Description of problem:
I upgraded my F36 Workstation and rebooted. This is the first time I see this error, so it must be related to the recent update.

SELinux is preventing systemctl from 'map' accesses on the file /usr/bin/systemctl.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow domain to can mmap files
Then you must tell SELinux about this by enabling the 'domain_can_mmap_files' boolean.

Do
setsebool -P domain_can_mmap_files 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that systemctl should be allowed map access on the systemctl file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemctl' --raw | audit2allow -M my-systemctl
# semodule -X 300 -i my-systemctl.pp

Additional Information:
Source Context                system_u:system_r:NetworkManager_dispatcher_custom_t:s0
Target Context                system_u:object_r:systemd_systemctl_exec_t:s0
Target Objects                /usr/bin/systemctl [ file ]
Source                        systemctl
Source Path                   systemctl
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages           systemd-250.3-8.fc36.x86_64
SELinux Policy RPM            selinux-policy-targeted-36.9-1.fc36.noarch
Local Policy RPM              selinux-policy-targeted-36.9-1.fc36.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.17.9-300.fc36.x86_64 #1 SMP PREEMPT Wed May 18 15:08:23 UTC 2022 x86_64 x86_64
Alert Count                   1
First Seen                    2022-05-23 09:25:13 CEST
Last Seen                     2022-05-23 09:25:13 CEST
Local ID                      d1ea1ee1-40d8-4fe9-8f2e-3910cf3c51ac

Raw Audit Messages
type=AVC msg=audit(1653290713.727:248): avc: denied { map } for pid=1396 comm="systemctl" path="/usr/bin/systemctl" dev="dm-0" ino=1836519 scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1

Hash: systemctl,NetworkManager_dispatcher_custom_t,systemd_systemctl_exec_t,file,map

Version-Release number of selected component:
selinux-policy-targeted-36.9-1.fc36.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.17.1
hashmarkername: setroubleshoot
kernel:         5.17.9-300.fc36.x86_64
type:           libreport

Kamile, Do you know which script triggers this denial?
See bug 2089171 comment 4

Similar problem has been detected:
used airport-wifi

hashmarkername: setroubleshoot
kernel:         5.17.11-300.fc36.x86_64
package:        selinux-policy-targeted-36.9-1.fc36.noarch
reason:         SELinux is preventing systemctl from 'map' accesses on the file /usr/bin/systemctl.
type:           libreport

Similar problem has been detected:
in the USA I switched to the University-VPN in Europe

hashmarkername: setroubleshoot
kernel:         5.17.11-300.fc36.x86_64
package:        selinux-policy-targeted-36.9-1.fc36.noarch
reason:         SELinux is preventing systemctl from 'map' accesses on the file /usr/bin/systemctl.
type:           libreport

Similar problem has been detected:
This happens at boot, even after "fixfiles onboot", together with another 10 AVCs.

hashmarkername: setroubleshoot
kernel:         5.17.11-300.fc36.x86_64
package:        selinux-policy-targeted-36.9-1.fc36.noarch
reason:         SELinux is preventing systemctl from 'map' accesses on the file /usr/bin/systemctl.
type:           libreport

I believe this AVC has been addressed in the latest release:

# sesearch -A -s NetworkManager_dispatcher_custom_t -t systemd_systemctl_exec_t -c file -p execute
allow NetworkManager_dispatcher_custom_t systemd_systemctl_exec_t:file { execute execute_no_trans getattr ioctl lock map open read };
# rpm -q selinux-policy
selinux-policy-36.10-1.fc36.noarch
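The check made in the last comment can be repeated for any denial by comparing the raw AVC record with the sesearch output. The following is an added example, not part of the original report or of the selinux-policy project; the function names are hypothetical, and the sample strings are copied from the AVC record and the allow rule quoted above.

```python
import re

# Sample input taken from this report: the raw AVC record and the allow
# rule printed by sesearch for selinux-policy-36.10-1.fc36.
AVC = ('type=AVC msg=audit(1653290713.727:248): avc: denied { map } for pid=1396 '
       'comm="systemctl" path="/usr/bin/systemctl" dev="dm-0" ino=1836519 '
       'scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 '
       'tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1')
RULES = ('allow NetworkManager_dispatcher_custom_t systemd_systemctl_exec_t:file '
         '{ execute execute_no_trans getattr ioctl lock map open read };')

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?'
                    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)')
# Rules followed by a boolean condition after the ';' do not match and are skipped.
RULE_RE = re.compile(r'^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{([^}]*)\}|(\S+))\s*;\s*$',
                     re.M)

def parse_avc(line):
    """Return (source_type, target_type, tclass, denied_perms) from an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial record")
    # The SELinux type is the third field of user:role:type[:level].
    stype = m.group('s').split(':')[2]
    ttype = m.group('t').split(':')[2]
    return stype, ttype, m.group('c'), set(m.group('perms').split())

def allowed_perms(sesearch_output, stype, ttype, tclass):
    """Union of permissions granted by rules naming these types literally.

    Assumption: rules granted through attributes are not resolved here.
    """
    perms = set()
    for s, t, c, braced, single in RULE_RE.findall(sesearch_output):
        if (s, t, c) == (stype, ttype, tclass):
            perms |= set((braced or single).split())
    return perms

def still_denied(avc_line, sesearch_output):
    """Permissions from the denial that the given rules do not cover."""
    stype, ttype, tclass, denied = parse_avc(avc_line)
    return denied - allowed_perms(sesearch_output, stype, ttype, tclass)

if __name__ == "__main__":
    print(still_denied(AVC, RULES) or "denial is covered by the listed rules")
```

An empty result means the updated policy already grants the access, so neither the domain_can_mmap_files boolean nor a local audit2allow module is needed for this denial.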