iptables 1.8.0 landed in Rawhide a couple of days ago. Since then, it appears that all iptables operations are blocked by SELinux. This prevents the firewalld service from starting correctly. This breaks several release criteria, including "All system services present after installation with one of the release-blocking package sets must start properly, unless they require hardware which is not present" (Final) and "After system installation without explicit firewall configuration, the system firewall must be active on all non-loopback interfaces" (Basic). Thus, proposing as an F29 Beta blocker.

Here are the denials from a typical affected installation:

----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.585:97): avc: denied { create } for pid=597 comm="iptables" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=rawip_socket permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.586:98): avc: denied { getattr } for pid=597 comm="iptables" name="/" dev="proc" ino=1 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.586:99): avc: denied { read } for pid=597 comm="iptables" name="modprobe" dev="proc" ino=23737 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.613:100): avc: denied { create } for pid=600 comm="ip6tables" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=rawip_socket permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.613:101): avc: denied { read } for pid=600 comm="ip6tables" name="modprobe" dev="proc" ino=23737 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.756:105): avc: denied { create } for pid=614 comm="iptables" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=rawip_socket permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.756:106): avc: denied { getattr } for pid=614 comm="iptables" name="/" dev="proc" ino=1 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.757:107): avc: denied { read } for pid=614 comm="iptables" name="modprobe" dev="proc" ino=23737 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.780:108): avc: denied { create } for pid=618 comm="iptables" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=rawip_socket permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.780:109): avc: denied { getattr } for pid=618 comm="iptables" name="/" dev="proc" ino=1 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.780:110): avc: denied { read } for pid=618 comm="iptables" name="modprobe" dev="proc" ino=23737 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.793:111): avc: denied { create } for pid=620 comm="iptables" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=rawip_socket permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.794:112): avc: denied { getattr } for pid=620 comm="iptables" name="/" dev="proc" ino=1 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.800:113): avc: denied { read } for pid=620 comm="iptables" name="modprobe" dev="proc" ino=23737 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.812:114): avc: denied { create } for pid=621 comm="iptables" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=rawip_socket permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.813:115): avc: denied { getattr } for pid=621 comm="iptables" name="/" dev="proc" ino=1 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.813:116): avc: denied { read } for pid=621 comm="iptables" name="modprobe" dev="proc" ino=23737 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.840:123): avc: denied { create } for pid=622 comm="iptables" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=rawip_socket permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.841:124): avc: denied { getattr } for pid=622 comm="iptables" name="/" dev="proc" ino=1 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.841:125): avc: denied { read } for pid=622 comm="iptables" name="modprobe" dev="proc" ino=23737 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.869:128): avc: denied { create } for pid=625 comm="ip6tables" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=rawip_socket permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.870:129): avc: denied { read } for pid=625 comm="ip6tables" name="modprobe" dev="proc" ino=23737 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.879:130): avc: denied { create } for pid=626 comm="ip6tables" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=rawip_socket permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.879:131): avc: denied { read } for pid=626 comm="ip6tables" name="modprobe" dev="proc" ino=23737 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.888:132): avc: denied { create } for pid=627 comm="ip6tables" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=rawip_socket permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.888:133): avc: denied { read } for pid=627 comm="ip6tables" name="modprobe" dev="proc" ino=23737 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.900:135): avc: denied { create } for pid=628 comm="ip6tables" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=rawip_socket permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.901:136): avc: denied { read } for pid=628 comm="ip6tables" name="modprobe" dev="proc" ino=23737 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.913:139): avc: denied { create } for pid=630 comm="ip6tables" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=rawip_socket permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.913:140): avc: denied { read } for pid=630 comm="ip6tables" name="modprobe" dev="proc" ino=23737 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=0
----
time->Wed Jul 11 23:39:06 2018
type=AVC msg=audit(1531366746.168:142): avc: denied { create } for pid=662 comm="iptables" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=rawip_socket permissive=0
----
time->Wed Jul 11 23:39:06 2018
type=AVC msg=audit(1531366746.178:143): avc: denied { create } for pid=663 comm="ip6tables" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=rawip_socket permissive=0
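As an added illustration (not part of the bug report or of selinux-policy), a small parser that reads ausearch-style AVC records like the ones above, groups the distinct denials, and flags commands that are still running in the caller's domain when a domain transition was expected. The sample records and the assumption that iptables/ip6tables should run in iptables_t (rather than firewalld_t) are mine, not the report's.

```python
import re
from collections import Counter

# Constructed sample in the ausearch layout quoted in the report (not the report's own records).
SAMPLE = """\
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.585:97): avc: denied { create } for pid=597 comm="iptables" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=rawip_socket permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.586:99): avc: denied { read } for pid=597 comm="iptables" name="modprobe" dev="proc" ino=23737 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=0
----
time->Wed Jul 11 23:39:05 2018
type=AVC msg=audit(1531366745.613:100): avc: denied { create } for pid=600 comm="ip6tables" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=rawip_socket permissive=0
"""
# Assumption: these commands should transition out of firewalld_t into their own domain.
EXPECTED = {"iptables": "iptables_t", "ip6tables": "iptables_t"}

# One AVC record per line; ausearch may print extra spaces, so \s+ is used between tokens.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=\w+:\w+:(?P<sdom>\w+):\S+\s+tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(text):
    """Return one dict per AVC line: permissions, comm, source domain, target type and tclass."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["perms"] = rec["perms"].split()
            records.append(rec)
    return records

def summarise(records):
    """Count distinct (comm, source domain, permission, target type, tclass) denials."""
    counts = Counter()
    for r in records:
        for perm in r["perms"]:
            counts[(r["comm"], r["sdom"], perm, r["ttype"], r["tclass"])] += 1
    return counts

def missing_transitions(records, expected):
    """(comm, domain) pairs where comm is still in the caller's domain rather than the expected one.
    A mislabelled executable (no *_exec_t type on the binary) is the usual reason no transition happened."""
    return sorted({(r["comm"], r["sdom"]) for r in records
                   if r["comm"] in expected and r["sdom"] != expected[r["comm"]]})

if __name__ == "__main__":
    recs = parse_avc(SAMPLE)
    for key, n in sorted(summarise(recs).items()):
        print(n, *key)
    print("no transition:", missing_transitions(recs, EXPECTED))
```

Feeding it the full `ausearch -m avc` output collapses dozens of repeated records into a handful of distinct denial tuples, and the "no transition" line points straight at the labelling problem rather than at the individual permissions.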
Hi,

Thanks for your report! The problem seems to be that some iptables executables got renamed and therefore end up having the wrong SELinux context. In my Rawhide VM I could get firewalld to start again by calling the following command:

| chcon system_u:object_r:iptables_exec_t:s0 /sbin/xtables-legacy-multi /sbin/xtables-nft-multi

So in the selinux-policy repository, file policy/modules/system/iptables.fc needs to be extended by /sbin/xtables-{legacy,nft}-multi.

Cheers,
Phil
commit 91497482ac05e9c5a19adc0da5f13c8772c14269 (HEAD -> rawhide, origin/rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Mon Jul 16 12:52:24 2018 +0200

    Label /sbin/xtables-legacy-multi and /sbin/xtables-nft-multi as iptables_exec_t

    BZ(1600690)
Discussed at the 2018-07-16 blocker review meeting [1]:

AcceptedBlocker (Beta) - this is accepted as a violation of the Basic criterion "After system installation without explicit firewall configuration, the system firewall must be active on all non-loopback interfaces"

[1] https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2018-07-16/
This is resolved by now, I'm pretty sure.