My log is full of junk like this: audit[1]: <audit-1107> pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=1000 uid=0 gid=0 path="/usr/lib/systemd/system/firewalld.service" cmdline="systemctl status firewalld" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:firewalld_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' This is manifestly bogus. uid 0 with type unconfined_t should *not* be denied access to systemd. This is Fedora 22, fully up-to-date. # rpm -qa \*selinux\* \*polkit\* \*Policy\* \*dbus\* python3-dbus-1.2.0-7.fc22.x86_64 libselinux-python3-2.3-10.fc22.x86_64 dbus-1.8.20-1.fc22.x86_64 selinux-policy-targeted-3.13.1-128.13.fc22.noarch polkit-0.113-4.fc22.x86_64 qt-qdbusviewer-4.8.6-30.fc22.x86_64 libselinux-devel-2.3-10.fc22.x86_64 dbusmenu-qt-0.9.3-0.10.20150604.fc22.x86_64 polkit-qt-0.112.0-3.fc22.x86_64 rpm-plugin-selinux-4.12.0.1-12.fc22.x86_64 polkit-docs-0.113-4.fc22.noarch selinux-policy-doc-3.13.1-128.13.fc22.noarch selinux-policy-devel-3.13.1-128.13.fc22.noarch libselinux-debuginfo-2.2.1-6.fc20.x86_64 polkit-qt5-1-0.112.0-3.fc22.x86_64 libselinux-2.3-10.fc22.x86_64 python3-slip-dbus-0.6.4-1.fc22.noarch abrt-dbus-2.6.1-5.fc22.x86_64 dbus-devel-1.8.20-1.fc22.x86_64 dbus-x11-1.8.20-1.fc22.x86_64 selinux-policy-3.13.1-128.13.fc22.noarch polkit-devel-0.113-4.fc22.x86_64 libselinux-python-2.3-10.fc22.x86_64 libselinux-2.3-10.fc22.i686 dbus-glib-devel-0.104-1.fc22.x86_64 libdbusmenu-12.10.2-8.fc22.x86_64 dbus-libs-1.8.20-1.fc22.i686 dbusmenu-qt5-0.9.3-0.10.20150604.fc22.x86_64 libdbusmenu-gtk3-12.10.2-8.fc22.x86_64 kf5-kdbusaddons-5.13.0-1.fc22.x86_64 dbus-glib-0.104-1.fc22.x86_64 polkit-gnome-0.105-7.fc22.x86_64 libselinux-utils-2.3-10.fc22.x86_64 dbus-python-1.2.0-7.fc22.x86_64 dleyna-connector-dbus-0.2.0-4.fc22.x86_64 python-slip-dbus-0.6.4-1.fc22.noarch dbus-libs-1.8.20-1.fc22.x86_64 polkit-pkla-compat-0.1-5.fc22.x86_64 polkit-libs-0.113-4.fc22.x86_64 selinux-policy-sandbox-3.13.1-128.13.fc22.noarch audit2why says: type=USER_AVC msg=audit(1443831631.319:2498): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=1000 uid=0 gid=0 path="/usr/lib/systemd/system/firewalld.service" cmdline="systemctl status firewalld" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:firewalld_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' Was caused by: Unknown - would be allowed by active policy Possible mismatch between this policy and the one under which the audit message was generated. Possible mismatch between current in-memory boolean settings vs. permanent ones. which suggests that something is rather broken internally. I haven't done anything explicit to my selinux setup except to setenforce 0 briefly so I could actually use my system.
I think systemctl daemon-reexec Fixes this problem. This is a known issue which is being worked on.
In case it helps: I hit this by updating from 3.13.1-128.6.fc22 to 3.13.1-128.13.fc22
This just happened to my laptop, and systemctl daemon-reexec fixed it for me.
Oh, yes, I can confirm the workaround as well.
Yes, this is known issue and we have this workaround in the policy update. It is a part of selinux-policy-3.13.1-128.16.fc22 so you would also update your system.