AVCs "denied { ioctl }" seen when iptables lists cgroup directories
Issue
- Checking the audit log, we can see an AVC related to iptables listing cgroup directories:
type=SYSCALL ... : arch=x86_64 syscall=execve success=yes exit=0 ... ppid=XXXXXX pid=XXXXXX auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=iptables exe=/usr/sbin/xtables-nft-multi subj=system_u:system_r:iptables_t:s0 key=(null)
type=AVC ... : avc: denied { ioctl } for pid=XXXXXX comm=iptables path=/sys/fs/cgroup dev="tmpfs" ino=XXX scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
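As an added example (not part of the Red Hat article), a small Python helper that pulls the security-relevant fields out of an AVC record like the one above, checks whether the denial was actually enforced, and shows the allow rule audit2allow would derive from it. The sample log is constructed from the record quoted here, with its XXXXXX/XXX placeholders kept.

```python
import re

# Constructed sample, modelled on the records quoted in this article. The
# SYSCALL line is included to show that non-AVC records are skipped.
SAMPLE_LOG = """\
type=SYSCALL ... : arch=x86_64 syscall=execve success=yes exit=0 comm=iptables exe=/usr/sbin/xtables-nft-multi subj=system_u:system_r:iptables_t:s0 key=(null)
type=AVC ... : avc: denied { ioctl } for pid=XXXXXX comm=iptables path=/sys/fs/cgroup dev="tmpfs" ino=XXX scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value may be quoted


def parse_avc(record):
    """Return the security-relevant fields of one AVC denial, or None."""
    m = AVC_RE.search(record)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),   # e.g. ["ioctl"]
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        # permissive=0 means the access was blocked, not merely logged
        "enforced": fields.get("permissive") == "0",
    }


def selinux_type(context):
    """user:role:type:level -> type, e.g. iptables_t."""
    return context.split(":")[2]


def find_denials(log_text):
    """Parse every AVC denial in an audit log excerpt."""
    return [d for d in map(parse_avc, log_text.splitlines()) if d]


def proposed_rule(avc):
    """The allow rule audit2allow would derive from this record. A local module
    built from it is a workaround; the durable fix belongs in selinux-policy."""
    return "allow %s %s:%s { %s };" % (
        selinux_type(avc["scontext"]), selinux_type(avc["tcontext"]),
        avc["tclass"], " ".join(avc["perms"]))
```

Running `find_denials` over `ausearch -m AVC -ts recent` output gives the same fields; the `enforced` flag separates real blocks from permissive-mode noise.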
Environment
- Red Hat Enterprise Linux 8
- iptables
- selinux-policy