Installing a package which installs a man page on Rawhide generates an AVC event such as:

type=AVC msg=audit(1701272352.152:886): avc: denied { map_read map_write } for pid=41878 comm="mandb" scontext=system_u:system_r:mandb_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0

This results in failed installability jobs in Fedora CI, such as:
https://artifacts.dev.testing-farm.io/17ad5128-e494-44c1-999d-11b2a18950e8/
https://src.fedoraproject.org/rpms/osbuild-composer/pull-request/182

Reproducible: Always

Steps to Reproduce:
On Rawhide:
1. ausearch -c mandb
2. dnf install -y osbuild-composer
3. ausearch -c mandb

Actual Results:
type=AVC msg=audit(1701272352.152:886): avc: denied { map_read map_write } for pid=41878 comm="mandb" scontext=system_u:system_r:mandb_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0

Expected Results:
No AVC events related to mandb

man-db-2.12.0-3.fc40.x86_64
selinux-policy-targeted-40.5-1.fc40.noarch
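
The before/after comparison in the steps above (ausearch, install, ausearch) can be scripted. The following is an added example, not part of the original report or of Fedora CI: it parses AVC records and returns the enforced denials that appear only in the second snapshot. The function names and the OLDER record (including the type example_t) are constructed for illustration.

```python
import re

# AVC record copied from the report above.
REPORTED = ('type=AVC msg=audit(1701272352.152:886): avc: denied '
            '{ map_read map_write } for pid=41878 comm="mandb" '
            'scontext=system_u:system_r:mandb_t:s0 '
            'tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0')
# Constructed sample: an older, unrelated record standing in for step 1 output.
OLDER = ('type=AVC msg=audit(1701270000.000:100): avc: denied { read } for '
         'pid=900 comm="mandb" scontext=system_u:system_r:mandb_t:s0 '
         'tcontext=system_u:object_r:example_t:s0 tclass=file permissive=1')

AVC_RE = re.compile(r'type=AVC msg=audit\((?P<id>\d+\.\d+:\d+)\): avc:\s+'
                    r'(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+'
                    r'for\s+(?P<rest>.*)')

def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"')
           for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m['rest'])}
    rec.update(id=m['id'], result=m['result'],
               perms=frozenset(m['perms'].split()))
    return rec

def signature(rec):
    """Source type, target type, object class and permissions of a record."""
    return (rec['scontext'].split(':')[2], rec['tcontext'].split(':')[2],
            rec['tclass'], rec['perms'])

def new_denials(before, after):
    """Signatures of enforced denials logged in `after` but not in `before`."""
    seen = {r['id'] for r in map(parse_avc, before.splitlines()) if r}
    found = []
    for rec in filter(None, map(parse_avc, after.splitlines())):
        # permissive=1 records were logged but not enforced; skip them.
        if (rec['id'] in seen or rec['result'] != 'denied'
                or rec.get('permissive') == '1'):
            continue
        if signature(rec) not in found:
            found.append(signature(rec))
    return found

if __name__ == '__main__':
    for src, tgt, cls, perms in new_denials(OLDER, OLDER + '\n' + REPORTED):
        print(f'{src} -> {tgt} {cls} {{{" ".join(sorted(perms))}}}')
```

Records are matched by their audit id (timestamp:serial), so a denial with the same signature as an earlier one is still reported if it was logged after the first snapshot.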
Also reproducible simply by running "systemctl start man-db-cache-update". It seems like just executing /usr/bin/mandb from a systemd unit causes this, not sure why.
Thank you for the report,

`man-db` package hasn't been updated for more than 2 months. Are you sure it's caused by it and not by some changes in either your package or `selinux-policy`?

In `selinux-policy` I see there has been some addition of the same capabilities that are in the error log:
https://src.fedoraproject.org/rpms/selinux-policy/c/2d11fcc9abd766fa03f1adbab2a8675c083d2fe2?branch=rawhide

Zdenku, do you have some idea what could be causing this issue? I still struggle with SELinux, so I might need some help here. If it's related to man-db, would you be able to help me, please?
This is a duplicate of bz#2250930.
Thank you for confirming, closing this BZ as DUPLICATE

*** This bug has been marked as a duplicate of bug 2250930 ***
(In reply to Lukas Javorsky from comment #2)
> Thank you for the report,
>
> `man-db` package hasn't been updated for more than 2 months are you sure,
> it's caused by it and not by some changes in either your package or
> `selinux-policy`?

Hi Lukas. I didn't claim that a change in "man-db" caused this problem... I merely reported the issue that we were hitting in CI for our component. I verified that this happens on vanilla Rawhide system as well. The AVC is generated by "mandb", so yeah, I'm pretty sure that this is the component causing the AVC.

While it is expected that this issue has something to do with the SELinux policy (that's why I noted the NVR of it in the description), this is something to figure out for the maintainer. You can't expect users to fully debug all aspects of the component in question, such as when there was the last update and if it is the root cause.
Hi Tomas,

Yes, I agree, sorry for the wording in that comment. I only wanted to find out if this could be caused by something else. Looks like it is, and I closed this as a duplicate of the (hopefully) real bug, which is related to systemd.