Red Hat Bugzilla – Bug 1373220
avc denial: comm="iptables.init" name="plymouth"
Last modified: 2018-04-10 08:23:31 EDT
Description of problem:
There is an AVC denial during starting iptables, but it's there rarely.

Version-Release number of selected component (if applicable):
iptables-1.4.21-17.el7.s390x
selinux-policy-3.13.1-96.el7.noarch

How reproducible:
rarely

Steps to Reproduce:
1. start iptables + ip6tables + firewalld

Actual results:
time->Sun Sep 4 01:34:54 2016
type=SYSCALL msg=audit(1472949294.909:1707): arch=80000016 syscall=300 success=no exit=-13 a0=ffffffffffffff9c a1=90ea45b0 a2=1 a3=200 items=0 ppid=1 pid=45704 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables.init" exe="/usr/bin/bash" subj=system_u:system_r:iptables_t:s0 key=(null)
type=AVC msg=audit(1472949294.909:1707): avc: denied { execute } for pid=45704 comm="iptables.init" name="plymouth" dev="dm-0" ino=613888 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:plymouth_exec_t:s0 tclass=file
Fail: AVC messages found.

Expected results:
no denial

Additional info:
We're getting similar errors. Note that this is on a CentOS 7.3.1611 system, so I probably shouldn't report here. But I have also opened a bug with CentOS: https://bugs.centos.org/view.php?id=12648

Here are the errors we get:
type=AVC msg=audit(1484222790.149:1385018): avc: denied { setattr } for pid=10803 comm="chmod" name="iptables.save" dev="dm-0" ino=35288115 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC msg=audit(1484222790.150:1385019): avc: denied { execute } for pid=10790 comm="iptables.init" name="plymouth" dev="dm-0" ino=67870175 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:plymouth_exec_t:s0 tclass=file
type=AVC msg=audit(1484222790.221:1385042): avc: denied { unlink } for pid=10860 comm="rm" name="ip6tables" dev="tmpfs" ino=17162 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1484222790.240:1385045): avc: denied { read } for pid=10862 comm="ip6tables.init" name="modprobe.d" dev="dm-0" ino=34095125 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir

For us this happens only on reboot and it is consistently reproducible. It started on the first reboot after updating to 7.3.1611.
The legacy commands iptables.init and ip6tables.init are part of the iptables-services-1.4.21-17.el7.x86_64 package. They are sourcing /etc/init.d/functions, which executes plymouth commands, similar to bz1419957.
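To triage reports like this one from a raw audit.log, the records have to be parsed into source type, target type, class and permissions before they can be matched against a known pattern. The parser below is an added example and not part of this bug report or of the iptables-services package; the sample records are the ones quoted in this bug, embedded inline as constructed input, and the helper names (`parse_avc`, `is_plymouth_exec_denial`) are my own:

```python
import re
from dataclasses import dataclass

# Constructed sample input: three AVC records quoted in this bug plus one
# SYSCALL record, one audit record per line as audit.log stores them.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1472949294.909:1707): avc: denied { execute } for pid=45704 comm="iptables.init" name="plymouth" dev="dm-0" ino=613888 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:plymouth_exec_t:s0 tclass=file
type=AVC msg=audit(1484222790.149:1385018): avc: denied { setattr } for pid=10803 comm="chmod" name="iptables.save" dev="dm-0" ino=35288115 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC msg=audit(1484222790.240:1385045): avc: denied { read } for pid=10862 comm="ip6tables.init" name="modprobe.d" dev="dm-0" ino=34095125 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=SYSCALL msg=audit(1472949294.909:1707): arch=80000016 syscall=300 success=no exit=-13 comm="iptables.init" exe="/usr/bin/bash"
"""

# Head of an AVC record: timestamp:serial, decision, permission set, then key=value fields.
AVC_RE = re.compile(r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
                    r'(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # values are quoted (comm, name) or bare (pid, tclass)

@dataclass
class Avc:
    serial: int
    decision: str
    perms: tuple
    comm: str
    stype: str   # SELinux type of the source domain, e.g. iptables_t
    ttype: str   # SELinux type of the target object, e.g. plymouth_exec_t
    tclass: str

def parse_avc(line):
    """Parse one audit record; returns None for anything that is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    # A context is user:role:type:level; the type (index 2) is what policy rules key on.
    return Avc(serial=int(m.group('serial')), decision=m.group('decision'),
               perms=tuple(m.group('perms').split()), comm=kv.get('comm', ''),
               stype=kv['scontext'].split(':')[2], ttype=kv['tcontext'].split(':')[2],
               tclass=kv['tclass'])

def parse_audit(text):
    return [a for a in map(parse_avc, text.splitlines()) if a is not None]

def is_plymouth_exec_denial(avc):
    """The denial this bug is about: iptables_t executing a plymouth_exec_t file."""
    return (avc.decision == 'denied' and 'execute' in avc.perms and avc.tclass == 'file'
            and avc.stype == 'iptables_t' and avc.ttype == 'plymouth_exec_t')
```

Run it over a real audit.log and the other denials in the same batch (setattr, unlink, read) come out with their own type pairs, which is what distinguishes this policy gap from a separate labeling problem.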
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0763