Description of problem ====================== When installing podman on Fedora 35, I keep getting this AVC log: # ausearch -m AVC -m USER_AVC -m SELINUX_ERR -sv no ---- time->Tue Jan 18 07:00:23 2022 type=AVC msg=audit(1642507223.152:456): avc: denied { setgid } for pid=1405 comm="sss_cache" capability=6 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 ---- time->Tue Jan 18 07:00:23 2022 type=AVC msg=audit(1642507223.152:457): avc: denied { setgid } for pid=1405 comm="sss_cache" capability=6 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 ---- time->Tue Jan 18 07:00:23 2022 type=AVC msg=audit(1642507223.161:458): avc: denied { setgid } for pid=1407 comm="sss_cache" capability=6 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 ---- time->Tue Jan 18 07:00:23 2022 type=AVC msg=audit(1642507223.161:459): avc: denied { setgid } for pid=1407 comm="sss_cache" capability=6 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 ---- time->Tue Jan 18 07:00:23 2022 type=AVC msg=audit(1642507223.208:461): avc: denied { setgid } for pid=1412 comm="sss_cache" capability=6 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0 ---- time->Tue Jan 18 07:00:23 2022 type=AVC msg=audit(1642507223.209:462): avc: denied { setgid } for pid=1412 comm="sss_cache" capability=6 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0 ---- time->Tue Jan 18 07:00:23 2022 type=AVC msg=audit(1642507223.220:463): avc: denied { setgid } for pid=1415 comm="sss_cache" capability=6 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0 ---- time->Tue Jan 18 07:00:23 2022 type=AVC msg=audit(1642507223.220:464): avc: denied { setgid } for pid=1415 comm="sss_cache" capability=6 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0 audit2allow says: #============= groupadd_t ============== allow groupadd_t self:capability setgid; #============= useradd_t ============== allow useradd_t self:capability setgid; Version-Release number of selected component ============================================ selinux-policy-35.8-1.fc35.noarch How reproducible ================ Always Steps to Reproduce ================== 1. Install Fedora 35 2. ausearch -m AVC -m USER_AVC -m SELINUX_ERR -sv no * no AVC's 3. dnf -y install podman 4. ausearch -m AVC -m USER_AVC -m SELINUX_ERR -sv no Actual results ============== AVC's Expected results ================ no AVC's Additional info =============== # sestatus SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Memory protection checking: actual (secure) Max kernel policy version: 33 #
With permissive mode, there's less: # ausearch -m AVC -m USER_AVC -m SELINUX_ERR -sv no ---- time->Tue Jan 18 07:16:46 2022 type=AVC msg=audit(1642508206.252:444): avc: denied { setgid } for pid=1224 comm="sss_cache" capability=6 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=1 ---- time->Tue Jan 18 07:16:46 2022 type=AVC msg=audit(1642508206.319:446): avc: denied { setgid } for pid=1231 comm="sss_cache" capability=6 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=1 # sestatus SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: permissive Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Memory protection checking: actual (secure) Max kernel policy version: 33 #
*** This bug has been marked as a duplicate of bug 2022690 ***