SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33

selinux-policy-40.18-2.eln136.noarch

----
time->Mon May 13 12:18:28 2024
type=AVC msg=audit(1715617108.404:76): avc: denied { create } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
----
time->Mon May 13 12:18:28 2024
type=AVC msg=audit(1715617108.404:77): avc: denied { setopt } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
----
time->Mon May 13 12:18:28 2024
type=AVC msg=audit(1715617108.404:78): avc: denied { bind } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
----
time->Mon May 13 12:18:28 2024
type=AVC msg=audit(1715617108.404:79): avc: denied { listen } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
----
time->Mon May 13 12:18:28 2024
type=PROCTITLE msg=audit(1715617108.885:97): proctitle="/usr/lib/systemd/systemd-logind"
type=SYSCALL msg=audit(1715617108.885:97): arch=c000003e syscall=16 success=no exit=-25 a0=6 a1=5401 a2=7ffecd918bd0 a3=ff items=0 ppid=1 pid=666 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=AVC msg=audit(1715617108.885:97): avc: denied { ioctl } for pid=666 comm="systemd-logind" path="/usr/lib/systemd/logind.conf" dev="vda4" ino=100762171 ioctlcmd=0x5401 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=1

Reproducible: Always

Steps to Reproduce:
1. Booting Fedora-ELN (Fedora-ELN-20240513.3) triggers the avc denials

I haven't seen the same problem on Rawhide.

cki issue tracker: https://datawarehouse.cki-project.org/issue/2722
with audit enabled I got

SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33

selinux-policy-40.18-2.eln136.noarch

----
time->Tue May 14 05:59:44 2024
type=PROCTITLE msg=audit(1715680784.545:265): proctitle="/usr/lib/systemd/systemd-nsresourced"
type=SYSCALL msg=audit(1715680784.545:265): arch=c000003e syscall=16 success=yes exit=0 a0=17 a1=2401 a2=0 a3=55ff35ca9f70 items=0 ppid=1 pid=565 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-nsresou" exe="/usr/lib/systemd/systemd-nsresourced" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1715680784.545:265): avc: denied { write } for pid=565 comm="systemd-nsresou" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=perf_event permissive=1
----
time->Tue May 14 06:01:09 2024
type=AVC msg=audit(1715680869.505:77): avc: denied { create } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
----
time->Tue May 14 06:01:09 2024
type=AVC msg=audit(1715680869.506:78): avc: denied { setopt } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
----
time->Tue May 14 06:01:09 2024
type=AVC msg=audit(1715680869.506:79): avc: denied { bind } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
----
time->Tue May 14 06:01:09 2024
type=AVC msg=audit(1715680869.506:80): avc: denied { listen } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
----
time->Tue May 14 06:01:09 2024
type=PROCTITLE msg=audit(1715680869.828:102): proctitle="/usr/lib/systemd/systemd-logind"
type=PATH msg=audit(1715680869.828:102): item=0 name="/usr/lib/systemd/logind.conf" inode=150304 dev=fd:04 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:init_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1715680869.828:102): cwd="/"
type=SYSCALL msg=audit(1715680869.828:102): arch=c000003e syscall=257 success=yes exit=6 a0=ffffff9c a1=55f7382d3da0 a2=80000 a3=0 items=1 ppid=1 pid=691 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=AVC msg=audit(1715680869.828:102): avc: denied { open } for pid=691 comm="systemd-logind" path="/usr/lib/systemd/logind.conf" dev="vda4" ino=150304 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1715680869.828:102): avc: denied { read } for pid=691 comm="systemd-logind" name="logind.conf" dev="vda4" ino=150304 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=1
----
time->Tue May 14 06:01:09 2024
type=PROCTITLE msg=audit(1715680869.828:103): proctitle="/usr/lib/systemd/systemd-logind"
type=SYSCALL msg=audit(1715680869.828:103): arch=c000003e syscall=5 success=yes exit=0 a0=6 a1=7ffdcfbf73e0 a2=55f73807c2c0 a3=0 items=0 ppid=1 pid=691 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=AVC msg=audit(1715680869.828:103): avc: denied { getattr } for pid=691 comm="systemd-logind" path="/usr/lib/systemd/logind.conf" dev="vda4" ino=150304 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=1
----
time->Tue May 14 06:01:09 2024
type=PROCTITLE msg=audit(1715680869.828:104): proctitle="/usr/lib/systemd/systemd-logind"
type=SYSCALL msg=audit(1715680869.828:104): arch=c000003e syscall=16 success=no exit=-25 a0=6 a1=5401 a2=7ffdcfbf7210 a3=ff items=0 ppid=1 pid=691 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=AVC msg=audit(1715680869.828:104): avc: denied { ioctl } for pid=691 comm="systemd-logind" path="/usr/lib/systemd/logind.conf" dev="vda4" ino=150304 ioctlcmd=0x5401 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=1
----
time->Tue May 14 06:01:09 2024
type=PROCTITLE msg=audit(1715680869.905:107): proctitle="/usr/lib/systemd/systemd-hostnamed"
type=PATH msg=audit(1715680869.905:107): item=0 name="/dev/vsock" inode=298 dev=00:06 mode=020666 ouid=0 ogid=0 rdev=0a:7c obj=system_u:object_r:vsock_device_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1715680869.905:107): cwd="/"
type=SYSCALL msg=audit(1715680869.905:107): arch=c000003e syscall=257 success=yes exit=10 a0=ffffff9c a1=7f99753424fa a2=80000 a3=0 items=1 ppid=1 pid=701 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
type=AVC msg=audit(1715680869.905:107): avc: denied { open } for pid=701 comm="systemd-hostnam" path="/dev/vsock" dev="devtmpfs" ino=298 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:vsock_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1715680869.905:107): avc: denied { read } for pid=701 comm="systemd-hostnam" name="vsock" dev="devtmpfs" ino=298 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:vsock_device_t:s0 tclass=chr_file permissive=1
----
time->Tue May 14 06:01:09 2024
type=PROCTITLE msg=audit(1715680869.905:108): proctitle="/usr/lib/systemd/systemd-hostnamed"
type=SYSCALL msg=audit(1715680869.905:108): arch=c000003e syscall=16 success=yes exit=0 a0=a a1=7b9 a2=7fff3287c5c4 a3=0 items=0 ppid=1 pid=701 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
type=AVC msg=audit(1715680869.905:108): avc: denied { ioctl } for pid=701 comm="systemd-hostnam" path="/dev/vsock" dev="devtmpfs" ino=298 ioctlcmd=0x7b9 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:vsock_device_t:s0 tclass=chr_file permissive=1
----
time->Tue May 14 06:02:29 2024
type=PROCTITLE msg=audit(1715680949.907:141): proctitle="/usr/lib/systemd/systemd-hostnamed"
type=PATH msg=audit(1715680949.907:141): item=0 name="/dev/vsock" inode=298 dev=00:06 mode=020666 ouid=0 ogid=0 rdev=0a:7c obj=system_u:object_r:vsock_device_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1715680949.907:141): cwd="/"
type=SYSCALL msg=audit(1715680949.907:141): arch=c000003e syscall=257 success=yes exit=10 a0=ffffff9c a1=7f7be99424fa a2=80000 a3=0 items=1 ppid=1 pid=18123 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
type=AVC msg=audit(1715680949.907:141): avc: denied { open } for pid=18123 comm="systemd-hostnam" path="/dev/vsock" dev="devtmpfs" ino=298 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:vsock_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1715680949.907:141): avc: denied { read } for pid=18123 comm="systemd-hostnam" name="vsock" dev="devtmpfs" ino=298 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:vsock_device_t:s0 tclass=chr_file permissive=1
----
time->Tue May 14 06:02:29 2024
type=PROCTITLE msg=audit(1715680949.907:142): proctitle="/usr/lib/systemd/systemd-hostnamed"
type=SYSCALL msg=audit(1715680949.907:142): arch=c000003e syscall=16 success=yes exit=0 a0=a a1=7b9 a2=7ffcbeba5db4 a3=0 items=0 ppid=1 pid=18123 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
type=AVC msg=audit(1715680949.907:142): avc: denied { ioctl } for pid=18123 comm="systemd-hostnam" path="/dev/vsock" dev="devtmpfs" ino=298 ioctlcmd=0x7b9 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:vsock_device_t:s0 tclass=chr_file permissive=1
This one is new:

----
type=PROCTITLE msg=audit(1715680784.545:265): proctitle="/usr/lib/systemd/systemd-nsresourced"
type=SYSCALL msg=audit(1715680784.545:265): arch=c000003e syscall=16 success=yes exit=0 a0=17 a1=2401 a2=0 a3=55ff35ca9f70 items=0 ppid=1 pid=565 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-nsresou" exe="/usr/lib/systemd/systemd-nsresourced" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1715680784.545:265): avc: denied { write } for pid=565 comm="systemd-nsresou" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=perf_event permissive=1
----

The rest seem to be duplicates.

Anyway, I cannot reproduce this one. Do you know what the triggering condition is? Did you notice any service failing? What is the systemd version?
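The "this one is new, the rest are duplicates" triage done by hand above can be done mechanically. The following is an added example, not code from this bug report or from the selinux-policy project: it groups ausearch output into unique (source type, target type, class) tuples, unions the denied permissions per tuple, and diffs two captures. The sample records are constructed from ones quoted in this thread (the SYSCALL line is trimmed).

```python
import re
from collections import defaultdict

# Matches the AVC record in both raw ausearch and `ausearch -i` output.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?\bcomm="?(?P<comm>[^" ]+)"?'
    r'.*?\bscontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def sel_type(context):
    """user:role:type[:range] -> type (third field)."""
    return context.split(":")[2]

def summarize(ausearch_text):
    """Group AVC records by (source type, target type, class); union their permissions."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for line in ausearch_text.splitlines():
        m = AVC_RE.search(line)
        if not m:  # separators, time->, SYSCALL, PROCTITLE, PATH records
            continue
        g = groups[(sel_type(m["scon"]), sel_type(m["tcon"]), m["tclass"])]
        g["perms"].update(m["perms"].split())
        g["comms"].add(m["comm"])
        g["count"] += 1
    return dict(groups)

def new_denials(current, baseline):
    """Tuples seen in `current` but absent from `baseline` (the 'this one is new' check)."""
    return sorted(set(summarize(current)) - set(summarize(baseline)))

def as_rules(groups):
    """Render tuples in allow-rule notation for review (a reading aid, not a policy to install)."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
            for (s, t, c), g in sorted(groups.items())]

# Constructed sample: two captures built from records quoted in this thread.
MAY13 = """\
----
time->Mon May 13 12:18:28 2024
type=AVC msg=audit(1715617108.404:76): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
type=AVC msg=audit(1715617108.404:77): avc:  denied  { setopt } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
"""
MAY14 = MAY13 + """\
type=SYSCALL msg=audit(1715680784.545:265): arch=c000003e syscall=16 success=yes exit=0 ppid=1 pid=565 comm="systemd-nsresou" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1715680784.545:265): avc:  denied  { write } for  pid=565 comm="systemd-nsresou" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=perf_event permissive=1
type=AVC msg=audit(05/20/2024 03:34:52.933:307) : avc:  denied  { open } for  pid=1237 comm=systemd-nsresou scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=perf_event permissive=0
"""

if __name__ == "__main__":
    print(*as_rules(summarize(MAY14)), "new since May 13:", new_denials(MAY14, MAY13), sep="\n")
```

Running it on the two captures reports one new tuple, init_t accessing a perf_event of its own type, and merges the vsock_socket permissions that appear once per record in the raw log into a single line.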
I can reproduce it in rawhide with systemd-256~rc2-1.fc41.x86_64. The nsresourced service did not fail.

----
type=PROCTITLE msg=audit(05/20/2024 03:34:52.933:307) : proctitle=/usr/lib/systemd/systemd-nsresourced
type=SYSCALL msg=audit(05/20/2024 03:34:52.933:307) : arch=x86_64 syscall=perf_event_open success=no exit=EACCES(Permission denied) a0=0x7ffc404c6670 a1=0xffffffff a2=0x0 a3=0xffffffff items=0 ppid=1 pid=1237 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-nsresou exe=/usr/lib/systemd/systemd-nsresourced subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(05/20/2024 03:34:52.933:307) : avc: denied { open } for pid=1237 comm=systemd-nsresou scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=perf_event permissive=0
----

systemd-nsresou 1237 [000] 2178.976986: avc:selinux_audited: requested=0x1 denied=0x1 audited=0x1 result=-13 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=perf_event
        ffffffff877678e6 avc_audit_post_callback+0x216 ([kernel.kallsyms])
        ffffffff877678e6 avc_audit_post_callback+0x216 ([kernel.kallsyms])
        ffffffff8779309b common_lsm_audit+0x2ab ([kernel.kallsyms])
        ffffffff87768db3 slow_avc_audit+0xb3 ([kernel.kallsyms])
        ffffffff8776966f avc_has_perm+0xbf ([kernel.kallsyms])
        ffffffff87766b53 security_perf_event_open+0x33 ([kernel.kallsyms])
        ffffffff873819d9 __do_sys_perf_event_open+0x99 ([kernel.kallsyms])
        ffffffff8816e4b2 do_syscall_64+0x82 ([kernel.kallsyms])
        ffffffff8820012f entry_SYSCALL_64_after_hwframe+0x76 ([kernel.kallsyms])
            7f06bbcfb21d syscall+0x1d (/usr/lib64/libc.so.6)
            7f06bb3ddd9d [unknown] (/usr/lib64/libbpf.so.1.4.1)
            7f06bb3eb997 bpf_program__attach_kprobe_opts+0x367 (/usr/lib64/libbpf.so.1.4.1)
            7f06bb3ebfc0 [unknown] (/usr/lib64/libbpf.so.1.4.1)
            7f06bb3ef9b1 bpf_program__attach+0x51 (/usr/lib64/libbpf.so.1.4.1)
            55eeace0c80b userns_restrict_install+0x18eb (inlined)
            55eeace0c80b manager_setup_bpf+0x18eb (inlined)
            55eeace0c80b manager_startup+0x18eb (inlined)
            55eeace0c80b run+0x18eb (inlined)
            55eeace0c80b main+0x18eb (/usr/lib/systemd/systemd-nsresourced)
            7f06bbc0f1c7 __libc_start_call_main+0x77 (/usr/lib64/libc.so.6)
            7f06bbc0f28a __libc_start_main@@GLIBC_2.34+0x8a (/usr/lib64/libc.so.6)
            55eeace0ce74 _start+0x24 (/usr/lib/systemd/systemd-nsresourced)
As you reproduced it I think you don't need any info from me anymore. We run it as permissive and we also didn't notice any service failing.
I've changed the summary as the other denials are already being worked on in different bz.
*** Bug 2280521 has been marked as a duplicate of this bug. ***