SELinux is preventing /usr/bin/python3.6 from search access on the directory system.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that python3.6 should be allowed search access on the system directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ipa-dnskeysyncd' --raw | audit2allow -M my-ipadnskeysyncd
# semodule -X 300 -i my-ipadnskeysyncd.pp

Additional Information:
Source Context                system_u:system_r:ipa_dnskey_t:s0
Target Context                system_u:object_r:systemd_unit_file_t:s0
Target Objects                system [ dir ]
Source                        ipa-dnskeysyncd
Source Path                   /usr/bin/python3.6
Port                          <Unknown>
Host                          host.example.test
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.1-32.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     host.example.test
Platform                      Linux host.example.test 4.17.9-200.fc28.x86_64 #1 SMP Mon Jul 23 21:41:29 UTC 2018 x86_64 x86_64
Alert Count                   4
First Seen                    2018-07-28 04:30:43 EDT
Last Seen                     2018-07-28 04:31:13 EDT
Local ID                      b5a417ab-b885-4126-ad74-4ebc4f211599

Raw Audit Messages
type=AVC msg=audit(1532766673.727:638): avc: denied { search } for pid=371 comm="ipa-dnskeysync-" name="system" dev="dm-0" ino=8438526 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir permissive=0

Hash: ipa-dnskeysyncd,ipa_dnskey_t,systemd_unit_file_t,dir,search

The exception is different but the cause is the same: the test for existence of /usr/lib/systemd/system/fedora-domainname.service in the ipaplatform code. I disabled this code in my install and used ipactl to restart the world and the AVC went away.

*** This bug has been marked as a duplicate of bug 1609475 ***