On F31 I have systemd-resolved enabled and I get the following SELinux denial:

# audit2why < /var/log/audit/audit.log
type=AVC msg=audit(1573654857.753:140): avc: denied { map } for pid=1048 comm="systemd-resolve" path="/usr/share/p11-kit/modules/p11-kit-trust.module" dev="dm-1" ino=3315 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0

	Was caused by:
	The boolean domain_can_mmap_files was set incorrectly.
	Description:
	Allow domain to can mmap files

	Allow access by executing:
	# setsebool -P domain_can_mmap_files 1

Of course I can work around the issue but I think the correct approach would be to fix this in selinux-policy.
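Added example (not part of the bug report or of selinux-policy): the boolean suggested by audit2why, domain_can_mmap_files, lets every confined domain mmap files, which is far broader than the single access that was denied. A narrower stopgap while waiting for the policy fix is to turn the AVC record into the one allow rule it actually needs, which is what audit2allow does. The script below parses AVC records of the shape quoted above, merges denials by (source type, target type, class) and emits the equivalent TE allow rules. The first sample line is a copy of the record from this report; the second line and the non-AVC line are constructed to exercise the merging and filtering, and the function names are the example's own.

```python
"""Parse SELinux AVC denial records and derive the narrowest allow rule.

Added example, not code from the bug report or from selinux-policy.
"""
import re

# Constructed sample input. The first record is the AVC line quoted in the
# bug report; the second is a hypothetical extra denial for the same pair of
# types (to show permission merging); the third is not an AVC record at all.
SAMPLE_LOG = [
    'type=AVC msg=audit(1573654857.753:140): avc: denied { map } for pid=1048 '
    'comm="systemd-resolve" path="/usr/share/p11-kit/modules/p11-kit-trust.module" '
    'dev="dm-1" ino=3315 scontext=system_u:system_r:systemd_resolved_t:s0 '
    'tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1573654857.753:141): avc: denied { read } for pid=1048 '
    'comm="systemd-resolve" path="/usr/share/p11-kit/modules/p11-kit-trust.module" '
    'dev="dm-1" ino=3315 scontext=system_u:system_r:systemd_resolved_t:s0 '
    'tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0',
    'type=SYSCALL msg=audit(1573654857.753:140): arch=c000003e syscall=9 success=no',
]

# "avc: denied { perm1 perm2 } for key=value ..." ; everything after "for" is key=value pairs.
_AVC_RE = re.compile(
    r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)'
)
# key=value where value is either "quoted" (may contain spaces) or a bare token.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_avc(line):
    """Return {decision, perms (set), key=value fields...} or None if the line is not an AVC record."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    rec = {"decision": m.group("decision"), "perms": set(m.group("perms").split())}
    for key, _whole, quoted, bare in _KV_RE.findall(m.group("rest")):
        rec[key] = quoted if quoted else bare
    return rec


def context_type(ctx):
    """Type component of a security context user:role:type[:level]."""
    return ctx.split(":")[2]


def allow_rule(rec):
    """TE allow rule covering exactly the permissions denied in one record."""
    src = context_type(rec["scontext"])
    tgt = context_type(rec["tcontext"])
    perms = " ".join(sorted(rec["perms"]))
    return f"allow {src} {tgt}:{rec['tclass']} {{ {perms} }};"


def summarize(lines):
    """Merge all denials by (source type, target type, class) and return sorted allow rules."""
    merged = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        merged.setdefault(key, set()).update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == "__main__":
    for rule in summarize(SAMPLE_LOG):
        print(rule)
```

The rules this prints are what you would wrap in a small local module (a `.te` with a `module`/`require` header, or `audit2allow -M local_resolved < /var/log/audit/audit.log`) and load with `semodule -i`; unlike the boolean it grants `map` only to systemd_resolved_t on usr_t files, and the module can be removed once the fixed selinux-policy build is installed.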
*** Bug 1773875 has been marked as a duplicate of this bug. ***
Can you tell me how I can reproduce that scenario? Thanks, Richard.
This happened with a pretty basic F31 install.
- I have systemd-networkd enabled (ipv4 DHCP, nothing special).
- systemd-networkd enabled
- /etc/nsswitch.conf contains "hosts: files resolve myhostname"
- /etc/resolv.conf -> /run/systemd/resolve/resolv.conf
(In reply to Felix Schwarz from comment #3)
> - I have systemd-networkd enabled (ipv4 DHCP, nothing special).
> - systemd-networkd enabled

Normally I also use systemd-networkd, but I disabled it now and after reboot systemd-resolved still triggers the AVC denial. So systemd-networkd does not seem to be necessary to reproduce.
It will be fixed in SELinux policy package. PR: https://github.com/fedora-selinux/selinux-policy/pull/297
> It will be fixed in SELinux policy package.

Thank you for taking care of that so quickly.
commit 5ea253b63e222f7cab3b053bf388a1789717b7c3 (HEAD -> rawhide, origin/rawhide)
Author: Richard Filo <rfilo>
Date:   Thu Nov 21 13:22:51 2019 +0100

    Add the miscfiles_map_generic_certs macro to the sysnet_dns_name_resolve macro.

    Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1772055
I just noticed that this change was only added to rawhide. Is it possible to merge this back to F31?
This is still happening for me with selinux-policy-targeted-3.14.4-43.fc31.noarch
It will be fixed in next build.
selinux-policy-3.14.4-45.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-bb42099a17
selinux-policy-3.14.4-45.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.