Description of problem: Same as https://bugzilla.redhat.com/show_bug.cgi?id=1941445: Upgraded from F33->F34, touch /.autorelabel, closed laptop lid, came back, opened it back up and got a ton new alerts (~28 before, now at ~114!). SELinux is preventing grep from 'map' accesses on the file /usr/bin/grep. ***** Plugin catchall_boolean (89.3 confidence) suggests ****************** If you want to allow domain to can mmap files Then you must tell SELinux about this by enabling the 'domain_can_mmap_files' boolean. Do setsebool -P domain_can_mmap_files 1 ***** Plugin catchall (11.6 confidence) suggests ************************** If you believe that grep should be allowed map access on the grep file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'grep' --raw | audit2allow -M my-grep # semodule -X 300 -i my-grep.pp Additional Information: Source Context system_u:system_r:systemd_sleep_t:s0 Target Context system_u:object_r:bin_t:s0 Target Objects /usr/bin/grep [ file ] Source grep Source Path grep Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages grep-3.6-2.fc34.x86_64 SELinux Policy RPM selinux-policy-targeted-34.3-1.fc34.noarch Local Policy RPM selinux-policy-targeted-34.3-1.fc34.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 5.11.16-300.fc34.x86_64 #1 SMP Wed Apr 21 13:18:33 UTC 2021 x86_64 x86_64 Alert Count 1 First Seen 2021-05-02 20:01:03 EDT Last Seen 2021-05-02 20:01:03 EDT Local ID 5bc09591-ed60-44f1-a3a5-67c16cadf3e6 Raw Audit Messages type=AVC msg=audit(1620000063.649:1352): avc: denied { map } for pid=9908 comm="grep" path="/usr/bin/grep" dev="dm-1" ino=1879835 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1 Hash: grep,systemd_sleep_t,bin_t,file,map Version-Release number of selected component: selinux-policy-targeted-34.3-1.fc34.noarch Additional info: component: selinux-policy reporter: libreport-2.14.0 hashmarkername: setroubleshoot kernel: 5.11.16-300.fc34.x86_64 type: libreport
*** This bug has been marked as a duplicate of bug 1948070 ***