Description of problem: SELinux is preventing ebtables from 'create' accesses on the rawip_socket Unknown. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that ebtables should be allowed create access on the Unknown rawip_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'ebtables' --raw | audit2allow -M my-ebtables # semodule -X 300 -i my-ebtables.pp Additional Information: Source Context system_u:system_r:firewalld_t:s0 Target Context system_u:system_r:firewalld_t:s0 Target Objects Unknown [ rawip_socket ] Source ebtables Source Path ebtables Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.14.2-28.fc29.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 4.18.0-0.rc5.git4.1.fc29.x86_64 #1 SMP Fri Jul 20 17:00:15 UTC 2018 x86_64 x86_64 Alert Count 4 First Seen 2018-07-24 18:59:39 +05 Last Seen 2018-07-24 18:59:39 +05 Local ID b9bd7a7c-30d6-429b-a385-aeb47b293640 Raw Audit Messages type=AVC msg=audit(1532440779.933:153): avc: denied { create } for pid=1087 comm="ebtables" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=rawip_socket permissive=1 Hash: ebtables,firewalld_t,firewalld_t,rawip_socket,create Version-Release number of selected component: selinux-policy-3.14.2-28.fc29.noarch Additional info: component: selinux-policy reporter: libreport-2.9.5 hashmarkername: setroubleshoot kernel: 4.18.0-0.rc5.git4.1.fc29.x86_64 type: libreport
Description of problem: systemctl restart firewalld Version-Release number of selected component: selinux-policy-3.14.2-29.fc29.noarch Additional info: reporter: libreport-2.9.5 hashmarkername: setroubleshoot kernel: 4.17.7-200.fc28.x86_64 type: libreport
type=PROCTITLE msg=audit(07/27/2018 13:29:07.872:185410) : proctitle=/usr/sbin/ebtables -t filter -L type=SYSCALL msg=audit(07/27/2018 13:29:07.872:185410) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=inet a1=SOCK_RAW a2=igmp a3=0x55c4bb817010 items=0 ppid=27580 pid=27737 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ebtables exe=/usr/sbin/ebtables-legacy subj=system_u:system_r:firewalld_t:s0 key=(null) type=AVC msg=audit(07/27/2018 13:29:07.872:185410) : avc: denied { create } for pid=27737 comm=ebtables scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=rawip_socket permissive=0 sh# sesearch -A -s firewalld_t -t firewalld_t -c rawip_socket sh#
And AVCs in permissive mode type=PROCTITLE msg=audit(07/27/2018 13:34:58.298:185513) : proctitle=/usr/sbin/ebtables --concurrent -L type=SYSCALL msg=audit(07/27/2018 13:34:58.298:185513) : arch=x86_64 syscall=socket success=yes exit=3 a0=inet a1=SOCK_RAW a2=igmp a3=0x8 items=0 ppid=28039 pid=28052 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ebtables exe=/usr/sbin/ebtables-legacy subj=system_u:system_r:firewalld_t:s0 key=(null) type=AVC msg=audit(07/27/2018 13:34:58.298:185513) : avc: denied { net_raw } for pid=28052 comm=ebtables capability=net_raw scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=capability permissive=1 type=AVC msg=audit(07/27/2018 13:34:58.298:185513) : avc: denied { create } for pid=28052 comm=ebtables scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=rawip_socket permissive=1 ---- type=PROCTITLE msg=audit(07/27/2018 13:34:58.298:185514) : proctitle=/usr/sbin/ebtables --concurrent -L type=SYSCALL msg=audit(07/27/2018 13:34:58.298:185514) : arch=x86_64 syscall=getsockopt success=no exit=ENOPROTOOPT(Protocol not available) a0=0x3 a1=ip a2=unknown-ipopt-name(0x80) a3=0x7fff84f6df70 items=0 ppid=28039 pid=28052 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ebtables exe=/usr/sbin/ebtables-legacy subj=system_u:system_r:firewalld_t:s0 key=(null) type=AVC msg=audit(07/27/2018 13:34:58.298:185514) : avc: denied { getopt } for pid=28052 comm=ebtables lport=2 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=rawip_socket permissive=1
This bug appears to have been reported against 'rawhide' during the Fedora 29 development cycle. Changing version to '29'.
*** Bug 1618507 has been marked as a duplicate of this bug. ***
Description of problem: Right after logging in on XFCE desktop. Version-Release number of selected component: selinux-policy-3.14.2-32.fc29.noarch Additional info: reporter: libreport-2.9.5 hashmarkername: setroubleshoot kernel: 4.18.5-300.fc29.armv7hl type: libreport
Note that https://bodhi.fedoraproject.org/updates/FEDORA-2018-379c39d97c and https://koji.fedoraproject.org/koji/buildinfo?buildID=1140843 will 'solve' this for now, by switching back to iptables. Presumably at some point in future at least Rawhide will switch back to ebtables, though, so this will show up again...
selinux-policy-3.14.2-34.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-db240a1726
selinux-policy-3.14.2-34.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.