Description of problem:
The logs for Fedora Atomic Host Rawhide show avc denials for auditd in the system logs.

Steps to reproduce:
1. Boot any fedora atomic host
2. ostree remote add --no-gpg-verify custom https://kojipkgs.fedoraproject.org/atomic/rawhide/
3. rpm-ostree rebase custom:fedora/rawhide/x86_64/atomic-host 55a65a66f736e7637a23ddb9b649546d7b4ea247c35e32f61047dc7882d08a93
4. systemctl reboot
5. Reconnect
6. journalctl -b | grep avc

Additional Information:

Log Snip:
Aug 24 20:37:10 fedora.localdomain systemd-tmpfiles[664]: [/usr/lib/tmpfiles.d/var.conf:23] Duplicate line for path "/var/spool", ignoring.
Aug 24 20:37:10 fedora.localdomain systemd-tmpfiles[664]: "/home" already exists and is not a directory.
Aug 24 20:37:10 fedora.localdomain systemd-tmpfiles[664]: "/srv" already exists and is not a directory.
Aug 24 20:37:10 fedora.localdomain systemd-tmpfiles[664]: "/tmp" already exists and is not a directory.
Aug 24 20:37:10 fedora.localdomain systemd[1]: Started Create Volatile Files and Directories.
Aug 24 20:37:10 fedora.localdomain audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-tmpfiles-setup comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 24 20:37:10 fedora.localdomain systemd[1]: Starting Security Auditing Service...
Aug 24 20:37:10 fedora.localdomain systemd[1]: Mounting RPC Pipe File System...
Aug 24 20:37:10 fedora.localdomain audit[669]: AVC avc: denied { map } for pid=669 comm="auditd" path="/etc/audit/auditd.conf" dev="dm-0" ino=6296742 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=file permissive=0
Aug 24 20:37:10 fedora.localdomain audit[669]: SYSCALL arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=310 a2=1 a3=1 items=0 ppid=1 pid=669 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="auditd" exe="/usr/sbin/auditd" subj=system_u:system_r:auditd_t:s0 key=(null)
Aug 24 20:37:10 fedora.localdomain audit: PROCTITLE proctitle="/sbin/auditd"
Aug 24 20:37:10 fedora.localdomain systemd[1]: Mounted RPC Pipe File System.
Aug 24 20:37:10 fedora.localdomain auditd[674]: Started dispatcher: /sbin/audispd pid: 676
Aug 24 20:37:10 fedora.localdomain systemd[1]: Reached target rpc_pipefs.target.
Aug 24 20:37:10 fedora.localdomain audispd[676]: priority_boost_parser called with: 4
Aug 24 20:37:10 fedora.localdomain audispd[676]: max_restarts_parser called with: 10
Aug 24 20:37:10 fedora.localdomain audispd[676]: No plugins found, exiting
Aug 24 20:37:10 fedora.localdomain auditd[674]: dispatcher 676 reaped
Aug 24 20:37:10 fedora.localdomain audit: CONFIG_CHANGE audit_enabled=1 old=1 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 res=1
Aug 24 20:37:10 fedora.localdomain audit: CONFIG_CHANGE audit_pid=674 old=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 res=1
Aug 24 20:37:10 fedora.localdomain auditd[674]: Init complete, auditd 2.7.7 listening for events (startup state enable)
Aug 24 20:37:10 fedora.localdomain lvm[643]: 2 logical volume(s) in volume group "atomicos" now active

root@fedora ~]# rpm-ostree status
State: idle
Deployments:
● local-branch
    Version: test1 (2017-08-24 20:36:41)
    Commit: 503828feb1c22d433c1efdd577763d70ae6b610942dbab757391d7547e1fdd07

  local-branch
    Version: Rawhide.20170824.n.0 (2017-08-24 14:35:23)
    Commit: 55a65a66f736e7637a23ddb9b649546d7b4ea247c35e32f61047dc7882d08a93

[root@fedora ~]# rpm -qa selinux-policy
selinux-policy-3.13.1-275.fc28.noarch
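
A way to triage what `journalctl -b | grep avc` returns, as an added example that is not part of the original report: it parses the AVC records quoted in this bug, attaches the SYSCALL record that follows each one, and counts unique denials. The function names are hypothetical, and pairing records by pid is a heuristic assumed here because the journal lines shown carry no audit event ID.

```python
import errno
import re
from collections import Counter

# Records copied from the log snippets quoted in this bug report.
SAMPLE = """\
Aug 24 20:37:10 fedora.localdomain audit[669]: AVC avc: denied { map } for pid=669 comm="auditd" path="/etc/audit/auditd.conf" dev="dm-0" ino=6296742 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=file permissive=0
Aug 24 20:37:10 fedora.localdomain audit[669]: SYSCALL arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=310 a2=1 a3=1 items=0 ppid=1 pid=669 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="auditd" exe="/usr/sbin/auditd" subj=system_u:system_r:auditd_t:s0 key=(null)
Aug 29 10:30:15 localhost.localdomain audit[489]: AVC avc: denied { map } for pid=489 comm="auditd" path="/etc/audit/auditd.conf" dev="dm-0" ino=272447 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r'\bAVC avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
SYSCALL_RE = re.compile(r'\bSYSCALL (.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_kv(text):
    """Split 'key=value key="quoted value"' audit fields into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}

def denials(journal_text):
    """Return one dict per AVC denial; attach the result of the SYSCALL
    record that follows it for the same pid (pairing by pid is a heuristic)."""
    out, pending = [], {}
    for line in journal_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rec = parse_kv(m.group(2))
            rec["perms"] = m.group(1).split()
            rec["host"] = line.split()[3]  # prefix is: Mon DD HH:MM:SS host
            out.append(rec)
            pending[rec["pid"]] = rec
            continue
        m = SYSCALL_RE.search(line)
        if m:
            kv = parse_kv(m.group(1))
            rec = pending.pop(kv.get("pid"), None)
            if rec is not None:
                # On x86_64 (arch=c000003e) syscall 9 is mmap; exit=-13 is EACCES.
                rec["syscall"] = int(kv["syscall"])
                rec["errno"] = errno.errorcode.get(-int(kv["exit"]), kv["exit"])
    return out

def summarize(recs):
    """Count denials by (comm, perms, source type, target type, class)."""
    return Counter((r["comm"], tuple(r["perms"]), r["scontext"].split(":")[2],
                    r["tcontext"].split(":")[2], r["tclass"]) for r in recs)

if __name__ == "__main__":
    for key, n in summarize(denials(SAMPLE)).items():
        print(n, *key)
```

Both hosts collapse to a single denial signature (auditd_t, map, auditd_etc_t, file), and the paired SYSCALL record shows the denied `map` surfacing as a failed mmap with EACCES.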
Aug 29 10:30:15 localhost.localdomain audit[489]: AVC avc: denied { map } for pid=489 comm="auditd" path="/etc/audit/auditd.conf" dev="dm-0" ino=272447 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=file permissive=0

Hit this with Fedora-27-20170827.n.0, selinux-policy-3.13.1-276.fc27. Added to the tracker.
+1 seems fixed.
selinux-policy-3.13.1-283.4.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-1fd5e1aff6
selinux-policy-3.13.1-283.4.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-1fd5e1aff6
selinux-policy-3.13.1-283.4.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.