Bug 2230226 - SELinux is preventing systemd-network-generator from operating
Summary: SELinux is preventing systemd-network-generator from operating
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 39
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: AcceptedFreezeException
: 2236394 (view as bug list)
Depends On:
Blocks: F39BetaFreezeException
Reported: 2023-08-09 03:13 UTC by Dusty Mabe
Modified: 2023-09-21 00:15 UTC

Fixed In Version: selinux-policy-38.27-1.fc39 selinux-policy-38.28-1.fc39
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-09-21 00:15:59 UTC
Type: ---
Embargoed:

Links

| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Github | fedora-selinux selinux-policy pull 1852 | 0 | None | open | Change file transition for systemd-network-generator | 2023-08-24 17:13:55 UTC |
| Github | fedora-selinux selinux-policy pull 1867 | 0 | None | open | Change systemd-network-generator transition to include the file class | 2023-09-08 20:13:04 UTC |

Description Dusty Mabe 2023-08-09 03:13:49 UTC
With systemd-254-1.fc39.x86_64 and selinux-policy-38.24-1.fc39.noarch the systemd-network-generator.service fails to start because of a denial:


```
Aug  8 20:58:06.081554 systemd[1]: Starting systemd-network-generator.service - Generate network units from Kernel command line...                                                                                                                                                                                       
Aug  8 20:58:06.081565 kernel: audit: type=1400 audit(1691528286.055:4): avc:  denied  { create } for  pid=1261 comm="systemd-network" name=".#networkf2c8a3f9bd4c10fb" scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=0                  
Aug  8 20:58:06.081575 systemd[1]: systemd-pcrmachine.service - TPM2 PCR Machine ID Measurement was skipped because of an unmet condition check (ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f).                                                                 
Aug  8 20:58:06.081599 systemd-journald[1259]: Collecting audit messages is disabled.                                                                                                                                                                                                                                    
Aug  8 20:58:06.081619 systemd[1]: Starting systemd-remount-fs.service - Remount Root and Kernel File Systems...                                                                                                                                                                                                         
Aug  8 20:58:06.081629 systemd-journald[1259]: Journal started                                                                                                                                                                                                                                                           
Aug  8 20:58:06.088731 systemd-journald[1259]: Runtime Journal (/run/log/journal/32079e7261794fdd93a0114d3d1a4a87) is 2.3M, max 18.9M, 16.5M free.                                                                                                                                                                       
Aug  8 20:58:06.088791 systemd[1]: Starting systemd-udev-trigger.service - Coldplug All udev Devices...                                                                                                                                                                                                                  
Aug  8 20:58:05.843566 systemd[1]: Queued start job for default target multi-user.target.                                                                                                                                                                                                                                
Aug  8 20:58:05.845859 systemd[1]: systemd-journald.service: Deactivated successfully.                                                                                                                                                                                                                                   
Aug  8 20:58:06.061723 systemd-network-generator[1261]: Failed to create temporary unit file in '/run/systemd/network': Permission denied                                                                                                                                                                                
Aug  8 20:58:06.065087 systemd-modules-load[1260]: Module 'msr' is built in                                                                                                                                                                                                                                              
Aug  8 20:58:06.091836 systemd[1]: Started systemd-journald.service - Journal Service.                                                                                                                                                                                                                                   
Aug  8 20:58:06.095439 systemd[1]: Mounted dev-hugepages.mount - Huge Pages File System.                                                                                                                                                                                                                                 
Aug  8 20:58:06.096936 systemd[1]: Mounted dev-mqueue.mount - POSIX Message Queue File System.                                                                                                                                                                                                                           
Aug  8 20:58:06.097755 systemd[1]: Mounted sys-kernel-debug.mount - Kernel Debug File System.                                                                                                                                                                                                                            
Aug  8 20:58:06.098707 systemd[1]: Mounted sys-kernel-tracing.mount - Kernel Trace File System.                                                                                                                                                                                                                          
Aug  8 20:58:06.099412 systemd[1]: Mounted tmp.mount - Temporary Directory /tmp.                                                                                                                                                                                                                                         
Aug  8 20:58:06.101926 systemd[1]: Finished coreos-printk-quiet.service - CoreOS: Set printk To Level 4 (warn).                                                                                                                                                                                                          
Aug  8 20:58:06.104815 systemd[1]: Finished kmod-static-nodes.service - Create List of Static Device Nodes.                                                                                                                                                                                                              
Aug  8 20:58:06.108857 systemd[1]: Finished lvm2-monitor.service - Monitoring of LVM2 mirrors, snapshots etc. using dmeventd or progress polling.                                                                                                                                                                        
Aug  8 20:58:06.110102 systemd[1]: modprobe: Deactivated successfully.                                                                                                                                                                                                                                  
Aug  8 20:58:06.111828 systemd[1]: Finished modprobe - Load Kernel Module configfs.                                                                                                                                                                                                                     
Aug  8 20:58:06.112876 systemd[1]: modprobe: Deactivated successfully.                                                                                                                                                                                                                                       
Aug  8 20:58:06.113811 systemd[1]: Finished modprobe - Load Kernel Module drm.                                                                                                                                                                                                                               
Aug  8 20:58:06.114672 systemd[1]: modprobe: Deactivated successfully.                                                                                                                                                                                                                                
Aug  8 20:58:06.115801 systemd[1]: Finished modprobe - Load Kernel Module efi_pstore.                                                                                                                                                                                                                 
Aug  8 20:58:06.116828 systemd[1]: modprobe: Deactivated successfully.                                                                                                                                                                                                                                      
Aug  8 20:58:06.117784 systemd[1]: Finished modprobe - Load Kernel Module fuse.                                                                                                                                                                                                                             
Aug  8 20:58:06.119796 systemd[1]: Finished systemd-modules-load.service - Load Kernel Modules.                                                                                                                                                                                                                          
Aug  8 20:58:06.121082 systemd[1]: systemd-network-generator.service: Main process exited, code=exited, status=1/FAILURE                                                                                                                                                                                                 
Aug  8 20:58:06.121187 systemd[1]: systemd-network-generator.service: Failed with result 'exit-code'.                                                                                                                                                                                                                    
Aug  8 20:58:06.122841 systemd[1]: Failed to start systemd-network-generator.service - Generate network units from Kernel command line.
```

Reproducible: Always

Steps to Reproduce:
1. Boot with nameserver=8.8.8.8 kernel argument, which activates systemd-network-generator.service

Actual Results:
SELinux denial and failed service.

Comment 1 Dusty Mabe 2023-08-09 03:15:08 UTC
Here are the logs when `enforcing=0` is set:

```
Aug 09 03:08:26 localhost systemd[1]: Starting systemd-network-generator.service - Generate network units from Kernel command line...                                                                                                                                                                                                                                                                                             
Aug 09 03:08:26 localhost systemd[1]: systemd-pcrmachine.service - TPM2 PCR Machine ID Measurement was skipped because of an unmet condition check (ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f).                                                                                                                                                                       
Aug 09 03:08:26 localhost systemd[1]: Starting systemd-remount-fs.service - Remount Root and Kernel File Systems...                                                                                              
Aug 09 03:08:26 localhost kernel: audit: type=1400 audit(1691550506.685:3): avc:  denied  { create } for  pid=1407 comm="systemd-network" name=".#networkd5359e0a3f14b5fc" scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1                                                                                                                        
Aug 09 03:08:26 localhost kernel: audit: type=1400 audit(1691550506.685:4): avc:  denied  { read write open } for  pid=1407 comm="systemd-network" path="/run/systemd/.#networkd5359e0a3f14b5fc" dev="tmpfs" ino=923 scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
Aug 09 03:08:26 localhost kernel: audit: type=1400 audit(1691550506.685:5): avc:  denied  { setattr } for  pid=1407 comm="systemd-network" name=".#networkd5359e0a3f14b5fc" dev="tmpfs" ino=923 scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
Aug 09 03:08:26 localhost kernel: audit: type=1400 audit(1691550506.685:6): avc:  denied  { getattr } for  pid=1407 comm="systemd-network" path="/run/systemd/.#networkd5359e0a3f14b5fc" dev="tmpfs" ino=923 scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
Aug 09 03:08:26 localhost kernel: audit: type=1400 audit(1691550506.685:7): avc:  denied  { rename } for  pid=1407 comm="systemd-network" name=".#networkd5359e0a3f14b5fc" dev="tmpfs" ino=923 scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
Aug 09 03:08:26 localhost systemd-journald[1405]: Collecting audit messages is disabled.                                                                                                                                                                                                                                 
Aug 09 03:08:26 localhost systemd[1]: Starting systemd-udev-trigger.service - Coldplug All udev Devices...                                                                                                       
Aug 09 03:08:26 localhost systemd[1]: Mounted dev-hugepages.mount - Huge Pages File System.                                                                                                                      
Aug 09 03:08:26 localhost systemd[1]: Mounted dev-mqueue.mount - POSIX Message Queue File System.                                                                                                                
Aug 09 03:08:26 localhost systemd[1]: Mounted sys-kernel-debug.mount - Kernel Debug File System.                                                                                                                                                           
Aug 09 03:08:26 localhost systemd[1]: Mounted sys-kernel-tracing.mount - Kernel Trace File System.                                                                                                                                                         
Aug 09 03:08:26 localhost systemd-journald[1405]: Journal started                                                                                                                                                                                          
Aug 09 03:08:26 localhost systemd-journald[1405]: Runtime Journal (/run/log/journal/a624e2326a624b8096a49b1024083a65) is 2.3M, max 18.8M, 16.5M free.                                                                                                      
Aug 09 03:08:26 localhost systemd[1]: Queued start job for default target multi-user.target.                                                                                                                                                                                                                             
Aug 09 03:08:26 localhost systemd[1]: Unnecessary job was removed for dev-virtio\\x2dports-mantlejournal.device.                                                                                                 
Aug 09 03:08:26 localhost systemd[1]: systemd-journald.service: Deactivated successfully.                                                                                                                        
Aug 09 03:08:26 localhost systemd-modules-load[1406]: Module 'msr' is built in                                                                                                                                   
Aug 09 03:08:26 localhost systemd[1]: Started systemd-journald.service - Journal Service.                                                                                                                        
Aug 09 03:08:26 localhost systemd[1]: Mounted tmp.mount - Temporary Directory /tmp.                                                                                                                                                                                                                                      
Aug 09 03:08:26 localhost systemd[1]: Finished coreos-printk-quiet.service - CoreOS: Set printk To Level 4 (warn).                                                                                                                                         
Aug 09 03:08:26 localhost systemd[1]: Finished kmod-static-nodes.service - Create List of Static Device Nodes.                                                                                                                                                                                                                                                                                                                    
Aug 09 03:08:26 localhost systemd[1]: Finished lvm2-monitor.service - Monitoring of LVM2 mirrors, snapshots etc. using dmeventd or progress polling.                                                                                                                                                                     
Aug 09 03:08:26 localhost systemd[1]: modprobe: Deactivated successfully.                                                                                                                                                                                                                               
Aug 09 03:08:26 localhost systemd[1]: Finished modprobe - Load Kernel Module configfs.                                                                                                                                                                                                                  
Aug 09 03:08:26 localhost systemd[1]: modprobe: Deactivated successfully.                                                                                                                                                                                                                                    
Aug 09 03:08:26 localhost systemd[1]: Finished modprobe - Load Kernel Module drm.                                                                                                                                                                                                                            
Aug 09 03:08:26 localhost systemd[1]: modprobe: Deactivated successfully.                                                                                                                                                                                                                             
Aug 09 03:08:26 localhost systemd[1]: Finished modprobe - Load Kernel Module efi_pstore.                                                                                                                                                                                                              
Aug 09 03:08:26 localhost systemd[1]: modprobe: Deactivated successfully.                                                                                                                           
Aug 09 03:08:26 localhost systemd[1]: Finished modprobe - Load Kernel Module fuse.                                                                                                                  
Aug 09 03:08:26 localhost systemd[1]: Finished systemd-modules-load.service - Load Kernel Modules.
Aug 09 03:08:26 localhost systemd[1]: Finished systemd-network-generator.service - Generate network units from Kernel command line.
```

Comment 2 Dusty Mabe 2023-08-09 03:18:04 UTC
cc @zbyszek

Comment 3 Milos Malik 2023-08-09 07:03:51 UTC
SELinux denial caught in enforcing mode:
```
----
type=PROCTITLE msg=audit(08/09/2023 03:02:23.438:115) : proctitle=/usr/lib/systemd/systemd-network-generator
type=PATH msg=audit(08/09/2023 03:02:23.438:115) : item=0 name=/run/systemd/ inode=2 dev=00:19 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(08/09/2023 03:02:23.438:115) : cwd=/
type=SYSCALL msg=audit(08/09/2023 03:02:23.438:115) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x56136b2b2ca0 a2=O_RDWR|O_CREAT|O_EXCL|O_NOCTTY|O_CLOEXEC a3=0x180 items=1 ppid=1 pid=860 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-network exe=/usr/lib/systemd/systemd-network-generator subj=system_u:system_r:systemd_network_generator_t:s0 key=(null)
type=AVC msg=audit(08/09/2023 03:02:23.438:115) : avc:  denied  { create } for  pid=860 comm=systemd-network name=.#network3c9a49d41d41a1c0 scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=0
----
```

```
# rpm -qa selinux\* systemd\* | sort
selinux-policy-38.22-1.fc39.noarch
selinux-policy-targeted-38.22-1.fc39.noarch
systemd-254-1.fc39.x86_64
systemd-libs-254-1.fc39.x86_64
systemd-networkd-254-1.fc39.x86_64
systemd-pam-254-1.fc39.x86_64
systemd-resolved-254-1.fc39.x86_64
systemd-udev-254-1.fc39.x86_64
#
```

Comment 4 Milos Malik 2023-08-09 07:06:46 UTC
SELinux denials caught in permissive mode:
```
----
type=PROCTITLE msg=audit(08/09/2023 03:04:03.671:119) : proctitle=/usr/lib/systemd/systemd-network-generator
type=PATH msg=audit(08/09/2023 03:04:03.671:119) : item=1 name=/run/systemd/.#network9498d551e123e9f4 inode=1144 dev=00:19 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(08/09/2023 03:04:03.671:119) : item=0 name=/run/systemd/ inode=2 dev=00:19 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(08/09/2023 03:04:03.671:119) : cwd=/
type=SYSCALL msg=audit(08/09/2023 03:04:03.671:119) : arch=x86_64 syscall=openat success=yes exit=4 a0=AT_FDCWD a1=0x559b2aa89ca0 a2=O_RDWR|O_CREAT|O_EXCL|O_NOCTTY|O_CLOEXEC a3=0x180 items=2 ppid=1 pid=889 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-network exe=/usr/lib/systemd/systemd-network-generator subj=system_u:system_r:systemd_network_generator_t:s0 key=(null)
type=AVC msg=audit(08/09/2023 03:04:03.671:119) : avc:  denied  { read write open } for  pid=889 comm=systemd-network path=/run/systemd/.#network9498d551e123e9f4 dev="tmpfs" ino=1144 scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(08/09/2023 03:04:03.671:119) : avc:  denied  { create } for  pid=889 comm=systemd-network name=.#network9498d551e123e9f4 scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(08/09/2023 03:04:03.672:120) : proctitle=/usr/lib/systemd/systemd-network-generator
type=PATH msg=audit(08/09/2023 03:04:03.672:120) : item=0 name=(null) inode=1144 dev=00:19 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(08/09/2023 03:04:03.672:120) : cwd=/
type=SYSCALL msg=audit(08/09/2023 03:04:03.672:120) : arch=x86_64 syscall=fchmod success=yes exit=0 a0=0x4 a1=0644 a2=0xfbada484 a3=0x180 items=1 ppid=1 pid=889 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-network exe=/usr/lib/systemd/systemd-network-generator subj=system_u:system_r:systemd_network_generator_t:s0 key=(null)
type=AVC msg=audit(08/09/2023 03:04:03.672:120) : avc:  denied  { setattr } for  pid=889 comm=systemd-network name=.#network9498d551e123e9f4 dev="tmpfs" ino=1144 scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(08/09/2023 03:04:03.672:121) : proctitle=/usr/lib/systemd/systemd-network-generator
type=PATH msg=audit(08/09/2023 03:04:03.672:121) : item=0 name= inode=1144 dev=00:19 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(08/09/2023 03:04:03.672:121) : cwd=/
type=SYSCALL msg=audit(08/09/2023 03:04:03.672:121) : arch=x86_64 syscall=newfstatat success=yes exit=0 a0=0x4 a1=0x7fc5757a0bce a2=0x7ffc33919c90 a3=0x1000 items=1 ppid=1 pid=889 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-network exe=/usr/lib/systemd/systemd-network-generator subj=system_u:system_r:systemd_network_generator_t:s0 key=(null)
type=AVC msg=audit(08/09/2023 03:04:03.672:121) : avc:  denied  { getattr } for  pid=889 comm=systemd-network path=/run/systemd/.#network9498d551e123e9f4 dev="tmpfs" ino=1144 scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(08/09/2023 03:04:03.672:122) : proctitle=/usr/lib/systemd/systemd-network-generator
type=PATH msg=audit(08/09/2023 03:04:03.672:122) : item=3 name=/run/systemd/network/91-default.network inode=1144 dev=00:19 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(08/09/2023 03:04:03.672:122) : item=2 name=/run/systemd/.#network9498d551e123e9f4 inode=1144 dev=00:19 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(08/09/2023 03:04:03.672:122) : item=1 name=/run/systemd/ inode=2 dev=00:19 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(08/09/2023 03:04:03.672:122) : item=0 name=/run/systemd/network/ inode=496 dev=00:19 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(08/09/2023 03:04:03.672:122) : cwd=/
type=SYSCALL msg=audit(08/09/2023 03:04:03.672:122) : arch=x86_64 syscall=renameat success=yes exit=0 a0=AT_FDCWD a1=0x559b2aa89ca0 a2=AT_FDCWD a3=0x559b2aa8b010 items=4 ppid=1 pid=889 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-network exe=/usr/lib/systemd/systemd-network-generator subj=system_u:system_r:systemd_network_generator_t:s0 key=(null)
type=AVC msg=audit(08/09/2023 03:04:03.672:122) : avc:  denied  { rename } for  pid=889 comm=systemd-network name=.#network9498d551e123e9f4 dev="tmpfs" ino=1144 scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
----
```

```
# ls -RlZ /run/systemd/network/
/run/systemd/network/:
total 4
-rw-r--r--. 1 root root system_u:object_r:init_var_run_t:s0 110 Aug  9 03:04 91-default.network
#
```

Comment 5 Milos Malik 2023-08-09 07:08:05 UTC
One more thing:

```
# restorecon -Rv /run/systemd/
Relabeled /run/systemd/network/91-default.network from system_u:object_r:init_var_run_t:s0 to system_u:object_r:net_conf_t:s0
#
```

Comment 6 Zdenek Pytela 2023-08-09 11:54:13 UTC
The policy contains the following file transition:

```
f38# sesearch -T -s systemd_network_generator_t -t init_var_run_t
type_transition systemd_network_generator_t init_var_run_t:dir net_conf_t network;
```

but it supposedly does not apply since a file with an unpredictable name is used before renaming:

```
type=PATH msg=audit(08/09/2023 03:04:03.671:119) : item=1 name=/run/systemd/.#network9498d551e123e9f4 inode=1144 dev=00:19 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=CREATE cap_fp=none cap_fi=none
```
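
Added example, not part of the original comment or of the selinux-policy sources: a small Python model of how the type of a newly created object is chosen, applied to the rule from Comment 6 and the AVC record from Comment 3. The parent directory type is taken from the PATH record for /run/systemd/; the unnamed file-class rule is a hypothetical illustration, not the rule from the linked pull requests.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Rule exactly as printed by sesearch in Comment 6.
F38_RULE = ("type_transition systemd_network_generator_t "
            "init_var_run_t:dir net_conf_t network;")
# Hypothetical unnamed rule for class "file": an assumption for illustration,
# not the text of the linked pull requests.
HYPOTHETICAL_FILE_RULE = ("type_transition systemd_network_generator_t "
                          "init_var_run_t:file net_conf_t;")
# AVC record copied from Comment 3 (enforcing mode).
AVC_COMMENT_3 = (
    "type=AVC msg=audit(08/09/2023 03:02:23.438:115) : avc:  denied  { create } "
    "for  pid=860 comm=systemd-network name=.#network3c9a49d41d41a1c0 "
    "scontext=system_u:system_r:systemd_network_generator_t:s0 "
    "tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=0"
)
# Type of /run/systemd/, from the PATH record with nametype=PARENT in Comment 3.
PARENT_DIR_TYPE = "init_var_run_t"

RULE_RE = re.compile(
    r'type_transition\s+(\S+)\s+(\S+):(\S+)\s+(\S+?)(?:\s+"?([^";\s]+)"?)?\s*;'
)


@dataclass(frozen=True)
class Transition:
    source: str            # domain of the creating process
    parent: str            # type of the directory the object is created in
    tclass: str            # object class the rule applies to
    new_type: str          # type given to the new object
    name: Optional[str]    # last path component to match, None if unnamed


def parse_rule(text: str) -> Transition:
    """Parse one type_transition line in sesearch output format."""
    m = RULE_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not a type_transition rule: {text!r}")
    return Transition(*m.groups())


def parse_avc(line: str) -> Dict[str, object]:
    """Extract permissions, object name, class and both types from an AVC line."""
    perms = re.search(r"denied\s+\{\s*([^}]*?)\s*\}", line)
    if perms is None:
        raise ValueError("no 'denied { ... }' clause found")
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    return {
        "perms": perms.group(1).split(),
        "name": fields.get("name"),
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def new_object_type(rules, source, parent_type, tclass, name) -> str:
    """A named rule (exact name match) wins, then an unnamed rule, else the parent's type."""
    named = unnamed = None
    for r in rules:
        if (r.source, r.parent, r.tclass) != (source, parent_type, tclass):
            continue
        if r.name is None:
            unnamed = r.new_type
        elif r.name == name:
            named = r.new_type
    return named or unnamed or parent_type


def label_for_denied_create(avc_line, rules, parent_type=PARENT_DIR_TYPE) -> str:
    """Type the model assigns to the object whose creation the AVC line reports."""
    avc = parse_avc(avc_line)
    return new_object_type(rules, avc["source"], parent_type, avc["tclass"], avc["name"])


if __name__ == "__main__":
    f38 = [parse_rule(F38_RULE)]
    avc = parse_avc(AVC_COMMENT_3)
    print("temp file name:          ", avc["name"])
    print("type under F38 rule:     ", label_for_denied_create(AVC_COMMENT_3, f38))
    print("type logged in tcontext: ", avc["target"])
    print("dir 'network' under F38: ",
          new_object_type(f38, avc["source"], PARENT_DIR_TYPE, "dir", "network"))
    both = f38 + [parse_rule(HYPOTHETICAL_FILE_RULE)]
    print("type with unnamed file rule:", label_for_denied_create(AVC_COMMENT_3, both))
```

A rename does not change a file's label, which is consistent with 91-default.network still carrying init_var_run_t in Comment 4 until restorecon relabels it in Comment 5.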

Comment 7 Fedora Release Engineering 2023-08-16 08:14:06 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle.
Changing version to 39.

Comment 8 Fedora Blocker Bugs Application 2023-08-21 16:10:11 UTC
Proposed as a Freeze Exception for 39-beta by Fedora user dustymabe using the blocker tracking app because:

 SELinux denials exist when providing kernel arguments affecting networking configuration. For example, `nameserver=8.8.8.8`.

Comment 9 Adam Williamson 2023-08-27 16:36:20 UTC
+4 in https://pagure.io/fedora-qa/blocker-review/issue/1179 , marking accepted.

Comment 10 Michael Armijo 2023-08-30 18:20:13 UTC
Just an update, today we are still seeing these denials.

```
$ rpm -qa selinux\* systemd\* | sort
selinux-policy-38.25-1.fc39.noarch
selinux-policy-targeted-38.25-1.fc39.noarch
systemd-254.1-2.fc39.x86_64
systemd-container-254.1-2.fc39.x86_64
systemd-libs-254.1-2.fc39.x86_64
systemd-pam-254.1-2.fc39.x86_64
systemd-resolved-254.1-2.fc39.x86_64
systemd-udev-254.1-2.fc39.x86_64
```


Output seen in enforcing mode:

Aug 30 18:10:58 localhost systemd[1]: Starting systemd-network-generator.service - Generate network units from Kernel command line...
Aug 30 18:10:58 localhost systemd[1]: systemd-pcrmachine.service - TPM2 PCR Machine ID Measurement was skipped because of an unmet condition check (ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f).
Aug 30 18:10:58 localhost systemd[1]: Starting systemd-remount-fs.service - Remount Root and Kernel File Systems...
Aug 30 18:10:58 localhost kernel: audit: type=1400 audit(1693419058.397:4): avc:  denied  { create } for  pid=1357 comm="systemd-network" name=".#network4de9c616e0b3b481" scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=0
Aug 30 18:10:58 localhost systemd-journald[1355]: Collecting audit messages is disabled.
Aug 30 18:10:58 localhost systemd[1]: Starting systemd-udev-trigger.service - Coldplug All udev Devices...
Aug 30 18:10:58 localhost systemd-journald[1355]: Journal started
Aug 30 18:10:58 localhost systemd-journald[1355]: Runtime Journal (/run/log/journal/7a020d25ee27478d965c184ad58a4f1b) is 2.3M, max 18.9M, 16.5M free.
Aug 30 18:10:58 localhost systemd[1]: Queued start job for default target multi-user.target.
Aug 30 18:10:58 localhost systemd[1]: Unnecessary job was removed for dev-virtio\\x2dports-mantlejournal.device.
Aug 30 18:10:58 localhost systemd[1]: systemd-journald.service: Deactivated successfully.
Aug 30 18:10:58 localhost systemd-network-generator[1357]: Failed to create temporary unit file in '/run/systemd/network': Permission denied
Aug 30 18:10:58 localhost systemd-modules-load[1356]: Module 'msr' is built in
Aug 30 18:10:58 localhost systemd[1]: Started systemd-journald.service - Journal Service.
Aug 30 18:10:58 localhost systemd[1]: Mounted dev-hugepages.mount - Huge Pages File System.
Aug 30 18:10:58 localhost systemd[1]: Mounted dev-mqueue.mount - POSIX Message Queue File System.
Aug 30 18:10:58 localhost systemd[1]: Mounted sys-kernel-debug.mount - Kernel Debug File System.
Aug 30 18:10:58 localhost systemd[1]: Mounted sys-kernel-tracing.mount - Kernel Trace File System.
Aug 30 18:10:58 localhost systemd[1]: Mounted tmp.mount - Temporary Directory /tmp.
Aug 30 18:10:58 localhost systemd[1]: Finished coreos-printk-quiet.service - CoreOS: Set printk To Level 4 (warn).
Aug 30 18:10:58 localhost systemd[1]: Finished kmod-static-nodes.service - Create List of Static Device Nodes.
Aug 30 18:10:58 localhost systemd[1]: Finished lvm2-monitor.service - Monitoring of LVM2 mirrors, snapshots etc. using dmeventd or progress polling.
Aug 30 18:10:58 localhost systemd[1]: modprobe: Deactivated successfully.
Aug 30 18:10:58 localhost systemd[1]: Finished modprobe - Load Kernel Module configfs.
Aug 30 18:10:58 localhost systemd[1]: modprobe: Deactivated successfully.
Aug 30 18:10:58 localhost systemd[1]: Finished modprobe - Load Kernel Module drm.
Aug 30 18:10:58 localhost systemd[1]: modprobe: Deactivated successfully.
Aug 30 18:10:58 localhost systemd[1]: Finished modprobe - Load Kernel Module efi_pstore.
Aug 30 18:10:58 localhost systemd[1]: modprobe: Deactivated successfully.
Aug 30 18:10:58 localhost systemd[1]: Finished modprobe - Load Kernel Module fuse.
Aug 30 18:10:58 localhost systemd[1]: Finished systemd-modules-load.service - Load Kernel Modules. 
Aug 30 18:10:58 localhost systemd[1]: systemd-network-generator.service: Main process exited, code=exited, status=1/FAILURE
Aug 30 18:10:58 localhost systemd[1]: systemd-network-generator.service: Failed with result 'exit-code'.
Aug 30 18:10:58 localhost systemd[1]: Failed to start systemd-network-generator.service - Generate network units from Kernel command line.

Comment 11 Michael Armijo 2023-08-30 18:20:37 UTC
Running in permissive mode, I see these denials:


Aug 30 18:17:58 localhost systemd[1]: Starting systemd-network-generator.service - Generate network units from Kernel command line...
Aug 30 18:17:58 localhost systemd[1]: systemd-pcrmachine.service - TPM2 PCR Machine ID Measurement was skipped because of an unmet condition check (ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f).
Aug 30 18:17:58 localhost systemd-journald[1364]: Collecting audit messages is disabled.
Aug 30 18:17:58 localhost kernel: audit: type=1400 audit(1693419478.475:3): avc:  denied  { create } for  pid=1366 comm="systemd-network" name=".#network4d917899fcd776aa" scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
Aug 30 18:17:58 localhost systemd[1]: Starting systemd-remount-fs.service - Remount Root and Kernel File Systems...
Aug 30 18:17:58 localhost kernel: audit: type=1400 audit(1693419478.475:4): avc:  denied  { read write open } for  pid=1366 comm="systemd-network" path="/run/systemd/.#network4d917899fcd776aa" dev="tmpfs" ino=920 scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
Aug 30 18:17:58 localhost kernel: audit: type=1400 audit(1693419478.475:5): avc:  denied  { setattr } for  pid=1366 comm="systemd-network" name=".#network4d917899fcd776aa" dev="tmpfs" ino=920 scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
Aug 30 18:17:58 localhost kernel: audit: type=1400 audit(1693419478.475:6): avc:  denied  { getattr } for  pid=1366 comm="systemd-network" path="/run/systemd/.#network4d917899fcd776aa" dev="tmpfs" ino=920 scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
Aug 30 18:17:58 localhost kernel: audit: type=1400 audit(1693419478.475:7): avc:  denied  { rename } for  pid=1366 comm="systemd-network" name=".#network4d917899fcd776aa" dev="tmpfs" ino=920 scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
Aug 30 18:17:58 localhost systemd-journald[1364]: Journal started
Aug 30 18:17:58 localhost systemd-journald[1364]: Runtime Journal (/run/log/journal/1468a1f608d64aabb80509cfe531725f) is 2.3M, max 18.9M, 16.5M free.
Aug 30 18:17:58 localhost systemd[1]: Queued start job for default target multi-user.target.
Aug 30 18:17:58 localhost systemd[1]: Unnecessary job was removed for dev-virtio\\x2dports-mantlejournal.device.
Aug 30 18:17:58 localhost systemd[1]: systemd-journald.service: Deactivated successfully.   
Aug 30 18:17:58 localhost systemd-modules-load[1365]: Module 'msr' is built in
Aug 30 18:17:58 localhost systemd[1]: Starting systemd-udev-trigger.service - Coldplug All udev Devices...
Aug 30 18:17:58 localhost systemd[1]: Started systemd-journald.service - Journal Service.
Aug 30 18:17:58 localhost systemd[1]: Mounted dev-hugepages.mount - Huge Pages File System.
Aug 30 18:17:58 localhost systemd[1]: Mounted dev-mqueue.mount - POSIX Message Queue File System.
Aug 30 18:17:58 localhost systemd[1]: Mounted sys-kernel-debug.mount - Kernel Debug File System.
Aug 30 18:17:58 localhost systemd[1]: Mounted sys-kernel-tracing.mount - Kernel Trace File System.
Aug 30 18:17:58 localhost systemd[1]: Mounted tmp.mount - Temporary Directory /tmp.
Aug 30 18:17:58 localhost systemd[1]: Finished coreos-printk-quiet.service - CoreOS: Set printk To Level 4 (warn).
Aug 30 18:17:58 localhost systemd[1]: Finished kmod-static-nodes.service - Create List of Static Device Nodes.
Aug 30 18:17:58 localhost systemd[1]: Finished lvm2-monitor.service - Monitoring of LVM2 mirrors, snapshots etc. using dmeventd or progress polling.
Aug 30 18:17:58 localhost systemd[1]: modprobe: Deactivated successfully.
Aug 30 18:17:58 localhost systemd[1]: Finished modprobe - Load Kernel Module configfs.
Aug 30 18:17:58 localhost systemd[1]: modprobe: Deactivated successfully.
Aug 30 18:17:58 localhost systemd[1]: Finished modprobe - Load Kernel Module drm.
Aug 30 18:17:58 localhost systemd[1]: modprobe: Deactivated successfully.
Aug 30 18:17:58 localhost systemd[1]: Finished modprobe - Load Kernel Module efi_pstore.
Aug 30 18:17:58 localhost systemd[1]: modprobe: Deactivated successfully.
Aug 30 18:17:58 localhost systemd[1]: Finished modprobe - Load Kernel Module fuse.
Aug 30 18:17:58 localhost systemd[1]: Finished systemd-modules-load.service - Load Kernel Modules.
Aug 30 18:17:58 localhost systemd[1]: Finished systemd-network-generator.service - Generate network units from Kernel command line.

Comment 12 Michael Armijo 2023-08-30 18:56:44 UTC
Quick update, the output above is from an f39 system. 
Please see below for a rawhide output with similar denials, but note the new "avc:  denied  { dac_override }"


rpm -qa selinux\* systemd\* | sort
selinux-policy-38.26-1.fc40.noarch
selinux-policy-targeted-38.26-1.fc40.noarch
systemd-254.1-2.fc40.x86_64
systemd-container-254.1-2.fc40.x86_64
systemd-libs-254.1-2.fc40.x86_64
systemd-pam-254.1-2.fc40.x86_64
systemd-resolved-254.1-2.fc40.x86_64
systemd-udev-254.1-2.fc40.x86_64


Seen in enforcing mode:

Aug 30 18:54:08 localhost systemd[1]: Starting systemd-network-generator.service - Generate network units from Kernel command line...
Aug 30 18:54:08 localhost systemd[1]: systemd-pcrmachine.service - TPM2 PCR Machine ID Measurement was skipped because of an unmet condition check (ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f).
Aug 30 18:54:08 localhost kernel: audit: type=1400 audit(1693421648.496:4): avc:  denied  { create } for  pid=1374 comm="systemd-network" name=".#network88b194ebc022aac1" scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=0
Aug 30 18:54:08 localhost systemd[1]: Starting systemd-remount-fs.service - Remount Root and Kernel File Systems...
Aug 30 18:54:08 localhost systemd-journald[1372]: Collecting audit messages is disabled.
Aug 30 18:54:08 localhost systemd-journald[1372]: Journal started
Aug 30 18:54:08 localhost systemd-journald[1372]: Runtime Journal (/run/log/journal/573e6165b06149b5a12204c35a2d82ea) is 2.3M, max 19.1M, 16.7M free.
Aug 30 18:54:08 localhost systemd[1]: Queued start job for default target multi-user.target.
Aug 30 18:54:08 localhost systemd[1]: Unnecessary job was removed for dev-virtio\\x2dports-mantlejournal.device.
Aug 30 18:54:08 localhost systemd[1]: systemd-journald.service: Deactivated successfully.
Aug 30 18:54:08 localhost systemd-modules-load[1373]: Module 'msr' is built in
Aug 30 18:54:08 localhost systemd-network-generator[1374]: Failed to create temporary unit file in '/run/systemd/network': Permission denied
Aug 30 18:54:08 localhost systemd[1]: Starting systemd-udev-trigger.service - Coldplug All udev Devices...
Aug 30 18:54:08 localhost systemd[1]: Started systemd-journald.service - Journal Service.
Aug 30 18:54:08 localhost systemd[1]: Mounted dev-hugepages.mount - Huge Pages File System.
Aug 30 18:54:08 localhost systemd[1]: Mounted dev-mqueue.mount - POSIX Message Queue File System.
Aug 30 18:54:08 localhost systemd[1]: Mounted sys-kernel-debug.mount - Kernel Debug File System.
Aug 30 18:54:08 localhost systemd[1]: Mounted sys-kernel-tracing.mount - Kernel Trace File System.
Aug 30 18:54:08 localhost systemd[1]: Mounted tmp.mount - Temporary Directory /tmp.
Aug 30 18:54:08 localhost systemd[1]: Finished coreos-printk-quiet.service - CoreOS: Set printk To Level 4 (warn).
Aug 30 18:54:08 localhost systemd[1]: Finished kmod-static-nodes.service - Create List of Static Device Nodes.
Aug 30 18:54:08 localhost systemd[1]: Finished lvm2-monitor.service - Monitoring of LVM2 mirrors, snapshots etc. using dmeventd or progress polling.
Aug 30 18:54:08 localhost systemd[1]: modprobe: Deactivated successfully.
Aug 30 18:54:08 localhost systemd[1]: Finished modprobe - Load Kernel Module configfs.
Aug 30 18:54:08 localhost systemd[1]: modprobe: Deactivated successfully.
Aug 30 18:54:08 localhost systemd[1]: Finished modprobe - Load Kernel Module drm.
Aug 30 18:54:08 localhost systemd[1]: modprobe: Deactivated successfully.
Aug 30 18:54:08 localhost systemd[1]: Finished modprobe - Load Kernel Module efi_pstore.
Aug 30 18:54:08 localhost systemd[1]: modprobe: Deactivated successfully.
Aug 30 18:54:08 localhost systemd[1]: Finished modprobe - Load Kernel Module fuse.
Aug 30 18:54:08 localhost systemd[1]: Finished systemd-modules-load.service - Load Kernel Modules.
Aug 30 18:54:08 localhost systemd[1]: systemd-network-generator.service: Main process exited, code=exited, status=1/FAILURE
Aug 30 18:54:08 localhost systemd[1]: systemd-network-generator.service: Failed with result 'exit-code'.
Aug 30 18:54:08 localhost systemd[1]: Failed to start systemd-network-generator.service - Generate network units from Kernel command line.
Aug 30 18:54:08 localhost systemd[1]: Finished systemd-remount-fs.service - Remount Root and Kernel File Systems.
Aug 30 18:54:08 localhost systemd[1]: Finished systemd-udev-trigger.service - Coldplug All udev Devices.
Aug 30 18:54:08 localhost systemd[1]: Reached target network-pre.target - Preparation for Network.
Aug 30 18:54:08 localhost systemd[1]: Mounting sys-fs-fuse-connections.mount - FUSE Control File System...
Aug 30 18:54:08 localhost systemd[1]: iscsi-onboot.service - Special handling of early boot iSCSI sessions was skipped because of an unmet condition check (ConditionDirectoryNotEmpty=/sys/class/iscsi_session).
Aug 30 18:54:08 localhost systemd[1]: multipathd.service - Device-Mapper Multipath Device Controller was skipped because of an unmet condition check (ConditionPathExists=/etc/multipath.conf).
Aug 30 18:54:08 localhost systemd[1]: Starting systemd-hwdb-update.service - Rebuild Hardware Database...
Aug 30 18:54:08 localhost systemd[1]: Starting systemd-sysctl.service - Apply Kernel Variables...
Aug 30 18:54:08 localhost systemd[1]: Starting systemd-sysusers.service - Create System Users...
Aug 30 18:54:08 localhost systemd[1]: Starting systemd-tmpfiles-setup-dev.service - Create Static Device Nodes in /dev...
Aug 30 18:54:08 localhost systemd[1]: Mounted sys-fs-fuse-connections.mount - FUSE Control File System.
Aug 30 18:54:08 localhost systemd-sysusers[1396]: /usr/lib/sysusers.d/20-setup-groups.conf:24: Conflict with earlier configuration for group 'nobody' in /usr/lib/sysusers.d/00-coreos-nobody.conf:8, ignoring line.
Aug 30 18:54:08 localhost systemd-sysusers[1396]: /usr/lib/sysusers.d/20-setup-users.conf:13: Conflict with earlier configuration for user 'nobody' in /usr/lib/sysusers.d/00-coreos-nobody.conf:9, ignoring line.
Aug 30 18:54:08 localhost systemd-sysusers[1396]: /usr/lib/sysusers.d/basic.conf:13: Conflict with earlier configuration for group 'nobody' in /usr/lib/sysusers.d/00-coreos-nobody.conf:8, ignoring line.
Aug 30 18:54:08 localhost systemd-sysusers[1396]: /usr/lib/sysusers.d/basic.conf:14: Conflict with earlier configuration for user 'nobody' in /usr/lib/sysusers.d/00-coreos-nobody.conf:9, ignoring line.
Aug 30 18:54:08 localhost systemd-sysusers[1396]: /usr/lib/sysusers.d/chrony.conf:2: Conflict with earlier configuration for user 'chrony' in /usr/lib/sysusers.d/00-coreos-static.conf:21, ignoring line.
Aug 30 18:54:08 localhost systemd-sysusers[1396]: /usr/lib/sysusers.d/dbus.conf:2: Conflict with earlier configuration for user 'dbus' in /usr/lib/sysusers.d/10-static-extra.conf:19, ignoring line.
Aug 30 18:54:08 localhost systemd-sysusers[1396]: /usr/lib/sysusers.d/openssh-server.conf:2: Conflict with earlier configuration for user 'sshd' in /usr/lib/sysusers.d/10-static-extra.conf:23, ignoring line.
Aug 30 18:54:08 localhost systemd-sysusers[1396]: /usr/lib/sysusers.d/systemd-resolve.conf:8: Conflict with earlier configuration for user 'systemd-resolve' in /usr/lib/sysusers.d/00-coreos-static.conf:31, ignoring line.
Aug 30 18:54:08 localhost systemd-sysusers[1396]: /usr/lib/sysusers.d/systemd-timesync.conf:8: Conflict with earlier configuration for user 'systemd-timesync' in /usr/lib/sysusers.d/00-coreos-static.conf:32, ignoring line.
Aug 30 18:54:08 localhost systemd[1]: Finished systemd-sysctl.service - Apply Kernel Variables.
Aug 30 18:54:08 localhost systemd[1]: Finished systemd-tmpfiles-setup-dev.service - Create Static Device Nodes in /dev.
Aug 30 18:54:08 localhost systemd[1]: Reached target local-fs-pre.target - Preparation for Local File Systems.
Aug 30 18:54:08 localhost systemd[1]: Mounting var.mount - /var...
Aug 30 18:54:08 localhost systemd[1]: Starting systemd-userdbd.service - User Database Manager...
Aug 30 18:54:08 localhost systemd[1]: Mounted var.mount - /var.
Aug 30 18:54:08 localhost systemd[1]: var-lib-machines.mount - Virtual Machine and Container Storage (Compatibility) was skipped because of an unmet condition check (ConditionPathExists=/var/lib/machines.raw).
Aug 30 18:54:08 localhost systemd[1]: Reached target machines.target - Containers.
Aug 30 18:54:08 localhost systemd[1]: Starting coreos-populate-lvmdevices.service - CoreOS Populate LVM Devices File...
Aug 30 18:54:08 localhost systemd[1]: iscsi-starter.service was skipped because of an unmet condition check (ConditionDirectoryNotEmpty=/var/lib/iscsi/nodes).
Aug 30 18:54:08 localhost systemd[1]: Starting ostree-remount.service - OSTree Remount OS/ Bind Mounts...
Aug 30 18:54:08 localhost systemd[1]: systemd-pstore.service - Platform Persistent Storage Archival was skipped because of an unmet condition check (ConditionDirectoryNotEmpty=/sys/fs/pstore).
Aug 30 18:54:08 localhost systemd[1]: Finished ostree-remount.service - OSTree Remount OS/ Bind Mounts.
Aug 30 18:54:08 localhost systemd[1]: Started systemd-userdbd.service - User Database Manager.
Aug 30 18:54:08 localhost systemd[1]: Starting systemd-journal-flush.service - Flush Journal to Persistent Storage...
Aug 30 18:54:08 localhost systemd[1]: Starting systemd-random-seed.service - Load/Save OS Random Seed...
Aug 30 18:54:08 localhost systemd-journald[1372]: Time spent on flushing to /var/log/journal/573e6165b06149b5a12204c35a2d82ea is 9.155ms for 1285 entries.
Aug 30 18:54:08 localhost systemd-journald[1372]: System Journal (/var/log/journal/573e6165b06149b5a12204c35a2d82ea) is 8.0M, max 966.3M, 958.3M free.
Aug 30 18:54:08 localhost systemd-journald[1372]: Received client request to flush runtime journal.
Aug 30 18:54:08 localhost coreos-populate-lvmdevices[1408]: No LVM devices detected. Exiting.
Aug 30 18:54:08 localhost systemd[1]: Finished systemd-sysusers.service - Create System Users.
Aug 30 18:54:08 localhost systemd[1]: Finished systemd-journal-flush.service - Flush Journal to Persistent Storage.
Aug 30 18:54:08 localhost systemd[1]: Finished systemd-random-seed.service - Load/Save OS Random Seed.
Aug 30 18:54:08 localhost systemd[1]: Finished coreos-populate-lvmdevices.service - CoreOS Populate LVM Devices File.
Aug 30 18:54:08 localhost kernel: audit: type=1400 audit(1693421648.925:5): avc:  denied  { dac_override } for  pid=1394 comm="systemd-hwdb" capability=1  scontext=system_u:system_r:systemd_hwdb_t:s0 tcontext=system_u:system_r:systemd_hwdb_t:s0 tclass=capability permissive=0





Seen in permissive mode:


Aug 30 18:51:57 localhost systemd[1]: Starting systemd-network-generator.service - Generate network units from Kernel command line...
Aug 30 18:51:57 localhost systemd[1]: systemd-pcrmachine.service - TPM2 PCR Machine ID Measurement was skipped because of an unmet condition check (ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f).
Aug 30 18:51:57 localhost kernel: audit: type=1400 audit(1693421517.400:3): avc:  denied  { create } for  pid=1364 comm="systemd-network" name=".#network2e1b458055d36b78" scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
Aug 30 18:51:57 localhost systemd[1]: Starting systemd-remount-fs.service - Remount Root and Kernel File Systems...
Aug 30 18:51:57 localhost kernel: audit: type=1400 audit(1693421517.400:4): avc:  denied  { read write open } for  pid=1364 comm="systemd-network" path="/run/systemd/.#network2e1b458055d36b78" dev="tmpfs" ino=919 scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
Aug 30 18:51:57 localhost kernel: audit: type=1400 audit(1693421517.400:5): avc:  denied  { setattr } for  pid=1364 comm="systemd-network" name=".#network2e1b458055d36b78" dev="tmpfs" ino=919 scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
Aug 30 18:51:57 localhost kernel: audit: type=1400 audit(1693421517.400:6): avc:  denied  { getattr } for  pid=1364 comm="systemd-network" path="/run/systemd/.#network2e1b458055d36b78" dev="tmpfs" ino=919 scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
Aug 30 18:51:57 localhost kernel: audit: type=1400 audit(1693421517.400:7): avc:  denied  { rename } for  pid=1364 comm="systemd-network" name=".#network2e1b458055d36b78" dev="tmpfs" ino=919 scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
Aug 30 18:51:57 localhost systemd-journald[1362]: Collecting audit messages is disabled.
Aug 30 18:51:57 localhost systemd[1]: Starting systemd-udev-trigger.service - Coldplug All udev Devices...
Aug 30 18:51:57 localhost systemd-journald[1362]: Journal started
Aug 30 18:51:57 localhost systemd-journald[1362]: Runtime Journal (/run/log/journal/20e68272d45a4be980e3b9b2ca965859) is 2.3M, max 19.1M, 16.7M free.
Aug 30 18:51:57 localhost systemd[1]: Queued start job for default target multi-user.target.
Aug 30 18:51:57 localhost systemd[1]: Unnecessary job was removed for dev-virtio\\x2dports-mantlejournal.device.
Aug 30 18:51:57 localhost systemd[1]: systemd-journald.service: Deactivated successfully.
Aug 30 18:51:57 localhost systemd-modules-load[1363]: Module 'msr' is built in
Aug 30 18:51:57 localhost systemd[1]: Started systemd-journald.service - Journal Service.
Aug 30 18:51:57 localhost systemd[1]: Mounted dev-hugepages.mount - Huge Pages File System.
Aug 30 18:51:57 localhost systemd[1]: Mounted dev-mqueue.mount - POSIX Message Queue File System.
Aug 30 18:51:57 localhost systemd[1]: Mounted sys-kernel-debug.mount - Kernel Debug File System.
Aug 30 18:51:57 localhost systemd[1]: Mounted sys-kernel-tracing.mount - Kernel Trace File System.
Aug 30 18:51:57 localhost systemd[1]: Mounted tmp.mount - Temporary Directory /tmp.
Aug 30 18:51:57 localhost systemd[1]: Finished coreos-printk-quiet.service - CoreOS: Set printk To Level 4 (warn).
Aug 30 18:51:57 localhost systemd[1]: Finished kmod-static-nodes.service - Create List of Static Device Nodes.
Aug 30 18:51:57 localhost systemd[1]: Finished lvm2-monitor.service - Monitoring of LVM2 mirrors, snapshots etc. using dmeventd or progress polling.
Aug 30 18:51:57 localhost systemd[1]: modprobe: Deactivated successfully.
Aug 30 18:51:57 localhost systemd[1]: Finished modprobe - Load Kernel Module configfs.
Aug 30 18:51:57 localhost systemd[1]: modprobe: Deactivated successfully.
Aug 30 18:51:57 localhost systemd[1]: Finished modprobe - Load Kernel Module drm.
Aug 30 18:51:57 localhost systemd[1]: modprobe: Deactivated successfully.
Aug 30 18:51:57 localhost systemd[1]: Finished modprobe - Load Kernel Module efi_pstore.
Aug 30 18:51:57 localhost systemd[1]: modprobe: Deactivated successfully.
Aug 30 18:51:57 localhost systemd[1]: Finished modprobe - Load Kernel Module fuse.
Aug 30 18:51:57 localhost systemd[1]: Finished systemd-modules-load.service - Load Kernel Modules.
Aug 30 18:51:57 localhost systemd[1]: Finished systemd-network-generator.service - Generate network units from Kernel command line.
Aug 30 18:51:57 localhost systemd[1]: Finished systemd-remount-fs.service - Remount Root and Kernel File Systems.
Aug 30 18:51:57 localhost systemd[1]: Finished systemd-udev-trigger.service - Coldplug All udev Devices.
Aug 30 18:51:57 localhost systemd[1]: Reached target network-pre.target - Preparation for Network.
Aug 30 18:51:57 localhost systemd[1]: Mounting sys-fs-fuse-connections.mount - FUSE Control File System...
Aug 30 18:51:57 localhost systemd[1]: iscsi-onboot.service - Special handling of early boot iSCSI sessions was skipped because of an unmet condition check (ConditionDirectoryNotEmpty=/sys/class/iscsi_session).
Aug 30 18:51:57 localhost systemd[1]: multipathd.service - Device-Mapper Multipath Device Controller was skipped because of an unmet condition check (ConditionPathExists=/etc/multipath.conf).
Aug 30 18:51:57 localhost systemd[1]: Starting systemd-hwdb-update.service - Rebuild Hardware Database...
Aug 30 18:51:57 localhost systemd[1]: Starting systemd-sysctl.service - Apply Kernel Variables...
Aug 30 18:51:57 localhost systemd[1]: Starting systemd-sysusers.service - Create System Users...
Aug 30 18:51:57 localhost systemd[1]: Starting systemd-tmpfiles-setup-dev.service - Create Static Device Nodes in /dev...
Aug 30 18:51:57 localhost systemd[1]: Mounted sys-fs-fuse-connections.mount - FUSE Control File System.
Aug 30 18:51:57 localhost systemd-sysusers[1386]: /usr/lib/sysusers.d/20-setup-groups.conf:24: Conflict with earlier configuration for group 'nobody' in /usr/lib/sysusers.d/00-coreos-nobody.conf:8, ignoring line.
Aug 30 18:51:57 localhost systemd-sysusers[1386]: /usr/lib/sysusers.d/20-setup-users.conf:13: Conflict with earlier configuration for user 'nobody' in /usr/lib/sysusers.d/00-coreos-nobody.conf:9, ignoring line.
Aug 30 18:51:57 localhost systemd-sysusers[1386]: /usr/lib/sysusers.d/basic.conf:13: Conflict with earlier configuration for group 'nobody' in /usr/lib/sysusers.d/00-coreos-nobody.conf:8, ignoring line.
Aug 30 18:51:57 localhost systemd-sysusers[1386]: /usr/lib/sysusers.d/basic.conf:14: Conflict with earlier configuration for user 'nobody' in /usr/lib/sysusers.d/00-coreos-nobody.conf:9, ignoring line.
Aug 30 18:51:57 localhost systemd-sysusers[1386]: /usr/lib/sysusers.d/chrony.conf:2: Conflict with earlier configuration for user 'chrony' in /usr/lib/sysusers.d/00-coreos-static.conf:21, ignoring line.
Aug 30 18:51:57 localhost systemd-sysusers[1386]: /usr/lib/sysusers.d/dbus.conf:2: Conflict with earlier configuration for user 'dbus' in /usr/lib/sysusers.d/10-static-extra.conf:19, ignoring line.
Aug 30 18:51:57 localhost systemd-sysusers[1386]: /usr/lib/sysusers.d/openssh-server.conf:2: Conflict with earlier configuration for user 'sshd' in /usr/lib/sysusers.d/10-static-extra.conf:23, ignoring line.
Aug 30 18:51:57 localhost systemd-sysusers[1386]: /usr/lib/sysusers.d/systemd-resolve.conf:8: Conflict with earlier configuration for user 'systemd-resolve' in /usr/lib/sysusers.d/00-coreos-static.conf:31, ignoring line.
Aug 30 18:51:57 localhost systemd-sysusers[1386]: /usr/lib/sysusers.d/systemd-timesync.conf:8: Conflict with earlier configuration for user 'systemd-timesync' in /usr/lib/sysusers.d/00-coreos-static.conf:32, ignoring line.
Aug 30 18:51:57 localhost systemd[1]: Finished systemd-sysctl.service - Apply Kernel Variables.
Aug 30 18:51:57 localhost systemd[1]: Finished systemd-tmpfiles-setup-dev.service - Create Static Device Nodes in /dev.
Aug 30 18:51:57 localhost systemd[1]: Reached target local-fs-pre.target - Preparation for Local File Systems.
Aug 30 18:51:57 localhost systemd[1]: Mounting var.mount - /var...
Aug 30 18:51:57 localhost systemd[1]: Starting systemd-userdbd.service - User Database Manager...
Aug 30 18:51:57 localhost systemd[1]: Mounted var.mount - /var.
Aug 30 18:51:57 localhost systemd[1]: var-lib-machines.mount - Virtual Machine and Container Storage (Compatibility) was skipped because of an unmet condition check (ConditionPathExists=/var/lib/machines.raw).
Aug 30 18:51:57 localhost systemd[1]: Reached target machines.target - Containers.
Aug 30 18:51:57 localhost systemd[1]: Starting coreos-populate-lvmdevices.service - CoreOS Populate LVM Devices File...
Aug 30 18:51:57 localhost systemd[1]: iscsi-starter.service was skipped because of an unmet condition check (ConditionDirectoryNotEmpty=/var/lib/iscsi/nodes).
Aug 30 18:51:57 localhost systemd[1]: Starting ostree-remount.service - OSTree Remount OS/ Bind Mounts...
Aug 30 18:51:57 localhost systemd[1]: systemd-pstore.service - Platform Persistent Storage Archival was skipped because of an unmet condition check (ConditionDirectoryNotEmpty=/sys/fs/pstore).
Aug 30 18:51:57 localhost systemd[1]: Finished ostree-remount.service - OSTree Remount OS/ Bind Mounts.
Aug 30 18:51:57 localhost systemd[1]: Starting systemd-journal-flush.service - Flush Journal to Persistent Storage...
Aug 30 18:51:57 localhost systemd[1]: Starting systemd-random-seed.service - Load/Save OS Random Seed...
Aug 30 18:51:57 localhost systemd[1]: Started systemd-userdbd.service - User Database Manager.
Aug 30 18:51:57 localhost systemd-journald[1362]: Time spent on flushing to /var/log/journal/20e68272d45a4be980e3b9b2ca965859 is 12.583ms for 1285 entries.
Aug 30 18:51:57 localhost systemd-journald[1362]: System Journal (/var/log/journal/20e68272d45a4be980e3b9b2ca965859) is 8.0M, max 966.3M, 958.3M free.
Aug 30 18:51:57 localhost systemd-journald[1362]: Received client request to flush runtime journal.
Aug 30 18:51:57 localhost coreos-populate-lvmdevices[1398]: No LVM devices detected. Exiting.
Aug 30 18:51:57 localhost systemd[1]: Finished systemd-random-seed.service - Load/Save OS Random Seed.
Aug 30 18:51:57 localhost systemd[1]: Finished systemd-journal-flush.service - Flush Journal to Persistent Storage.
Aug 30 18:51:57 localhost systemd[1]: Finished coreos-populate-lvmdevices.service - CoreOS Populate LVM Devices File.
Aug 30 18:51:57 localhost systemd[1]: Finished systemd-sysusers.service - Create System Users.
Aug 30 18:51:57 localhost kernel: audit: type=1400 audit(1693421517.841:8): avc:  denied  { dac_override } for  pid=1384 comm="systemd-hwdb" capability=1  scontext=system_u:system_r:systemd_hwdb_t:s0 tcontext=system_u:system_r:systemd_hwdb_t:s0 tclass=capability permissive=1
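
Comments 10 to 12 show why enforcing-mode logs understate what a policy fix has to cover: the generator exits at the first denied `create`, while permissive mode logs every permission the temporary file needs. As an added example (not part of the bug report or of selinux-policy), the Python below groups AVC records by source type, target type and class and lists the permissions that appeared only with `permissive=1`; the function names are assumptions, and the sample lines are taken from the comments above, with one record split in two (constructed) to exercise line rejoining.

```python
import re
from collections import defaultdict

# Journal lines taken from the comments above. The last generator record is
# deliberately split across two lines (constructed) to exercise unwrap().
SAMPLE = """\
Aug 30 18:10:58 localhost kernel: audit: type=1400 audit(1693419058.397:4): avc:  denied  { create } for  pid=1357 comm="systemd-network" name=".#network4de9c616e0b3b481" scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=0
Aug 30 18:17:58 localhost kernel: audit: type=1400 audit(1693419478.475:3): avc:  denied  { create } for  pid=1366 comm="systemd-network" name=".#network4d917899fcd776aa" scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
Aug 30 18:17:58 localhost kernel: audit: type=1400 audit(1693419478.475:4): avc:  denied  { read write open } for  pid=1366 comm="systemd-network" path="/run/systemd/.#network4d917899fcd776aa" dev="tmpfs" ino=920 scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
Aug 30 18:17:58 localhost kernel: audit: type=1400 audit(1693419478.475:5): avc:  denied  { setattr } for  pid=1366 comm="systemd-network" name=".#network4d917899fcd776aa" dev="tmpfs" ino=920 scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
Aug 30 18:17:58 localhost kernel: audit: type=1400 audit(1693419478.475:6): avc:  denied  { getattr } for  pid=1366 comm="systemd-network" path="/run/systemd/.#network4d917899fcd776aa" dev="tmpfs" ino=920 scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
Aug 30 18:17:58 localhost kernel: audit: type=1400 audit(1693419478.475:7): avc:  denied  { rename } for  pid=1366 comm="systemd-network" name=".#network4d917899fcd776aa" dev="tmpfs" ino=920 scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:object_r:init_v
ar_run_t:s0 tclass=file permissive=1
Aug 30 18:54:08 localhost kernel: audit: type=1400 audit(1693421648.925:5): avc:  denied  { dac_override } for  pid=1394 comm="systemd-hwdb" capability=1  scontext=system_u:system_r:systemd_hwdb_t:s0 tcontext=system_u:system_r:systemd_hwdb_t:s0 tclass=capability permissive=0
"""

TS_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d")
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def unwrap(lines):
    """Rejoin records that a terminal wrapped: a line without a leading
    syslog timestamp is treated as the tail of the previous line."""
    out = []
    for line in lines:
        line = line.rstrip("\n")
        if out and not TS_RE.match(line):
            out[-1] += line  # wraps split mid-token, so join without a space
        elif line:
            out.append(line)
    return out


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    try:
        return {
            "perms": set(m.group("perms").split()),
            # A context is user:role:type:level; the type drives TE decisions.
            "source": fields["scontext"].split(":")[2],
            "target": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
            "permissive": fields.get("permissive") == "1",
        }
    except (KeyError, IndexError):
        return None  # truncated record: skip it rather than guess


def summarize(lines):
    """Group denied permissions by (source type, target type, class),
    kept separately for enforcing and permissive records."""
    groups = defaultdict(lambda: {"enforcing": set(), "permissive": set()})
    for line in unwrap(lines):
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["source"], rec["target"], rec["tclass"])
        mode = "permissive" if rec["permissive"] else "enforcing"
        groups[key][mode] |= rec["perms"]
    return dict(groups)


def only_in_permissive(groups):
    """Permissions never logged in enforcing mode because the process
    stopped at an earlier denial."""
    hidden = {}
    for key, modes in groups.items():
        extra = modes["permissive"] - modes["enforcing"]
        if extra:
            hidden[key] = sorted(extra)
    return hidden


if __name__ == "__main__":
    groups = summarize(SAMPLE.splitlines())
    for (src, tgt, cls), modes in groups.items():
        print(f"{src} -> {tgt}:{cls}")
        print("  enforcing :", " ".join(sorted(modes["enforcing"])) or "-")
        print("  permissive:", " ".join(sorted(modes["permissive"])) or "-")
    for key, perms in only_in_permissive(groups).items():
        print("hidden by enforcing mode:", key, perms)
```
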

Comment 13 Fedora Update System 2023-09-01 10:52:53 UTC
FEDORA-2023-b5926774b7 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-b5926774b7

Comment 14 Fedora Update System 2023-09-02 02:11:17 UTC
FEDORA-2023-b5926774b7 has been pushed to the Fedora 39 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-b5926774b7`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-b5926774b7

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 15 Fedora Update System 2023-09-07 22:59:36 UTC
FEDORA-2023-b5926774b7 has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 16 Dusty Mabe 2023-09-08 15:08:39 UTC
Considering the information in https://bugzilla.redhat.com/show_bug.cgi?id=2230226#c12 I don't think this bug is fixed.

@zpytela - could you take a look?

Comment 17 Zdenek Pytela 2023-09-08 20:13:05 UTC
The important information is kind-of hidden in the comment, but I can now confirm it.

Comment 18 Zdenek Pytela 2023-09-08 22:19:25 UTC
*** Bug 2236394 has been marked as a duplicate of this bug. ***

Comment 19 Fedora Update System 2023-09-17 20:20:23 UTC
FEDORA-2023-22190b6562 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-22190b6562

Comment 20 Fedora Update System 2023-09-18 02:05:12 UTC
FEDORA-2023-22190b6562 has been pushed to the Fedora 39 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-22190b6562`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-22190b6562

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 21 Fedora Update System 2023-09-21 00:15:59 UTC
FEDORA-2023-22190b6562 has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.

