Description of problem: This occurred on fresh F34 installation after dnf update && reboot. SELinux is preventing sssd from 'watch' accesses on the directory /run/systemd. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that sssd should be allowed watch access on the systemd directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'sssd' --raw | audit2allow -M my-sssd # semodule -X 300 -i my-sssd.pp Additional Information: Source Context system_u:system_r:sssd_t:s0 Target Context system_u:object_r:init_var_run_t:s0 Target Objects /run/systemd [ dir ] Source sssd Source Path sssd Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages SELinux Policy RPM selinux-policy-targeted-34.6-1.fc34.noarch Local Policy RPM selinux-policy-targeted-34.6-1.fc34.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 5.11.18-300.fc34.aarch64 #1 SMP Mon May 3 14:50:38 UTC 2021 aarch64 aarch64 Alert Count 69 First Seen 2021-05-10 14:33:33 CEST Last Seen 2021-05-10 14:44:53 CEST Local ID b471c2a5-2f02-4ca4-b890-dd04c6fd7760 Raw Audit Messages type=AVC msg=audit(1620650693.889:735): avc: denied { watch } for pid=1402 comm="sssd" path="/run/systemd" dev="tmpfs" ino=2 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0 Hash: sssd,sssd_t,init_var_run_t,dir,watch Version-Release number of selected component: selinux-policy-targeted-34.6-1.fc34.noarch Additional info: component: selinux-policy reporter: libreport-2.14.0 hashmarkername: setroubleshoot kernel: 5.11.18-300.fc34.aarch64 type: libreport
Can confirm on 5.12.10-300.fc34.x86_64 . For what it's worth, this is thus not limited to aarch64
I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/785
FEDORA-2021-3df7370a94 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-3df7370a94
FEDORA-2021-3df7370a94 has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-3df7370a94` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-3df7370a94 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-3df7370a94 has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report.