Bug 2440916

Summary: SELinux is preventing systemd-machine from 'create' accesses on the directory resolve.hook.
Product: [Fedora] Fedora Reporter: Vít Ondruch <vondruch>
Component: selinux-policy Assignee: Zdenek Pytela <zpytela>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide CC: dan, lslebodn, lvrabec, mmalik, omosnacek, pkoncity, vmojzis, vondruch, zpytela
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:717ae2dd7dedd5c523467c03975f4c8bf16d79bf8cbc8c54c5cc5f77e8743149;VARIANT_ID=workstation;
Last Closed: 2026-02-27 15:11:30 UTC
Attachments: description, os_info

Description Vít Ondruch 2026-02-19 09:56:43 UTC
Description of problem:
SELinux is preventing systemd-machine from 'create' accesses on the directory resolve.hook.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-machine should be allowed create access on the resolve.hook directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-machine' --raw | audit2allow -M my-systemdmachine
# semodule -X 300 -i my-systemdmachine.pp

Additional Information:
Source Context                system_u:system_r:systemd_machined_t:s0
Target Context                system_u:object_r:init_var_run_t:s0
Target Objects                resolve.hook [ dir ]
Source                        systemd-machine
Source Path                   systemd-machine
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-42.23-1.fc44.noarch
Local Policy RPM              selinux-policy-targeted-42.23-1.fc44.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.19.0-59.fc45.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Mon Feb 9 16:35:21 UTC 2026 x86_64
Alert Count                   1
First Seen                    2026-02-19 10:47:50 CET
Last Seen                     2026-02-19 10:47:50 CET
Local ID                      e3530696-6ec0-4adf-be59-f7449a06c139

Raw Audit Messages
type=AVC msg=audit(1771494470.206:56): avc:  denied  { create } for  pid=1546 comm="systemd-machine" name="resolve.hook" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0


Hash: systemd-machine,systemd_machined_t,init_var_run_t,dir,create

Version-Release number of selected component:
selinux-policy-targeted-42.23-1.fc44.noarch

Additional info:
reporter:       libreport-2.17.15
reason:         SELinux is preventing systemd-machine from 'create' accesses on the directory resolve.hook.
package:        selinux-policy-targeted-42.23-1.fc44.noarch
component:      selinux-policy
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.19.0-59.fc45.x86_64
component:      selinux-policy

Comment 1 Vít Ondruch 2026-02-19 09:56:46 UTC
Created attachment 2130041 [details]
File: description

Comment 2 Vít Ondruch 2026-02-19 09:56:48 UTC
Created attachment 2130042 [details]
File: os_info

Comment 3 Lukas Slebodnik 2026-02-27 12:33:35 UTC
sh# ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -i -ts recent
type=PROCTITLE msg=audit(02/27/2026 13:26:54.756:424) : proctitle=/usr/lib/systemd/systemd-machined
type=PATH msg=audit(02/27/2026 13:26:54.756:424) : item=1 name=/run/systemd/resolve.hook nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(02/27/2026 13:26:54.756:424) : item=0 name=/run/systemd/ inode=2 dev=00:1c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/27/2026 13:26:54.756:424) : cwd=/ 
type=SYSCALL msg=audit(02/27/2026 13:26:54.756:424) : arch=x86_64 syscall=mkdirat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7ffd0bb5cac0 a2=0755 a3=0x7ffd0bb5cacd items=2 ppid=1 pid=9841 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-machine exe=/usr/lib/systemd/systemd-machined subj=system_u:system_r:systemd_machined_t:s0 key=(null) 
type=AVC msg=audit(02/27/2026 13:26:54.756:424) : avc:  denied  { create } for  pid=9841 comm=systemd-machine name=resolve.hook scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0 

# And in permissive mode

sh# semanage permissive --add systemd_machined_t
sh# systemctl restart systemd-machined
sh# ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -i -ts recent

----
type=PROCTITLE msg=audit(02/27/2026 13:26:54.756:424) : proctitle=/usr/lib/systemd/systemd-machined 
type=PATH msg=audit(02/27/2026 13:26:54.756:424) : item=1 name=/run/systemd/resolve.hook nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(02/27/2026 13:26:54.756:424) : item=0 name=/run/systemd/ inode=2 dev=00:1c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/27/2026 13:26:54.756:424) : cwd=/ 
type=SYSCALL msg=audit(02/27/2026 13:26:54.756:424) : arch=x86_64 syscall=mkdirat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7ffd0bb5cac0 a2=0755 a3=0x7ffd0bb5cacd items=2 ppid=1 pid=9841 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-machine exe=/usr/lib/systemd/systemd-machined subj=system_u:system_r:systemd_machined_t:s0 key=(null) 
type=AVC msg=audit(02/27/2026 13:26:54.756:424) : avc:  denied  { create } for  pid=9841 comm=systemd-machine name=resolve.hook scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(02/27/2026 13:27:38.551:433) : proctitle=/usr/lib/systemd/systemd-machined 
type=PATH msg=audit(02/27/2026 13:27:38.551:433) : item=1 name=/run/systemd/resolve.hook inode=4822 dev=00:1c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(02/27/2026 13:27:38.551:433) : item=0 name=/run/systemd/ inode=2 dev=00:1c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/27/2026 13:27:38.551:433) : cwd=/
type=SYSCALL msg=audit(02/27/2026 13:27:38.551:433) : arch=x86_64 syscall=mkdirat success=yes exit=0 a0=AT_FDCWD a1=0x7ffc593e8790 a2=0755 a3=0x7ffc593e879d items=2 ppid=1 pid=10063 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-machine exe=/usr/lib/systemd/systemd-machined subj=system_u:system_r:systemd_machined_t:s0 key=(null)
type=AVC msg=audit(02/27/2026 13:27:38.551:433) : avc:  denied  { create } for  pid=10063 comm=systemd-machine name=resolve.hook scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=1
----
type=PROCTITLE msg=audit(02/27/2026 13:27:38.551:434) : proctitle=/usr/lib/systemd/systemd-machined
type=PATH msg=audit(02/27/2026 13:27:38.551:434) : item=1 name=/run/systemd/resolve.hook/io.systemd.Machine inode=4823 dev=00:1c mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(02/27/2026 13:27:38.551:434) : item=0 name=/run/systemd/resolve.hook/ inode=4822 dev=00:1c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/27/2026 13:27:38.551:434) : cwd=/
type=SOCKADDR msg=audit(02/27/2026 13:27:38.551:434) : saddr={ saddr_fam=local path=/run/systemd/resolve.hook/io.systemd.Machine }
type=SYSCALL msg=audit(02/27/2026 13:27:38.551:434) : arch=x86_64 syscall=bind success=yes exit=0 a0=0xd a1=0x7ffc593e8870 a2=0x2f a3=0x7ffc593e8864 items=2 ppid=1 pid=10063 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-machine exe=/usr/lib/systemd/systemd-machined subj=system_u:system_r:systemd_machined_t:s0 key=(null)
type=AVC msg=audit(02/27/2026 13:27:38.551:434) : avc:  denied  { create } for  pid=10063 comm=systemd-machine name=io.systemd.Machine scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=sock_file permissive=1
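
The two ausearch runs above show why the permissive-mode re-run matters for triage: in enforcing mode systemd-machined stops at the first denial (creating the resolve.hook directory), so the second denial (creating the io.systemd.Machine socket inside it) is only visible once systemd_machined_t is permissive. The script below is an added example, not part of this bug report; it parses the AVC records from comment 3 (sample lines copied from the comment), aggregates them into the allow rules a policy fix would need, and reports which rule the enforcing-mode run hid.

```python
import re

# Sample AVC records copied from the two ausearch runs in comment 3:
# the enforcing run (permissive=0) and the run after the domain was made permissive.
ENFORCING_LOG = """\
type=AVC msg=audit(02/27/2026 13:26:54.756:424) : avc:  denied  { create } for  pid=9841 comm=systemd-machine name=resolve.hook scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0
"""
PERMISSIVE_LOG = """\
type=AVC msg=audit(02/27/2026 13:27:38.551:433) : avc:  denied  { create } for  pid=10063 comm=systemd-machine name=resolve.hook scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(02/27/2026 13:27:38.551:434) : avc:  denied  { create } for  pid=10063 comm=systemd-machine name=io.systemd.Machine scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=sock_file permissive=1
"""

# Matches the fields of one AVC denial in ausearch -i output.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) "
    r"tclass=(?P<tclass>\S+) permissive=(?P<permissive>[01])"
)


def parse_avc(line):
    """Return the denial's source type, target type, class, permissions, and mode."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    d["perms"] = d["perms"].split()
    d["stype"] = d["scontext"].split(":")[2]   # user:role:TYPE:level
    d["ttype"] = d["tcontext"].split(":")[2]
    d["permissive"] = d["permissive"] == "1"
    return d


def required_rules(log):
    """Aggregate denials into allow rules keyed by (source, target, class)."""
    rules = {}
    for line in log.splitlines():
        d = parse_avc(line)
        if d is not None:
            rules.setdefault((d["stype"], d["ttype"], d["tclass"]), set()).update(d["perms"])
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in rules.items())


def hidden_by_enforcing(enforcing_log, permissive_log):
    """Rules needed in the permissive run that the enforcing run never reached."""
    return sorted(set(required_rules(permissive_log)) - set(required_rules(enforcing_log)))


if __name__ == "__main__":
    print("\n".join(required_rules(PERMISSIVE_LOG)))
    print("hidden in enforcing mode:", hidden_by_enforcing(ENFORCING_LOG, PERMISSIVE_LOG))
```

The output is a triage summary only: whether each rule belongs in the distribution policy, or whether the target should instead carry its own file context, is the decision the policy maintainers make in the duplicate bug.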

Comment 4 Lukas Slebodnik 2026-02-27 12:34:56 UTC
sh$ rpm -q selinux-policy-targeted systemd
selinux-policy-targeted-42.24-1.fc44.noarch
systemd-259.1-1.fc44.x86_64

Comment 5 Zdenek Pytela 2026-02-27 15:11:30 UTC

*** This bug has been marked as a duplicate of bug 2415701 ***