RHEL-152287

"nft list ruleset" generates AVCs when running as a confined domain ("iptables_t")


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Undefined
    • Affects versions: rhel-10.1, rhel-9.7
    • Component: selinux-policy
    • Severity: Moderate
    • Team: rhel-security-selinux
    • QE ack
    • Automated

      What were you trying to do that didn't work?

      When executing "nft list ruleset" as a confined domain (iptables_t), the following AVCs are seen:

      type=AVC msg=audit(02/27/2026 08:40:18.066:252) : avc:  denied  { search } for  pid=2157 comm=nft name=2006 dev="proc" ino=28306 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=dir permissive=0
      ----
      type=AVC msg=audit(02/27/2026 08:40:18.068:253) : avc:  denied  { search } for  pid=2157 comm=nft name=2 dev="proc" ino=14497 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir permissive=0
      ----
      type=AVC msg=audit(02/27/2026 08:40:18.068:254) : avc:  denied  { search } for  pid=2157 comm=nft name=3 dev="proc" ino=14499 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir permissive=0
      ----
      type=AVC msg=audit(02/27/2026 08:40:18.068:255) : avc:  denied  { search } for  pid=2157 comm=nft name=4 dev="proc" ino=14501 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir permissive=0
      ----
      [...]
      

      In a nutshell, the command tries to read /proc/<PID>/fd/<FD> and fails to do so because there is no rule in the policy to allow this.

      This operation is necessary to collect the program name, among other things.
      The corresponding nft backtrace is:

      (gdb) bt
      #0  __GI___open64_nocancel (file=0x7ffeea15cb40 "/proc/1439/fd/", oflag=591872) at ../sysdeps/unix/sysv/linux/open64_nocancel.c:45
      #1  0x00007f69310d6389 in __opendir (name=name@entry=0x7ffeea15cb40 "/proc/1439/fd/") at ../sysdeps/unix/sysv/linux/opendir.c:86
      #2  0x00007f693134dbb1 in portid2name.constprop.0 (pid=pid@entry=1439, inode=inode@entry=27030, portid=<optimized out>) at /usr/src/debug/nftables-1.0.9-5.el9_7.x86_64/src/owner.c:56
      #3  0x00007f693130cddc in name_by_portid (inode=<optimized out>, portid=1439) at /usr/src/debug/nftables-1.0.9-5.el9_7.x86_64/src/owner.c:101
      #4  get_progname (portid=1439) at /usr/src/debug/nftables-1.0.9-5.el9_7.x86_64/src/owner.c:170
      #5  0x00007f69312da7be in table_print (table=0x5654166913c0, octx=0x5654166502e8) at /usr/src/debug/nftables-1.0.9-5.el9_7.x86_64/src/rule.c:1277
      #6  0x00007f69312dd04f in do_list_table (table=0x5654166913c0, ctx=0x7ffeea15d140) at /usr/src/debug/nftables-1.0.9-5.el9_7.x86_64/src/rule.c:1598
      #7  do_list_ruleset (cmd=<optimized out>, cmd=<optimized out>, ctx=0x7ffeea15d140) at /usr/src/debug/nftables-1.0.9-5.el9_7.x86_64/src/rule.c:2226
      #8  do_command_list (ctx=0x7ffeea15d140, cmd=<optimized out>) at /usr/src/debug/nftables-1.0.9-5.el9_7.x86_64/src/rule.c:2369
      #9  0x00007f6931315f72 in do_command (cmd=0x565416670ee0, ctx=0x7ffeea15d140) at /usr/src/debug/nftables-1.0.9-5.el9_7.x86_64/src/rule.c:2617
      #10 nft_netlink (nft=<optimized out>, cmds=<optimized out>, msgs=<optimized out>) at /usr/src/debug/nftables-1.0.9-5.el9_7.x86_64/src/libnftables.c:42
      #11 0x00007f69313205ee in nft_run_cmd_from_buffer (nft=0x5654166502a0, buf=buf@entry=0x565416670bd0 "list ruleset") at /usr/src/debug/nftables-1.0.9-5.el9_7.x86_64/src/libnftables.c:597
      #12 0x0000565414b58e0b in main (argc=3, argv=<optimized out>) at /usr/src/debug/nftables-1.0.9-5.el9_7.x86_64/src/main.c:533
      

      The solution consists of allowing iptables_t to read the /proc state of every domain:

      domain_read_all_domains_state(iptables_t)
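      The following is an added example, not code from the report or from selinux-policy. It parses AVC records in the "ausearch -i" format quoted above (the first four denials are copied from the report; a fifth "read" denial on a /proc file is constructed so the grouping has more than one bucket), summarises them the way audit2allow would, and separately lists the target types whose denied object is a /proc/<PID> directory. That second list is the point: those targets are process domains (firewalld_t, kernel_t, and whatever else happens to hold a netlink socket), so per-type allow rules would never be complete, which is why the interface domain_read_all_domains_state() is the appropriate fix.

```python
"""Triage SELinux AVC denials: group them as audit2allow would, and flag
denials whose target is a /proc/<PID> directory (i.e. another domain)."""
import re
from collections import defaultdict

# Constructed sample input. The first four lines are the denials quoted in
# the report; the fifth is a made-up follow-on denial (reading a /proc file
# owned by kernel_t) so that the summary has more than one bucket.
SAMPLE_AVCS = """\
type=AVC msg=audit(02/27/2026 08:40:18.066:252) : avc:  denied  { search } for  pid=2157 comm=nft name=2006 dev="proc" ino=28306 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=dir permissive=0
----
type=AVC msg=audit(02/27/2026 08:40:18.068:253) : avc:  denied  { search } for  pid=2157 comm=nft name=2 dev="proc" ino=14497 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir permissive=0
----
type=AVC msg=audit(02/27/2026 08:40:18.068:254) : avc:  denied  { search } for  pid=2157 comm=nft name=3 dev="proc" ino=14499 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir permissive=0
----
type=AVC msg=audit(02/27/2026 08:40:18.068:255) : avc:  denied  { search } for  pid=2157 comm=nft name=4 dev="proc" ino=14501 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir permissive=0
----
type=AVC msg=audit(02/27/2026 08:40:19.000:256) : avc:  denied  { read } for  pid=2157 comm=nft name=comm dev="proc" ino=14502 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=file permissive=0
"""

# "denied  { search }" or "denied  { read write }" -> the permission set
PERMS_RE = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}")
# key=value pairs; values may be bare tokens or double-quoted strings
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC line into {'perms': [...], 'fields': {...}}, or None."""
    if "avc:" not in line or "denied" not in line:
        return None
    m = PERMS_RE.search(line)
    if not m:
        return None
    perms = m.group(1).split()
    # Only the key=value pairs after the permission set are of interest;
    # the audit header (type=AVC msg=audit(...)) is skipped.
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line[m.end():])}
    return {"perms": perms, "fields": fields}


def context_type(ctx):
    """Extract the type from a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def summarize(avc_text):
    """Group denials by (source type, target type, class) -> sorted perms."""
    groups = defaultdict(set)
    for line in avc_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue  # separators such as "----" and non-AVC records
        f = rec["fields"]
        key = (context_type(f["scontext"]), context_type(f["tcontext"]), f["tclass"])
        groups[key].update(rec["perms"])
    return {k: sorted(v) for k, v in groups.items()}


def to_allow_rules(groups):
    """Render each bucket as the raw allow rule audit2allow would propose."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};"
        for (src, tgt, cls), perms in sorted(groups.items())
    ]


def proc_pid_dir_targets(avc_text):
    """Target types whose denied object is a /proc/<PID> directory
    (dev=proc, numeric name, class dir). These are process domains, so the
    set is open-ended: one allow rule per type would keep chasing new domains,
    which is the argument for a domain-wide interface instead."""
    types = set()
    for line in avc_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        f = rec["fields"]
        if f.get("dev") == "proc" and f.get("tclass") == "dir" and f.get("name", "").isdigit():
            types.add(context_type(f["tcontext"]))
    return sorted(types)


if __name__ == "__main__":
    groups = summarize(SAMPLE_AVCS)
    for rule in to_allow_rules(groups):
        print(rule)
    print("process domains reached via /proc/<PID>:", proc_pid_dir_targets(SAMPLE_AVCS))
```

      Run against real data with "ausearch -m AVC -i -c nft" piped into summarize(); the raw allow rules are what audit2allow would print, while proc_pid_dir_targets() shows whether the targets are domains, in which case the rules should be replaced by the policy interface rather than added one by one.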
      

      What is the impact of this issue to you?

      AVCs + "truncated" command output

      Please provide the package NVR for which the bug is seen:

      selinux-policy-38.1.65-1.el9.noarch
      selinux-policy-42.1.7-1.el10.noarch

      How reproducible is this bug?

      Always

      Steps to reproduce

      1. Enable firewalld (prerequisite):
         # systemctl start firewalld
      2. Execute the command as a service so that it runs in the iptables_t domain:
         # systemd-run nft list ruleset

      Expected results

      No AVC.
      Full output, e.g. first line should be:

      table inet firewalld { # progname firewalld
      

      Actual results

      AVCs.
      The first line lacks "progname firewalld" and instead reads as below, because nft cannot read what it needs from /proc:

      table inet firewalld { # progname (null)
      

      People: Zdenek Pytela (rhn-support-zpytela), Renaud Métrich (rhn-support-rmetrich), Zdenek Pytela, Milos Malik
      Votes: 0
      Watchers: 8