Description of problem:
I upgraded my F36 Workstation and rebooted. This is the first time I see this error, so it must be related to the recent update.
SELinux is preventing systemctl from 'search' accesses on the directory 1.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemctl should be allowed search access on the 1 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'systemctl' --raw | audit2allow -M my-systemctl
# semodule -X 300 -i my-systemctl.pp

Additional Information:
Source Context                system_u:system_r:NetworkManager_dispatcher_custom_t:s0
Target Context                system_u:system_r:init_t:s0
Target Objects                1 [ dir ]
Source                        systemctl
Source Path                   systemctl
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-36.9-1.fc36.noarch
Local Policy RPM              selinux-policy-targeted-36.9-1.fc36.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.17.9-300.fc36.x86_64 #1 SMP PREEMPT Wed May 18 15:08:23 UTC 2022 x86_64 x86_64
Alert Count                   1
First Seen                    2022-05-23 09:25:13 CEST
Last Seen                     2022-05-23 09:25:13 CEST
Local ID                      3a2511bd-989a-43a0-99d3-ac59c8d80c3a

Raw Audit Messages
type=AVC msg=audit(1653290713.730:249): avc: denied { search } for pid=1396 comm="systemctl" name="1" dev="proc" ino=16751 scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=1

Hash: systemctl,NetworkManager_dispatcher_custom_t,init_t,dir,search

Version-Release number of selected component:
selinux-policy-targeted-36.9-1.fc36.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.17.1
hashmarkername: setroubleshoot
kernel:         5.17.9-300.fc36.x86_64
type:           libreport

Kamile, Do you know which script triggers this denial?
*** Bug 2089172 has been marked as a duplicate of this bug. ***
*** Bug 2089174 has been marked as a duplicate of this bug. ***
I have no idea. How can I figure it out? I have a fairly stock F36 Workstation installation. It appeared together with sendmail AVCs (bug 2089175 and others) and they have the same occurrence count. Perhaps those are related to this?
(In reply to Kamil Páral from comment #4)
> I have no idea. How can I figure it out? I have a fairly stock F36
> Workstation installation.

I am afraid it will not be disclosed even with full auditing enabled and it is not worth the effort put into watch audit rules.

> It appeared together with sendmail AVCs (bug 2089175 and others) and they
> have the same occurrence count. Perhaps those are related to this?

Perhaps. Let's check again once bz#2089175 is addressed.

Similar problem has been detected:
used wifi at airport
hashmarkername: setroubleshoot
kernel:         5.17.11-300.fc36.x86_64
package:        selinux-policy-targeted-36.9-1.fc36.noarch
reason:         SELinux is preventing systemctl from 'read' accesses on the file labeled init_t.
type:           libreport

Similar problem has been detected:
used airport-wifi
hashmarkername: setroubleshoot
kernel:         5.17.11-300.fc36.x86_64
package:        selinux-policy-targeted-36.9-1.fc36.noarch
reason:         SELinux is preventing systemctl from 'read' accesses on the lnk_file root.
type:           libreport

Similar problem has been detected:
used airport-wifi
hashmarkername: setroubleshoot
kernel:         5.17.11-300.fc36.x86_64
package:        selinux-policy-targeted-36.9-1.fc36.noarch
reason:         SELinux is preventing systemctl from 'search' accesses on the directory 1.
type:           libreport

Similar problem has been detected:
in the USA I switched to the University-VPN in Europe
hashmarkername: setroubleshoot
kernel:         5.17.11-300.fc36.x86_64
package:        selinux-policy-targeted-36.9-1.fc36.noarch
reason:         SELinux is preventing systemctl from 'read' accesses on the file labeled init_t.
type:           libreport

Similar problem has been detected:
in the USA I switched to the University-VPN in Europe
hashmarkername: setroubleshoot
kernel:         5.17.11-300.fc36.x86_64
package:        selinux-policy-targeted-36.9-1.fc36.noarch
reason:         SELinux is preventing systemctl from 'read' accesses on the lnk_file root.
type:           libreport

Similar problem has been detected:
in the USA I switched to the University-VPN in Europe
hashmarkername: setroubleshoot
kernel:         5.17.11-300.fc36.x86_64
package:        selinux-policy-targeted-36.9-1.fc36.noarch
reason:         SELinux is preventing systemctl from 'search' accesses on the directory 1.
type:           libreport

Similar problem has been detected:
This happens at boot, even after "fixfiles onboot", together with another 10 AVCs.
hashmarkername: setroubleshoot
kernel:         5.17.11-300.fc36.x86_64
package:        selinux-policy-targeted-36.9-1.fc36.noarch
reason:         SELinux is preventing systemctl from 'search' accesses on the cartella 1.
type:           libreport

Similar problem has been detected:
This happens at boot, even after "fixfiles onboot", together with another 10 AVCs.
hashmarkername: setroubleshoot
kernel:         5.17.11-300.fc36.x86_64
package:        selinux-policy-targeted-36.9-1.fc36.noarch
reason:         SELinux is preventing systemctl from 'read' accesses on the lnk_file root.
type:           libreport

Similar problem has been detected:
This happens at boot, even after "fixfiles onboot", together with another 10 AVCs.
hashmarkername: setroubleshoot
kernel:         5.17.11-300.fc36.x86_64
package:        selinux-policy-targeted-36.9-1.fc36.noarch
reason:         SELinux is preventing systemctl from 'read' accesses on the file Sconosciuto.
type:           libreport

Similar problem has been detected:
Running a minikube cluster using docker (from the docker repo, not podman)
hashmarkername: setroubleshoot
kernel:         5.17.11-300.fc36.x86_64
package:        selinux-policy-targeted-36.9-1.fc36.noarch
reason:         SELinux is preventing systemctl from 'read' accesses on the file labeled init_t.
type:           libreport

I believe this issue will be gone with selinux-policy-36.10-1.fc36.noarch.
I believe this AVC has been addressed in the latest release:

# sesearch -A -s NetworkManager_dispatcher_custom_t -t init_t -c dir -p search
allow NetworkManager_dispatcher_custom_t init_t:dir { getattr open search };
# rpm -q selinux-policy
selinux-policy-36.10-1.fc36.noarch
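
The sesearch check in the last comment can be derived mechanically from the raw audit message in the report. The following is an added example, not part of the bug thread or of selinux-policy: the function names are made up for illustration, and the two sample strings are copied from the report and from the sesearch output above.

```python
import re
import shlex

# Sample input copied from this page: the raw AVC and the rule sesearch printed.
AVC = ('type=AVC msg=audit(1653290713.730:249): avc: denied { search } for '
       'pid=1396 comm="systemctl" name="1" dev="proc" ino=16751 '
       'scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 '
       'tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=1')
RULE = 'allow NetworkManager_dispatcher_custom_t init_t:dir { getattr open search };'

def parse_avc(line):
    """Extract the fields that identify a denial for a policy lookup."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}', line)
    if not m:
        raise ValueError('not an AVC denial')
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    return {
        'perms': set(m.group(1).split()),
        'comm': fields.get('comm', '').strip('"'),
        # A context is user:role:type:level; the type is always the third field.
        'source': fields['scontext'].split(':')[2],
        'target': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        # permissive=1 means the access was logged but not blocked.
        'permissive': fields.get('permissive') == '1',
    }

def sesearch_command(d):
    """Build the sesearch query asking whether policy allows the denied access."""
    args = ['sesearch', '-A', '-s', d['source'], '-t', d['target'],
            '-c', d['tclass'], '-p', ','.join(sorted(d['perms']))]
    return ' '.join(shlex.quote(a) for a in args)

def rule_covers(rule, d):
    """True if an 'allow' line from sesearch grants every denied permission.

    Only matches rules that name both types directly, not via attributes.
    """
    m = re.match(r'allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{([^}]*)\}|(\S+?));',
                 rule.strip())
    if not m:
        return False
    src, tgt, cls, braced, single = m.groups()
    granted = set((braced or single).split())
    return ((src, tgt, cls) == (d['source'], d['target'], d['tclass'])
            and d['perms'] <= granted)

if __name__ == '__main__':
    denial = parse_avc(AVC)
    print(sesearch_command(denial))
    print('covered by rule:', rule_covers(RULE, denial))
```

Run the printed command on the installed policy and feed each line of its output to rule_covers to confirm that an updated selinux-policy package actually resolves a given denial.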