Hi,
it seems there is a denial that is currently unhandled within the policy. I am getting a lot of errors like this in my journal on a fresh rhel 8.7 k3s install:

```
SELinux is preventing /usr/sbin/xtables-nft-multi from ioctl access on the directory /sys/fs/cgroup.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that xtables-nft-multi should be allowed ioctl access on the cgroup directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'iptables' --raw | audit2allow -M my-iptables
# semodule -X 300 -i my-iptables.pp
```

I am guessing this is because of https://github.com/fedora-selinux/selinux-policy/pull/1083 not being in rhel 8 (yet?). The audit2allow suggestion is:

```
module my-iptables 1.0;

require {
	type iptables_t;
	type cgroup_t;
	class dir ioctl;
}

#============= iptables_t ==============
allow iptables_t cgroup_t:dir ioctl;
```

Which does work, the denials are gone afterwards.

Do you think this should be part of the k3s-selinux package meanwhile? I'll also try to trigger a backport of this into rhel8.
Greetings Klaas
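An added check, not from the issue or from the k3s-selinux project: `ausearch -c 'iptables' --raw` returns every denial recorded for that command name, so the module audit2allow builds from it can contain more than the one `iptables_t cgroup_t:dir ioctl` rule discussed above. The script below parses constructed raw AVC records the way audit2allow groups them and flags any rule beyond the expected one, so the .te can be reviewed before `semodule -i`.

```python
import re
from collections import defaultdict

# Constructed `ausearch --raw` sample (not captured from the reporter's system).
# Two records match the denial in the report; the third is an unrelated denial
# by the same comm, to show why the generated module must be reviewed.
SAMPLE_RAW = """\
type=AVC msg=audit(1673264000.123:456): avc:  denied  { ioctl } for  pid=1234 comm="iptables" path="/sys/fs/cgroup" dev="cgroup2" ino=1 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1673264001.456:457): avc:  denied  { ioctl } for  pid=1235 comm="iptables" path="/sys/fs/cgroup" dev="cgroup2" ino=1 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1673264002.789:458): avc:  denied  { read } for  pid=1236 comm="iptables" name="rules.txt" dev="dm-0" ino=77 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<sctx>\S+) tcontext=(?P<tctx>\S+) tclass=(?P<tclass>\S+)"
)

def collect_rules(raw):
    """Fold raw AVC records into the allow rules audit2allow would emit,
    keyed (source_type, target_type, class) -> set of permissions."""
    rules = defaultdict(set)
    for line in raw.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL/PATH records carry no denial
        stype = m["sctx"].split(":")[2]  # user:role:type[:mls]
        ttype = m["tctx"].split(":")[2]
        rules[(stype, ttype, m["tclass"])].update(m["perms"].split())
    return dict(rules)

# The single rule the report identifies as missing on RHEL 8.
EXPECTED = {("iptables_t", "cgroup_t", "dir"): {"ioctl"}}

def unexpected_rules(rules, expected=EXPECTED):
    """Permissions the search swept in beyond the expected rule; anything
    returned here should be dropped from the .te before semodule -i."""
    extra = {}
    for key, perms in rules.items():
        surplus = perms - expected.get(key, set())
        if surplus:
            extra[key] = surplus
    return extra

if __name__ == "__main__":
    found = collect_rules(SAMPLE_RAW)
    for (s, t, c), perms in sorted(found.items()):
        print(f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};")
    for (s, t, c), perms in unexpected_rules(found).items():
        print(f"review: {s} {t}:{c} {sorted(perms)} is not the cgroup ioctl case")
```

On a real host, feed it the output of `ausearch -c 'iptables' --raw` instead of the constructed sample.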