Description of problem:
Multiple denial messages

Version-Release number of selected component (if applicable):
selinux-policy-3.14.5-24.fc32.noarch
kernel-5.6.0-0.rc1.git2.1.fc32.x86_64

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:
5 AVC avc: denied { connectto } for comm="agetty" path=002F6F72672F667265656465736B746F702F706C796D6F75746864 scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:plymouthd_t:s0 tclass=unix_stream_socket permissive=1
4 AVC avc: denied { create } for comm="systemd-user-ru" name="blk" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=blk_file permissive=1
4 AVC avc: denied { create } for comm="systemd-user-ru" name="chr" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=chr_file permissive=1
3 AVC avc: denied { dac_override } for comm="plymouthd" capability=1 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:system_r:plymouthd_t:s0 tclass=capability permissive=1
1 AVC avc: denied { getattr } for comm="login" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1
4 AVC avc: denied { getattr } for comm="systemd-hostnam" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
4 AVC avc: denied { getattr } for comm="systemd-localed" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_localed_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
1 AVC avc: denied { getattr } for comm="systemd-machine" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
1 AVC avc: denied { getattr } for comm="systemd-modules" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
2 AVC avc: denied { getattr } for comm="systemd-rfkill" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_rfkill_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
1 AVC avc: denied { getattr } for comm="systemd-sysctl" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
1 AVC avc: denied { getattr } for comm="systemd-timedat" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
2 AVC avc: denied { getattr } for comm="systemd-tty-ask" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
4 AVC avc: denied { mknod } for comm="systemd-user-ru" capability=27 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=capability permissive=1
4 AVC avc: denied { open } for comm="systemd-hostnam" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
4 AVC avc: denied { open } for comm="systemd-localed" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_localed_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
1 AVC avc: denied { open } for comm="systemd-machine" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
1 AVC avc: denied { open } for comm="systemd-modules" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
2 AVC avc: denied { open } for comm="systemd-rfkill" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_rfkill_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
1 AVC avc: denied { open } for comm="systemd-sysctl" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
1 AVC avc: denied { open } for comm="systemd-timedat" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
2 AVC avc: denied { open } for comm="systemd-tty-ask" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
1 AVC avc: denied { read } for comm="avahi-daemon" name="userdb" dev="tmpfs" ino=1321 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=1
44 AVC avc: denied { read } for comm="pkla-check-auth" name="userdb" dev="tmpfs" ino=1321 scontext=system_u:system_r:policykit_auth_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=1
4 AVC avc: denied { read } for comm="systemd-hostnam" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:at-spi-dbus-bus.service" dev="tmpfs" ino=125908 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:at-spi-dbus-bus.service" dev="tmpfs" ino=71101 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:dbus-:1.19-org.a11y.atspi.Registry" dev="tmpfs" ino=103897 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:dbus-:1.19-org.a11y.atspi.Registry" dev="tmpfs" ino=51048 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
2 AVC avc: denied { read } for comm="systemd-journal" name="invocation:dbus-:1.1-com.gexperts.Tilix" dev="tmpfs" ino=145403 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:dbus-:1.1-com.intel.dleyna-renderer" dev="tmpfs" ino=212436 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:dbus-:1.2-org.gnome.Identity" dev="tmpfs" ino=70557 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:dbus-:1.2-org.gnome.OnlineAccounts" dev="tmpfs" ino=72219 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:dbus-broker.service" dev="tmpfs" ino=147638 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:dbus-broker.service" dev="tmpfs" ino=39712 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:dbus-broker.service" dev="tmpfs" ino=49418 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:dbus-broker.service" dev="tmpfs" ino=86831 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:dbus-broker.service" dev="tmpfs" ino=99476 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
2 AVC avc: denied { read } for comm="systemd-journal" name="invocation:gnome-launched-gnome-software-service.desktop-5954.scope" dev="tmpfs" ino=149567 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:gnome-launched-libcanberra-login-sound.desktop-2934.scope" dev="tmpfs" ino=77748 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:gnome-launched-org.gnome.Evolution.desktop-7167.scope" dev="tmpfs" ino=152560 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:gnome-session-manager" dev="tmpfs" ino=43939 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:gnome-session-manager" dev="tmpfs" ino=98437 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:gnome-session-manager" dev="tmpfs" ino=69670 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:gnome-session-monitor.service" dev="tmpfs" ino=124553 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
4 AVC avc: denied { read } for comm="systemd-journal" name="invocation:gnome-shell-wayland.service" dev="tmpfs" ino=125653 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
2 AVC avc: denied { read } for comm="systemd-journal" name="invocation:gnome-shell-wayland.service" dev="tmpfs" ino=41827 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
3 AVC avc: denied { read } for comm="systemd-journal" name="invocation:gnome-shell-wayland.service" dev="tmpfs" ino=98443 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:gsd-color.service" dev="tmpfs" ino=77466 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:gsd-media-keys.service" dev="tmpfs" ino=137571 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:gsd-media-keys.service" dev="tmpfs" ino=56437 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:gsd-media-keys.service" dev="tmpfs" ino=97233 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:obex.service" dev="tmpfs" ino=212093 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:pulseaudio.service" dev="tmpfs" ino=43906 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:tracker-store.service" dev="tmpfs" ino=79411 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
4 AVC avc: denied { read } for comm="systemd-localed" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_localed_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
1 AVC avc: denied { read } for comm="systemd-machine" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
1 AVC avc: denied { read } for comm="systemd-modules" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
2 AVC avc: denied { read } for comm="systemd-rfkill" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_rfkill_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
1 AVC avc: denied { read } for comm="systemd-sysctl" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
1 AVC avc: denied { read } for comm="systemd-timedat" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
2 AVC avc: denied { read } for comm="systemd-tty-ask" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
1 AVC avc: denied { setattr } for comm="systemd-user-ru" name="blk" dev="tmpfs" ino=39377 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=blk_file permissive=1
1 AVC avc: denied { setattr } for comm="systemd-user-ru" name="blk" dev="tmpfs" ino=42872 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=blk_file permissive=1
1 AVC avc: denied { setattr } for comm="systemd-user-ru" name="blk" dev="tmpfs" ino=65787 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=blk_file permissive=1
1 AVC avc: denied { setattr } for comm="systemd-user-ru" name="blk" dev="tmpfs" ino=98338 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=blk_file permissive=1
1 AVC avc: denied { setattr } for comm="systemd-user-ru" name="chr" dev="tmpfs" ino=39376 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=chr_file permissive=1
1 AVC avc: denied { setattr } for comm="systemd-user-ru" name="chr" dev="tmpfs" ino=42871 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=chr_file permissive=1
1 AVC avc: denied { setattr } for comm="systemd-user-ru" name="chr" dev="tmpfs" ino=65786 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=chr_file permissive=1
1 AVC avc: denied { setattr } for comm="systemd-user-ru" name="chr" dev="tmpfs" ino=98337 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=chr_file permissive=1
1 AVC avc: denied { setsched } for comm="accounts-daemon" scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=process permissive=1
1 AVC avc: denied { setsched } for comm="boltd" scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:system_r:boltd_t:s0 tclass=process permissive=1
4 AVC avc: denied { setsched } for comm="colord" scontext=system_u:system_r:colord_t:s0 tcontext=system_u:system_r:colord_t:s0 tclass=process permissive=1
4 AVC avc: denied { setsched } for comm="geoclue" scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:system_r:geoclue_t:s0 tclass=process permissive=1
1 AVC avc: denied { setsched } for comm="ModemManager" scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=process permissive=1
1 AVC avc: denied { setsched } for comm="pcscd" scontext=system_u:system_r:pcscd_t:s0 tcontext=system_u:system_r:pcscd_t:s0 tclass=process permissive=1
1 AVC avc: denied { setsched } for comm="tpm2-abrmd" scontext=system_u:system_r:tabrmd_t:s0 tcontext=system_u:system_r:tabrmd_t:s0 tclass=process permissive=1
1 AVC avc: denied { sys_nice } for comm="accounts-daemon" capability=23 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=1
1 AVC avc: denied { sys_nice } for comm="pcscd" capability=23 scontext=system_u:system_r:pcscd_t:s0 tcontext=system_u:system_r:pcscd_t:s0 tclass=capability permissive=1
1 AVC avc: denied { unlink } for comm="systemd-user-ru" name="blk" dev="tmpfs" ino=42872 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=blk_file permissive=1
1 AVC avc: denied { unlink } for comm="systemd-user-ru" name="blk" dev="tmpfs" ino=65787 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=blk_file permissive=1
1 AVC avc: denied { unlink } for comm="systemd-user-ru" name="blk" dev="tmpfs" ino=98338 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=blk_file permissive=1
1 AVC avc: denied { unlink } for comm="systemd-user-ru" name="chr" dev="tmpfs" ino=42871 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=chr_file permissive=1
1 AVC avc: denied { unlink } for comm="systemd-user-ru" name="chr" dev="tmpfs" ino=65786 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=chr_file permissive=1
1 AVC avc: denied { unlink } for comm="systemd-user-ru" name="chr" dev="tmpfs" ino=98337 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=chr_file permissive=1

Expected results:

Additional info:

Hi Andrey,

Could you please reproduce it with the latest selinux-policy build from koji?
https://koji.fedoraproject.org/koji/buildinfo?buildID=1462575

Thanks,
Lukas.

rpm -qa | grep selinux-policy
selinux-policy-targeted-3.14.5-26.fc32.noarch
selinux-policy-3.14.5-26.fc32.noarch

2 AVC avc: denied { create } for comm="systemd-user-ru" name="blk" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=blk_file permissive=1
2 AVC avc: denied { create } for comm="systemd-user-ru" name="chr" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=chr_file permissive=1
2 AVC avc: denied { dac_override } for comm="plymouthd" capability=1 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:system_r:plymouthd_t:s0 tclass=capability permissive=1
1 AVC avc: denied { getattr } for comm="systemd-modules" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20526 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
2 AVC avc: denied { getattr } for comm="systemd-tty-ask" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20526 scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
2 AVC avc: denied { mknod } for comm="systemd-user-ru" capability=27 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=capability permissive=1
1 AVC avc: denied { open } for comm="systemd-modules" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20526 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
2 AVC avc: denied { open } for comm="systemd-tty-ask" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20526 scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:dbus-:1.19-org.a11y.atspi.Registry" dev="tmpfs" ino=56336 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:dbus-:1.2-com.gexperts.Tilix" dev="tmpfs" ino=75336 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:dbus-:1.2-org.gnome.Identity" dev="tmpfs" ino=61404 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:dbus-:1.2-org.gnome.OnlineAccounts" dev="tmpfs" ino=60094 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:dbus-:1.2-org.gnome.Shell.CalendarServer" dev="tmpfs" ino=59304 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:dbus-broker.service" dev="tmpfs" ino=40230 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:dbus-broker.service" dev="tmpfs" ino=49191 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:gnome-launched-gnome-software-service.desktop-2481.scope" dev="tmpfs" ino=65006 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
3 AVC avc: denied { read } for comm="systemd-journal" name="invocation:gnome-shell-wayland.service" dev="tmpfs" ino=48355 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:gnome-shell-wayland.service" dev="tmpfs" ino=58761 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:gsd-color.service" dev="tmpfs" ino=64454 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:pulseaudio.service" dev="tmpfs" ino=40219 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:pulseaudio.service" dev="tmpfs" ino=47241 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:tracker-store.service" dev="tmpfs" ino=69869 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-modules" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20526 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
2 AVC avc: denied { read } for comm="systemd-tty-ask" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20526 scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
1 AVC avc: denied { setattr } for comm="systemd-user-ru" name="blk" dev="tmpfs" ino=33735 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=blk_file permissive=1
1 AVC avc: denied { setattr } for comm="systemd-user-ru" name="blk" dev="tmpfs" ino=46237 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=blk_file permissive=1
1 AVC avc: denied { setattr } for comm="systemd-user-ru" name="chr" dev="tmpfs" ino=33734 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=chr_file permissive=1
1 AVC avc: denied { setattr } for comm="systemd-user-ru" name="chr" dev="tmpfs" ino=46236 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=chr_file permissive=1
1 AVC avc: denied { setsched } for comm="accounts-daemon" scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=process permissive=1
1 AVC avc: denied { setsched } for comm="boltd" scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:system_r:boltd_t:s0 tclass=process permissive=1
2 AVC avc: denied { setsched } for comm="colord" scontext=system_u:system_r:colord_t:s0 tcontext=system_u:system_r:colord_t:s0 tclass=process permissive=1
2 AVC avc: denied { setsched } for comm="geoclue" scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:system_r:geoclue_t:s0 tclass=process permissive=1
1 AVC avc: denied { setsched } for comm="ModemManager" scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=process permissive=1
1 AVC avc: denied { setsched } for comm="pcscd" scontext=system_u:system_r:pcscd_t:s0 tcontext=system_u:system_r:pcscd_t:s0 tclass=process permissive=1
1 AVC avc: denied { setsched } for comm="tpm2-abrmd" scontext=system_u:system_r:tabrmd_t:s0 tcontext=system_u:system_r:tabrmd_t:s0 tclass=process permissive=1
1 AVC avc: denied { sys_nice } for comm="accounts-daemon" capability=23 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=1
1 AVC avc: denied { sys_nice } for comm="pcscd" capability=23 scontext=system_u:system_r:pcscd_t:s0 tcontext=system_u:system_r:pcscd_t:s0 tclass=capability permissive=1
1 AVC avc: denied { unlink } for comm="systemd-user-ru" name="blk" dev="tmpfs" ino=46237 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=blk_file permissive=1
1 AVC avc: denied { unlink } for comm="systemd-user-ru" name="chr" dev="tmpfs" ino=46236 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=chr_file permissive=1

Hi,

These issues will be handled by this commit:

commit 5474b82f5d1280e11a7a47ce7dc2feb50df049cb (HEAD -> rawhide, origin/rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Tue Feb 18 17:53:01 2020 +0100

    Allow systemd_logind_t domain to manage user_tmp_t char and block devices

    Resolves: rhbz#1798912

(In reply to Lukas Vrabec from comment #3)
> Hi,
>
> These issues will be handled by this commit:
>

There are about five or six other SELinux issues unrelated to systemd-logind_t.

> commit 5474b82f5d1280e11a7a47ce7dc2feb50df049cb (HEAD -> rawhide,
> origin/rawhide)
> Author: Lukas Vrabec <lvrabec>
> Date: Tue Feb 18 17:53:01 2020 +0100
>
> Allow systemd_logind_t domain to manage user_tmp_t char and block
> devices
>
> Resolves: rhbz#1798912
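
One way to sort a dump like the ones in this report by source domain, as an added example that is not part of the original thread or of selinux-policy: it parses the counted "N AVC avc: denied" summary format even when records are flattened or broken mid-record, collapses them into one rule-shaped line per (source type, target type, class), and separates one domain from the rest. SAMPLE is built from records copied out of the report; every function name is this example's own.

```python
import re
from collections import defaultdict

# One record: optional "<count> AVC" prefix (the summary form used in the
# report), the permission set, then key=value fields up to permissive=N.
# The tempered dot keeps a truncated record from swallowing the next one.
RECORD = re.compile(
    r'(?:(?P<count>\d+)\s+AVC\s+)?avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+'
    r'(?P<fields>(?:(?!avc:).)*?)\bpermissive=(?P<permissive>[01])',
    re.S,
)
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: six records copied from the report, run together on one
# line with one mid-record line break, the way the page presents them.
SAMPLE = (
    '5 AVC avc: denied { connectto } for comm="agetty" '
    'path=002F6F72672F667265656465736B746F702F706C796D6F75746864 '
    'scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:plymouthd_t:s0 tclass=unix_stream_socket permissive=1 '
    '4 AVC avc: denied { create } for comm="systemd-user-ru" name="blk" '
    'scontext=system_u:system_r:systemd_logind_t:s0 '
    'tcontext=system_u:object_r:user_tmp_t:s0 tclass=blk_file permissive=1 '
    '1 AVC avc: denied { setattr } for comm="systemd-user-ru" name="blk" dev="tmpfs" ino=39377 \n'
    'scontext=system_u:system_r:systemd_logind_t:s0 '
    'tcontext=system_u:object_r:user_tmp_t:s0 tclass=blk_file permissive=1 '
    '4 AVC avc: denied { mknod } for comm="systemd-user-ru" capability=27 '
    'scontext=system_u:system_r:systemd_logind_t:s0 '
    'tcontext=system_u:system_r:systemd_logind_t:s0 tclass=capability permissive=1 '
    '1 AVC avc: denied { setsched } for comm="pcscd" scontext=system_u:system_r:pcscd_t:s0 '
    'tcontext=system_u:system_r:pcscd_t:s0 tclass=process permissive=1 '
    '1 AVC avc: denied { sys_nice } for comm="pcscd" capability=23 '
    'scontext=system_u:system_r:pcscd_t:s0 '
    'tcontext=system_u:system_r:pcscd_t:s0 tclass=capability permissive=1'
)


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


def parse_denials(text):
    """Yield one dict per complete AVC denial found in free-form text."""
    for m in RECORD.finditer(text):
        fields = {k: v.strip('"') for k, v in FIELD.findall(m.group('fields'))}
        if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
            continue  # incomplete record: skip rather than guess
        yield {
            'count': int(m.group('count') or 1),
            'perms': m.group('perms').split(),
            'comm': fields.get('comm', '?'),
            'source': selinux_type(fields['scontext']),
            'target': selinux_type(fields['tcontext']),
            'tclass': fields['tclass'],
            'permissive': m.group('permissive') == '1',
        }


def group_rules(denials):
    """Collapse denials into {(source, target, class): perms, comms, hits}."""
    rules = defaultdict(lambda: {'perms': set(), 'comms': set(), 'hits': 0})
    for d in denials:
        rule = rules[(d['source'], d['target'], d['tclass'])]
        rule['perms'].update(d['perms'])
        rule['comms'].add(d['comm'])
        rule['hits'] += d['count']
    return dict(rules)


def as_allow(key, rule):
    """Render one group in allow-rule shape, for reading rather than loading."""
    source, target, tclass = key
    target = 'self' if target == source else target
    return f"allow {source} {target}:{tclass} {{ {' '.join(sorted(rule['perms']))} }};"


def split_by_source(rules, domain):
    """Return (rules whose source type is `domain`, all other rules)."""
    mine = {k: v for k, v in rules.items() if k[0] == domain}
    other = {k: v for k, v in rules.items() if k[0] != domain}
    return mine, other


if __name__ == '__main__':
    rules = group_rules(parse_denials(SAMPLE))
    parts = split_by_source(rules, 'systemd_logind_t')
    for label, part in zip(('systemd_logind_t', 'other domains'), parts):
        print(f'# {label}')
        for key in sorted(part):
            print(f"{as_allow(key, part[key])}  # hits={part[key]['hits']}")
```

Every record in the sample carries permissive=1, meaning the access was logged but not blocked, so the hit counts describe what enforcing mode would have denied.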