Description of problem:
We start to hit the following avc denial while running tests on aarch64.

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

selinux-policy-37.1-1.fc37.noarch
----
time->Sun May 8 23:24:21 2022
type=AVC msg=audit(1652066661.437:1770): avc: denied { sys_admin } for pid=674004 comm="systemd-gpt-aut" capability=21 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=capability permissive=0
----
time->Sun May 8 23:24:32 2022
type=AVC msg=audit(1652066672.167:1818): avc: denied { sys_admin } for pid=674050 comm="systemd-gpt-aut" capability=21 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=capability permissive=0

Version-Release number of selected component (if applicable):
selinux-policy-37.1-1.fc37.noarch
systemd-251~rc2-1.fc37.aarch64

How reproducible:
It seems easily reproducible with test [1]

Steps to Reproduce:
1. Run test [1]

Additional info:
more logs: https://datawarehouse.cki-project.org/kcidb/tests/3434080
cki issue tracker: https://datawarehouse.cki-project.org/issue/1193

[1] https://gitlab.com/cki-project/kernel-tests/-/tree/main/networking/netfilter

One of our automated tests also triggers these SELinux denials:
 * https://src.fedoraproject.org/tests/selinux/blob/main/f/selinux-policy/systemd-notify-and-similar

Latest test results are visible at:
 * http://artifacts.dev.testing-farm.io/dbf959fd-15e6-4206-8178-45e4d0ae03e8

*** This bug has been marked as a duplicate of bug 2083900 ***