Bug 1217470

Summary: SELinux prevents virsh net-start
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Felix Niederwanger <felix.niederwanger>
Component: Security
Assignee: Security Team bot <security-team>
Status: RESOLVED DUPLICATE
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
CC: cathy.hu, filippo.bonazzi
Version: Current
Target Milestone: ---
Hardware: Other
OS: Other
See Also: https://bugzilla.suse.com/show_bug.cgi?id=1216903
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: avc after the denial happens

Description Felix Niederwanger 2023-11-24 08:20:56 UTC
Created attachment 870960
avc after the denial happens

On the current Tumbleweed 20231122 with SELinux in enforcing mode, starting a libvirt network fails with the permission to iptables being denied:

> # virsh net-start default
> error: Failed to start network default
> error: internal error: Failed to apply firewall rules /sbin/iptables -w --table filter --insert LIBVIRT_INP --in-interface virbr0 --protocol tcp --destination-port 67 --jump ACCEPT: libvirt:  error : cannot execute binary /sbin/iptables: Permission denied

The issue could be present for some weeks already.

I'm also attaching the output of `ausearch -ts boot -m avc` as avc.txt.

Comment 2 Filippo Bonazzi 2023-11-24 08:39:40 UTC
Sorry, wrong bug. Duplicate of bug 1216903

Comment 3 Cathy Hu 2023-11-24 08:44:13 UTC
Yes, it's a duplicate of 1216903

*** This bug has been marked as a duplicate of bug 1216903 ***

Comment 4 Felix Niederwanger 2023-11-24 08:53:06 UTC
Yes indeed, thank you!