Description of problem:
During CKI podman test [1] we've hit the following issue:

avc: denied { ioctl } for pid=510216 comm="iptables" path="/var/lib/containers/storage/overlay/7d65c03c0ff08daf6366d735723151aa1f2cf165d51be30f62bded9ed586b838/merged" dev="overlay" ino=42308193 scontext=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0:c878,c982 tclass=dir permissive=0

Version-Release number of selected component (if applicable):
selinux-policy-35.6-1.fc36.noarch

How reproducible:
It seems easily reproducible with the podman test.

Steps to Reproduce:
1. Run test [1]

Additional info:
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

selinux-policy-35.6-1.fc36.noarch

[1] https://gitlab.com/cki-project/kernel-tests/-/tree/main/container/podman
Switching the component, there are already some rules in container-selinux:

f35# sesearch -A -s iptables_t -t container_file_t -c dir,file
allow application_domain_type logfile:file { append getattr ioctl lock };
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow iptables_t container_file_t:dir { getattr open search };
allow iptables_t container_file_t:file open;
In Cockpit we started to see these as well now, in our Fedora CoreOS CI: for example, [1]

audit: type=1400 audit(1641799023.984:237): avc: denied { ioctl } for pid=1161 comm="iptables" path="/var/lib/containers/storage/overlay/0fac9b410d57d0f8ae6fa8f042e8672ae70ddbeb4e25845223e35a3b2260c169/merged" dev="overlay" ino=17950249 scontext=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0:c1022,c1023 tclass=dir permissive=0

Nothing in that test fiddles with iptables; that's somehow internal to podman. But lots of tests start a cockpit/ws container there, so this just feels random. E.g. here [2] and here [3] it hit two different, and completely unrelated, tests.

We haven't seen this before, and haven't refreshed our CoreOS image in a whole week. Was this some sort of a time bomb? (But I can't imagine SELinux rules being time dependent.)

[1] https://logs.cockpit-project.org/logs/pull-16798-20220110-064948-be591291-fedora-coreos/log.html#232
[2] https://logs.cockpit-project.org/logs/pull-2784-20220110-024544-7afed88e-fedora-coreos-cockpit-project-cockpit/log.html#152
[3] https://logs.cockpit-project.org/logs/pull-2784-20220110-063907-7afed88e-fedora-coreos-cockpit-project-cockpit/log.html#241
This bug appears to have been reported against 'rawhide' during the Fedora 36 development cycle. Changing version to 36.
It seems it is /usr/libexec/podman/netavark which executes iptables, which tries to ioctl /var/lib/containers/storage/overlay/HASH/merged on execve:

   PID   PPID COMMAND                      CONTEXT
   685    670 bash -l                      unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
179294    685 podman run -p 9090:9090 -d   unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023
179304 179294 /usr/libexec/podman/netavar  unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023

----
type=PROCTITLE msg=audit(09/13/2022 10:15:05.216:33510) : proctitle=iptables --version
type=PATH msg=audit(09/13/2022 10:15:05.216:33510) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=137936 dev=fc:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(09/13/2022 10:15:05.216:33510) : item=0 name=/usr/sbin/iptables inode=158128 dev=fc:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:iptables_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(09/13/2022 10:15:05.216:33510) : cwd=/root
type=EXECVE msg=audit(09/13/2022 10:15:05.216:33510) : argc=2 a0=iptables a1=--version
type=SYSCALL msg=audit(09/13/2022 10:15:05.216:33510) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7fdb735a4d90 a1=0x559443869c80 a2=0x7ffe25ccd7d8 a3=0x8 items=2 ppid=179304 pid=179305 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=iptables exe=/usr/sbin/xtables-nft-multi subj=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(09/13/2022 10:15:05.216:33510) : avc: denied { ioctl } for pid=179305 comm=iptables path=/var/lib/containers/storage/overlay/bd4ddcdfce3c80350149a8f9d5f9caaf4442ec64ccd646addfb6983a86d8fdef/merged/etc dev="overlay" ino=263556 scontext=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0:c775,c1020 tclass=dir permissive=0
type=AVC msg=audit(09/13/2022 10:15:05.216:33510) : avc: denied { ioctl } for pid=179305 comm=iptables path=/var/lib/containers/storage/overlay/bd4ddcdfce3c80350149a8f9d5f9caaf4442ec64ccd646addfb6983a86d8fdef/merged dev="overlay" ino=399476 scontext=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0:c775,c1020 tclass=dir permissive=0

Switching the component, please assess if there can be leaked file descriptors.
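The triage above comes down to reading AVC records, grouping them by source type, target type and object class, and recognising the pattern of a host domain (here iptables_t, spawned by netavark on execve) touching a container's overlay rootfs, which is what prompted the leaked-file-descriptor question. The following parser is an added example, not code from this bug or from container-selinux; the audit lines in SAMPLE_AUDIT are constructed to mirror the denials quoted above (the overlay hash is a placeholder), and the "leaked fd" heuristic and the rule-rendering helper are assumptions of this example, not the policy maintainers' method.

```python
import re
from collections import defaultdict

# Constructed sample audit records modelled on the denials in this report.
# PLACEHOLDER_HASH stands in for a real overlay layer id; the httpd line is an
# unrelated, permissive-mode denial added so the grouping has something to separate.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1641799023.984:237): avc:  denied  { ioctl } for  pid=1161 comm="iptables" path="/var/lib/containers/storage/overlay/PLACEHOLDER_HASH/merged" dev="overlay" ino=17950249 scontext=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0:c1022,c1023 tclass=dir permissive=0
type=AVC msg=audit(1641799023.984:238): avc:  denied  { ioctl } for  pid=1161 comm="iptables" path="/var/lib/containers/storage/overlay/PLACEHOLDER_HASH/merged/etc" dev="overlay" ino=263556 scontext=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0:c775,c1020 tclass=dir permissive=0
type=AVC msg=audit(1641799024.100:240): avc:  denied  { read } for  pid=2222 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1641799023.984:237): arch=c000003e syscall=59 success=yes exit=0
"""

AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values may be double-quoted (raw auditd) or bare (ausearch -i output).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Container root filesystems mounted by the overlay storage driver live here.
OVERLAY_PREFIX = "/var/lib/containers/storage/overlay/"


def parse_avc(line):
    """Parse one audit line; return a dict for AVC records, None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"), "perms": set(m.group("perms").split())}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # The third colon-separated component of a security context is the SELinux type.
    rec["stype"] = rec.get("scontext", "::unknown").split(":")[2]
    rec["ttype"] = rec.get("tcontext", "::unknown").split(":")[2]
    # permissive=0 means the access was actually refused; permissive=1 only logged it.
    rec["enforced"] = rec.get("permissive") == "0"
    return rec


def parse_audit(text):
    """Return the AVC records found in a block of audit log text."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def summarize(records):
    """Group denials by (source type, target type, class) -> set of denied permissions,
    the same shape a policy author reads off 'sesearch -A' output."""
    out = defaultdict(set)
    for r in records:
        if r["verdict"] == "denied":
            out[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return dict(out)


def looks_like_leaked_container_fd(rec):
    """Heuristic (assumption of this example): a domain other than the container
    runtime or a container itself being denied on a path inside a container's
    overlay 'merged' tree has no reason to hold that object, so the descriptor was
    most likely inherited across execve rather than opened on purpose."""
    path = rec.get("path", "")
    container_side = rec["stype"] in {"container_runtime_t", "container_t"}
    return (rec["ttype"] == "container_file_t"
            and path.startswith(OVERLAY_PREFIX)
            and "/merged" in path
            and not container_side)


def to_te_rule(key, perms):
    """Render a grouping as the allow rule a policy author would evaluate; whether to
    allow, dontaudit, or instead close the descriptor in the caller is a policy decision."""
    stype, ttype, tclass = key
    return f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    for key, perms in summarize(recs).items():
        print(to_te_rule(key, perms))
    for r in recs:
        if looks_like_leaked_container_fd(r):
            print(f"pid={r['pid']} comm={r['comm']}: possible inherited fd into {r['path']}")
```

Feed it `ausearch -m AVC --raw` output (or the `audit:` lines from the CI logs) instead of SAMPLE_AUDIT; the permissive flag is kept per record because a `permissive=1` denial, like the `Mode from config file: permissive` line in the original report, means the operation went ahead and only the log entry tells you about it.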
Fixed in container-selinux-2.190.0
FEDORA-2022-32ab235aaa has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-32ab235aaa
FEDORA-2022-e2afae8ac7 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-e2afae8ac7
FEDORA-2022-32ab235aaa has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-32ab235aaa`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-32ab235aaa

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-e2afae8ac7 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-e2afae8ac7`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-e2afae8ac7

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-32ab235aaa has been pushed to the Fedora 37 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2022-e2afae8ac7 has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report.