Bug 1600690 - selinux-policy denies all(?) iptables operations with iptables 1.8.0 (breaks firewalld)
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All
OS: Linux
unspecified
urgent
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Ben Levenson
URL:
Whiteboard: AcceptedBlocker
Depends On:
Blocks: F29BetaBlocker
 
Reported: 2018-07-12 19:13 UTC by Adam Williamson
Modified: 2018-08-11 00:14 UTC (History)
5 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-08-11 00:14:49 UTC



Description Adam Williamson 2018-07-12 19:13:12 UTC
iptables 1.8.0 landed in Rawhide a couple of days ago. Since then, it appears that all iptables operations are blocked by SELinux. This prevents the firewalld service from starting correctly. This breaks several release criteria, including "All system services present after installation with one of the release-blocking package sets must start properly, unless they require hardware which is not present" (Final) and "After system installation without explicit firewall configuration, the system firewall must be active on all non-loopback interfaces" (Basic). Thus, proposing as an F29 Beta blocker. Here are the denials from a typical affected installation:

----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.585:97): avc:  denied  { create } for  pid=597 comm="iptables" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=rawip_socket permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.586:98): avc:  denied  { getattr } for  pid=597 comm="iptables" name="/" dev="proc" ino=1 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.586:99): avc:  denied  { read } for  pid=597 comm="iptables" name="modprobe" dev="proc" ino=23737 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.613:100): avc:  denied  { create } for  pid=600 comm="ip6tables" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=rawip_socket permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.613:101): avc:  denied  { read } for  pid=600 comm="ip6tables" name="modprobe" dev="proc" ino=23737 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.756:105): avc:  denied  { create } for  pid=614 comm="iptables" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=rawip_socket permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.756:106): avc:  denied  { getattr } for  pid=614 comm="iptables" name="/" dev="proc" ino=1 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.757:107): avc:  denied  { read } for  pid=614 comm="iptables" name="modprobe" dev="proc" ino=23737 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.780:108): avc:  denied  { create } for  pid=618 comm="iptables" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=rawip_socket permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.780:109): avc:  denied  { getattr } for  pid=618 comm="iptables" name="/" dev="proc" ino=1 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.780:110): avc:  denied  { read } for  pid=618 comm="iptables" name="modprobe" dev="proc" ino=23737 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.793:111): avc:  denied  { create } for  pid=620 comm="iptables" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=rawip_socket permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.794:112): avc:  denied  { getattr } for  pid=620 comm="iptables" name="/" dev="proc" ino=1 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.800:113): avc:  denied  { read } for  pid=620 comm="iptables" name="modprobe" dev="proc" ino=23737 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.812:114): avc:  denied  { create } for  pid=621 comm="iptables" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=rawip_socket permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.813:115): avc:  denied  { getattr } for  pid=621 comm="iptables" name="/" dev="proc" ino=1 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.813:116): avc:  denied  { read } for  pid=621 comm="iptables" name="modprobe" dev="proc" ino=23737 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.840:123): avc:  denied  { create } for  pid=622 comm="iptables" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=rawip_socket permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.841:124): avc:  denied  { getattr } for  pid=622 comm="iptables" name="/" dev="proc" ino=1 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.841:125): avc:  denied  { read } for  pid=622 comm="iptables" name="modprobe" dev="proc" ino=23737 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.869:128): avc:  denied  { create } for  pid=625 comm="ip6tables" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=rawip_socket permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.870:129): avc:  denied  { read } for  pid=625 comm="ip6tables" name="modprobe" dev="proc" ino=23737 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.879:130): avc:  denied  { create } for  pid=626 comm="ip6tables" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=rawip_socket permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.879:131): avc:  denied  { read } for  pid=626 comm="ip6tables" name="modprobe" dev="proc" ino=23737 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.888:132): avc:  denied  { create } for  pid=627 comm="ip6tables" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=rawip_socket permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.888:133): avc:  denied  { read } for  pid=627 comm="ip6tables" name="modprobe" dev="proc" ino=23737 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.900:135): avc:  denied  { create } for  pid=628 comm="ip6tables" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=rawip_socket permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.901:136): avc:  denied  { read } for  pid=628 comm="ip6tables" name="modprobe" dev="proc" ino=23737 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.913:139): avc:  denied  { create } for  pid=630 comm="ip6tables" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=rawip_socket permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.913:140): avc:  denied  { read } for  pid=630 comm="ip6tables" name="modprobe" dev="proc" ino=23737 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=0
----
time->Wed Jul 11 23:39:06 2018
type=AVC msg=audit(1531366746.168:142): avc:  denied  { create } for  pid=662 comm="iptables" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=rawip_socket permissive=0
----
time->Wed Jul 11 23:39:06 2018
type=AVC msg=audit(1531366746.178:143): avc:  denied  { create } for  pid=663 comm="ip6tables" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=rawip_socket permissive=0
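
The denials above all share one tell: comm is "iptables" or "ip6tables", yet the source context is still firewalld_t. When an executable carries the iptables_exec_t label, the policy transitions the child into its own iptables domain, so the denials show that no transition happened. The following is an added example (not part of the bug report) that parses audit-log AVC records, aggregates denials by source type, target type, class and permission, and flags records whose comm names a program that should be running in a different domain than the one it was denied in. The expected-domain table is an assumption for this example, derived from the fix described later in the bug (labeling the binaries iptables_exec_t); the sample records are a constructed subset copied from the report.

```python
"""Triage SELinux AVC denials and spot missing domain transitions (added example)."""
import re
from collections import Counter

# Constructed sample: four records copied from the bug report above.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1531366745.585:97): avc:  denied  { create } for  pid=597 comm="iptables" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=rawip_socket permissive=0
type=AVC msg=audit(1531366745.586:98): avc:  denied  { getattr } for  pid=597 comm="iptables" name="/" dev="proc" ino=1 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1531366745.586:99): avc:  denied  { read } for  pid=597 comm="iptables" name="modprobe" dev="proc" ino=23737 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=0
type=AVC msg=audit(1531366745.613:100): avc:  denied  { create } for  pid=600 comm="ip6tables" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=rawip_socket permissive=0
"""

# "avc:  denied  { create } for  pid=597 comm=..." -> result, permission set, key=value tail
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+'
    r'(?P<fields>.*)$'
)
# key=value pairs; values may be bare tokens or double-quoted strings
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption for this example: programs that should run in their own domain.
# Correctly labeled iptables binaries (iptables_exec_t) transition into iptables_t.
EXPECTED_DOMAIN = {"iptables": "iptables_t", "ip6tables": "iptables_t"}


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": tuple(m.group("perms").split())}
    for key, val in KV_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def context_type(ctx):
    """'system_u:system_r:firewalld_t:s0' -> 'firewalld_t'."""
    return ctx.split(":")[2]


def summarize(text):
    """Count denials keyed by (source type, target type, class, permission)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key_base = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        for perm in rec["perms"]:
            counts[key_base + (perm,)] += 1
    return counts


def missing_transitions(text):
    """Return (comm, actual domain, expected domain) for records where a program
    that should have entered its own domain is still running in the caller's."""
    suspects = set()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or "comm" not in rec:
            continue
        expected = EXPECTED_DOMAIN.get(rec["comm"])
        actual = context_type(rec["scontext"])
        if expected and actual != expected:
            suspects.add((rec["comm"], actual, expected))
    return sorted(suspects)


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_AUDIT).items()):
        print(f"{n:3d}  {key[0]} -> {key[1]} {key[2]}:{key[3]}")
    for comm, actual, expected in missing_transitions(SAMPLE_AUDIT):
        print(f"{comm} ran in {actual}, expected {expected}: check the executable's label")
```

Feeding the full ausearch output of an affected machine into summarize() collapses the dozens of repeated records into three distinct denial tuples, and missing_transitions() points at the label problem directly rather than suggesting that firewalld_t be granted raw socket and proc access, which is the wrong fix.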

Comment 1 Phil Sutter 2018-07-13 11:52:16 UTC
Hi,

Thanks for your report!

The problem seems to be that some iptables executables got renamed and therefore end up having the wrong selinux context.

In my Rawhide VM I could get firewalld to start again by calling the following command:

| chcon system_u:object_r:iptables_exec_t:s0 /sbin/xtables-legacy-multi /sbin/xtables-nft-multi

So in selinux-policy repository, file policy/modules/system/iptables.fc needs to be extended by /sbin/xtables-{legacy,nft}-multi.

Cheers, Phil
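
Whether the chcon workaround above was applied or the policy's file contexts were updated and restorecon run, the thing to verify afterwards is the on-disk label of the renamed binaries. The following is an added example (not the commenter's code) that reads the security.selinux extended attribute of each path and reports any whose type is not iptables_exec_t; a file with no label or that does not exist is reported rather than silently passing. The path list comes from the comment above; the reader parameter exists so the check can be exercised with constructed contexts.

```python
"""Verify that the xtables multi-call binaries carry iptables_exec_t (added example)."""
import errno
import os

# Paths named in the comment above; the expected type is the one the fix assigns.
XTABLES_BINARIES = ["/sbin/xtables-legacy-multi", "/sbin/xtables-nft-multi"]
EXPECTED_TYPE = "iptables_exec_t"


def read_context(path):
    """Return the file's SELinux context string, or None if the file is absent,
    unlabeled, or on a filesystem without security xattrs."""
    try:
        raw = os.getxattr(path, "security.selinux")
    except FileNotFoundError:
        return None
    except OSError as e:
        if e.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise
    # The kernel may return the context NUL-terminated.
    return raw.rstrip(b"\0").decode()


def context_type(ctx):
    """'system_u:object_r:iptables_exec_t:s0' -> 'iptables_exec_t' (None if malformed)."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else None


def check_labels(paths, expected_type, reader=read_context):
    """Map each path to (actual type or None, ok). ok is False for any path
    whose type differs from expected_type, including unlabeled/missing files."""
    results = {}
    for path in paths:
        ctx = reader(path)
        actual = context_type(ctx) if ctx else None
        results[path] = (actual, actual == expected_type)
    return results


def mislabeled(paths, expected_type, reader=read_context):
    """Just the paths that fail check_labels, for scripting."""
    return [p for p, (_, ok) in check_labels(paths, expected_type, reader).items() if not ok]


if __name__ == "__main__":
    for path, (actual, ok) in check_labels(XTABLES_BINARIES, EXPECTED_TYPE).items():
        print(f"{'ok ' if ok else 'BAD'} {path}: {actual or 'unlabeled/missing'}")
```

Note that chcon changes only the on-disk label, so a later full relabel reverts it; once the selinux-policy update carrying the new file-context entries is installed, restorecon -v on the two paths applies the persistent label and this check should come back clean.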

Comment 2 Lukas Vrabec 2018-07-16 10:54:16 UTC
commit 91497482ac05e9c5a19adc0da5f13c8772c14269 (HEAD -> rawhide, origin/rawhide)
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Mon Jul 16 12:52:24 2018 +0200

    Label /sbin/xtables-legacy-multi and /sbin/xtables-nft-multi as
    iptables_exec_t BZ(1600690)

Comment 3 Lukas Ruzicka 2018-07-16 17:17:53 UTC
Discussed at the 2018-07-16 blocker review meeting [1]:

AcceptedBlocker (Beta) - this is accepted as a violation of the Basic criterion "After system installation without explicit firewall configuration, the system firewall must be active on all non-loopback interfaces"

[1] https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2018-07-16/

Comment 4 Adam Williamson 2018-08-11 00:14:49 UTC
This is resolved by now, I'm pretty sure.

