Description of problem: I ran a dnf offline-upgrade in a F40 KDE Plasma installation which included selinux-policy-40.19-1.fc40. systemd-journald was denied reading /etc/systemd/journald.conf starting with the boot after the offline upgrade. The denial happened when systemd-journald was started during that boot. I reproduced the denial with sudo systemctl restart systemd-journald. I didn't see this denial with selinux-policy-40.18-2.fc40. SELinux is preventing systemd-journal from 'read' accesses on the file /etc/systemd/journald.conf. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that systemd-journal should be allowed read access on the journald.conf file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'systemd-journal' --raw | audit2allow -M my-systemdjournal # semodule -X 300 -i my-systemdjournal.pp Additional Information: Source Context system_u:system_r:syslogd_t:s0 Target Context system_u:object_r:systemd_conf_t:s0 Target Objects /etc/systemd/journald.conf [ file ] Source systemd-journal Source Path systemd-journal Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages systemd-255.6-1.fc40.x86_64 SELinux Policy RPM selinux-policy-targeted-40.19-1.fc40.noarch Local Policy RPM selinux-policy-targeted-40.19-1.fc40.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 6.8.10-300.fc40.x86_64 #1 SMP PREEMPT_DYNAMIC Fri May 17 21:20:54 UTC 2024 x86_64 Alert Count 1 First Seen 2024-05-19 09:10:22 EDT Last Seen 2024-05-19 09:10:22 EDT Local ID 6d58ece4-0b5c-4849-b7ed-ea6b5c84e45d Raw Audit Messages type=AVC msg=audit(1716124222.645:387): avc: denied { read } for pid=7051 comm="systemd-journal" name="journald.conf" dev="dm-0" ino=3408555 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:systemd_conf_t:s0 tclass=file permissive=0 Hash: systemd-journal,syslogd_t,systemd_conf_t,file,read Version-Release number of selected component: selinux-policy-targeted-40.19-1.fc40.noarch Additional info: reporter: libreport-2.17.15 hashmarkername: setroubleshoot comment: I ran a dnf offline-upgrade in a F40 KDE Plasma installation which included selinux-policy-40.19-1.fc40. systemd-journald was denied reading /etc/systemd/journald.conf starting with the boot after the offline upgrade. The denial happened when systemd-journald was started during that boot. I reproduced the denial with sudo systemctl restart systemd-journald. I didn't see this denial with selinux-policy-40.18-2.fc40. type: libreport kernel: 6.8.10-300.fc40.x86_64 component: selinux-policy package: selinux-policy-targeted-40.19-1.fc40.noarch reason: SELinux is preventing systemd-journal from 'read' accesses on the file /etc/systemd/journald.conf. component: selinux-policy
Created attachment 2033967 [details] File: os_info
Created attachment 2033968 [details] File: description
FEDORA-2024-8c0636295a (selinux-policy-40.20-1.fc40) has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2024-8c0636295a
FEDORA-2024-8c0636295a has been pushed to the Fedora 40 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-8c0636295a` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-8c0636295a See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2024-8c0636295a (selinux-policy-40.20-1.fc40) has been pushed to the Fedora 40 stable repository. If problem still persists, please make note of it in this bug report.