Description of problem:
Starting the docker daemon produces AVC denials like

type=AVC msg=audit(1497521828.624:143): avc: denied { read } for pid=2472 comm="iptables" path="net:[4026531961]" dev="nsfs" ino=4026531961 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=file permissive=0

Version-Release number of selected component (if applicable):
docker-1.13.1-13.git51eb16e.fc26
container-selinux-2.18-1.fc26

How reproducible:
Deterministic.

Steps to Reproduce:
1. dnf install -y docker
2. systemctl start docker
3. Check audit.log.

Actual results:
----
time->Thu Jun 15 06:17:08 2017
type=AVC msg=audit(1497521828.605:139): avc: denied { read } for pid=2464 comm="iptables" path="net:[4026531961]" dev="nsfs" ino=4026531961 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=file permissive=0
----
time->Thu Jun 15 06:17:08 2017
type=AVC msg=audit(1497521828.608:140): avc: denied { read } for pid=2466 comm="iptables" path="net:[4026531961]" dev="nsfs" ino=4026531961 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=file permissive=0
----
time->Thu Jun 15 06:17:08 2017
type=AVC msg=audit(1497521828.623:142): avc: denied { read } for pid=2471 comm="iptables" path="net:[4026531961]" dev="nsfs" ino=4026531961 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=file permissive=0
----
time->Thu Jun 15 06:17:08 2017
type=AVC msg=audit(1497521828.624:143): avc: denied { read } for pid=2472 comm="iptables" path="net:[4026531961]" dev="nsfs" ino=4026531961 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=file permissive=0
----
time->Thu Jun 15 06:17:08 2017
type=AVC msg=audit(1497521828.625:145): avc: denied { read } for pid=2473 comm="iptables" path="net:[4026531961]" dev="nsfs" ino=4026531961 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=file permissive=0
----
time->Thu Jun 15 06:17:08 2017
type=AVC msg=audit(1497521828.626:146): avc: denied { read } for pid=2474 comm="iptables" path="net:[4026531961]" dev="nsfs" ino=4026531961 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=file permissive=0

Expected results:
No AVC denial.

Additional info:
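As an added example (not code from this report or from the selinux-policy project), the following Python helper parses AVC records of the kind quoted above and collapses the repeated denials into the distinct source-type/target-type/class/permission tuples that a policy change has to cover, rendered the way audit2allow would render them. The sample lines are constructed from the report's own output plus a non-AVC record to show it is skipped.

```python
import re
from collections import Counter

# Constructed sample: two of the denials from the report (the report shows six
# identical ones) plus a SYSCALL record that must be ignored by the AVC parser.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1497521828.605:139): avc: denied { read } for pid=2464 comm="iptables" path="net:[4026531961]" dev="nsfs" ino=4026531961 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=file permissive=0
type=AVC msg=audit(1497521828.608:140): avc: denied { read } for pid=2466 comm="iptables" path="net:[4026531961]" dev="nsfs" ino=4026531961 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1497521828.608:140): arch=c000003e syscall=257 success=no exit=-13
"""

# \s+ tolerates both the single spaces in the report and the double spaces
# that the kernel actually emits ("avc:  denied  { read }").
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return the fields of one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = sorted(rec["perms"].split())  # "{ read write }" -> ["read", "write"]
    perm = re.search(r"permissive=(\d)", line)
    rec["permissive"] = bool(perm and perm.group(1) == "1")
    return rec


def type_of(context):
    """system_u:system_r:iptables_t:s0 -> iptables_t (the type is the third field)."""
    return context.split(":")[2]


def summarize(audit_text):
    """Count distinct (source type, target type, class, perms) denial tuples."""
    counts = Counter()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"], tuple(rec["perms"]))
        counts[key] += 1
    return counts


def allow_rules(audit_text):
    """Render each distinct denial as the raw allow rule audit2allow would propose."""
    rules = []
    for src, tgt, cls, perms in sorted(summarize(audit_text)):
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules
```

The raw rule is only the starting point for triage; the fix in this bug used the policy's container_read_state() interface rather than a bare allow rule, which is the form the Fedora policy maintainers prefer.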
Need to add container_read_state(iptables_t)

This pull request adds this interface: b22d1515cb3e164c0ac3cdc2020c2e8c4d7a55fd
Which repo is this pull request against? Any chance of getting this merged and updated policy shipped to Fedora 26?
Jan, the PR is here: https://github.com/fedora-selinux/selinux-policy/pull/197
Awesome. Lukáš, can we get the PR merged and new policy built?
Jan, yes, sure. Build is in progress: https://koji.fedoraproject.org/koji/taskinfo?taskID=20437433
selinux-policy-3.13.1-260.1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-c2721b7375
selinux-policy-3.13.1-260.1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-c2721b7375
selinux-policy-3.13.1-260.1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.