:35:52 localhost.localdomain.localdomain audit[964]: AVC avc: denied { read } for pid=964 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Jan 08 08:35:52 localhost.localdomain.localdomain audit[969]: AVC avc: denied { read } for pid=969 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Jan 08 08:35:52 localhost.localdomain.localdomain audit[970]: AVC avc: denied { read } for pid=970 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Jan 08 08:35:52 localhost.localdomain.localdomain audit[971]: AVC avc: denied { read } for pid=971 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Jan 08 08:35:52 localhost.localdomain.localdomain audit[972]: AVC avc: denied { read } for pid=972 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Jan 08 08:35:52 localhost.localdomain.localdomain audit[973]: AVC avc: denied { read } for pid=973 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Jan 08 08:35:52 localhost.localdomain.localdomain audit[974]: AVC avc: denied { read } for pid=974 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Jan 08 08:35:52 localhost.localdomain.localdomain audit[975]: AVC avc: denied { read } for pid=975 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Jan 08 08:35:52 localhost.localdomain.localdomain audit[976]: AVC avc: denied { read } for pid=976 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Jan 08 08:35:52 localhost.localdomain.localdomain audit[980]: AVC avc: denied { read } for pid=980 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Jan 08 08:35:52 localhost.localdomain.localdomain audit[981]: AVC avc: denied { read } for pid=981 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Jan 08 08:35:52 localhost.localdomain.localdomain audit[982]: AVC avc: denied { read } for pid=982 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Jan 08 08:35:52 localhost.localdomain.localdomain audit[983]: AVC avc: denied { read } for pid=983 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Jan 08 08:35:52 localhost.localdomain.localdomain audit[984]: AVC avc: denied { read } for pid=984 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Jan 08 08:35:52 localhost.localdomain.localdomain audit[985]: AVC avc: denied { read } for pid=985 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Jan 08 08:35:52 localhost.localdomain.localdomain audit[986]: AVC avc: denied { read } for pid=986 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Jan 08 08:35:52 localhost.localdomain.localdomain audit[987]: AVC avc: denied { read } for pid=987 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Jan 08 08:35:52 localhost.localdomain.localdomain audit[988]: AVC avc: denied { read } for pid=988 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Jan 08 08:35:52 localhost.localdomain.localdomain audit[989]: AVC avc: denied { read } for pid=989 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Jan 08 08:35:52 localhost.localdomain.localdomain audit[990]: AVC avc: denied { read } for pid=990 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Version-Release number of selected component (if applicable): iptables-1.4.21-15.fc23.x86_64 selinux-policy-targeted-3.13.1-157.fc23.noarch selinux-policy-3.13.1-157.fc23.noarch kernel-4.2.7-300.fc23.x86_64 package firewalld is not installed * 2015-12-20 06:44:31 23.38 aab6ef55dd fedora-atomic fedora-atomic:fedora-atomic/f23/x86_64/docker-host How reproducible: Every boot. Steps to Reproduce: 1. git clone https://github.com/cockpit-project/cockpit 2. cd cockpit 3. sudo test/vm-prep 4. test/vm-run fedora-atomic 5. Login with 'root' 'foobar 6. journalctl -a | grep avc Actual results: See AVC's above Expected results: No AVC's This issue was found via the Cockpit integration tests. This issue does not occur on a stock Fedora 23 Server. Perhaps because firewalld is present (just a guess). --- Additional comment from Miroslav Grepl on 2016-01-08 04:10:09 EST --- There is ongoing SELinux upstream discussion about it. --- Additional comment from Miroslav Grepl on 2016-01-08 04:11:18 EST --- Basically it is about nsfs labeling. --- Additional comment from Lukas Vrabec on 2016-01-18 10:31:59 EST --- --- Additional comment from Lukas Vrabec on 2016-01-18 10:33:01 EST --- --- Additional comment from Lukas Vrabec on 2016-01-19 09:39:40 EST --- commit 2adcd19ff15912786123221fbacde8504ce6bca5 Author: Lukas Vrabec <lvrabec> Date: Tue Jan 19 15:37:55 2016 +0100 Allow iptables to read nsfs files. BZ(1296826) --- Additional comment from Fedora Update System on 2016-02-03 07:02:22 EST --- selinux-policy-3.13.1-158.4.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-2aa7777f21 --- Additional comment from Fedora Update System on 2016-02-03 18:00:18 EST --- selinux-policy-3.13.1-158.4.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-2aa7777f21 --- Additional comment from Fedora Update System on 2016-02-07 00:23:50 EST --- selinux-policy-3.13.1-158.4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
commit 68ca1e716b8565548dd442b0ce7ff74c9c95e1d8 Author: Lukas Vrabec <lvrabec> Date: Tue Jan 19 15:37:55 2016 +0100 Allow iptables to read nsfs files. BZ(1308622)
selinux-policy-3.13.1-128.27.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab
selinux-policy-3.13.1-128.27.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab
selinux-policy-3.13.1-128.28.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab
selinux-policy-3.13.1-128.28.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab
selinux-policy-3.13.1-128.28.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.