Description of problem: following reboot after dnf update SELinux is preventing (direxec) from 'execute' accesses on the file sysstat.sleep. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that (direxec) should be allowed execute access on the sysstat.sleep file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c '(direxec)' --raw | audit2allow -M my-direxec # semodule -X 300 -i my-direxec.pp Additional Information: Source Context system_u:system_r:systemd_sleep_t:s0 Target Context system_u:object_r:bin_t:s0 Target Objects sysstat.sleep [ file ] Source (direxec) Source Path (direxec) Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages SELinux Policy RPM selinux-policy-targeted-34.2-1.fc34.noarch Local Policy RPM selinux-policy-targeted-34.2-1.fc34.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 5.11.11-300.fc34.x86_64 #1 SMP Tue Mar 30 16:37:11 UTC 2021 x86_64 x86_64 Alert Count 2 First Seen 2021-04-08 20:43:43 EDT Last Seen 2021-04-09 08:27:02 EDT Local ID d58c631c-bb36-423e-ba7d-2e1b0835468c Raw Audit Messages type=AVC msg=audit(1617971222.147:1201): avc: denied { execute } for pid=186478 comm="(direxec)" name="sysstat.sleep" dev="sda3" ino=333842 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0 Hash: (direxec),systemd_sleep_t,bin_t,file,execute Version-Release number of selected component: selinux-policy-targeted-34.2-1.fc34.noarch Additional info: component: selinux-policy reporter: libreport-2.14.0 hashmarkername: setroubleshoot kernel: 5.11.12-300.fc34.x86_64 type: libreport
Similar problem has been detected: Sortie du mode veille hashmarkername: setroubleshoot kernel: 5.11.15-300.fc34.x86_64 package: selinux-policy-targeted-34.3-1.fc34.noarch reason: SELinux is preventing (direxec) from 'execute' accesses on the fichier sysstat.sleep. type: libreport
Similar problem has been detected: Happened after resume from suspend. hashmarkername: setroubleshoot kernel: 5.11.16-200.fc33.x86_64 package: selinux-policy-targeted-34.3-1.fc34.noarch reason: SELinux is preventing (direxec) from 'execute' accesses on the file sysstat.sleep. type: libreport
Similar problem has been detected: Close the lid and open again hashmarkername: setroubleshoot kernel: 5.11.16-300.fc34.x86_64 package: selinux-policy-targeted-34.3-1.fc34.noarch reason: SELinux is preventing (direxec) from 'execute' accesses on the file sysstat.sleep. type: libreport
I am seeing this in the KDE SELinux applet after upgrading from 33 to 34. SELinux is preventing (direxec) from execute access on the file /usr/lib/systemd/system-sleep/sysstat.sleep. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that (direxec) should be allowed execute access on the sysstat.sleep file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c '(direxec)' --raw | audit2allow -M my-direxec # semodule -X 300 -i my-direxec.pp Additional Information: Source Context system_u:system_r:systemd_sleep_t:s0 Target Context system_u:object_r:bin_t:s0 Target Objects /usr/lib/systemd/system-sleep/sysstat.sleep [ file ] Source (direxec) Source Path (direxec) Port <Unknown> Host localhost.localdomain Source RPM Packages Target RPM Packages sysstat-12.5.3-1.fc34.x86_64 SELinux Policy RPM selinux-policy-targeted-34.3-1.fc34.noarch Local Policy RPM selinux-policy-targeted-34.3-1.fc34.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name localhost.localdomain Platform Linux localhost.localdomain 5.11.16-300.fc34.x86_64 #1 SMP Wed Apr 21 13:18:33 UTC 2021 x86_64 x86_64 Alert Count 4 First Seen 2021-05-01 00:20:01 CST Last Seen 2021-05-01 08:21:21 CST Local ID aa2b8e2e-095d-4b29-803a-e38faaa44f5e Raw Audit Messages type=AVC msg=audit(1619828481.46:1267): avc: denied { execute } for pid=15315 comm="(direxec)" name="sysstat.sleep" dev="nvme0n1p5" ino=4723388 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0 Hash: (direxec),systemd_sleep_t,bin_t,file,execute Neofetch output: /:-------------:\ joe@fedora :-------------------:: ---------- :-----------/shhOHbmp---:\ OS: Fedora release 34 (Thirty Four) x86_64 /-----------omMMMNNNMMD ---: Host: 81NB Lenovo IdeaPad S340-14API :-----------sMMMMNMNMP. ---: Kernel: 5.11.16-300.fc34.x86_64 :-----------:MMMdP------- ---\ Uptime: 8 hours, 45 mins ,------------:MMMd-------- ---: Packages: 2433 (rpm), 25 (flatpak) :------------:MMMd------- .---: Shell: bash 5.1.0 :---- oNMMMMMMMMMNho .----: Resolution: 1920x1080 :-- .+shhhMMMmhhy++ .------/ DE: Plasma 5.21.4 :- -------:MMMd--------------: WM: kwin :- --------/MMMd-------------; WM Theme: Ant-Dark :- ------/hMMMy------------: Theme: Breeze Dark [Plasma], Adwaita [GTK2], Breeze [GTK3] :-- :dMNdhhdNMMNo------------; Icons: breeze-dark [Plasma], breeze-dark [GTK2/3] :---:sdNMMMMNds:------------: Terminal: konsole :------:://:-------------:: CPU: AMD Ryzen 5 3500U with Radeon Vega Mobile Gfx (8) @ 2.100GHz :---------------------:// GPU: AMD ATI 04:00.0 Picasso Memory: 4004MiB / 7446MiB
Similar problem has been detected: Every time I open Google Chrome hashmarkername: setroubleshoot kernel: 5.11.16-300.fc34.x86_64 package: selinux-policy-targeted-34.3-1.fc34.noarch reason: SELinux is preventing (direxec) from 'execute' accesses on the fitxer /usr/lib/systemd/system-sleep/sysstat.sleep. type: libreport
Sorry. The comment it's from another bug. This appends when resume from suspend
*** Bug 1955984 has been marked as a duplicate of this bug. ***
Similar problem has been detected: resume from suspend to ram. Suspend to ram deep (mem_sleep_default=deep kernel parameter) hashmarkername: setroubleshoot kernel: 5.11.16-300.fc34.x86_64 package: selinux-policy-targeted-34.3-1.fc34.noarch reason: SELinux is preventing (direxec) from 'execute' accesses on the file sysstat.sleep. type: libreport
*** Bug 1955227 has been marked as a duplicate of this bug. ***
*** Bug 1955634 has been marked as a duplicate of this bug. ***
*** Bug 1956142 has been marked as a duplicate of this bug. ***
I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/712
FEDORA-2021-b9564e597a has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-b9564e597a
FEDORA-2021-b9564e597a has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-b9564e597a` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-b9564e597a See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-b9564e597a has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report.