***** Plugin catchall (100. confidence) suggests ************************** If you believe that key.dns_resolve should be allowed setattr access on key labeled kernel_t by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'key.dns_resolve' --raw | audit2allow -M my-keydnsresolve # semodule -X 300 -i my-keydnsresolve.pp Additional Information: Source Context system_u:system_r:keyutils_dns_resolver_t:s0 Target Context system_u:system_r:kernel_t:s0 Target Objects Unknown [ key ] Source key.dns_resolve Source Path key.dns_resolve Port <Unknown> Host Worx.Tryx.org Source RPM Packages Target RPM Packages SELinux Policy RPM selinux-policy-targeted-40.20-1.fc40.noarch Local Policy RPM selinux-policy-targeted-40.20-1.fc40.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name Worx.Tryx.org Platform Linux Worx.Tryx.org 6.8.11-300.fc40.x86_64 #1 SMP PREEMPT_DYNAMIC Mon May 27 14:53:33 UTC 2024 x86_64 Alert Count 349 First Seen 2024-06-04 04:44:26 PDT Last Seen 2024-06-05 08:27:12 PDT Local ID 68110a33-dc63-4a23-894c-2bcb66d90d54 Raw Audit Messages type=AVC msg=audit(1717601232.320:2826): avc: denied { setattr } for pid=33815 comm="key.dns_resolve" scontext=system_u:system_r:keyutils_dns_resolver_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0 Hash: key.dns_resolve,keyutils_dns_resolver_t,kernel_t,key,setattr Reproducible: Steps to Reproduce: I have no idea how to reproduce this. SELinux Alert Browser is almost a constant presence. /var/log/messages tell me nothing more than I have already provided in the form of the SELinux Alert Browser report above.
*** This bug has been marked as a duplicate of bug 2272646 ***