Bug 2166509

Summary: SELinux is preventing (sd-worker) from using the 'sys_resource' capabilities.
Product: [Fedora] Fedora
Reporter: Matt Fagnani <matt.fagnani>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: medium
Version: 37
CC: agurenko, dwalsh, lvrabec, mmalik, nberrehouc, omosnacek, pkoncity, vmojzis, zbyszek, zpytela
Target Milestone: ---
Keywords: Triaged
Target Release: ---
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:28e9f5c7b8f7461924d6cc7a7a60f82191caec142c8596bcfe2b18c208b88847;VARIANT_ID=kde;
Fixed In Version: selinux-policy-37.19-1.fc37
Last Closed: 2023-02-05 01:46:38 UTC

Description Matt Fagnani 2023-02-02 03:40:34 UTC
Description of problem:
I ran sudo dnf offline-upgrade download (with upgrades-testing enabled) then sudo dnf offline-upgrade reboot in a Fedora 37 KDE Plasma installation. The upgrade included systemd-251.11-1.fc37.x86_64 and subpackages. On the next 2 boots after the completed update, processes like sd-worker and systemd-userwork were denied using the sys_resource capability when systemd-userdbd.service was started as shown in the following journal output.

Feb 01 22:05:37 systemd[1]: Starting systemd-userdbd.service - User Database Manager...
Feb 01 22:05:37 auditd[832]: Email option is specified but /usr/lib/sendmail doesn't seem executable.
Feb 01 22:05:37 auditd[832]: q_depth should be larger than 512 for safety margin
Feb 01 22:05:37 auditd[837]: Error - plugin (/etc/audit/plugins.d//syslog.conf) is active but no path given
Feb 01 22:05:37 auditd[837]: Skipping syslog.conf plugin due to errors
Feb 01 22:05:37 auditd[837]: audit dispatcher initialized with q_depth=400 and 1 active plugins
Feb 01 22:05:37 audit: CONFIG_CHANGE op=set audit_enabled=1 old=1 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 res=1
Feb 01 22:05:37 audit[837]: SYSCALL arch=c000003e syscall=44 success=yes exit=60 a0=3 a1=7ffc7bb19b10 a2=3c a3=0 items=0 ppid=832 pid=837 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="auditd" exe="/usr/sbin/auditd" subj=system_u:system_r:auditd_t:s0 key=(null)
Feb 01 22:05:37 kernel: audit: type=1305 audit(1675307137.491:159): op=set audit_enabled=1 old=1 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 res=1
Feb 01 22:05:37 kernel: audit: type=1300 audit(1675307137.491:159): arch=c000003e syscall=44 success=yes exit=60 a0=3 a1=7ffc7bb19b10 a2=3c a3=0 items=0 ppid=832 pid=837 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="auditd" exe="/usr/sbin/auditd" subj=system_u:system_r:auditd_t:s0 key=(null)
Feb 01 22:05:37 audit: PROCTITLE proctitle="/sbin/auditd"
Feb 01 22:05:37 audit: CONFIG_CHANGE op=set audit_pid=837 old=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 res=1
Feb 01 22:05:37 audit[837]: SYSCALL arch=c000003e syscall=44 success=yes exit=60 a0=3 a1=7ffc7bb177d0 a2=3c a3=0 items=0 ppid=832 pid=837 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="auditd" exe="/usr/sbin/auditd" subj=system_u:system_r:auditd_t:s0 key=(null)
Feb 01 22:05:37 audit: PROCTITLE proctitle="/sbin/auditd"
Feb 01 22:05:37 auditd[837]: Init complete, auditd 3.0.9 listening for events (startup state enable)
Feb 01 22:05:37 audit[843]: AVC avc:  denied  { sys_resource } for  pid=843 comm="(sd-worker)" capability=24  scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:system_r:systemd_userdbd_t:s0 tclass=capability permissive=0
Feb 01 22:05:37 audit[843]: SYSCALL arch=c000003e syscall=157 success=no exit=-1 a0=23 a1=8 a2=7f5ed8824000 a3=0 items=0 ppid=836 pid=843 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(sd-worker)" exe="/usr/lib/systemd/systemd-userdbd" subj=system_u:system_r:systemd_userdbd_t:s0 key=(null)
Feb 01 22:05:37 audit: PROCTITLE proctitle="(sd-worker)"
Feb 01 22:05:37 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-userdbd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb 01 22:05:37 systemd[1]: Started systemd-userdbd.service - User Database Manager.
Feb 01 22:05:37 sedispatch[839]: Connection Error (Failed to connect to socket /run/dbus/system_bus_socket: No such file or directory): AVC Will be dropped
Feb 01 22:05:37 audit[844]: AVC avc:  denied  { sys_resource } for  pid=844 comm="(sd-worker)" capability=24  scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:system_r:systemd_userdbd_t:s0 tclass=capability permissive=0
Feb 01 22:05:37 audit[844]: SYSCALL arch=c000003e syscall=157 success=no exit=-1 a0=23 a1=8 a2=7f5ed8824000 a3=0 items=0 ppid=836 pid=844 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(sd-worker)" exe="/usr/lib/systemd/systemd-userdbd" subj=system_u:system_r:systemd_userdbd_t:s0 key=(null)
Feb 01 22:05:37 audit: PROCTITLE proctitle="(sd-worker)"
Feb 01 22:05:37 audit[845]: AVC avc:  denied  { sys_resource } for  pid=845 comm="(sd-worker)" capability=24  scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:system_r:systemd_userdbd_t:s0 tclass=capability permissive=0
Feb 01 22:05:37 sedispatch[839]: Connection Error (Failed to connect to socket /run/dbus/system_bus_socket: No such file or directory): AVC Will be dropped
Feb 01 22:05:37 audit[845]: SYSCALL arch=c000003e syscall=157 success=no exit=-1 a0=23 a1=8 a2=7f5ed8824000 a3=0 items=0 ppid=836 pid=845 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(sd-worker)" exe="/usr/lib/systemd/systemd-userdbd" subj=system_u:system_r:systemd_userdbd_t:s0 key=(null)
Feb 01 22:05:37 audit: PROCTITLE proctitle="(sd-worker)"
Feb 01 22:05:37 sedispatch[839]: Connection Error (Failed to connect to socket /run/dbus/system_bus_socket: No such file or directory): AVC Will be dropped
Feb 01 22:05:37 audit[844]: AVC avc:  denied  { sys_resource } for  pid=844 comm="systemd-userwor" capability=24  scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:system_r:systemd_userdbd_t:s0 tclass=capability permissive=0
Feb 01 22:05:37 audit[844]: SYSCALL arch=c000003e syscall=157 success=no exit=-1 a0=23 a1=8 a2=7ff4893bc000 a3=0 items=0 ppid=836 pid=844 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-userwor" exe="/usr/lib/systemd/systemd-userwork" subj=system_u:system_r:systemd_userdbd_t:s0 key=(null)
Feb 01 22:05:37 audit: PROCTITLE proctitle="(sd-worker)"
Feb 01 22:05:37 audit[843]: AVC avc:  denied  { sys_resource } for  pid=843 comm="systemd-userwor" capability=24  scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:system_r:systemd_userdbd_t:s0 tclass=capability permissive=0
Feb 01 22:05:37 audit[846]: AVC avc:  denied  { sys_resource } for  pid=846 comm="(sd-worker)" capability=24  scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:system_r:systemd_userdbd_t:s0 tclass=capability permissive=0
Feb 01 22:05:37 audit[843]: SYSCALL arch=c000003e syscall=157 success=no exit=-1 a0=23 a1=8 a2=7f1574a9c000 a3=0 items=0 ppid=836 pid=843 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-userwor" exe="/usr/lib/systemd/systemd-userwork" subj=system_u:system_r:systemd_userdbd_t:s0 key=(null)
Feb 01 22:05:37 audit: PROCTITLE proctitle="(sd-worker)"
Feb 01 22:05:37 audit[846]: SYSCALL arch=c000003e syscall=157 success=no exit=-1 a0=23 a1=8 a2=7f5ed8824000 a3=0 items=0 ppid=836 pid=846 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(sd-worker)" exe="/usr/lib/systemd/systemd-userdbd" subj=system_u:system_r:systemd_userdbd_t:s0 key=(null)
Feb 01 22:05:37 audit: PROCTITLE proctitle="(sd-worker)"
Feb 01 22:05:37 sedispatch[839]: Connection Error (Failed to connect to socket /run/dbus/system_bus_socket: No such file or directory): AVC Will be dropped
Feb 01 22:05:37 audit[845]: AVC avc:  denied  { sys_resource } for  pid=845 comm="systemd-userwor" capability=24  scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:system_r:systemd_userdbd_t:s0 tclass=capability permissive=0
Feb 01 22:05:37 audit[845]: SYSCALL arch=c000003e syscall=157 success=no exit=-1 a0=23 a1=8 a2=7f33e089c000 a3=0 items=0 ppid=836 pid=845 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-userwor" exe="/usr/lib/systemd/systemd-userwork" subj=system_u:system_r:systemd_userdbd_t:s0 key=(null)
Feb 01 22:05:37 audit: PROCTITLE proctitle="(sd-worker)"
Feb 01 22:05:37 sedispatch[839]: Connection Error (Failed to connect to socket /run/dbus/system_bus_socket: No such file or directory): AVC Will be dropped
Feb 01 22:05:37 sedispatch[839]: Connection Error (Failed to connect to socket /run/dbus/system_bus_socket: No such file or directory): AVC Will be dropped
Feb 01 22:05:37 audit[846]: AVC avc:  denied  { sys_resource } for  pid=846 comm="systemd-userwor" capability=24  scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:system_r:systemd_userdbd_t:s0 tclass=capability permissive=0
Feb 01 22:05:37 audit[846]: SYSCALL arch=c000003e syscall=157 success=no exit=-1 a0=23 a1=8 a2=7fdec0159000 a3=0 items=0 ppid=836 pid=846 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-userwor" exe="/usr/lib/systemd/systemd-userwork" subj=system_u:system_r:systemd_userdbd_t:s0 key=(null)
Feb 01 22:05:37 audit: PROCTITLE proctitle="(sd-worker)"
Feb 01 22:05:37 sedispatch[839]: Connection Error (Failed to connect to socket /run/dbus/system_bus_socket: No such file or directory): AVC Will be dropped
Feb 01 22:05:37 sedispatch[839]: Connection Error (Failed to connect to socket /run/dbus/system_bus_socket: No such file or directory): AVC Will be dropped

I also saw SELinux denial notifications at various times while using Plasma. The same sorts of sys_resource denials were shown in the journal at those times. The denials didn't happen before the update including systemd-251.11-1.fc37 so likely some change in that is related to them. I'm using the targeted policy in enforcing mode from selinux-policy-37.18-1.fc37.
SELinux is preventing (sd-worker) from using the 'sys_resource' capabilities.

*****  Plugin sys_resource (91.4 confidence) suggests   **********************

If you do not want processes to require capabilities to use up all the system resources on your system;
Then you need to diagnose why your system is running out of system resources and fix the problem.

According to /usr/include/linux/capability.h, sys_resource is required to:

/* Override resource limits. Set resource limits. */
/* Override quota limits. */
/* Override reserved space on ext2 filesystem */
/* Modify data journaling mode on ext3 filesystem (uses journaling
   resources) */
/* NOTE: ext2 honors fsuid when checking for resource overrides, so
   you can override using fsuid too */
/* Override size restrictions on IPC message queues */
/* Allow more than 64hz interrupts from the real-time clock */
/* Override max number of consoles on console allocation */
/* Override max number of keymaps */

Do
fix the cause of the SYS_RESOURCE on your system.

*****  Plugin catchall (9.59 confidence) suggests   **************************

If you believe that (sd-worker) should have the sys_resource capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '(sd-worker)' --raw | audit2allow -M my-sdworker
# semodule -X 300 -i my-sdworker.pp

Additional Information:
Source Context                system_u:system_r:systemd_userdbd_t:s0
Target Context                system_u:system_r:systemd_userdbd_t:s0
Target Objects                Unknown [ capability ]
Source                        (sd-worker)
Source Path                   (sd-worker)
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-37.18-1.fc37.noarch
Local Policy RPM              selinux-policy-targeted-37.18-1.fc37.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.1.8-200.fc37.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Tue Jan 24 20:32:16 UTC 2023
                              x86_64 x86_64
Alert Count                   12
First Seen                    2023-02-01 22:10:46 EST
Last Seen                     2023-02-01 22:16:10 EST
Local ID                      be2b891b-ec94-4342-94bf-21c34a711eaa

Raw Audit Messages
type=AVC msg=audit(1675307770.565:398): avc:  denied  { sys_resource } for  pid=3450 comm="systemd-userwor" capability=24  scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:system_r:systemd_userdbd_t:s0 tclass=capability permissive=0


Hash: (sd-worker),systemd_userdbd_t,systemd_userdbd_t,capability,sys_resource

Version-Release number of selected component:
selinux-policy-targeted-37.18-1.fc37.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.17.4
hashmarkername: setroubleshoot
kernel:         6.1.8-200.fc37.x86_64
type:           libreport

Comment 1 Matt Fagnani 2023-02-02 04:16:54 UTC
I searched for systemd-userdbd in the systemd-stable repository and found a commit, "units: allow systemd-userdbd to change process name", which makes the following change, adding the CAP_SYS_RESOURCE capability to the systemd-userdbd.service file: https://github.com/systemd/systemd-stable/commit/9357d2342981a8b4fcfa2d170b7749c27d364fdd

- CapabilityBoundingSet=CAP_DAC_READ_SEARCH
+ CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_RESOURCE
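
Review bot: the added CAP_SYS_RESOURCE on the `+ CapabilityBoundingSet=` line carries no comment in the unit saying what needs it, and per the capability.h excerpt in the description it covers overriding resource and quota limits, which is far wider than the "change process name" purpose given in the commit title. Suggest a comment above the directive stating that single purpose, and shipping the change together with the selinux-policy rule that allows systemd_userdbd_t the sys_resource capability, since on an enforcing system the bounding-set change alone still ends in the AVC denials shown in the description.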

That change might be where these denials are coming from.
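
An added example, not part of the original report or of any Fedora tool: it pairs each AVC denial in journal-format audit output with the failed SYSCALL record from the same pid and comm, then decodes the syscall number and the prctl arguments (audit prints a0 to a3 in hex). The lookup tables hold only the few x86_64 values needed here, and the sample lines are constructed by shortening records from the description.

```python
import re
from collections import Counter

# Constructed sample, shortened from the journal output in the description:
# two interleaved AVC/SYSCALL pairs plus one raw AVC with no SYSCALL record.
SAMPLE = """\
Feb 01 22:05:37 audit[843]: AVC avc:  denied  { sys_resource } for  pid=843 comm="systemd-userwor" capability=24  scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:system_r:systemd_userdbd_t:s0 tclass=capability permissive=0
Feb 01 22:05:37 audit[846]: AVC avc:  denied  { sys_resource } for  pid=846 comm="(sd-worker)" capability=24  scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:system_r:systemd_userdbd_t:s0 tclass=capability permissive=0
Feb 01 22:05:37 audit[843]: SYSCALL arch=c000003e syscall=157 success=no exit=-1 a0=23 a1=8 a2=7f1574a9c000 a3=0 ppid=836 pid=843 comm="systemd-userwor" exe="/usr/lib/systemd/systemd-userwork"
Feb 01 22:05:37 audit[846]: SYSCALL arch=c000003e syscall=157 success=no exit=-1 a0=23 a1=8 a2=7f5ed8824000 a3=0 ppid=836 pid=846 comm="(sd-worker)" exe="/usr/lib/systemd/systemd-userdbd"
type=AVC msg=audit(1675307770.565:398): avc:  denied  { sys_resource } for  pid=3450 comm="systemd-userwor" capability=24  scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:system_r:systemd_userdbd_t:s0 tclass=capability permissive=0
"""

# Only the values needed here; extend from the kernel headers for other calls.
X86_64_SYSCALLS = {44: "sendto", 157: "prctl"}
PRCTL_OPTIONS = {15: "PR_SET_NAME", 35: "PR_SET_MM"}
PR_SET_MM_FIELDS = {8: "PR_SET_MM_ARG_START", 9: "PR_SET_MM_ARG_END"}

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
DENIED = re.compile(r'avc:\s+denied\s+\{ ([^}]+) \}')


def fields(line):
    """Return the key=value pairs of one audit record, quotes stripped."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def decode_syscall(f):
    """Name the syscall of a SYSCALL record; expand prctl() arguments."""
    if f.get("arch") != "c000003e":  # AUDIT_ARCH_X86_64; other ABIs number differently
        return f"syscall {f['syscall']} (arch {f.get('arch')})"
    name = X86_64_SYSCALLS.get(int(f["syscall"]), f"syscall {f['syscall']}")
    if name != "prctl":
        return name
    option, sub = int(f["a0"], 16), int(f["a1"], 16)  # audit logs a0..a3 in hex
    call = PRCTL_OPTIONS.get(option, hex(option))
    if call == "PR_SET_MM":
        call += ", " + PR_SET_MM_FIELDS.get(sub, hex(sub))
    return f"prctl({call})"


def triage(text):
    """List AVC denials, each annotated with the failed syscall that hit it."""
    pending = {}   # (pid, comm) -> denials still waiting for their SYSCALL record
    findings = []
    for line in text.splitlines():
        f = fields(line)
        denied = DENIED.search(line)
        if denied:
            rec = {
                "pid": f.get("pid"), "comm": f.get("comm"),
                "domain": f["scontext"].split(":")[2],
                "tclass": f.get("tclass"), "perms": denied.group(1).split(),
                "permissive": f.get("permissive") == "1", "call": None,
            }
            pending.setdefault((rec["pid"], rec["comm"]), []).append(rec)
            findings.append(rec)
        elif " SYSCALL " in line and f.get("success") == "no":
            # Journal output has no event serial, so match on pid and comm;
            # records of different workers interleave, as in the description.
            queue = pending.get((f.get("pid"), f.get("comm")))
            if queue:
                queue.pop(0)["call"] = decode_syscall(f)
    return findings


def summarize(findings):
    """Count denials per (source domain, permission, triggering call)."""
    return Counter((r["domain"], p, r["call"]) for r in findings for p in r["perms"])


if __name__ == "__main__":
    for key, count in summarize(triage(SAMPLE)).items():
        print(count, key)
```

On these records the paired calls decode to prctl(PR_SET_MM, PR_SET_MM_ARG_START), an operation the kernel gates on CAP_SYS_RESOURCE and that relocates the process's argument area, consistent with the "change process name" commit title quoted above.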

Comment 2 Zdenek Pytela 2023-02-02 08:57:26 UTC
Correct, and it's already in rawhide, so backporting.

Comment 3 Zbigniew Jędrzejewski-Szmek 2023-02-02 12:07:04 UTC
Oh, great. I was about to do a build with the revert, but I'll wait for the selinux-policy update instead. Please add it to the bodhi update so they go out together.

Comment 4 Fedora Update System 2023-02-03 15:16:37 UTC
FEDORA-2023-7bf3639a5d has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-7bf3639a5d

Comment 5 Nicolas Berrehouc 2023-02-03 16:28:40 UTC
Similar problem has been detected:

Since last upgrade

# dnf history info 824
Identifiant de transaction : 824
Temps de début    : ven. 03 févr. 2023 05:41:11
Début de RPMDB    : 709e8388798c21330990c7d8f5b9166291777fd5b29bb9538896062e66b81716
Temps de fin : ven. 03 févr. 2023 05:41:32 (21 secondes)
Fin de RPMDB : 12ba79557295978e554e669238e3dc64938ba1ee8e12de5b4a17a55d59ca760e
Utilisateur  : Nicosss <nicosss>
Code de retour  : Réussi
Version      : 37
Ligne de commande : upgrade --refresh --enablerepo=*testing
Commentaire : 
Paquets modifiés :
    Upgrade  cifs-utils-7.0-1.fc37.x86_64                 @updates-testing
    Upgraded cifs-utils-6.15-2.fc37.x86_64                @@System
    Upgrade  cifs-utils-info-7.0-1.fc37.x86_64            @updates-testing
    Upgraded cifs-utils-info-6.15-2.fc37.x86_64           @@System
    Upgrade  gnome-shell-43.2-2.fc37.x86_64               @updates-testing
    Upgraded gnome-shell-43.2-1.fc37.x86_64               @@System
    Upgrade  libhandy-1.8.1-1.fc37.x86_64                 @updates-testing
    Upgraded libhandy-1.8.0-1.fc37.x86_64                 @@System
    Upgrade  libpwquality-1.4.5-3.fc37.x86_64             @updates-testing
    Upgraded libpwquality-1.4.5-1.fc37.x86_64             @@System
    Upgrade  llvm11-libs-11.1.0-10.fc37.x86_64            @updates-testing
    Upgraded llvm11-libs-11.1.0-6.fc35.x86_64             @@System
    Upgrade  mutter-43.2-2.fc37.x86_64                    @updates-testing
    Upgraded mutter-43.2-1.fc37.x86_64                    @@System
    Upgrade  perl-HTML-Parser-3.81-1.fc37.x86_64          @updates-testing
    Upgraded perl-HTML-Parser-3.80-1.fc37.x86_64          @@System
    Upgrade  python3-pwquality-1.4.5-3.fc37.x86_64        @updates-testing
    Upgraded python3-pwquality-1.4.5-1.fc37.x86_64        @@System
    Upgrade  systemd-251.11-1.fc37.x86_64                 @updates-testing
    Upgraded systemd-251.10-588.fc37.x86_64               @@System
    Upgrade  systemd-container-251.11-1.fc37.x86_64       @updates-testing
    Upgraded systemd-container-251.10-588.fc37.x86_64     @@System
    Upgrade  systemd-libs-251.11-1.fc37.x86_64            @updates-testing
    Upgraded systemd-libs-251.10-588.fc37.x86_64          @@System
    Upgrade  systemd-networkd-251.11-1.fc37.x86_64        @updates-testing
    Upgraded systemd-networkd-251.10-588.fc37.x86_64      @@System
    Upgrade  systemd-oomd-defaults-251.11-1.fc37.noarch   @updates-testing
    Upgraded systemd-oomd-defaults-251.10-588.fc37.noarch @@System
    Upgrade  systemd-pam-251.11-1.fc37.x86_64             @updates-testing
    Upgraded systemd-pam-251.10-588.fc37.x86_64           @@System
    Upgrade  systemd-resolved-251.11-1.fc37.x86_64        @updates-testing
    Upgraded systemd-resolved-251.10-588.fc37.x86_64      @@System
    Upgrade  systemd-rpm-macros-251.11-1.fc37.noarch      @updates-testing
    Upgraded systemd-rpm-macros-251.10-588.fc37.noarch    @@System
    Upgrade  systemd-udev-251.11-1.fc37.x86_64            @updates-testing
    Upgraded systemd-udev-251.10-588.fc37.x86_64          @@System
    Upgrade  thunderbird-102.7.1-2.fc37.x86_64            @updates-testing
    Upgraded thunderbird-102.6.0-2.fc37.x86_64            @@System
    Upgrade  thunderbird-librnp-rnp-102.7.1-2.fc37.x86_64 @updates-testing
    Upgraded thunderbird-librnp-rnp-102.6.0-2.fc37.x86_64 @@System
    Upgrade  thunderbird-wayland-102.7.1-2.fc37.x86_64    @updates-testing
    Upgraded thunderbird-wayland-102.6.0-2.fc37.x86_64    @@System
    Upgrade  tpm2-tss-3.2.2-1.fc37.x86_64                 @updates-testing
    Upgraded tpm2-tss-3.2.1-1.fc37.x86_64                 @@System

hashmarkername: setroubleshoot
kernel:         6.1.9-200.fc37.x86_64
package:        selinux-policy-targeted-37.18-1.fc37.noarch
reason:         SELinux is preventing (sd-worker) from using the 'sys_resource' capabilities.
type:           libreport

Comment 6 Nicolas Berrehouc 2023-02-03 18:36:32 UTC
(In reply to Nicolas Berrehouc from comment #5)

Sorry, there are no more alerts after applying the new F37 version of selinux-policy.

Comment 7 Fedora Update System 2023-02-04 02:51:00 UTC
FEDORA-2023-7bf3639a5d has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-7bf3639a5d`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-7bf3639a5d

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2023-02-05 01:46:38 UTC
FEDORA-2023-7bf3639a5d has been pushed to the Fedora 37 stable repository.
If the problem still persists, please make note of it in this bug report.