Description of problem:
We see an SELinux issue in a customer environment during boot, with iptables-services enabled:
# audit2allow -a
#============= iptables_t ==============
allow iptables_t plymouthd_t:unix_stream_socket connectto;
Version-Release number of selected component (if applicable): -
How reproducible: Unknown
Steps to Reproduce:
According to the customer report, this is happening on all their RHEL 8.2 with iptables-services installed, but so far, I wasn't able to reproduce it on one of my RHEL 8 boxes.
Actual results: SELinux hit
Expected results: No deny seen.
Customer case linked.
We need more information to be able to assess this issue. Please gather audited AVC denials:
# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts boot
The reproducing steps would also be helpful when available, or a list of related changes made to the default state of the system.
I tried to find a reproducer but failed until now.
I'll ask the CU to provide me with the data from the ausearch you mentioned!
I'm going to get back to you, once I have the information!
Thanks Peter for directly providing the additional information here on this BZ - I've now marked it "private", since this BZ is open.
@Zdenek, can you work with this additional information?
Thanks for sharing the details. It needs to be figured out why plymouth runs in the iptables_t domain.
# sesearch -A -s iptables_t -t plymouthd_t -c unix_stream_socket -p connectto
# sesearch -A -s plymouth_t -t plymouthd_t -c unix_stream_socket -p connectto
allow plymouth_t plymouthd_t:unix_stream_socket connectto;
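Added example (not part of this bug or of the SELinux tooling): a small parser for raw ausearch AVC records that reproduces the allow rule audit2allow printed in the description and, more usefully for the question raised above, flags denials where the source domain is not the one the command should be running in. The audit records below are constructed to mirror the denial in this bug; pids, timestamps, the syscall arguments and the socket path are invented. The EXPECTED_DOMAIN table is an assumption for this example, taking plymouth_t from the sesearch result above rather than from the full policy.

```python
import re
from dataclasses import dataclass

# Constructed sample of raw ausearch output (no -i), modelled on the denial
# summarised in this bug. Pids, timestamps, syscall args and path are made up.
SAMPLE_AUDIT = """\
----
type=SYSCALL msg=audit(1589360000.101:77): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7ffd1c0 a2=110 a3=0 items=0 ppid=801 pid=812 comm="plymouth" exe="/usr/bin/plymouth" subj=system_u:system_r:iptables_t:s0 key=(null)
type=AVC msg=audit(1589360000.101:77): avc:  denied  { connectto } for  pid=812 comm="plymouth" path="/run/plymouth/pid" scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:plymouthd_t:s0 tclass=unix_stream_socket permissive=0
----
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]*) \}'
    r'.*?\bpid=(?P<pid>\d+)\s+comm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


@dataclass(frozen=True)
class Denial:
    pid: int
    comm: str
    perms: frozenset
    stype: str        # source (process) domain, e.g. iptables_t
    ttype: str        # target type, e.g. plymouthd_t
    tclass: str
    permissive: bool


def context_type(ctx):
    # An SELinux context is user:role:type[:level]; the type is the third field.
    return ctx.split(":")[2]


def parse_avc(text):
    """Return the denied AVC records in raw ausearch output as Denial objects.
    SYSCALL records, '----' separators and granted events are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("result") != "denied":
            continue
        perm_m = re.search(r"permissive=(\d)", line)
        denials.append(Denial(
            pid=int(m.group("pid")),
            comm=m.group("comm"),
            perms=frozenset(m.group("perms").split()),
            stype=context_type(m.group("scontext")),
            ttype=context_type(m.group("tcontext")),
            tclass=m.group("tclass"),
            permissive=bool(perm_m and perm_m.group(1) == "1"),
        ))
    return denials


def allow_rules(denials):
    """Collapse denials into allow rules the way audit2allow prints them,
    merging permissions that share the same (source, target, class)."""
    merged = {}
    for d in denials:
        merged.setdefault((d.stype, d.ttype, d.tclass), set()).update(d.perms)
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        p = next(iter(perms)) if len(perms) == 1 else "{ " + " ".join(sorted(perms)) + " }"
        rules.append(f"allow {s} {t}:{c} {p};")
    return rules


# Assumption for this example: the domain each command is expected to run in.
# plymouth_t is taken from the sesearch output in this bug (the domain that
# actually holds the connectto rule); this is not a general table of the policy.
EXPECTED_DOMAIN = {"plymouth": "plymouth_t"}


def misplaced_processes(denials, expected=EXPECTED_DOMAIN):
    """Return (comm, pid, actual domain, expected domain) for denials whose
    source domain is not the one the command should have transitioned into.
    For these, adding the allow rule would paper over a missing transition."""
    out = []
    for d in denials:
        want = expected.get(d.comm)
        if want and d.stype != want:
            out.append((d.comm, d.pid, d.stype, want))
    return out


if __name__ == "__main__":
    found = parse_avc(SAMPLE_AUDIT)
    for rule in allow_rules(found):
        print(rule)
    for comm, pid, actual, want in misplaced_processes(found):
        print(f"{comm} (pid {pid}) runs as {actual}, expected {want}: "
              f"check the domain transition rather than adding the rule")
```

Running it on the constructed records prints the same `allow iptables_t plymouthd_t:unix_stream_socket connectto;` line as in the description, plus a warning that plymouth is running as iptables_t instead of plymouth_t, which is exactly the case where the allow rule is the wrong fix. On a real system, feed it the output of the ausearch command requested above instead of the embedded sample.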
I was unable to reproduce it by just installing and enabling iptables-services, so I wonder what else is required to trigger these denials.
Closing per feedback the issue is no longer valid.