SELinux is preventing /usr/sbin/xtables-legacy-multi from read access on the file file.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that xtables-legacy-multi should be allowed read access on the file file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'iptables' --raw | audit2allow -M my-iptables
# semodule -X 300 -i my-iptables.pp

Additional Information:
Source Context                system_u:system_r:iptables_t:s0
Target Context                system_u:system_r:NetworkManager_t:s0
Target Objects                file [ file ]
Source                        iptables
Source Path                   /usr/sbin/xtables-legacy-multi
Port                          <Unknown>
Host                          host.example.com
Source RPM Packages           iptables-1.8.0-5.fc30.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.14.3-23.fc30.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     host.example.com
Platform                      Linux host.example.com 5.0.0-300.fc30.x86_64 #1 SMP Mon Mar 4 22:46:48 UTC 2019 x86_64 x86_64
Alert Count                   10
First Seen                    2019-03-20 07:34:58 EDT
Last Seen                     2019-03-20 07:37:31 EDT
Local ID                      6bdcd256-f54d-4163-8cd4-ed0cba99e339

Raw Audit Messages
type=AVC msg=audit(1553081851.399:1793): avc:  denied  { read } for  pid=28846 comm="iptables" path="net:[4026531992]" dev="nsfs" ino=4026531992 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=file permissive=0

type=SYSCALL msg=audit(1553081851.399:1793): arch=x86_64 syscall=execve success=yes exit=0 a0=c0003f05e0 a1=c000428630 a2=c0003c27e0 a3=0 items=2 ppid=28827 pid=28846 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=iptables exe=/usr/sbin/xtables-legacy-multi subj=system_u:system_r:iptables_t:s0 key=(null)

type=CWD msg=audit(1553081851.399:1793): cwd=/

type=PATH msg=audit(1553081851.399:1793): item=0 name=/usr/sbin/iptables inode=25233753 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:iptables_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0

type=PATH msg=audit(1553081851.399:1793): item=1 name=/lib64/ld-linux-x86-64.so.2 inode=25172487 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0

Hash: iptables,iptables_t,NetworkManager_t,file,read
commit f0a193bb741522224ffcd02679b65f03d3ba6920 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Wed Mar 20 22:06:48 2019 +0100

    Allow iptables_t domain to read NetworkManager state
    BZ(1690881)
selinux-policy-3.14.3-27.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-2b32005b65
selinux-policy-3.14.3-27.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-2b32005b65
selinux-policy-3.14.3-27.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.