SELinux is preventing /usr/sbin/nft from open access on the fifo_file fifo_file #147

Closed
EdDev opened this issue Sep 9, 2021 · 2 comments · Fixed by #148

Comments

@EdDev

EdDev commented Sep 9, 2021

I have been encountering this issue recently after updating CentOS Stream (8).

I've been working on calling nft executable from a CNI plugin (bridge) on a Kubernetes deployment.
The data is passed from the CNI plugin to nft through stdin (see here the implementation).

I'm trying to figure out if this is an intentional restriction added or a problem that should be resolved.

        $ sealert -l e884ba06-8e10-4e05-a442-e34752e6d660
        SELinux is preventing /usr/sbin/nft from open access on the fifo_file fifo_file.
         
        *****  Plugin catchall (100. confidence) suggests   **************************
         
        If you believe that nft should be allowed open access on the fifo_file fifo_file by default.
        Then you should report this as a bug.
        You can generate a local policy module to allow this access.
        Do
        allow this access for now by executing:
        # ausearch -c 'nft' --raw | audit2allow -M my-nft
        # semodule -X 300 -i my-nft.pp
         
         
        Additional Information:
        Source Context                system_u:system_r:iptables_t:s0
        Target Context                system_u:system_r:container_runtime_t:s0
        Target Objects                fifo_file [ fifo_file ]
        Source                        nft
        Source Path                   /usr/sbin/nft
        Port                          <Unknown>
        Host                          node02
        Source RPM Packages           nftables-0.9.3-21.el8.x86_64
        Target RPM Packages          
        SELinux Policy RPM            selinux-policy-targeted-3.14.3-62.el8.noarch
        Local Policy RPM              selinux-policy-targeted-3.14.3-62.el8.noarch
        Selinux Enabled               True
        Policy Type                   targeted
        Enforcing Mode                Enforcing
        Host Name                     node02
        Platform                      Linux node02 4.18.0-338.el8.x86_64 #1 SMP Fri Aug
                                      27 17:32:14 UTC 2021 x86_64 x86_64
        Alert Count                   570
        First Seen                    2021-09-02 06:39:36 UTC
        Last Seen                     2021-09-02 06:44:06 UTC
        Local ID                      e884ba06-8e10-4e05-a442-e34752e6d660
         
        Raw Audit Messages
        type=AVC msg=audit(1630565046.89:4103): avc:  denied  { open } for  pid=72831 comm="nft" path="pipe:[792657]" dev="pipefs" ino=792657 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=fifo_file permissive=0
         
         
        type=SYSCALL msg=audit(1630565046.89:4103): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffff9c a1=7f1e0ca8f879 a2=0 a3=0 items=0 ppid=72818 pid=72831 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=nft exe=/usr/sbin/nft subj=system_u:system_r:iptables_t:s0 key=(null)
         
        Hash: nft,iptables_t,container_runtime_t,fifo_file,open
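As an added illustration (not code from this issue or from either project), a small Python triage script that parses the two raw audit records quoted above, correlates the AVC with its SYSCALL record by audit serial, flags that the denied target is an inherited pipe rather than a file on disk, and derives the minimal allow rule that audit2allow would emit. The sample records are constructed from the ones in this issue plus one unrelated successful openat to show that only matching serials are joined.

```python
import re

# Constructed sample: the AVC and SYSCALL records from the issue, plus one
# unrelated record (serial 4104, success=yes) that must not be correlated.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1630565046.89:4103): avc:  denied  { open } for  pid=72831 comm="nft" path="pipe:[792657]" dev="pipefs" ino=792657 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=fifo_file permissive=0
type=SYSCALL msg=audit(1630565046.89:4103): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffff9c a1=7f1e0ca8f879 a2=0 a3=0 items=0 ppid=72818 pid=72831 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=nft exe=/usr/sbin/nft subj=system_u:system_r:iptables_t:s0 key=(null)
type=SYSCALL msg=audit(1630565046.90:4104): arch=x86_64 syscall=openat success=yes exit=3 comm=nft exe=/usr/sbin/nft
"""

AVC_RE = re.compile(r"msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+(?P<verdict>denied|granted)"
                    r"\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$")
SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_kv(text):
    """Split an audit record into key=value pairs, dropping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}

def type_of(context):
    """system_u:system_r:iptables_t:s0 -> iptables_t (the type field)."""
    return context.split(":")[2]

def parse_avc(record):
    m = AVC_RE.search(record)
    if not m:
        return None
    f = parse_kv(m.group("fields"))
    return {"serial": m.group("serial"), "verdict": m.group("verdict"),
            "perms": m.group("perms").split(), "comm": f.get("comm"),
            "path": f.get("path", ""), "source": type_of(f["scontext"]),
            "target": type_of(f["tcontext"]), "tclass": f["tclass"],
            "permissive": f.get("permissive") == "1"}

def triage(audit_text):
    """Join AVC and SYSCALL records by serial and derive the minimal allow rule."""
    syscalls, avcs = {}, []
    for line in audit_text.splitlines():
        if line.startswith("type=SYSCALL"):
            syscalls[SERIAL_RE.search(line).group(1)] = parse_kv(line)
        elif line.startswith("type=AVC"):
            avc = parse_avc(line)
            if avc:
                avcs.append(avc)
    for avc in avcs:
        sc = syscalls.get(avc["serial"], {})
        avc.update(syscall=sc.get("syscall"), exe=sc.get("exe"), exit=sc.get("exit"))
        # A fifo_file whose path is pipe:[ino] is an inherited descriptor (here
        # nft's stdin from the CNI plugin), not a named pipe on the filesystem.
        avc["inherited_pipe"] = avc["tclass"] == "fifo_file" and avc["path"].startswith("pipe:[")
        perms = " ".join(avc["perms"])
        perms = perms if len(avc["perms"]) == 1 else "{ %s }" % perms
        avc["rule"] = "allow %s %s:%s %s;" % (avc["source"], avc["target"], avc["tclass"], perms)
    return avcs

if __name__ == "__main__":
    for a in triage(SAMPLE_AUDIT):
        print(a["serial"], a["exe"], a["syscall"], a["exit"], "inherited pipe:", a["inherited_pipe"])
        print("  ", a["rule"])
```

Because the target is an inherited pipe from a container_runtime_t parent, the rule is narrow (one type pair, one class, one permission) rather than a blanket grant on container_runtime_t files, which is the scope the maintainers chose to carry in container-selinux.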
@rhatdan
Member

rhatdan commented Sep 9, 2021

Not intentional.

@wrabcak Should we fix this here or in SELinux Policy?

@zpytela
Contributor

zpytela commented Sep 10, 2021

It can be both. It is more closely related to containers and (apart from virt) we have very few rules calling container interfaces in selinux-policy, so if you don't mind, add it to container-selinux. There are already a few rules for iptables_t there.

rhatdan added a commit to rhatdan/container-selinux that referenced this issue Sep 10, 2021
Also allow container_domains to use inherited unix_stream_sockets from
userdomains.

Fixes: containers#147

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
EdDev added a commit to EdDev/go-nft that referenced this issue Sep 12, 2021
Using a buffer to pass the nftables configuration to `stdin` has been
unintentionally blocked by one of the latest SELinux policies [1].

While the policy issue is fixed, this change introduces an alternative
way to pass the configuration data using a temporary file.

The workaround can be removed once the SELinux policy is fixed.

[1] containers/container-selinux#147

Signed-off-by: Edward Haas <edwardh@redhat.com>
EdDev added a commit to networkplumbing/go-nft that referenced this issue Sep 13, 2021