$ ls -alZ /usr/libexec/cockpit-*
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 51384 Nov 13 13:41 /usr/libexec/cockpit-askpass
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 5918 Nov 13 13:40 /usr/libexec/cockpit-desktop
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 207752 Nov 13 13:41 /usr/libexec/cockpit-pcp
-rwsr-x---. 1 root cockpit-wsinstance system_u:object_r:cockpit_session_exec_t:s0 55216 Nov 13 13:41 /usr/libexec/cockpit-session
-rwxr-xr-x. 1 root root system_u:object_r:cockpit_session_exec_t:s0 142152 Nov 13 13:41 /usr/libexec/cockpit-ssh
-rwxr-xr-x. 1 root root system_u:object_r:cockpit_ws_exec_t:s0 51416 Nov 13 13:41 /usr/libexec/cockpit-tls
-rwxr-xr-x. 1 root root system_u:object_r:cockpit_ws_exec_t:s0 307832 Nov 13 13:41 /usr/libexec/cockpit-ws
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 16912 Nov 13 13:41 /usr/libexec/cockpit-wsinstance-factory

please backport to 31:
https://github.com/fedora-selinux/selinux-policy-contrib/commit/49d1174326bc01742fc6b3303d228b6d2d3b570f#diff-a3b88c737403942b8bc0f67cd86a132a
and make sure you restorecon /usr/libexec/cockpit-wsinstance-factory in rpm %post scriptlet

symptom: Cockpit fails to connect to socket.

time->Sun Nov 24 12:49:37 2019
type=AVC msg=audit(1574617777.942:1408): avc: denied { connectto } for pid=54844 comm="cockpit-tls" path="/run/cockpit/wsinstance/https-factory.sock" scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1

reproduce:
restorecon -v /usr/libexec/cockpit-wsinstance-factory

fix:
chcon -t cockpit_ws_exec_t /usr/libexec/cockpit-wsinstance-factory
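
An added example, not part of the original report or of the selinux-policy project: a small parser for the AVC record quoted above that extracts the source and target types and applies one triage rule. The names parse_avc and triage are this example's own, and the rule (a socket peer in unconfined_service_t suggests the peer's executable has no policy entrypoint label, as with the bin_t label on cockpit-wsinstance-factory in the listing) is an assumption drawn from this report.

```python
import re

# AVC record copied verbatim from the report above.
AVC = ('type=AVC msg=audit(1574617777.942:1408): avc: denied { connectto } for pid=54844 '
       'comm="cockpit-tls" path="/run/cockpit/wsinstance/https-factory.sock" '
       'scontext=system_u:system_r:cockpit_ws_t:s0 '
       'tcontext=system_u:system_r:unconfined_service_t:s0 '
       'tclass=unix_stream_socket permissive=1')

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted


def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None for other audit records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['result'] = m.group('result')
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type:level; the type is what policy rules match on.
    for side in ('scontext', 'tcontext'):
        parts = rec.get(side, '').split(':')
        rec[side + '_type'] = parts[2] if len(parts) >= 3 else None
    return rec


def triage(rec):
    """Return human-readable notes for a parsed record (heuristics assumed by this example)."""
    notes = []
    if rec.get('permissive') == '1':
        notes.append('permissive=1: the access was logged, not blocked, when this record was written')
    if rec.get('tclass') == 'unix_stream_socket' and rec['tcontext_type'] == 'unconfined_service_t':
        notes.append('socket peer runs as unconfined_service_t: compare the label of its '
                     'executable (ls -Z) with what the policy file contexts expect')
    return notes


if __name__ == '__main__':
    record = parse_avc(AVC)
    print(record['comm'], record['scontext_type'], '->', record['tcontext_type'], record['perms'])
    for note in triage(record):
        print('note:', note)
```
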
This commit seems to have already been backported:

* Wed Nov 13 2019 Lukas Vrabec <lvrabec> - 3.14.4-41
- Fix typo bugs in rtas_errd_read_lock() interface
- Allow timedatex_t domain to systemctl chronyd domains
- Allow ipa_helper_t to read kr5_keytab_t files
- cockpit: Allow cockpit-session to read cockpit-tls state directory
- Allow stratisd_t domain to read nvme and fixed disk devices
- Update lldpad_t policy module
- Dontaudit tmpreaper_t getting attributes from sysctl_type files
- cockpit: Support https instance factory

so awaiting the latest build to be available in stable repos.
Reopening as it may take some time till the update is available. https://bodhi.fedoraproject.org/updates/FEDORA-2019-fefda9dd5e
selinux-policy-3.14.4-45.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-bb42099a17
selinux-policy-3.14.4-45.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.