This is on a system with unconfined disabled. The iptables restart script does a bunch of weird things like module loading and unloading. It's this one:

rlpowell@stodi> ls -lZ /usr/libexec/iptables/iptables.init
-rwxr-xr-x. 1 root root system_u:object_r:iptables_exec_t:s0 11047 Aug 3 2017 /usr/libexec/iptables/iptables.init*

and running

rlpowell@stodi> sudo service iptables restart

generates:

type=AVC msg=audit(1518334082.802:50546003): avc: denied { read write } for pid=3852 comm="lsmod" path="socket:[320907725]" dev="sockfs" ino=320907725 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1518334082.817:50546007): avc: denied { module_load } for pid=3859 comm="modprobe" scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:system_r:insmod_t:s0 tclass=system permissive=1
type=AVC msg=audit(1518334085.140:50546019): avc: denied { read write } for pid=3879 comm="sh" path="socket:[320908602]" dev="sockfs" ino=320908602 scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_screen_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1518334085.142:50546020): avc: denied { ioctl } for pid=3879 comm="sh" path="socket:[320908602]" dev="sockfs" ino=320908602 ioctlcmd=0x5401 scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_screen_t:s0 tclass=unix_stream_socket permissive=1

I'm not sure what the screen_t stuff is about, although I do use tmux for everything, but it does all 4 of those even when I'm not running it under tmux.

The module_load part is the big one; because "sudo service iptables stop" unloads a bunch of relevant modules (which is *not* blocked, by the way), an iptables start or restart can't work because it doesn't have a bunch of the modules it needs.
# audit2allow -i avc

#============= insmod_t ==============

#!!!! This avc is allowed in the current policy
allow insmod_t init_t:unix_stream_socket { read write };

#!!!! This avc is allowed in the current policy
allow insmod_t self:system module_load;

#============= user_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow user_t user_screen_t:unix_stream_socket { ioctl read write };

# rpm -q selinux-policy
selinux-policy-3.13.1-283.26.fc27.noarch

Please update to the current version of the selinux-policy rpm package.

Lukas.
I'm not seeing it in the current release. Perhaps it is relevant that I'm running with unconfined disabled?

rlpowell@vrici> echo '
type=AVC msg=audit(1521438345.053:8842223): avc: denied { module_load } for pid=19455 comm="modprobe" scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:system_r:insmod_t:s0 tclass=system permissive=1
' | audit2allow -R

require {
	type insmod_t;
	class system module_load;
}

#============= insmod_t ==============
allow insmod_t self:system module_load;

rlpowell@vrici> sudo dnf list installed '*selinux*'
[sudo] password for rlpowell:
Installed Packages
container-selinux.noarch        2:2.55-1.fc27           @updates-testing
libselinux.x86_64               2.7-3.fc27              @updates
libselinux-devel.x86_64         2.7-3.fc27              @updates
libselinux-python.x86_64        2.7-3.fc27              @updates
libselinux-python3.x86_64       2.7-3.fc27              @updates
libselinux-ruby.x86_64          2.7-3.fc27              @updates
libselinux-utils.x86_64         2.7-3.fc27              @updates
rpm-plugin-selinux.x86_64       4.14.1-1.fc27           @updates
selinux-policy.noarch           3.13.1-283.28.fc27      @updates-testing
selinux-policy-devel.noarch     3.13.1-283.28.fc27      @updates-testing
selinux-policy-doc.noarch       3.13.1-283.28.fc27      @updates-testing
selinux-policy-targeted.noarch  3.13.1-283.28.fc27      @updates-testing
selinux-policy-3.13.1-283.29.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-ad9976b6a2
selinux-policy-3.13.1-283.29.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-ad9976b6a2
selinux-policy-3.13.1-283.29.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
With

rlpowell@stodi> rpm -q selinux-policy
selinux-policy-3.13.1-283.34.fc27.noarch

I'm still seeing:

type=AVC msg=audit(1527571260.489:72269492): avc: denied { read write } for pid=1121 comm="lsmod" path="socket:[430924691]" dev="sockfs" ino=430924691 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0

but the reload works, so if you think that's OK, then that's fine. The other AVCs are gone.
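The thread above turns on two things a reader has to pull out of each AVC record by eye: which source/target types and permissions are involved (what audit2allow turns into an allow rule), and whether the denial was actually enforced (permissive=0, as in the last comment) or only logged under permissive mode (permissive=1, as in the first). The following is an added example, not code from the bug report or from the selinux-policy project: a small parser that extracts those fields from audit-log lines and renders the same allow rule audit2allow printed in the thread. The sample log lines are constructed to mirror the AVCs pasted above; the helper names (parse_avc, allow_rule, enforced_denials) are this example's own.

```python
"""Classify SELinux AVC denials from audit log lines.

Added example (not part of the bug report): parses the key=value fields
of AVC records, renders the allow rule audit2allow would emit for each,
and separates denials that were enforced (permissive=0) from ones that
were only logged (permissive=1).
"""
import re
from dataclasses import dataclass

# Constructed sample input, modelled on the AVCs pasted in this thread.
# The fourth line is a non-AVC record to show it is skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1518334082.817:50546007): avc:  denied  { module_load } for  pid=3859 comm="modprobe" scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:system_r:insmod_t:s0 tclass=system permissive=1
type=AVC msg=audit(1518334085.142:50546020): avc:  denied  { ioctl } for  pid=3879 comm="sh" path="socket:[320908602]" dev="sockfs" ino=320908602 ioctlcmd=0x5401 scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_screen_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1527571260.489:72269492): avc:  denied  { read write } for  pid=1121 comm="lsmod" path="socket:[430924691]" dev="sockfs" ino=430924691 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
type=SYSCALL msg=audit(1527571260.489:72269492): arch=c000003e syscall=1 success=yes exit=1
"""

# "avc:  denied  { perm perm } for  key=value ..." (whitespace varies by
# source, so every separator is matched as \s+).
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+'
    r'\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either double-quoted (path, comm) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Avc:
    perms: tuple
    scontext: str
    tcontext: str
    tclass: str
    comm: str
    permissive: bool

    @property
    def stype(self):
        # user:role:type[:range] -> type
        return self.scontext.split(':')[2]

    @property
    def ttype(self):
        return self.tcontext.split(':')[2]


def parse_avc(line):
    """Return an Avc for a 'denied' AVC record, else None."""
    m = AVC_RE.match(line)
    if not m or m.group('decision') != 'denied':
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    try:
        return Avc(
            perms=tuple(sorted(m.group('perms').split())),
            scontext=fields['scontext'],
            tcontext=fields['tcontext'],
            tclass=fields['tclass'],
            comm=fields.get('comm', '?'),
            permissive=fields.get('permissive') == '1',
        )
    except KeyError:
        return None  # malformed record: required context fields missing


def parse_log(text):
    return [a for a in map(parse_avc, text.splitlines()) if a]


def allow_rule(avc):
    """Render the allow rule audit2allow prints for this denial."""
    target = 'self' if avc.stype == avc.ttype else avc.ttype
    perms = (avc.perms[0] if len(avc.perms) == 1
             else '{ ' + ' '.join(avc.perms) + ' }')
    return f'allow {avc.stype} {target}:{avc.tclass} {perms};'


def enforced_denials(avcs):
    """Only permissive=0 denials actually blocked the operation."""
    return [a for a in avcs if not a.permissive]


if __name__ == '__main__':
    for avc in parse_log(SAMPLE_AUDIT_LOG):
        mode = 'ENFORCED' if not avc.permissive else 'logged only'
        print(f'{mode:12} {avc.comm:10} {allow_rule(avc)}')
```

Run against a real log with `ausearch -m AVC --raw | python3 avc_classify.py`-style piping after swapping SAMPLE_AUDIT_LOG for stdin; the point of the permissive split is the one the last comment makes: a denial with permissive=0 is the only kind that can explain a failing reload, whereas permissive=1 records (as on the reporter's first system, with unconfined disabled and the domain permissive) show what *would* break once enforcement is turned on.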