Description of problem:
I observed it with varnish: by default it stalls in enforcing mode when the service is started. Depending on your nsswitch configuration, calling getpwnam(3) may result in a systemd dynamic user lookup that gets denied. Adding this support entails chatting with systemd --system over the dbus --system bus and getting attributes of /etc/systemd/dont-synthesize-nobody if the user configured nsswitch.conf as such.

Version-Release number of selected component (if applicable):
$ rpm -qa selinux-policy
selinux-policy-3.14.1-29.fc28.noarch

How reproducible:
always

Steps to Reproduce:
# grep systemd /etc/nsswitch.conf
passwd: systemd files
shadow: systemd files
group: systemd files
# setenforce 1
# time systemctl start varnish

real 1m0.325s
user 0m0.008s
sys 0m0.012s

# ausearch -m avc,user_avc,selinux_err -ts recent
----
time->Thu May 31 12:35:38 2018
type=USER_AVC msg=audit(1527762938.621:422): pid=1129 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=18001 scontext=system_u:system_r:varnishd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Thu May 31 12:36:08 2018
type=USER_AVC msg=audit(1527762968.625:423): pid=1129 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=18001 scontext=system_u:system_r:varnishd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Actual results:
A denial leaving the process calling getpwnam or getgrnam hanging.

Expected results:
No denial, as the process is not explicitly sending the DBus messages.

Additional info:
Diagnosed with the help of Dominick Grift. I initially thought I was doing something wrong months ago and had removed "systemd" and "nss" entries in my nsswitch.conf file since I don't need them on my workstation.
Those avc denials are incomplete. This is the other half:

----
time->Thu May 31 12:11:29 2018
type=USER_AVC msg=audit(1527761489.202:408): pid=1129 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=17093 scontext=system_u:system_r:varnishd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Thu May 31 12:11:29 2018
type=USER_AVC msg=audit(1527761489.203:409): pid=1129 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=17093 tpid=1 scontext=system_u:system_r:varnishd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Thu May 31 12:11:29 2018
type=USER_AVC msg=audit(1527761489.203:410): pid=1129 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.94 spid=1 tpid=17093 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:varnishd_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
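As an added illustration (not code from this bug report, from selinux-policy or from audit2allow), the script below parses the three USER_AVC records quoted in this comment, shows which bus call each denial really concerns (the nss-systemd lookup inside getpwnam(3), reported by dbus-daemon but attributed to varnishd_t), and collapses them into the distinct allow rules a policy change would have to cover in both directions. The rule text is audit2allow-style and is an assumption about the shape of a fix; the report does not show the actual change in selinux-policy-3.14.1-32.fc28.

```python
import re

# Sample input: the three USER_AVC records quoted in this bug report,
# copied verbatim so the script runs offline.
SAMPLE_AUDIT = """\
type=USER_AVC msg=audit(1527761489.202:408): pid=1129 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=17093 scontext=system_u:system_r:varnishd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1527761489.203:409): pid=1129 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=17093 tpid=1 scontext=system_u:system_r:varnishd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1527761489.203:410): pid=1129 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.94 spid=1 tpid=17093 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:varnishd_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
"""

# A user-space AVC is nested inside msg='...'. exe= names the reporter (dbus-daemon);
# scontext/tcontext name the real sender and receiver of the bus message.
AVC_RE = re.compile(r"msg='avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>[^']*)'")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    return context.split(":")[2]  # user:role:type[:range] -> type

def parse_user_avc(line):
    """One USER_AVC line -> dict, or None if it carries no AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {"result": m.group("result"), "perms": set(m.group("perms").split()),
            "source_type": selinux_type(f["scontext"]), "target_type": selinux_type(f["tcontext"]),
            "tclass": f["tclass"], "msgtype": f.get("msgtype", ""),
            "interface": f.get("interface", ""), "member": f.get("member", "")}

def denials(audit_text):
    """All denied records, in audit order."""
    recs = (parse_user_avc(ln) for ln in audit_text.splitlines())
    return [r for r in recs if r and r["result"] == "denied"]

def candidate_allow_rules(records):
    """Collapse denials into distinct (source, target, class) allow rules in
    audit2allow style. Both directions matter on D-Bus: the error reply from
    init_t back to varnishd_t is its own send_msg check."""
    rules = {}
    for r in records:
        rules.setdefault((r["source_type"], r["target_type"], r["tclass"]), set()).update(r["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in rules.items()]

if __name__ == "__main__":
    for r in denials(SAMPLE_AUDIT):
        what = f'{r["interface"]}.{r["member"]}' if r["member"] else r["msgtype"]
        print(f'{r["source_type"]} -> {r["target_type"]}: {what}')
    print("\n".join(candidate_allow_rules(denials(SAMPLE_AUDIT))))
```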
selinux-policy-3.14.1-32.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-743a9247de
selinux-policy-3.14.1-32.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-743a9247de
selinux-policy-3.14.1-32.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.