SLFO-pool/container-selinux
SHA256
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
container-selinux/rootless-docker_iptables.patch

40 lines
2.0 KiB
Diff
Raw Permalink Blame History

commit 10cc7ecacd631368e23691a77dbfe63ac6ca855f
Author: Robert Frohl <rfrohl@suse.com>
Date: Wed Jul 16 14:35:45 2025 +0200
Dontaudit dac_override for iptables_t
There are AVCs observed during rootless docker 'systemctl --user restart
docker.service', but no functional impact.
Minimal steps to reproduce:
> sudo modprobe ip_tables
> # creates /proc/net/ip_tables_names
> systemctl --user restart docker.service
> # reproduces the AVCs
----
type=PROCTITLE msg=audit(..) : proctitle=/sbin/iptables --wait -t filter -n -L DOCKER-USER
type=PATH msg=audit(..) : item=0 name=/proc/net/ip_tables_names inode=4026532558 dev=00:17 mode=file,440 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(..) : cwd=/home/user3
type=SYSCALL msg=audit(07/14/25 10:50:08.851:653) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x55916df27b70 a2=O_RDONLY a3=0x0 items=1 ppid=4831 pid=4979 auid=user3 uid=user3 gid=user3 euid=user3 suid=user3 fsuid=user3 egid=user3 sgid=user3 fsgid=user3 tty=(none) ses=12 comm=iptables exe=/usr/sbin/xtables-nft-multi subj=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(..) : avc: denied { dac_override } for pid=4979 comm=iptables capability=dac_override scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0
----
Fixes: bsc#1246348
Signed-off-by: Robert Frohl <rfrohl@suse.com>
diff --git a/container.te b/container.te
index 9e20607..271efa8 100644
--- a/container.te
+++ b/container.te
@@ -465,6 +465,7 @@ optional_policy(`
container_append_file(iptables_t)
allow iptables_t container_runtime_domain:fifo_file rw_fifo_file_perms;
allow iptables_t container_file_type:dir list_dir_perms;
+ dontaudit iptables_t self:cap_userns dac_override;
')
optional_policy(`
Reference in New Issue View Git Blame Copy Permalink