Bug 2223571 - avc: denied { sendto write } for pid=518 comm="systemd-network"
Summary: avc: denied { sendto write } for pid=518 comm="systemd-network"
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 38
Hardware: Unspecified
OS: Linux
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL: https://cockpit-logs.us-east-1.linode...
Whiteboard: CockpitTest
Depends On:
Reported: 2023-07-18 10:02 UTC by Martin Pitt
Modified: 2023-08-01 02:49 UTC

Fixed In Version: selinux-policy-38.22-1.fc38
Clone Of:
Last Closed: 2023-08-01 02:49:20 UTC
Type: ---

System: Github
ID: fedora-selinux selinux-policy pull 1785
Private: 0
Priority: None
Status: Merged
Summary: Allow systemd_network_generator_t notify systemd manager
Last Updated: 2023-08-11 11:59:57 UTC

Description Martin Pitt 2023-07-18 10:02:30 UTC
With the recent updates of selinux-policy 38.21-1.fc38 [1] and systemd 253.7-1.fc38 [2], there are a lot of these two AVCs:

avc:  denied  { sendto } for  pid=518 comm="systemd-network" path="/run/systemd/journal/socket" scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0
avc:  denied  { write } for  pid=518 comm="systemd-network" name="kmsg" dev="devtmpfs" ino=10 scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0

[1] https://bodhi.fedoraproject.org/updates/FEDORA-2023-2663818afd
[2] https://bodhi.fedoraproject.org/updates/FEDORA-2023-b07a6a9665

Reproducible: Always

Full journal: https://cockpit-logs.us-east-1.linodeobjects.com/pull-5014-20230718-032330-b98bfddb-fedora-testing-daily-cockpit-project-cockpit/TestKdump-testBasic-fedora-testing-

Comment 1 Zdenek Pytela 2023-07-18 14:58:59 UTC
This seems to be a result of:

Changes in systemd and units:

    * A new service type Type=notify-reload is defined. When such a unit is
      reloaded a UNIX process signal (typically SIGHUP) is sent to the main
      service process. The manager will then wait until it receives a
      "RELOADING=1" followed by a "READY=1" notification from the unit as
      response (via sd_notify()). Otherwise, this type is the same as
      Type=notify. A new setting ReloadSignal= may be used to change the
      signal to send from the default of SIGHUP.

      user@.service, systemd-networkd.service, systemd-udevd.service, and
      systemd-logind have been updated to this type.

Comment 2 Fedora Update System 2023-07-25 17:23:31 UTC
FEDORA-2023-0b46b767d3 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-0b46b767d3

Comment 3 Fedora Update System 2023-07-26 02:09:50 UTC
FEDORA-2023-0b46b767d3 has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-0b46b767d3`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-0b46b767d3

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 4 Fedora Update System 2023-08-01 02:49:20 UTC
FEDORA-2023-0b46b767d3 has been pushed to the Fedora 38 stable repository.
If the problem still persists, please make note of it in this bug report.
