Description of problem: We noticed this issue running CKI "Networking bridge: sanity" [1] on a aarch64 machine. ---- time->Sun Jun 20 04:09:04 2021 type=AVC msg=audit(1624176544.113:1062): avc: denied { read } for pid=770801 comm="systemd-gpt-aut" name="b252:1" dev="tmpfs" ino=916 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1 ---- time->Sun Jun 20 04:09:04 2021 type=AVC msg=audit(1624176544.113:1063): avc: denied { open } for pid=770801 comm="systemd-gpt-aut" path="/run/udev/data/b252:1" dev="tmpfs" ino=916 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1 ---- time->Sun Jun 20 04:09:04 2021 type=AVC msg=audit(1624176544.113:1064): avc: denied { getattr } for pid=770801 comm="systemd-gpt-aut" path="/run/udev/data/b252:1" dev="tmpfs" ino=916 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1 ---- time->Sun Jun 20 04:09:56 2021 type=AVC msg=audit(1624176596.073:1131): avc: denied { read } for pid=771707 comm="systemd-gpt-aut" name="b252:1" dev="tmpfs" ino=916 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1 ---- time->Sun Jun 20 04:09:56 2021 type=AVC msg=audit(1624176596.073:1132): avc: denied { open } for pid=771707 comm="systemd-gpt-aut" path="/run/udev/data/b252:1" dev="tmpfs" ino=916 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1 ---- time->Sun Jun 20 04:09:56 2021 type=AVC msg=audit(1624176596.073:1133): avc: denied { getattr } for pid=771707 comm="systemd-gpt-aut" path="/run/udev/data/b252:1" dev="tmpfs" ino=916 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1 Version-Release number of selected component (if applicable): selinux-policy-34.9-1.fc35.noarch How reproducible: 100% Steps to Reproduce: 1.Run the test [1] on aarch64 machine on Rawhide compose that includes selinux-policy-34.9-1.fc35.noarch [1] https://gitlab.com/cki-project/kernel-tests/-/tree/main/networking/bridge/sanity_check
For a quick workaround, execute these commands: echo '(allow systemd_gpt_generator_t udev_var_run_t (file (getattr open read ioctl lock)))' > local_sd_gpt_aut.cil semodule -i local_sd_gpt_aut.cil and, once the module is not needed, semodule -r local_sd_gpt_aut.cil
This bug appears to have been reported against 'rawhide' during the Fedora 35 development cycle. Changing version to 35.