Using selinux-policy-targeted-3.14.4-50.fc31.noarch
The inode points to "/run/systemd"
AVC
avc: denied { read } for pid=781 comm="sssd" name="systemd" dev="tmpfs" ino=15223 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=1
This seems related to https://bugzilla.redhat.com/show_bug.cgi?id=1811556
Anthony, Apart from the denial, did you also see any functionality issue? I also see the system was in permissive mode, no additional denial was audited?
(In reply to Zdenek Pytela from comment #1)
> Anthony,
>
> Apart from the denial, did you also see any functionality issue?
>
> I also see the system was in permissive mode, no additional denial was
> audited?
Hi Zdenek. sssd does continue to start in enforcing mode, but I am not certain if there is an effective functionality decrease. No additional AVCs are generated in permissive or enforcing mode.
Confirmed still happening as of selinux-policy-targeted-3.14.5-43.fc32.noarch, but everything appears to be in working order besides the nuisance AVC denial in seapplet.
This message is a reminder that Fedora 31 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 31 on 2020-11-24. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '31'.
Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.
Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 31 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above.
Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
*** Bug 1907574 has been marked as a duplicate of this bug. ***
Needs backporting:
commit 7e0a0dae48a7aa066bfd76e26e99f04b1d8170dc
Author: Zdenek Pytela <zpytela>
Date:   Tue Dec 15 23:18:22 2020 +0100

    Allow sssd read /run/systemd directory

    The nsswitch_domain is already allowed search /run/systemd,
    sssd however requires the read permission, granted by the list_dir_perms pattern.

    The reason is that sssd is using an asynchronous resolver library (c-ares)
    and monitors /etc/resolv.conf for changes. If /etc/resolv.conf is replaced
    with a symlink, SSSD tries to follow it to set an inotify watch to be aware
    of the target file changes. The resolv.conf file changes can be made by
    a user, NetworkManager, or systemd-resolved.

    Resolves: rhbz#1903335
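The search-versus-read distinction in the commit message above, as an added example (not code from this bug report or from selinux-policy): it parses the AVC record from the first comment and checks the denied permission against the `search_dir_perms` and `list_dir_perms` sets. The set contents follow the reference policy's obj_perm_sets.spt and are assumed unchanged in the Fedora policy; the function names are hypothetical.

```python
import re

# Directory permission sets as defined in refpolicy's obj_perm_sets.spt
# (assumption: unchanged in the Fedora policy discussed in this bug).
SEARCH_DIR_PERMS = frozenset({"getattr", "search", "open"})
LIST_DIR_PERMS = frozenset({"getattr", "search", "open", "read", "lock", "ioctl"})

# AVC record copied from the first comment of this bug report.
AVC = ('avc: denied { read } for pid=781 comm="sssd" name="systemd" '
       'dev="tmpfs" ino=15223 scontext=system_u:system_r:sssd_t:s0 '
       'tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=1')

_AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')

def parse_avc(line):
    """Return denied perms, source/target types, class and permissive flag."""
    m = _AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial record")
    # Remaining fields are key=value pairs; values may be double-quoted.
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("rest"))
    fields = {k: v.strip('"') for k, v in pairs}
    # A context is user:role:type:level; the type is the third component.
    return {
        "perms": frozenset(m.group("perms").split()),
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "permissive": fields.get("permissive") == "1",
    }

def missing_perms(avc, granted):
    """Permissions the denial asks for that the granted set does not cover."""
    return avc["perms"] - granted

def as_allow_rule(avc):
    """Render the denial as the raw allow rule it corresponds to."""
    perms = " ".join(sorted(avc["perms"]))
    return f'allow {avc["source"]} {avc["target"]}:{avc["tclass"]} {{ {perms} }};'

if __name__ == "__main__":
    avc = parse_avc(AVC)
    print(as_allow_rule(avc))
    print("missing with search_dir_perms:", sorted(missing_perms(avc, SEARCH_DIR_PERMS)))
    print("missing with list_dir_perms:  ", sorted(missing_perms(avc, LIST_DIR_PERMS)))
```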
F32: https://github.com/fedora-selinux/selinux-policy-contrib/pull/387
F33: https://github.com/fedora-selinux/selinux-policy-contrib/pull/388
FEDORA-2021-3036e7bf00 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2021-3036e7bf00
FEDORA-2021-3036e7bf00 has been pushed to the Fedora 32 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-3036e7bf00` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-3036e7bf00 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-3036e7bf00 has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report.