Bug 1465057 - Atomic Host AVC: iptables_t and container_runtime_t
Status: NEW
Product: Fedora
Classification: Fedora
Component: selinux-policy
Assigned To: Lukas Vrabec
Fedora Extras Quality Assurance
Reported: 2017-06-26 09:47 EDT by Colin Walters
Modified: 2017-08-15 02:35 EDT

Type: Bug
Comment 1 Daniel Walsh 2017-06-26 10:03:00 EDT
It looks like firewalld is attempting to read the /proc content of any process that contacts it.
Comment 2 Dusty Mabe 2017-07-07 16:57:26 EDT
(In reply to Daniel Walsh from comment #1)
> It looks like firewalld is attempting to read the /proc content of any
> process that contacts it.

no firewalld in atomic host right? 

here is the denial in case that link above goes away:

time->Fri Jul  7 20:42:25 2017
type=PROCTITLE msg=audit(1499460145.552:158): proctitle=2F7573722F7362696E2F69707461626C6573002D2D77616974002D740066696C746572002D4300464F5257415244002D6F00646F636B657230002D6D00636F6E6E747261636B002D2D63747374
type=SYSCALL msg=audit(1499460145.552:158): arch=c000003e syscall=59 success=yes exit=0 a0=c4202b7500 a1=c4203dc800 a2=c4204456c0 a3=0 items=0 ppid=1008 pid=1114 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/usr/sbin/xtables-multi" subj=system_u:system_r:iptables_t:s0 key=(null)
type=AVC msg=audit(1499460145.552:158): avc:  denied  { read } for  pid=1114 comm="iptables" path="net:[4026531961]" dev="nsfs" ino=4026531961 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=file permissive=0
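As an added example (not part of the bug report or of selinux-policy), a small parser that takes the three audit records quoted above, decodes the hex PROCTITLE back into argv, and pulls the source/target types, object class and permission out of the AVC line so the denial can be read as "iptables_t wants read on a container_runtime_t net namespace file". The sample records are copies of the ones in comment 2 re-joined onto single lines; the decoded argv ends at `--ctst` because the report's proctitle value is truncated.

```python
import re
from typing import Dict, List

# Constructed sample input: the three audit records quoted in comment 2 above,
# re-joined onto one line each (the bug report shows them wrapped). The
# PROCTITLE hex is truncated in the report, so the decoded argv ends early.
AUDIT_RECORDS = [
    'type=PROCTITLE msg=audit(1499460145.552:158): proctitle=2F7573722F7362696E2F69707461626C6573002D2D77616974002D740066696C746572002D4300464F5257415244002D6F00646F636B657230002D6D00636F6E6E747261636B002D2D63747374',
    'type=SYSCALL msg=audit(1499460145.552:158): arch=c000003e syscall=59 success=yes exit=0 a0=c4202b7500 a1=c4203dc800 a2=c4204456c0 a3=0 items=0 ppid=1008 pid=1114 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/usr/sbin/xtables-multi" subj=system_u:system_r:iptables_t:s0 key=(null)',
    'type=AVC msg=audit(1499460145.552:158): avc:  denied  { read } for  pid=1114 comm="iptables" path="net:[4026531961]" dev="nsfs" ino=4026531961 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=file permissive=0',
]

EVENT_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<event>[^)]+)\): (?P<body>.*)$')
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_proctitle(hex_argv: str) -> List[str]:
    """PROCTITLE stores argv hex-encoded with NUL separators; recover the list."""
    raw = bytes.fromhex(hex_argv)
    return [a.decode("utf-8", "replace") for a in raw.rstrip(b"\x00").split(b"\x00")]

def parse_fields(text: str) -> Dict[str, str]:
    """key=value pairs with surrounding double quotes stripped from values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(text)}

def summarize_denials(records: List[str]) -> Dict[str, dict]:
    """Group records by audit event id and join each AVC with its argv and exe."""
    events: Dict[str, dict] = {}
    for line in records:
        m = EVENT_RE.match(line)
        if not m:
            continue  # not an audit record in the shape we understand
        ev = events.setdefault(m["event"], {})
        if m["type"] == "PROCTITLE":
            ev["argv"] = decode_proctitle(parse_fields(m["body"])["proctitle"])
        elif m["type"] == "SYSCALL":
            ev["exe"] = parse_fields(m["body"]).get("exe")
        elif m["type"] == "AVC":
            a = AVC_RE.search(m["body"])
            f = parse_fields(a["fields"])
            # user:role:type:level -> keep the type, which is what policy rules name
            ev.update(result=a["result"], perms=a["perms"].split(),
                      source=f["scontext"].split(":")[2], target=f["tcontext"].split(":")[2],
                      tclass=f["tclass"], path=f.get("path"),
                      enforcing=f.get("permissive") == "0")
    return events
```

Running `summarize_denials(AUDIT_RECORDS)` shows the denied process is iptables invoked with `-o docker0`, i.e. the container runtime's own firewall call, not firewalld.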
Comment 3 Jan Kurik 2017-08-15 02:35:02 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.
