Description of problem: SELinux is preventing iptables from 'ioctl' accesses on the directory /sys/fs/cgroup. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that iptables should be allowed ioctl access on the cgroup directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'iptables' --raw | audit2allow -M my-iptables # semodule -X 300 -i my-iptables.pp Additional Information: Source Context unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 Target Context system_u:object_r:cgroup_t:s0 Target Objects /sys/fs/cgroup [ dir ] Source iptables Source Path iptables Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages SELinux Policy RPM selinux-policy-targeted-35.15-1.fc35.noarch Local Policy RPM selinux-policy-targeted-35.15-1.fc35.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 5.16.10-200.fc35.x86_64 #1 SMP PREEMPT Wed Feb 16 13:28:00 UTC 2022 x86_64 x86_64 Alert Count 33 First Seen 2022-03-07 15:01:34 EST Last Seen 2022-03-07 15:01:37 EST Local ID c37d8931-bbee-4370-a7d0-09602648b617 Raw Audit Messages type=AVC msg=audit(1646683297.394:47879): avc: denied { ioctl } for pid=2302162 comm="iptables" path="/sys/fs/cgroup" dev="cgroup2" ino=1 scontext=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0 Hash: iptables,iptables_t,cgroup_t,dir,ioctl Version-Release number of selected component: selinux-policy-targeted-35.15-1.fc35.noarch Additional info: component: selinux-policy reporter: libreport-2.15.2 hashmarkername: setroubleshoot kernel: 5.16.10-200.fc35.x86_64 type: libreport
*** This bug has been marked as a duplicate of bug 2008097 ***