SELinux is preventing /usr/bin/bash from add_name access on the directory ntp.conf.predhclient.ens3. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that bash should be allowed add_name access on the ntp.conf.predhclient.ens3 directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c '11-dhclient' --raw | audit2allow -M my-11dhclient # semodule -X 300 -i my-11dhclient.pp Additional Information: Source Context system_u:system_r:NetworkManager_t:s0 Target Context system_u:object_r:dhcpc_state_t:s0 Target Objects ntp.conf.predhclient.ens3 [ dir ] Source 11-dhclient Source Path /usr/bin/bash Port <Unknown> Host host.testrelm.test Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.14.5-10.fc32.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name host.testrelm.test Platform Linux host.testrelm.test 5.4.0-0.rc4.git1.1.fc32.x86_64 #1 SMP Tue Oct 22 14:11:41 UTC 2019 x86_64 x86_64 Alert Count 2 First Seen 2019-10-23 08:55:24 CEST Last Seen 2019-10-23 08:55:24 CEST Local ID c78682ec-41b0-432d-9c70-f38fdd87e944 Raw Audit Messages type=AVC msg=audit(1571813724.245:587): avc: denied { add_name } for pid=32883 comm="touch" name="ntp.conf.predhclient.ens3" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=dir permissive=0 Hash: 11-dhclient,NetworkManager_t,dhcpc_state_t,dir,add_name
Other AVCs in enforcing mode type=PROCTITLE msg=audit(10/23/2019 08:55:24.152:582) : proctitle=/usr/bin/bash /usr/lib/NetworkManager/dispatcher.d/11-dhclient ens3 up type=PATH msg=audit(10/23/2019 08:55:24.152:582) : item=0 name=/var/lib/dhclient/ inode=17183586 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:dhcpc_state_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(10/23/2019 08:55:24.152:582) : cwd=/ type=SYSCALL msg=audit(10/23/2019 08:55:24.152:582) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x563172747a60 a2=O_WRONLY|O_CREAT|O_APPEND a3=0x1b6 items=1 ppid=32850 pid=32868 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=11-dhclient exe=/usr/bin/bash subj=system_u:system_r:NetworkManager_t:s0 key=(null) type=AVC msg=audit(10/23/2019 08:55:24.152:582) : avc: denied { add_name } for pid=32868 comm=11-dhclient name=chrony.servers.ens3 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=dir permissive=0 ---- type=PROCTITLE msg=audit(10/23/2019 08:55:24.161:583) : proctitle=/usr/bin/bash /usr/lib/NetworkManager/dispatcher.d/11-dhclient ens3 up type=PATH msg=audit(10/23/2019 08:55:24.161:583) : item=0 name=/usr/libexec/chrony-helper inode=25664864 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:chronyd_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(10/23/2019 08:55:24.161:583) : cwd=/ type=SYSCALL msg=audit(10/23/2019 08:55:24.161:583) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x563172747980 a1=0x5631727476c0 a2=0x5631727471d0 a3=0x8 items=1 ppid=32868 pid=32870 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=11-dhclient exe=/usr/bin/bash subj=system_u:system_r:NetworkManager_t:s0 key=(null) type=AVC msg=audit(10/23/2019 08:55:24.161:583) : avc: denied { execute } for pid=32870 comm=11-dhclient name=chrony-helper dev="dm-0" ino=25664864 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file permissive=0 ---- type=PROCTITLE msg=audit(10/23/2019 08:55:24.163:584) : proctitle=/usr/bin/bash /usr/lib/NetworkManager/dispatcher.d/11-dhclient ens3 up type=PATH msg=audit(10/23/2019 08:55:24.163:584) : item=0 name=/usr/libexec/chrony-helper inode=25664864 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:chronyd_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(10/23/2019 08:55:24.163:584) : cwd=/ type=SYSCALL msg=audit(10/23/2019 08:55:24.163:584) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x563172747980 a1=0x7ffeea0f5ef0 a2=0x7ffeea0f5ef0 a3=0x8 items=1 ppid=32868 pid=32870 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=11-dhclient exe=/usr/bin/bash subj=system_u:system_r:NetworkManager_t:s0 key=(null) type=AVC msg=audit(10/23/2019 08:55:24.163:584) : avc: denied { getattr } for pid=32870 comm=11-dhclient path=/usr/libexec/chrony-helper dev="dm-0" ino=25664864 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file permissive=0 ---- type=PROCTITLE msg=audit(10/23/2019 08:55:24.164:585) : proctitle=/usr/bin/bash /usr/lib/NetworkManager/dispatcher.d/11-dhclient ens3 up type=PATH msg=audit(10/23/2019 08:55:24.164:585) : item=0 name=/usr/libexec/chrony-helper inode=25664864 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:chronyd_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(10/23/2019 08:55:24.164:585) : cwd=/ type=SYSCALL msg=audit(10/23/2019 08:55:24.164:585) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x563172747980 a1=0x7ffeea0f5ed0 a2=0x7ffeea0f5ed0 a3=0x8 items=1 ppid=32868 pid=32870 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=11-dhclient exe=/usr/bin/bash subj=system_u:system_r:NetworkManager_t:s0 key=(null) type=AVC msg=audit(10/23/2019 08:55:24.164:585) : avc: denied { getattr } for pid=32870 comm=11-dhclient path=/usr/libexec/chrony-helper dev="dm-0" ino=25664864 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file permissive=0 ---- type=PROCTITLE msg=audit(10/23/2019 08:55:24.245:587) : proctitle=touch /var/lib/dhclient/ntp.conf.predhclient.ens3 type=PATH msg=audit(10/23/2019 08:55:24.245:587) : item=0 name=/var/lib/dhclient/ inode=17183586 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:dhcpc_state_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(10/23/2019 08:55:24.245:587) : cwd=/ type=SYSCALL msg=audit(10/23/2019 08:55:24.245:587) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7ffd33702430 a2=O_WRONLY|O_CREAT|O_NOCTTY|O_NONBLOCK a3=0x1b6 items=1 ppid=32868 pid=32883 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=touch exe=/usr/bin/touch subj=system_u:system_r:NetworkManager_t:s0 key=(null) type=AVC msg=audit(10/23/2019 08:55:24.245:587) : avc: denied { add_name } for pid=32883 comm=touch name=ntp.conf.predhclient.ens3 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=dir permissive=0
AVCs in permissive mode type=PROCTITLE msg=audit(10/23/2019 08:59:17.473:601) : proctitle=/usr/bin/bash /usr/libexec/chrony-helper update-daemon type=PATH msg=audit(10/23/2019 08:59:17.473:601) : item=2 name=/lib64/ld-linux-x86-64.so.2 inode=25167897 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(10/23/2019 08:59:17.473:601) : item=1 name=/usr/bin/bash inode=16799767 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(10/23/2019 08:59:17.473:601) : item=0 name=/usr/libexec/chrony-helper inode=25664864 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:chronyd_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(10/23/2019 08:59:17.473:601) : cwd=/ type=EXECVE msg=audit(10/23/2019 08:59:17.473:601) : argc=3 a0=/usr/bin/bash a1=/usr/libexec/chrony-helper a2=update-daemon type=SYSCALL msg=audit(10/23/2019 08:59:17.473:601) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x5623e8ed36d0 a1=0x5623e8ed3450 a2=0x5623e8ed2f70 a3=0x8 items=3 ppid=32952 pid=32954 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chrony-helper exe=/usr/bin/bash subj=system_u:system_r:NetworkManager_t:s0 key=(null) type=AVC msg=audit(10/23/2019 08:59:17.473:601) : avc: denied { execute_no_trans } for pid=32954 comm=11-dhclient path=/usr/libexec/chrony-helper dev="dm-0" ino=25664864 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file permissive=1 type=AVC msg=audit(10/23/2019 08:59:17.473:601) : avc: denied { read open } for pid=32954 comm=11-dhclient path=/usr/libexec/chrony-helper dev="dm-0" ino=25664864 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file permissive=1 type=AVC msg=audit(10/23/2019 08:59:17.473:601) : avc: denied { execute } for pid=32954 comm=11-dhclient name=chrony-helper dev="dm-0" ino=25664864 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file permissive=1 ---- type=PROCTITLE msg=audit(10/23/2019 08:59:17.487:602) : proctitle=/usr/bin/bash /usr/libexec/chrony-helper update-daemon type=PATH msg=audit(10/23/2019 08:59:17.487:602) : item=0 name=/usr/libexec/chrony-helper inode=25664864 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:chronyd_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(10/23/2019 08:59:17.487:602) : cwd=/ type=SYSCALL msg=audit(10/23/2019 08:59:17.487:602) : arch=x86_64 syscall=stat success=yes exit=0 a0=0x558b5c41c350 a1=0x7ffffd7b16c0 a2=0x7ffffd7b16c0 a3=0x30 items=1 ppid=32952 pid=32954 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chrony-helper exe=/usr/bin/bash subj=system_u:system_r:NetworkManager_t:s0 key=(null) type=AVC msg=audit(10/23/2019 08:59:17.487:602) : avc: denied { getattr } for pid=32954 comm=chrony-helper path=/usr/libexec/chrony-helper dev="dm-0" ino=25664864 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file permissive=1 ---- type=PROCTITLE msg=audit(10/23/2019 08:59:17.488:603) : proctitle=/usr/bin/bash /usr/libexec/chrony-helper update-daemon type=SYSCALL msg=audit(10/23/2019 08:59:17.488:603) : arch=x86_64 syscall=ioctl success=no exit=ENOTTY(Inappropriate ioctl for device) a0=0x5 a1=TCGETS a2=0x7ffffd7b16d0 a3=0x30 items=0 ppid=32952 pid=32954 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chrony-helper exe=/usr/bin/bash subj=system_u:system_r:NetworkManager_t:s0 key=(null) type=AVC msg=audit(10/23/2019 08:59:17.488:603) : avc: denied { ioctl } for pid=32954 comm=chrony-helper path=/usr/libexec/chrony-helper dev="dm-0" ino=25664864 ioctlcmd=TCGETS scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file permissive=1
It seems to be caused by dhcp-client-4.4.1-17.fc32 But some commits were reverted in dist-git https://src.fedoraproject.org/rpms/dhcp/c/6f96789cfe4177cc5d6cc8ff23f3edd41350fe3a?branch=master https://src.fedoraproject.org/rpms/dhcp/c/9c49c9e94d25898850cc98ae8afe6ebb2ec5bdb3?branch=master Moving to dhcp for investigation.
Move back to selinux-policy if it has to be allowed.
I can confirm AVCs are gone with dhcp-client-12:4.4.1-15.fc31.x86_64
(In reply to Lukas Slebodnik from comment #5) > I can confirm AVCs are gone with dhcp-client-12:4.4.1-15.fc31.x86_64 Disabling of the NM scripts just hid this AVC error. Nothing has been changed on dhcp side
(In reply to Pavel Zhukov from comment #6) > (In reply to Lukas Slebodnik from comment #5) > > I can confirm AVCs are gone with dhcp-client-12:4.4.1-15.fc31.x86_64 > > Disabling of the NM scripts just hid this AVC error. Nothing has been > changed on dhcp side Does it mean it shall be allowed? If yes could you change component?
(In reply to Lukas Slebodnik from comment #7) > (In reply to Pavel Zhukov from comment #6) > > (In reply to Lukas Slebodnik from comment #5) > > > I can confirm AVCs are gone with dhcp-client-12:4.4.1-15.fc31.x86_64 > > > > Disabling of the NM scripts just hid this AVC error. Nothing has been > > changed on dhcp side > > Does it mean it shall be allowed? > If yes could you change component? Now I got confused by your comments #3 and #4...
(In reply to Lukas Slebodnik from comment #3) > It seems to be caused by dhcp-client-4.4.1-17.fc32 > But some commits were reverted in dist-git > https://src.fedoraproject.org/rpms/dhcp/c/ > 6f96789cfe4177cc5d6cc8ff23f3edd41350fe3a?branch=master > https://src.fedoraproject.org/rpms/dhcp/c/ > 9c49c9e94d25898850cc98ae8afe6ebb2ec5bdb3?branch=master > > Moving to dhcp for investigation. I forgot to check in koji whether these commits were part of dhcp-client-12:4.4.1-17 I checked only dist-git. Sorry for confusion.
Actually there are more AVCs in permissive mode. One set when restarting NetworkManager and another one when restarting chrony selinux-policy-3.14.5-10.fc32.noarch ---- time->Thu Oct 24 06:50:49 2019 type=AVC msg=audit(1571914249.818:92): avc: denied { add_name } for pid=704 comm="11-dhclient" name="chrony.servers.ens3" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=dir permissive=1 ---- time->Thu Oct 24 06:50:49 2019 type=AVC msg=audit(1571914249.818:93): avc: denied { create } for pid=704 comm="11-dhclient" name="chrony.servers.ens3" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=file permissive=1 ---- time->Thu Oct 24 06:50:49 2019 type=AVC msg=audit(1571914249.818:94): avc: denied { append } for pid=704 comm="11-dhclient" path="/var/lib/dhclient/chrony.servers.ens3" dev="dm-0" ino=2230992 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=file permissive=1 ---- time->Thu Oct 24 06:50:49 2019 type=AVC msg=audit(1571914249.820:95): avc: denied { execute } for pid=706 comm="11-dhclient" name="chrony-helper" dev="dm-0" ino=1325082 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file permissive=1 ---- time->Thu Oct 24 06:50:49 2019 type=AVC msg=audit(1571914249.820:96): avc: denied { read open } for pid=706 comm="11-dhclient" path="/usr/libexec/chrony-helper" dev="dm-0" ino=1325082 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file permissive=1 ---- time->Thu Oct 24 06:50:49 2019 type=AVC msg=audit(1571914249.821:97): avc: denied { execute_no_trans } for pid=706 comm="11-dhclient" path="/usr/libexec/chrony-helper" dev="dm-0" ino=1325082 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file permissive=1 ---- time->Thu Oct 24 06:50:49 2019 type=AVC msg=audit(1571914249.825:98): avc: denied { getattr } for pid=706 comm="chrony-helper" path="/usr/libexec/chrony-helper" dev="dm-0" ino=1325082 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file permissive=1 ---- time->Thu Oct 24 06:50:49 2019 type=AVC msg=audit(1571914249.825:99): avc: denied { ioctl } for pid=706 comm="chrony-helper" path="/usr/libexec/chrony-helper" dev="dm-0" ino=1325082 ioctlcmd=0x5401 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file permissive=1 time->Thu Oct 24 02:58:03 2019 type=AVC msg=audit(1571900283.535:256): avc: denied { read } for pid=24312 comm="chrony-helper" name="chrony-helper" dev="tmpfs" ino=20422 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=dir permissive=1 ---- time->Thu Oct 24 02:58:03 2019 type=AVC msg=audit(1571900283.539:257): avc: denied { write } for pid=24312 comm="chrony-helper" name="lock" dev="tmpfs" ino=20423 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=file permissive=1 ---- time->Thu Oct 24 02:58:03 2019 type=AVC msg=audit(1571900283.539:258): avc: denied { open } for pid=24312 comm="chrony-helper" path="/run/chrony-helper/lock" dev="tmpfs" ino=20423 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=file permissive=1 ---- time->Thu Oct 24 02:58:03 2019 type=AVC msg=audit(1571900283.541:259): avc: denied { lock } for pid=24315 comm="flock" path="/run/chrony-helper/lock" dev="tmpfs" ino=20423 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=file permissive=1 ---- time->Thu Oct 24 02:58:03 2019 type=AVC msg=audit(1571900283.560:260): avc: denied { read } for pid=24327 comm="cat" name="added_servers" dev="tmpfs" ino=20450 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=file permissive=1 ---- time->Thu Oct 24 02:58:03 2019 type=AVC msg=audit(1571900283.561:261): avc: denied { getattr } for pid=24327 comm="cat" path="/run/chrony-helper/added_servers" dev="tmpfs" ino=20450 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=file permissive=1
*** Bug 1764912 has been marked as a duplicate of this bug. ***
I can see the same problem on f31 now.
Similar issue in https://bugzilla.redhat.com/show_bug.cgi?id=1770698 When dhcpclient gets a NTP server information in DHCP options, it runs /etc/dhcp/dhclient.d/chrony.sh which tries to create the file /usr/lib/dhclient/chrony.servers.$interface with the new NTP server information and then SELinux prevents it from doing so. If you set PEERNTP=NO in /etc/sysconfig/networks and restart NetworkManager, the issue goes away (but then you do not have automated update of NTP server information in chrony)
*** Bug 1775881 has been marked as a duplicate of this bug. ***
*** Bug 1775895 has been marked as a duplicate of this bug. ***
commit 11a7e057817f2945bd5302370e3dd3f9866a0bd4 (HEAD -> rawhide, origin/rawhide, origin/HEAD) Author: Nikola Knazekova <nknazeko> Date: Fri Nov 22 23:14:46 2019 +0100 Label /usr/lib/NetworkManager/dispatcher as NetworkManager_initrc_exec_t With NetworkManager 1.20 the dispatcher scripts are moved out of /etc to /usr/lib. https://src.fedoraproject.org/rpms/dhcp/c/b25b19a69ea76e9d11b188a153b4d7214e36b017?branch=master Fixed Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1764485
selinux-policy-3.14.4-44.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-397eea28b7
selinux-policy-3.14.4-44.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.