Running FreeIPA OpenQA tests, I see new AVCs with DNS server that haven't been there before. This is visible with tests in https://bodhi.fedoraproject.org/updates/FEDORA-2023-95e3fe4d76 update, for example. https://openqa.fedoraproject.org/tests/2024112/logfile?filename=_console_avc_crash-avcs.txt contains full list of AVCs. Some of those are already known and will be fixed in FreeIPA SELinux policy but named ones have to be fixed in the main SELinux policy.

Reproducible: Always

time->Thu Jul 20 08:06:44 2023
type=AVC msg=audit(1689854804.286:2011): avc: denied { sqpoll } for pid=8129 comm="named" scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=io_uring permissive=0
----
time->Thu Jul 20 08:06:44 2023
type=AVC msg=audit(1689854804.286:2012): avc: denied { sqpoll } for pid=8129 comm="named" scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=io_uring permissive=0
time->Thu Jul 20 08:15:59 2023
type=AVC msg=audit(1689855359.087:2239): avc: denied { ipc_lock } for pid=9623 comm="rndc" capability=14 scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:ndc_t:s0 tclass=capability permissive=0
----
time->Thu Jul 20 08:15:59 2023
type=AVC msg=audit(1689855359.087:2240): avc: denied { sqpoll } for pid=9623 comm="rndc" scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:ndc_t:s0 tclass=io_uring permissive=0
----
time->Thu Jul 20 08:15:59 2023
type=AVC msg=audit(1689855359.090:2241): avc: denied { ipc_lock } for pid=9623 comm="rndc" capability=14 scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:ndc_t:s0 tclass=capability permissive=0
----
time->Thu Jul 20 08:28:41 2023
type=AVC msg=audit(1689856121.389:101): avc: denied { sqpoll } for pid=1071 comm="named" scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=io_uring permissive=0
----
time->Thu Jul 20 08:28:41 2023
type=AVC msg=audit(1689856121.389:102): avc: denied { sqpoll } for pid=1071 comm="named" scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=io_uring permissive=0
Based on the SELinux denials shown in comment#0, I believe this BZ is a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=2223725.
Thank you, Milos. I didn't check whether those were already reported. However, this is in F38, not Rawhide.
*** This bug has been marked as a duplicate of bug 2223725 ***
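The denials in comment#0 repeat a small number of distinct (command, source type, target type, class, permission) tuples, and collapsing them makes it easier to compare one report against another when checking for duplicates. The following is an added example, not part of the original bug report or of any Fedora tooling; the function names are hypothetical and the sample holds four records copied from the report above.

```python
import re
from collections import Counter

# Sample: four AVC records taken from comment#0, laid out one per line.
SAMPLE = """\
time->Thu Jul 20 08:06:44 2023
type=AVC msg=audit(1689854804.286:2011): avc: denied { sqpoll } for pid=8129 comm="named" scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=io_uring permissive=0
----
type=AVC msg=audit(1689854804.286:2012): avc: denied { sqpoll } for pid=8129 comm="named" scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=io_uring permissive=0
----
type=AVC msg=audit(1689855359.087:2239): avc: denied { ipc_lock } for pid=9623 comm="rndc" capability=14 scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:ndc_t:s0 tclass=capability permissive=0
----
type=AVC msg=audit(1689855359.087:2240): avc: denied { sqpoll } for pid=9623 comm="rndc" scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:ndc_t:s0 tclass=io_uring permissive=0
"""

PERMS_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(chunk):
    """Return one (comm, source_type, target_type, class, perm) tuple per denied permission."""
    m = PERMS_RE.search(chunk)
    if not m:
        return []
    fields = {k: v.strip('"') for k, v in KV_RE.findall(chunk)}
    try:
        # An SELinux context is user:role:type:level; the type is the third field.
        src = fields["scontext"].split(":")[2]
        tgt = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return []  # truncated or malformed record: skip rather than guess
    comm = fields.get("comm", "?")
    return [(comm, src, tgt, tclass, perm) for perm in m.group(1).split()]


def summarize(text):
    """Count unique denials. Splitting on 'type=AVC' also copes with records
    that were pasted onto a single line."""
    counts = Counter()
    for chunk in text.split("type=AVC")[1:]:
        counts.update(parse_record(chunk))
    return counts


if __name__ == "__main__":
    for (comm, src, tgt, tclass, perm), n in sorted(summarize(SAMPLE).items()):
        print(f"{n}x {comm}: {src} -> {tgt} {tclass} {{ {perm} }}")
```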