Using Fedora Rawhide Atomic Host, we started seeing this denial show up in our automated tests. After rebasing a Fedora 27 Atomic Host to Rawhide, we would see a single denial in the journal:

Apr 08 14:40:09 atomic-host-jobs-87-82f422f3.localdomain audit[1171]: AVC avc: denied { map_create } for pid=1171 comm="systemd" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=bpf permissive=0

Attempts to reproduce this manually were ineffective. Our automated tests are using Ansible to run commands on the host, so it appears the communication via Ansible is triggering this denial somehow. The system appears to function normally otherwise.

$ rpm-ostree status
State: idle; auto updates disabled
Deployments:
● ostree://custom:fedora/rawhide/x86_64/atomic-host
    Version: Rawhide.20180408.n.0 (2018-04-08 09:58:43)
    Commit: 22bbaef186060352eb9fb186372126969846463137944b8c0b5a3e9feace6535

  ostree://fedora-atomic:fedora/27/x86_64/atomic-host
    Version: 27.105 (2018-03-25 21:28:49)
    Commit: c4015063c00515ddbbaa4c484573d38376db270b09adb22a4859faa0a39d5d93
    GPGSignature: Valid signature by 860E19B0AFA800A1751881A6F55E7430F5282EE4

$ rpm -q selinux-policy
selinux-policy-3.14.2-12.fc29.noarch
This bug appears to have been reported against 'rawhide' during the Fedora 29 development cycle. Changing version to '29'.
selinux-policy-3.14.2-34.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-db240a1726
selinux-policy-3.14.2-34.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.