Description of problem:
I believe this was caused by simply logging into Xfce from the graphical greeter.
SELinux is preventing chronyd from 'write' accesses on the sock_file io.systemd.Resolve.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that chronyd should be allowed write access on the io.systemd.Resolve sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'chronyd' --raw | audit2allow -M my-chronyd
# semodule -X 300 -i my-chronyd.pp

Additional Information:
Source Context                system_u:system_r:chronyd_t:s0
Target Context                system_u:object_r:systemd_resolved_var_run_t:s0
Target Objects                io.systemd.Resolve [ sock_file ]
Source                        chronyd
Source Path                   chronyd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.7-8.fc34.noarch
Local Policy RPM              selinux-policy-targeted-3.14.7-8.fc34.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 5.10.0-0.rc3.20201112git3d5e28bff7ad.73.fc34.x86_64 #1 SMP Fri Nov 13 02:54:43 UTC 2020 x86_64 x86_64
Alert Count                   2
First Seen                    2020-11-21 10:25:42 AEDT
Last Seen                     2020-11-21 10:25:45 AEDT
Local ID                      bf1bd648-b9aa-490f-bdce-b54d9a80e6ff

Raw Audit Messages
type=AVC msg=audit(1605914745.734:508): avc: denied { write } for pid=611 comm="chronyd" name="io.systemd.Resolve" dev="tmpfs" ino=1032 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=sock_file permissive=1

Hash: chronyd,chronyd_t,systemd_resolved_var_run_t,sock_file,write

Version-Release number of selected component:
selinux-policy-targeted-3.14.7-8.fc34.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.14.0
hashmarkername: setroubleshoot
kernel:         5.10.0-0.rc3.20201112git3d5e28bff7ad.73.fc34.x86_64
type:           libreport
This started to happen after update of systemd 246.6-3.fc34.x86_64 => systemd-247~rc2-1.fc34.x86_64
And bug 1900175 is probably the same issue.
I actually have a ton of these from different things but all to io.systemd.Resolve. I have pool-geoclue, NetworkManager, chronyd, openvpn, rpc.gssd, krb5_child, maybe more.
*** Bug 1900175 has been marked as a duplicate of this bug. ***
I've submitted a Fedora PR to address the issue for nsswitch_domain: https://github.com/fedora-selinux/selinux-policy/pull/503
*** Bug 1907125 has been marked as a duplicate of this bug. ***
FEDORA-2020-f33aa1146d has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2020-f33aa1146d
FEDORA-2020-f33aa1146d has been pushed to the Fedora 33 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-f33aa1146d`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-f33aa1146d
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2020-f33aa1146d has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report.