Bug 2292191 - 40.22-1.fc40 breaks cryptsetup action on startup: related denial logged during boot since update to 40.22-1 -> related device no longer mounted on boot
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 40
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 2292481 2292628 2292647 2292663 2299660
Depends On:
Blocks:
Reported: 2024-06-13 11:46 UTC by Christopher Klooz
Modified: 2024-08-04 09:06 UTC

Fixed In Version: selinux-policy-40.24-1.fc40
Doc Text:
Clone Of:
Environment:
Last Closed: 2024-07-19 01:46:09 UTC
Type: ---
Embargoed:


Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Github | fedora-selinux selinux-policy pull 2194 | 0 | None | open | Update systemd generators | 2024-06-21 15:16:56 UTC |

Description Christopher Klooz 2024-06-13 11:46:59 UTC
My grub unlocks two different encrypted devices with different passwords on startup:
```
options root=UUID=AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA ro rootflags=subvol=root rd.luks.uuid=luks-BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB rd.luks.uuid=luks-CCCCCCCC-CCCC-CCCC-CCCC-CCCCCCCCCCCC rhgb quiet amd_pstate=active 
```

crypttab and fstab have not been changed so far in 2024. I currently run 6.8.11-300.fc40.x86_64 and have had this kernel for over a week now without issues.

So far, I have never had issues with that configuration. Both devices get mounted during boot so that both are mounted when the system is up.

However, after I updated last night (see [1] below for the full update list in between the working and the broken boots -> it includes selinux-policy), I have the issue that one of the two drives that shall be mounted on boot is no longer mounted when the system is booted. Generally, cryptsetup was able to unlock the device, but it is not mounted. So what I need to do is only `mount /dev/mapper/luks-BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB /directory` since cryptsetup already did the mapping at this time.

However, this no longer works by default, so it seems cryptsetup has an issue somewhere: I checked the logs, and with regard to the UUID (`journalctl --boot=0 | grep <UUID>`) of the affected device (and also the other device), the system logs are equal up to the point the system is booted.

Yet, when I check the audits, then one new denial is logged during the startup:
```
Jun 13 12:08:45 fedora kernel: audit: type=1400 audit(1718273325.501:7): avc:  denied  { create } for  pid=1575 comm="systemd-fstab-g" name=".#50-device-timeout.conf192e76e961483b00" scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=0
```

The affected device does not contain root, which is why the system still boots, even login to the GUI works on itself. It's just the non-root device that is unlocked but not mounted.

I have now tested two boots since the updates of [1]; in both cases it was the same: the difference to earlier boots is the above denial, and the device is unlocked but not mounted. I have now done another update, which just updated zlib-ng and zlib-compat, which obviously had no impact.

I run F40 KDE Spin. The issue cannot be linked to me using a confined user account because the issue occurs before I log into my account (I also tested the condition before logging into my account, just to ensure that this is not related). root is unconfined_u. I expect that __default__ = user_u is not related.

[1]
```
2024-06-13T02:53:01+0200 DEBUG --> Starting dependency resolution
2024-06-13T02:53:02+0200 DEBUG ---> Package autocorr-de.noarch 1:24.2.3.2-2.fc40 will be upgraded
2024-06-13T02:53:02+0200 DEBUG ---> Package autocorr-de.noarch 1:24.2.4.2-2.fc40 will be an upgrade
2024-06-13T02:53:02+0200 DEBUG ---> Package autocorr-en.noarch 1:24.2.3.2-2.fc40 will be upgraded
2024-06-13T02:53:02+0200 DEBUG ---> Package autocorr-en.noarch 1:24.2.4.2-2.fc40 will be an upgrade
2024-06-13T02:53:02+0200 DEBUG ---> Package bolt.x86_64 0.9.7-1.fc40 will be upgraded
2024-06-13T02:53:02+0200 DEBUG ---> Package bolt.x86_64 0.9.8-2.fc40 will be an upgrade
2024-06-13T02:53:02+0200 DEBUG ---> Package cpp.x86_64 14.1.1-4.fc40 will be upgraded
2024-06-13T02:53:02+0200 DEBUG ---> Package cpp.x86_64 14.1.1-5.fc40 will be an upgrade
2024-06-13T02:53:02+0200 DEBUG ---> Package jose.x86_64 13-1.fc40 will be upgraded
2024-06-13T02:53:02+0200 DEBUG ---> Package jose.x86_64 14-1.fc40 will be an upgrade
2024-06-13T02:53:02+0200 DEBUG ---> Package libatomic.x86_64 14.1.1-4.fc40 will be upgraded
2024-06-13T02:53:02+0200 DEBUG ---> Package libatomic.x86_64 14.1.1-5.fc40 will be an upgrade
2024-06-13T02:53:02+0200 DEBUG ---> Package libgcc.x86_64 14.1.1-4.fc40 will be upgraded
2024-06-13T02:53:02+0200 DEBUG ---> Package libgcc.x86_64 14.1.1-5.fc40 will be an upgrade
2024-06-13T02:53:02+0200 DEBUG ---> Package libgfortran.x86_64 14.1.1-4.fc40 will be upgraded
2024-06-13T02:53:02+0200 DEBUG ---> Package libgfortran.x86_64 14.1.1-5.fc40 will be an upgrade
2024-06-13T02:53:02+0200 DEBUG ---> Package libgomp.x86_64 14.1.1-4.fc40 will be upgraded
2024-06-13T02:53:02+0200 DEBUG ---> Package libgomp.x86_64 14.1.1-5.fc40 will be an upgrade
2024-06-13T02:53:02+0200 DEBUG ---> Package libjose.x86_64 13-1.fc40 will be upgraded
2024-06-13T02:53:02+0200 DEBUG ---> Package libjose.x86_64 14-1.fc40 will be an upgrade
2024-06-13T02:53:02+0200 DEBUG ---> Package libobjc.x86_64 14.1.1-4.fc40 will be upgraded
2024-06-13T02:53:02+0200 DEBUG ---> Package libobjc.x86_64 14.1.1-5.fc40 will be an upgrade
2024-06-13T02:53:02+0200 DEBUG ---> Package libquadmath.x86_64 14.1.1-4.fc40 will be upgraded
2024-06-13T02:53:02+0200 DEBUG ---> Package libquadmath.x86_64 14.1.1-5.fc40 will be an upgrade
2024-06-13T02:53:02+0200 DEBUG ---> Package libreoffice-calc.x86_64 1:24.2.3.2-2.fc40 will be upgraded
2024-06-13T02:53:02+0200 DEBUG ---> Package libreoffice-calc.x86_64 1:24.2.4.2-2.fc40 will be an upgrade
2024-06-13T02:53:02+0200 DEBUG ---> Package libreoffice-core.x86_64 1:24.2.3.2-2.fc40 will be upgraded
2024-06-13T02:53:02+0200 DEBUG ---> Package libreoffice-core.x86_64 1:24.2.4.2-2.fc40 will be an upgrade
2024-06-13T02:53:02+0200 DEBUG ---> Package libreoffice-data.x86_64 1:24.2.3.2-2.fc40 will be upgraded
2024-06-13T02:53:02+0200 DEBUG ---> Package libreoffice-data.x86_64 1:24.2.4.2-2.fc40 will be an upgrade
2024-06-13T02:53:02+0200 DEBUG ---> Package libreoffice-draw.x86_64 1:24.2.3.2-2.fc40 will be upgraded
2024-06-13T02:53:02+0200 DEBUG ---> Package libreoffice-draw.x86_64 1:24.2.4.2-2.fc40 will be an upgrade
2024-06-13T02:53:02+0200 DEBUG ---> Package libreoffice-graphicfilter.x86_64 1:24.2.3.2-2.fc40 will be upgraded
2024-06-13T02:53:02+0200 DEBUG ---> Package libreoffice-graphicfilter.x86_64 1:24.2.4.2-2.fc40 will be an upgrade
2024-06-13T02:53:02+0200 DEBUG ---> Package libreoffice-gtk3.x86_64 1:24.2.3.2-2.fc40 will be upgraded
2024-06-13T02:53:02+0200 DEBUG ---> Package libreoffice-gtk3.x86_64 1:24.2.4.2-2.fc40 will be an upgrade
2024-06-13T02:53:02+0200 DEBUG ---> Package libreoffice-gtk4.x86_64 1:24.2.3.2-2.fc40 will be upgraded
2024-06-13T02:53:02+0200 DEBUG ---> Package libreoffice-gtk4.x86_64 1:24.2.4.2-2.fc40 will be an upgrade
2024-06-13T02:53:02+0200 DEBUG ---> Package libreoffice-help-de.x86_64 1:24.2.3.2-2.fc40 will be upgraded
2024-06-13T02:53:02+0200 DEBUG ---> Package libreoffice-help-de.x86_64 1:24.2.4.2-2.fc40 will be an upgrade
2024-06-13T02:53:02+0200 DEBUG ---> Package libreoffice-help-en.x86_64 1:24.2.3.2-2.fc40 will be upgraded
2024-06-13T02:53:02+0200 DEBUG ---> Package libreoffice-help-en.x86_64 1:24.2.4.2-2.fc40 will be an upgrade
2024-06-13T02:53:02+0200 DEBUG ---> Package libreoffice-impress.x86_64 1:24.2.3.2-2.fc40 will be upgraded
2024-06-13T02:53:02+0200 DEBUG ---> Package libreoffice-impress.x86_64 1:24.2.4.2-2.fc40 will be an upgrade
2024-06-13T02:53:02+0200 DEBUG ---> Package libreoffice-kf5.x86_64 1:24.2.3.2-2.fc40 will be upgraded
2024-06-13T02:53:02+0200 DEBUG ---> Package libreoffice-kf5.x86_64 1:24.2.4.2-2.fc40 will be an upgrade
2024-06-13T02:53:02+0200 DEBUG ---> Package libreoffice-kf6.x86_64 1:24.2.3.2-2.fc40 will be upgraded
2024-06-13T02:53:02+0200 DEBUG ---> Package libreoffice-kf6.x86_64 1:24.2.4.2-2.fc40 will be an upgrade
2024-06-13T02:53:02+0200 DEBUG ---> Package libreoffice-langpack-de.x86_64 1:24.2.3.2-2.fc40 will be upgraded
2024-06-13T02:53:02+0200 DEBUG ---> Package libreoffice-langpack-de.x86_64 1:24.2.4.2-2.fc40 will be an upgrade
2024-06-13T02:53:02+0200 DEBUG ---> Package libreoffice-langpack-en.x86_64 1:24.2.3.2-2.fc40 will be upgraded
2024-06-13T02:53:02+0200 DEBUG ---> Package libreoffice-langpack-en.x86_64 1:24.2.4.2-2.fc40 will be an upgrade
2024-06-13T02:53:02+0200 DEBUG ---> Package libreoffice-ogltrans.x86_64 1:24.2.3.2-2.fc40 will be upgraded
2024-06-13T02:53:02+0200 DEBUG ---> Package libreoffice-ogltrans.x86_64 1:24.2.4.2-2.fc40 will be an upgrade
2024-06-13T02:53:02+0200 DEBUG ---> Package libreoffice-opensymbol-fonts.noarch 1:24.2.3.2-2.fc40 will be upgraded
2024-06-13T02:53:02+0200 DEBUG ---> Package libreoffice-opensymbol-fonts.noarch 1:24.2.4.2-2.fc40 will be an upgrade
2024-06-13T02:53:02+0200 DEBUG ---> Package libreoffice-pdfimport.x86_64 1:24.2.3.2-2.fc40 will be upgraded
2024-06-13T02:53:02+0200 DEBUG ---> Package libreoffice-pdfimport.x86_64 1:24.2.4.2-2.fc40 will be an upgrade
2024-06-13T02:53:02+0200 DEBUG ---> Package libreoffice-pyuno.x86_64 1:24.2.3.2-2.fc40 will be upgraded
2024-06-13T02:53:02+0200 DEBUG ---> Package libreoffice-pyuno.x86_64 1:24.2.4.2-2.fc40 will be an upgrade
2024-06-13T02:53:02+0200 DEBUG ---> Package libreoffice-ure.x86_64 1:24.2.3.2-2.fc40 will be upgraded
2024-06-13T02:53:02+0200 DEBUG ---> Package libreoffice-ure.x86_64 1:24.2.4.2-2.fc40 will be an upgrade
2024-06-13T02:53:02+0200 DEBUG ---> Package libreoffice-ure-common.x86_64 1:24.2.3.2-2.fc40 will be upgraded
2024-06-13T02:53:02+0200 DEBUG ---> Package libreoffice-ure-common.x86_64 1:24.2.4.2-2.fc40 will be an upgrade
2024-06-13T02:53:02+0200 DEBUG ---> Package libreoffice-writer.x86_64 1:24.2.3.2-2.fc40 will be upgraded
2024-06-13T02:53:02+0200 DEBUG ---> Package libreoffice-writer.x86_64 1:24.2.4.2-2.fc40 will be an upgrade
2024-06-13T02:53:02+0200 DEBUG ---> Package libreoffice-x11.x86_64 1:24.2.3.2-2.fc40 will be upgraded
2024-06-13T02:53:02+0200 DEBUG ---> Package libreoffice-x11.x86_64 1:24.2.4.2-2.fc40 will be an upgrade
2024-06-13T02:53:02+0200 DEBUG ---> Package libstdc++.x86_64 14.1.1-4.fc40 will be upgraded
2024-06-13T02:53:02+0200 DEBUG ---> Package libstdc++.x86_64 14.1.1-5.fc40 will be an upgrade
2024-06-13T02:53:02+0200 DEBUG ---> Package selinux-policy.noarch 40.20-1.fc40 will be upgraded
2024-06-13T02:53:02+0200 DEBUG ---> Package selinux-policy.noarch 40.22-1.fc40 will be an upgrade
2024-06-13T02:53:02+0200 DEBUG ---> Package selinux-policy-targeted.noarch 40.20-1.fc40 will be upgraded
2024-06-13T02:53:02+0200 DEBUG ---> Package selinux-policy-targeted.noarch 40.22-1.fc40 will be an upgrade
2024-06-13T02:53:02+0200 DEBUG ---> Package vulkan-loader.x86_64 1.3.283.0-1.fc40 will be upgraded
2024-06-13T02:53:02+0200 DEBUG ---> Package vulkan-loader.x86_64 1.3.283.0-2.fc40 will be an upgrade
2024-06-13T02:53:02+0200 DEBUG --> Finished dependency resolution

```

Before putting a million logs of different processes in here, let me know what you need and I will provide it.

Thanks :)

Reproducible: Always

Steps to Reproduce:
1. create devices and grub cfg as mentioned above
2. update to 40.22-1
3. boot
Actual Results:  
Once booted, both devices are unlocked, but one no longer gets mounted automatically since the update to 40.22-1

Expected Results:  
Both devices get unlocked and mounted automatically.

Comment 1 Christopher Klooz 2024-06-13 11:48:05 UTC
Addition: 
```
cat /proc/sys/kernel/tainted 
0
```

Comment 2 Zdenek Pytela 2024-06-13 13:07:57 UTC
No other logs are needed, rather

  # ls -goRZ /run/systemd/generator /run/systemd/cryptsetup


To work around this issue, you can run:

  # semanage permissive -a -t systemd_fstab_generator_t

and/or

  # cat local_generators.cil
(allow systemd_fstab_generator_t systemd_cryptsetup_generator_unit_file_t (file (create getattr)))
  # semodule -i local_generators.cil

and collect additional denials:

  # systemctl daemon-reload
  # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
  # journalctl -b -g avc:..denied

Undo changes after the issue is fixed:

  # semanage permissive -d -t systemd_fstab_generator_t
  # semodule -r local_generators
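
Added example, not part of the bug thread or of the selinux-policy project: a small Python parser that turns AVC denial lines like those quoted in this report into CIL allow rules in the form used in comment 2. The first two sample lines are copied from this page; the third (`getattr`, `permissive=1`) is constructed, and all function and constant names are this example's own.

```python
import re
from collections import defaultdict

# Works for both kernel-log lines ("audit: type=1400 ... avc:  denied ...")
# and `ausearch -i` lines ("type=AVC msg=audit(...) : avc:  denied ...").
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Copied from the description of this bug report.
PAGE_FSTAB_DENIAL = (
    'Jun 13 12:08:45 fedora kernel: audit: type=1400 audit(1718273325.501:7): '
    'avc:  denied  { create } for  pid=1575 comm="systemd-fstab-g" '
    'name=".#50-device-timeout.conf192e76e961483b00" '
    'scontext=system_u:system_r:systemd_fstab_generator_t:s0 '
    'tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 '
    'tclass=file permissive=0'
)
# Copied from the ausearch output in comment 3.
PAGE_PLYMOUTH_DENIAL = (
    'type=AVC msg=audit(06/13/2024 00:41:32.762:741) : avc:  denied  '
    '{ read write } for  pid=39858 comm=plymouthd name=event3 dev="devtmpfs" '
    'ino=215 scontext=system_u:system_r:plymouthd_t:s0 '
    'tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 '
)
# CONSTRUCTED sample: what a follow-up denial could look like once the domain
# is permissive (permissive=1). Not taken from the report.
CONSTRUCTED_GETATTR = (
    'type=AVC msg=audit(06/13/2024 14:00:00.000:900) : avc:  denied  '
    '{ getattr } for  pid=2000 comm=systemd-fstab-g '
    'scontext=system_u:system_r:systemd_fstab_generator_t:s0 '
    'tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 '
    'tclass=file permissive=1'
)
SAMPLE = [PAGE_FSTAB_DENIAL, PAGE_PLYMOUTH_DENIAL, CONSTRUCTED_GETATTR]


def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    try:
        # A context is user:role:type:level; the type is the third field.
        source = fields["scontext"].split(":")[2]
        target = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return {
        "source": source,
        "target": target,
        "tclass": tclass,
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm"),
        "permissive": fields.get("permissive") == "1",
    }


def cil_rules(lines, source_type=None):
    """Merge denials per (source, target, class) and emit CIL allow rules."""
    merged = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is None or (source_type and d["source"] != source_type):
            continue
        merged[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    return [
        "(allow {} {} ({} ({})))".format(s, t, c, " ".join(sorted(perms)))
        for (s, t, c), perms in sorted(merged.items())
    ]


def possibly_incomplete(lines):
    """Triples seen only with permissive=0.

    An enforced denial stops the operation, so later permission checks on the
    same path are never reached and never logged; a rule built only from such
    lines may still be missing permissions.
    """
    seen = defaultdict(list)
    for line in lines:
        d = parse_avc(line)
        if d:
            seen[(d["source"], d["target"], d["tclass"])].append(d["permissive"])
    return sorted(k for k, flags in seen.items() if not any(flags))


if __name__ == "__main__":
    for rule in cil_rules(SAMPLE, source_type="systemd_fstab_generator_t"):
        print(rule)
    print("enforcing-only:", possibly_incomplete(SAMPLE))
```

Filtering by `source_type` keeps unrelated denials, such as the plymouthd ones in comment 3, out of a local module meant only for the generator domain.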

Comment 3 Christopher Klooz 2024-06-13 13:45:18 UTC
To make the output easier to understand: on boot, the following two encrypted devices are unlocked to be then mounted along with further devices (the two are unlocked at grub level, the others later through crypttab):
1) *e5a4 -> the contained device is to be mounted as root once unlocked (works)
2) *0651 -> the contained device is to be mounted on /dlz once unlocked (the affected device)

In the current boot, I have mounted /dlz manually, which is reflected in the output:

ls -goRZ /run/systemd/generator /run/systemd/cryptsetup > /home/user/Desktop/file1
```
/run/systemd/generator:
total 76
-rw-r--r--. 1 system_u:object_r:systemd_fstab_generator_unit_file_t:s0       372 Jun 13 12:08 blz.mount
-rw-r--r--. 1 system_u:object_r:systemd_fstab_generator_unit_file_t:s0       445 Jun 13 12:08 boot-efi.mount
-rw-r--r--. 1 system_u:object_r:systemd_fstab_generator_unit_file_t:s0       571 Jun 13 12:08 boot.mount
-rw-r--r--. 1 system_u:object_r:systemd_fstab_generator_unit_file_t:s0       372 Jun 13 12:08 bu1.mount
-rw-r--r--. 1 system_u:object_r:systemd_fstab_generator_unit_file_t:s0       372 Jun 13 12:08 bu2.mount
drwxr-xr-x. 2 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0   80 Jun 13 12:08 cryptsetup.target.requires
drwxr-xr-x. 2 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0  140 Jun 13 12:08 cryptsetup.target.wants
drwxr-xr-x. 2 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0   60 Jun 13 12:08 dev-disk-by\x2duuid-13858275\x2d2ad8\x2d43d4\x2d9307\x2d9f051d93a7c1.device.d
drwxr-xr-x. 2 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0   60 Jun 13 12:08 dev-disk-by\x2duuid-14c65915\x2db870\x2d4c71\x2db53d\x2d6402733cade8.device.d
drwxr-xr-x. 2 system_u:object_r:systemd_fstab_generator_unit_file_t:s0        60 Jun 13 12:08 dev-disk-by\x2duuid-29153454\x2d457c\x2d4bb8\x2dabd6\x2de922c6152b94.device.d
drwxr-xr-x. 2 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0   60 Jun 13 12:08 dev-disk-by\x2duuid-76e59a4c\x2d00e7\x2d49df\x2d987e\x2d31db374d52f8.device.d
drwxr-xr-x. 2 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0   60 Jun 13 12:08 dev-disk-by\x2duuid-87bb7de6\x2d9fd5\x2d4079\x2dbb44\x2d917128260e11.device.d
drwxr-xr-x. 2 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0   60 Jun 13 12:08 dev-disk-by\x2duuid-f5947f00\x2db37e\x2d4076\x2da260\x2d5b0fa26c23cd.device.d
drwxr-xr-x. 2 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0   60 Jun 13 12:08 dev-mapper-luks\x2d0b30619e\x2deb68\x2d4f6c\x2d8335\x2d16c0b2a50651.device.d
drwxr-xr-x. 2 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0   60 Jun 13 12:08 dev-mapper-luks\x2d0b30619e\x2deb68\x2d4f6c\x2d8335\x2d16c0b2a50651.device.requires
drwxr-xr-x. 2 system_u:object_r:systemd_fstab_generator_unit_file_t:s0        60 Jun 13 12:08 dev-mapper-luks\x2d13858275\x2d2ad8\x2d43d4\x2d9307\x2d9f051d93a7c1.device.d
drwxr-xr-x. 2 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0   60 Jun 13 12:08 dev-mapper-luks\x2d13858275\x2d2ad8\x2d43d4\x2d9307\x2d9f051d93a7c1.device.requires
drwxr-xr-x. 2 system_u:object_r:systemd_fstab_generator_unit_file_t:s0        60 Jun 13 12:08 dev-mapper-luks\x2d14c65915\x2db870\x2d4c71\x2db53d\x2d6402733cade8.device.d
drwxr-xr-x. 2 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0   60 Jun 13 12:08 dev-mapper-luks\x2d14c65915\x2db870\x2d4c71\x2db53d\x2d6402733cade8.device.requires
drwxr-xr-x. 2 system_u:object_r:systemd_fstab_generator_unit_file_t:s0        60 Jun 13 12:08 dev-mapper-luks\x2d76e59a4c\x2d00e7\x2d49df\x2d987e\x2d31db374d52f8.device.d
drwxr-xr-x. 2 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0   60 Jun 13 12:08 dev-mapper-luks\x2d76e59a4c\x2d00e7\x2d49df\x2d987e\x2d31db374d52f8.device.requires
drwxr-xr-x. 2 system_u:object_r:systemd_fstab_generator_unit_file_t:s0        60 Jun 13 12:08 dev-mapper-luks\x2d87bb7de6\x2d9fd5\x2d4079\x2dbb44\x2d917128260e11.device.d
drwxr-xr-x. 2 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0   60 Jun 13 12:08 dev-mapper-luks\x2d87bb7de6\x2d9fd5\x2d4079\x2dbb44\x2d917128260e11.device.requires
drwxr-xr-x. 2 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0   60 Jun 13 12:08 dev-mapper-luks\x2ddd20b63c\x2d9072\x2d4930\x2dacbb\x2d57f70520e5a4.device.d
drwxr-xr-x. 2 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0   60 Jun 13 12:08 dev-mapper-luks\x2ddd20b63c\x2d9072\x2d4930\x2dacbb\x2d57f70520e5a4.device.requires
drwxr-xr-x. 2 system_u:object_r:systemd_fstab_generator_unit_file_t:s0        60 Jun 13 12:08 dev-mapper-luks\x2df5947f00\x2db37e\x2d4076\x2da260\x2d5b0fa26c23cd.device.d
drwxr-xr-x. 2 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0   60 Jun 13 12:08 dev-mapper-luks\x2df5947f00\x2db37e\x2d4076\x2da260\x2d5b0fa26c23cd.device.requires
-rw-r--r--. 1 system_u:object_r:systemd_zram_generator_unit_file_t:s0        326 Jun 13 12:08 dev-zram0.swap
-rw-r--r--. 1 system_u:object_r:systemd_fstab_generator_unit_file_t:s0       342 Jun 13 12:08 dlz.mount
-rw-r--r--. 1 system_u:object_r:systemd_fstab_generator_unit_file_t:s0       377 Jun 13 12:08 ext4usb.mount
-rw-r--r--. 1 system_u:object_r:systemd_fstab_generator_unit_file_t:s0       396 Jun 13 12:08 home.mount
drwxr-xr-x. 2 system_u:object_r:systemd_fstab_generator_unit_file_t:s0       140 Jun 13 12:08 local-fs.target.requires
drwxr-xr-x. 2 system_u:object_r:systemd_fstab_generator_unit_file_t:s0       160 Jun 13 12:08 local-fs.target.wants
-rw-r--r--. 1 system_u:object_r:systemd_fstab_generator_unit_file_t:s0       379 Jun 13 12:08 -.mount
-rw-r--r--. 1 system_u:object_r:systemd_fstab_generator_unit_file_t:s0       372 Jun 13 12:08 slz.mount
drwxr-xr-x. 2 system_u:object_r:systemd_zram_generator_unit_file_t:s0         60 Jun 13 12:08 swap.target.wants
-rw-r--r--. 1 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 1019 Jun 13 12:08 systemd-cryptsetup@luks\x2d0b30619e\x2deb68\x2d4f6c\x2d8335\x2d16c0b2a50651.service
-rw-r--r--. 1 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 1000 Jun 13 12:08 systemd-cryptsetup@luks\x2d13858275\x2d2ad8\x2d43d4\x2d9307\x2d9f051d93a7c1.service
-rw-r--r--. 1 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 1000 Jun 13 12:08 systemd-cryptsetup@luks\x2d14c65915\x2db870\x2d4c71\x2db53d\x2d6402733cade8.service
-rw-r--r--. 1 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 1000 Jun 13 12:08 systemd-cryptsetup@luks\x2d76e59a4c\x2d00e7\x2d49df\x2d987e\x2d31db374d52f8.service
-rw-r--r--. 1 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 1000 Jun 13 12:08 systemd-cryptsetup@luks\x2d87bb7de6\x2d9fd5\x2d4079\x2dbb44\x2d917128260e11.service
-rw-r--r--. 1 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 1019 Jun 13 12:08 systemd-cryptsetup@luks\x2ddd20b63c\x2d9072\x2d4930\x2dacbb\x2d57f70520e5a4.service
-rw-r--r--. 1 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 1000 Jun 13 12:08 systemd-cryptsetup@luks\x2df5947f00\x2db37e\x2d4076\x2da260\x2d5b0fa26c23cd.service
drwxr-xr-x. 2 system_u:object_r:systemd_zram_generator_unit_file_t:s0         60 Jun 13 12:08 systemd-zram-setup.d
-rw-r--r--. 1 system_u:object_r:systemd_fstab_generator_unit_file_t:s0       381 Jun 13 12:08 var.mount

/run/systemd/generator/cryptsetup.target.requires:
total 0
lrwxrwxrwx. 1 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 86 Jun 13 12:08 systemd-cryptsetup@luks\x2d0b30619e\x2deb68\x2d4f6c\x2d8335\x2d16c0b2a50651.service -> ../systemd-cryptsetup@luks\x2d0b30619e\x2deb68\x2d4f6c\x2d8335\x2d16c0b2a50651.service
lrwxrwxrwx. 1 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 86 Jun 13 12:08 systemd-cryptsetup@luks\x2ddd20b63c\x2d9072\x2d4930\x2dacbb\x2d57f70520e5a4.service -> ../systemd-cryptsetup@luks\x2ddd20b63c\x2d9072\x2d4930\x2dacbb\x2d57f70520e5a4.service

/run/systemd/generator/cryptsetup.target.wants:
total 0
lrwxrwxrwx. 1 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 86 Jun 13 12:08 systemd-cryptsetup@luks\x2d13858275\x2d2ad8\x2d43d4\x2d9307\x2d9f051d93a7c1.service -> ../systemd-cryptsetup@luks\x2d13858275\x2d2ad8\x2d43d4\x2d9307\x2d9f051d93a7c1.service
lrwxrwxrwx. 1 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 86 Jun 13 12:08 systemd-cryptsetup@luks\x2d14c65915\x2db870\x2d4c71\x2db53d\x2d6402733cade8.service -> ../systemd-cryptsetup@luks\x2d14c65915\x2db870\x2d4c71\x2db53d\x2d6402733cade8.service
lrwxrwxrwx. 1 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 86 Jun 13 12:08 systemd-cryptsetup@luks\x2d76e59a4c\x2d00e7\x2d49df\x2d987e\x2d31db374d52f8.service -> ../systemd-cryptsetup@luks\x2d76e59a4c\x2d00e7\x2d49df\x2d987e\x2d31db374d52f8.service
lrwxrwxrwx. 1 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 86 Jun 13 12:08 systemd-cryptsetup@luks\x2d87bb7de6\x2d9fd5\x2d4079\x2dbb44\x2d917128260e11.service -> ../systemd-cryptsetup@luks\x2d87bb7de6\x2d9fd5\x2d4079\x2dbb44\x2d917128260e11.service
lrwxrwxrwx. 1 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 86 Jun 13 12:08 systemd-cryptsetup@luks\x2df5947f00\x2db37e\x2d4076\x2da260\x2d5b0fa26c23cd.service -> ../systemd-cryptsetup@luks\x2df5947f00\x2db37e\x2d4076\x2da260\x2d5b0fa26c23cd.service

/run/systemd/generator/dev-disk-by\x2duuid-13858275\x2d2ad8\x2d43d4\x2d9307\x2d9f051d93a7c1.device.d:
total 4
-rw-r--r--. 1 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 151 Jun 13 12:08 50-device-timeout.conf

/run/systemd/generator/dev-disk-by\x2duuid-14c65915\x2db870\x2d4c71\x2db53d\x2d6402733cade8.device.d:
total 4
-rw-r--r--. 1 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 151 Jun 13 12:08 50-device-timeout.conf

/run/systemd/generator/dev-disk-by\x2duuid-29153454\x2d457c\x2d4bb8\x2dabd6\x2de922c6152b94.device.d:
total 4
-rw-r--r--. 1 system_u:object_r:systemd_fstab_generator_unit_file_t:s0 164 Jun 13 12:08 50-device-timeout.conf

/run/systemd/generator/dev-disk-by\x2duuid-76e59a4c\x2d00e7\x2d49df\x2d987e\x2d31db374d52f8.device.d:
total 4
-rw-r--r--. 1 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 151 Jun 13 12:08 50-device-timeout.conf

/run/systemd/generator/dev-disk-by\x2duuid-87bb7de6\x2d9fd5\x2d4079\x2dbb44\x2d917128260e11.device.d:
total 4
-rw-r--r--. 1 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 151 Jun 13 12:08 50-device-timeout.conf

/run/systemd/generator/dev-disk-by\x2duuid-f5947f00\x2db37e\x2d4076\x2da260\x2d5b0fa26c23cd.device.d:
total 4
-rw-r--r--. 1 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 151 Jun 13 12:08 50-device-timeout.conf

/run/systemd/generator/dev-mapper-luks\x2d0b30619e\x2deb68\x2d4f6c\x2d8335\x2d16c0b2a50651.device.d:
total 4
-rw-r--r--. 1 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 89 Jun 13 12:08 40-device-timeout.conf

/run/systemd/generator/dev-mapper-luks\x2d0b30619e\x2deb68\x2d4f6c\x2d8335\x2d16c0b2a50651.device.requires:
total 0
lrwxrwxrwx. 1 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 86 Jun 13 12:08 systemd-cryptsetup@luks\x2d0b30619e\x2deb68\x2d4f6c\x2d8335\x2d16c0b2a50651.service -> ../systemd-cryptsetup@luks\x2d0b30619e\x2deb68\x2d4f6c\x2d8335\x2d16c0b2a50651.service

/run/systemd/generator/dev-mapper-luks\x2d13858275\x2d2ad8\x2d43d4\x2d9307\x2d9f051d93a7c1.device.d:
total 4
-rw-r--r--. 1 system_u:object_r:systemd_fstab_generator_unit_file_t:s0 184 Jun 13 12:08 50-device-timeout.conf

/run/systemd/generator/dev-mapper-luks\x2d13858275\x2d2ad8\x2d43d4\x2d9307\x2d9f051d93a7c1.device.requires:
total 0
lrwxrwxrwx. 1 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 86 Jun 13 12:08 systemd-cryptsetup@luks\x2d13858275\x2d2ad8\x2d43d4\x2d9307\x2d9f051d93a7c1.service -> ../systemd-cryptsetup@luks\x2d13858275\x2d2ad8\x2d43d4\x2d9307\x2d9f051d93a7c1.service

/run/systemd/generator/dev-mapper-luks\x2d14c65915\x2db870\x2d4c71\x2db53d\x2d6402733cade8.device.d:
total 4
-rw-r--r--. 1 system_u:object_r:systemd_fstab_generator_unit_file_t:s0 184 Jun 13 12:08 50-device-timeout.conf

/run/systemd/generator/dev-mapper-luks\x2d14c65915\x2db870\x2d4c71\x2db53d\x2d6402733cade8.device.requires:
total 0
lrwxrwxrwx. 1 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 86 Jun 13 12:08 systemd-cryptsetup@luks\x2d14c65915\x2db870\x2d4c71\x2db53d\x2d6402733cade8.service -> ../systemd-cryptsetup@luks\x2d14c65915\x2db870\x2d4c71\x2db53d\x2d6402733cade8.service

/run/systemd/generator/dev-mapper-luks\x2d76e59a4c\x2d00e7\x2d49df\x2d987e\x2d31db374d52f8.device.d:
total 4
-rw-r--r--. 1 system_u:object_r:systemd_fstab_generator_unit_file_t:s0 184 Jun 13 12:08 50-device-timeout.conf

/run/systemd/generator/dev-mapper-luks\x2d76e59a4c\x2d00e7\x2d49df\x2d987e\x2d31db374d52f8.device.requires:
total 0
lrwxrwxrwx. 1 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 86 Jun 13 12:08 systemd-cryptsetup@luks\x2d76e59a4c\x2d00e7\x2d49df\x2d987e\x2d31db374d52f8.service -> ../systemd-cryptsetup@luks\x2d76e59a4c\x2d00e7\x2d49df\x2d987e\x2d31db374d52f8.service

/run/systemd/generator/dev-mapper-luks\x2d87bb7de6\x2d9fd5\x2d4079\x2dbb44\x2d917128260e11.device.d:
total 4
-rw-r--r--. 1 system_u:object_r:systemd_fstab_generator_unit_file_t:s0 184 Jun 13 12:08 50-device-timeout.conf

/run/systemd/generator/dev-mapper-luks\x2d87bb7de6\x2d9fd5\x2d4079\x2dbb44\x2d917128260e11.device.requires:
total 0
lrwxrwxrwx. 1 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 86 Jun 13 12:08 systemd-cryptsetup@luks\x2d87bb7de6\x2d9fd5\x2d4079\x2dbb44\x2d917128260e11.service -> ../systemd-cryptsetup@luks\x2d87bb7de6\x2d9fd5\x2d4079\x2dbb44\x2d917128260e11.service

/run/systemd/generator/dev-mapper-luks\x2ddd20b63c\x2d9072\x2d4930\x2dacbb\x2d57f70520e5a4.device.d:
total 4
-rw-r--r--. 1 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 89 Jun 13 12:08 40-device-timeout.conf

/run/systemd/generator/dev-mapper-luks\x2ddd20b63c\x2d9072\x2d4930\x2dacbb\x2d57f70520e5a4.device.requires:
total 0
lrwxrwxrwx. 1 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 86 Jun 13 12:08 systemd-cryptsetup@luks\x2ddd20b63c\x2d9072\x2d4930\x2dacbb\x2d57f70520e5a4.service -> ../systemd-cryptsetup@luks\x2ddd20b63c\x2d9072\x2d4930\x2dacbb\x2d57f70520e5a4.service

/run/systemd/generator/dev-mapper-luks\x2df5947f00\x2db37e\x2d4076\x2da260\x2d5b0fa26c23cd.device.d:
total 4
-rw-r--r--. 1 system_u:object_r:systemd_fstab_generator_unit_file_t:s0 184 Jun 13 12:08 50-device-timeout.conf

/run/systemd/generator/dev-mapper-luks\x2df5947f00\x2db37e\x2d4076\x2da260\x2d5b0fa26c23cd.device.requires:
total 0
lrwxrwxrwx. 1 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 86 Jun 13 12:08 systemd-cryptsetup@luks\x2df5947f00\x2db37e\x2d4076\x2da260\x2d5b0fa26c23cd.service -> ../systemd-cryptsetup@luks\x2df5947f00\x2db37e\x2d4076\x2da260\x2d5b0fa26c23cd.service

/run/systemd/generator/local-fs.target.requires:
total 0
lrwxrwxrwx. 1 system_u:object_r:systemd_fstab_generator_unit_file_t:s0 17 Jun 13 12:08 boot-efi.mount -> ../boot-efi.mount
lrwxrwxrwx. 1 system_u:object_r:systemd_fstab_generator_unit_file_t:s0 13 Jun 13 12:08 boot.mount -> ../boot.mount
lrwxrwxrwx. 1 system_u:object_r:systemd_fstab_generator_unit_file_t:s0 13 Jun 13 12:08 home.mount -> ../home.mount
lrwxrwxrwx. 1 system_u:object_r:systemd_fstab_generator_unit_file_t:s0 10 Jun 13 12:08 -.mount -> ../-.mount
lrwxrwxrwx. 1 system_u:object_r:systemd_fstab_generator_unit_file_t:s0 12 Jun 13 12:08 var.mount -> ../var.mount

/run/systemd/generator/local-fs.target.wants:
total 0
lrwxrwxrwx. 1 system_u:object_r:systemd_fstab_generator_unit_file_t:s0 12 Jun 13 12:08 blz.mount -> ../blz.mount
lrwxrwxrwx. 1 system_u:object_r:systemd_fstab_generator_unit_file_t:s0 12 Jun 13 12:08 bu1.mount -> ../bu1.mount
lrwxrwxrwx. 1 system_u:object_r:systemd_fstab_generator_unit_file_t:s0 12 Jun 13 12:08 bu2.mount -> ../bu2.mount
lrwxrwxrwx. 1 system_u:object_r:systemd_fstab_generator_unit_file_t:s0 16 Jun 13 12:08 ext4usb.mount -> ../ext4usb.mount
lrwxrwxrwx. 1 system_u:object_r:systemd_fstab_generator_unit_file_t:s0 12 Jun 13 12:08 slz.mount -> ../slz.mount
lrwxrwxrwx. 1 system_u:object_r:systemd_fstab_generator_unit_file_t:s0 50 Jun 13 12:08 systemd-remount-fs.service -> /usr/lib/systemd/system/systemd-remount-fs.service

/run/systemd/generator/swap.target.wants:
total 0
lrwxrwxrwx. 1 system_u:object_r:systemd_zram_generator_unit_file_t:s0 17 Jun 13 12:08 dev-zram0.swap -> ../dev-zram0.swap

/run/systemd/generator/systemd-zram-setup.d:
total 4
-rw-r--r--. 1 system_u:object_r:systemd_zram_generator_unit_file_t:s0 107 Jun 13 12:08 bindings.conf
```



ls -goRZ /run/systemd/generator /run/systemd/cryptsetup 2> /home/user/Desktop/file2
```
ls: cannot access '/run/systemd/cryptsetup': No such file or directory
```



ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today > /home/user/Desktop/file3 # after systemctl daemon-reload; without workaround; user account is confined sysadm_u , x bool of sysadm_u enabled
```
----
type=AVC msg=audit(06/13/2024 00:41:32.762:741) : avc:  denied  { read write } for  pid=39858 comm=plymouthd name=event3 dev="devtmpfs" ino=215 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 00:41:32.763:742) : avc:  denied  { read write } for  pid=39858 comm=plymouthd name=event8 dev="devtmpfs" ino=502 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 00:41:32.763:743) : avc:  denied  { read write } for  pid=39858 comm=plymouthd name=event0 dev="devtmpfs" ino=212 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 00:41:32.764:744) : avc:  denied  { read write } for  pid=39858 comm=plymouthd name=event1 dev="devtmpfs" ino=213 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 00:41:32.765:745) : avc:  denied  { read write } for  pid=39858 comm=plymouthd name=event2 dev="devtmpfs" ino=214 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 00:41:32.765:746) : avc:  denied  { read write } for  pid=39858 comm=plymouthd name=event13 dev="devtmpfs" ino=1029 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 00:41:32.766:747) : avc:  denied  { read write } for  pid=39858 comm=plymouthd name=event14 dev="devtmpfs" ino=1030 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 00:41:32.766:748) : avc:  denied  { read write } for  pid=39858 comm=plymouthd name=event15 dev="devtmpfs" ino=1031 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 00:41:32.768:749) : avc:  denied  { read write } for  pid=39858 comm=plymouthd name=event6 dev="devtmpfs" ino=1126 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 00:41:32.768:750) : avc:  denied  { read write } for  pid=39858 comm=plymouthd name=event18 dev="devtmpfs" ino=1128 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 00:41:32.769:751) : avc:  denied  { read write } for  pid=39858 comm=plymouthd name=event16 dev="devtmpfs" ino=1049 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 00:41:32.769:752) : avc:  denied  { read write } for  pid=39858 comm=plymouthd name=event17 dev="devtmpfs" ino=1050 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 00:41:32.772:753) : avc:  denied  { read write } for  pid=39858 comm=plymouthd name=event9 dev="devtmpfs" ino=556 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 00:41:32.773:754) : avc:  denied  { read write } for  pid=39858 comm=plymouthd name=event10 dev="devtmpfs" ino=558 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 00:41:32.773:755) : avc:  denied  { read write } for  pid=39858 comm=plymouthd name=event4 dev="devtmpfs" ino=219 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 00:41:32.774:756) : avc:  denied  { read write } for  pid=39858 comm=plymouthd name=event7 dev="devtmpfs" ino=251 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 00:41:32.774:757) : avc:  denied  { read write } for  pid=39858 comm=plymouthd name=event11 dev="devtmpfs" ino=911 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 00:41:32.774:758) : avc:  denied  { read write } for  pid=39858 comm=plymouthd name=event12 dev="devtmpfs" ino=932 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 00:41:40.875:766) : avc:  denied  { read write } for  pid=39858 comm=plymouthd name=event3 dev="devtmpfs" ino=215 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 00:41:40.876:767) : avc:  denied  { read write } for  pid=39858 comm=plymouthd name=event8 dev="devtmpfs" ino=502 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 00:41:40.876:768) : avc:  denied  { read write } for  pid=39858 comm=plymouthd name=event0 dev="devtmpfs" ino=212 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 00:41:40.877:769) : avc:  denied  { read write } for  pid=39858 comm=plymouthd name=event1 dev="devtmpfs" ino=213 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 00:42:54.111:153) : avc:  denied  { watch } for  pid=2292 comm=systemd path=/var dev="dm-1" ino=256 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0 
----
type=SELINUX_ERR msg=audit(06/13/2024 00:42:54.555:156) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_dbusd_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 00:42:55.289:161) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 00:42:56.044:162) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_dbusd_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 00:42:56.045:163) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_dbusd_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 00:42:56.046:164) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 00:42:56.046:165) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 00:42:56.166:166) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_dbusd_t:s0-s0:c0.c1023 
----
type=AVC msg=audit(06/13/2024 00:43:03.702:185) : avc:  denied  { setsched } for  pid=1959 comm=rtkit-daemon scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(06/13/2024 00:43:03.720:186) : avc:  denied  { setsched } for  pid=1959 comm=rtkit-daemon scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(06/13/2024 00:43:03.737:187) : avc:  denied  { setsched } for  pid=1959 comm=rtkit-daemon scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(06/13/2024 00:43:03.755:188) : avc:  denied  { setsched } for  pid=1959 comm=rtkit-daemon scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(06/13/2024 00:43:03.770:189) : avc:  denied  { setsched } for  pid=1959 comm=rtkit-daemon scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(06/13/2024 00:43:03.920:190) : avc:  denied  { read } for  pid=2724 comm=wireplumber name=video0 dev="devtmpfs" ino=1001 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 00:43:03.920:191) : avc:  denied  { read } for  pid=2724 comm=wireplumber name=video1 dev="devtmpfs" ino=1002 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 00:43:03.920:192) : avc:  denied  { read } for  pid=2724 comm=wireplumber name=video2 dev="devtmpfs" ino=1005 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 00:43:03.920:193) : avc:  denied  { read } for  pid=2724 comm=wireplumber name=video3 dev="devtmpfs" ino=1006 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 00:45:22.152:243) : avc:  denied  { write } for  pid=4541 comm=thunderbird name=urandom dev="devtmpfs" ino=9 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 00:45:24.623:248) : avc:  denied  { setsched } for  pid=1959 comm=rtkit-daemon scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(06/13/2024 01:38:53.787:267) : avc:  denied  { write } for  pid=6802 comm=thunderbird name=urandom dev="devtmpfs" ino=9 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=0 
----
type=USER_AVC msg=audit(06/13/2024 01:53:05.900:278) : pid=1949 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:fprintd_t:s0 tclass=dbus permissive=0 exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?' 
----
type=AVC msg=audit(06/13/2024 02:13:28.624:284) : avc:  denied  { setsched } for  pid=1959 comm=rtkit-daemon scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(06/13/2024 02:41:23.916:289) : avc:  denied  { setsched } for  pid=1959 comm=rtkit-daemon scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(06/13/2024 02:44:11.539:294) : avc:  denied  { write } for  pid=10362 comm=thunderbird name=urandom dev="devtmpfs" ino=9 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 02:54:03.318:366) : avc:  denied  { create } for  pid=12252 comm=systemd-fstab-g name=.#50-device-timeout.conf63cad619fcfacd48 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=0 
----
type=AVC msg=audit(06/13/2024 02:54:22.685:516) : avc:  denied  { read write } for  pid=12724 comm=plymouthd name=event3 dev="devtmpfs" ino=215 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 02:54:22.685:517) : avc:  denied  { read write } for  pid=12724 comm=plymouthd name=event8 dev="devtmpfs" ino=491 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 02:54:22.685:518) : avc:  denied  { read write } for  pid=12724 comm=plymouthd name=event0 dev="devtmpfs" ino=212 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 02:54:22.686:519) : avc:  denied  { read write } for  pid=12724 comm=plymouthd name=event1 dev="devtmpfs" ino=213 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 02:54:22.686:520) : avc:  denied  { read write } for  pid=12724 comm=plymouthd name=event2 dev="devtmpfs" ino=214 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 02:54:22.686:521) : avc:  denied  { read write } for  pid=12724 comm=plymouthd name=event12 dev="devtmpfs" ino=1033 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 02:54:22.687:523) : avc:  denied  { read write } for  pid=12724 comm=plymouthd name=event13 dev="devtmpfs" ino=1034 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 02:54:22.687:524) : avc:  denied  { read write } for  pid=12724 comm=plymouthd name=event14 dev="devtmpfs" ino=1035 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 02:54:22.687:525) : avc:  denied  { read write } for  pid=12724 comm=plymouthd name=event5 dev="devtmpfs" ino=243 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 02:54:22.688:526) : avc:  denied  { read write } for  pid=12724 comm=plymouthd name=event6 dev="devtmpfs" ino=246 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 02:54:22.689:527) : avc:  denied  { read write } for  pid=12724 comm=plymouthd name=event16 dev="devtmpfs" ino=1051 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 02:54:22.689:528) : avc:  denied  { read write } for  pid=12724 comm=plymouthd name=event17 dev="devtmpfs" ino=1052 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 02:54:22.689:529) : avc:  denied  { read write } for  pid=12724 comm=plymouthd name=event9 dev="devtmpfs" ino=558 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 02:54:22.690:531) : avc:  denied  { read write } for  pid=12724 comm=plymouthd name=event10 dev="devtmpfs" ino=560 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 02:54:22.690:532) : avc:  denied  { read write } for  pid=12724 comm=plymouthd name=event4 dev="devtmpfs" ino=219 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 02:54:22.691:533) : avc:  denied  { read write } for  pid=12724 comm=plymouthd name=event7 dev="devtmpfs" ino=251 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 02:54:22.691:534) : avc:  denied  { read write } for  pid=12724 comm=plymouthd name=event11 dev="devtmpfs" ino=900 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 02:54:22.691:535) : avc:  denied  { read write } for  pid=12724 comm=plymouthd name=event15 dev="devtmpfs" ino=1046 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 11:59:55.325:152) : avc:  denied  { watch } for  pid=2318 comm=systemd path=/var dev="dm-1" ino=256 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0 
----
type=SELINUX_ERR msg=audit(06/13/2024 11:59:55.789:155) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_dbusd_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 11:59:56.495:160) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 11:59:57.276:161) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_dbusd_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 11:59:57.277:162) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_dbusd_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 11:59:57.277:163) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 11:59:57.278:164) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 11:59:57.380:165) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_dbusd_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:00:27.808:179) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:00:27.809:180) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:00:57.801:181) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:00:57.801:182) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:01:27.811:183) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:01:27.812:184) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:01:57.783:187) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:01:57.784:188) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:02:27.810:189) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:02:27.811:190) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:02:57.810:191) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:02:57.811:192) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:03:27.810:193) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:03:27.811:194) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=AVC msg=audit(06/13/2024 12:03:47.498:218) : avc:  denied  { setsched } for  pid=1982 comm=rtkit-daemon scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(06/13/2024 12:03:47.514:219) : avc:  denied  { setsched } for  pid=1982 comm=rtkit-daemon scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(06/13/2024 12:03:47.528:220) : avc:  denied  { setsched } for  pid=1982 comm=rtkit-daemon scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(06/13/2024 12:03:47.543:221) : avc:  denied  { setsched } for  pid=1982 comm=rtkit-daemon scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(06/13/2024 12:03:47.556:222) : avc:  denied  { setsched } for  pid=1982 comm=rtkit-daemon scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(06/13/2024 12:03:47.723:223) : avc:  denied  { read } for  pid=2820 comm=wireplumber name=video0 dev="devtmpfs" ino=1000 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 12:03:47.723:224) : avc:  denied  { read } for  pid=2820 comm=wireplumber name=video1 dev="devtmpfs" ino=1001 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 12:03:47.723:225) : avc:  denied  { read } for  pid=2820 comm=wireplumber name=video2 dev="devtmpfs" ino=1003 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 12:03:47.723:226) : avc:  denied  { read } for  pid=2820 comm=wireplumber name=video3 dev="devtmpfs" ino=1004 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 12:07:49.714:345) : avc:  denied  { read write } for  pid=5093 comm=plymouthd name=event3 dev="devtmpfs" ino=215 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 12:07:49.714:346) : avc:  denied  { read write } for  pid=5093 comm=plymouthd name=event8 dev="devtmpfs" ino=497 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 12:07:49.715:347) : avc:  denied  { read write } for  pid=5093 comm=plymouthd name=event0 dev="devtmpfs" ino=212 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 12:07:49.715:348) : avc:  denied  { read write } for  pid=5093 comm=plymouthd name=event1 dev="devtmpfs" ino=213 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 12:07:49.716:349) : avc:  denied  { read write } for  pid=5093 comm=plymouthd name=event2 dev="devtmpfs" ino=214 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 12:07:49.716:350) : avc:  denied  { read write } for  pid=5093 comm=plymouthd name=event13 dev="devtmpfs" ino=1033 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 12:07:49.716:351) : avc:  denied  { read write } for  pid=5093 comm=plymouthd name=event14 dev="devtmpfs" ino=1034 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 12:07:49.717:352) : avc:  denied  { read write } for  pid=5093 comm=plymouthd name=event15 dev="devtmpfs" ino=1035 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 12:07:49.717:353) : avc:  denied  { read write } for  pid=5093 comm=plymouthd name=event5 dev="devtmpfs" ino=243 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 12:07:49.718:354) : avc:  denied  { read write } for  pid=5093 comm=plymouthd name=event6 dev="devtmpfs" ino=246 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 12:07:49.718:355) : avc:  denied  { read write } for  pid=5093 comm=plymouthd name=event16 dev="devtmpfs" ino=1052 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 12:07:49.719:356) : avc:  denied  { read write } for  pid=5093 comm=plymouthd name=event17 dev="devtmpfs" ino=1055 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 12:07:49.719:357) : avc:  denied  { read write } for  pid=5093 comm=plymouthd name=event9 dev="devtmpfs" ino=555 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 12:07:49.720:358) : avc:  denied  { read write } for  pid=5093 comm=plymouthd name=event10 dev="devtmpfs" ino=557 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 12:07:49.720:359) : avc:  denied  { read write } for  pid=5093 comm=plymouthd name=event4 dev="devtmpfs" ino=219 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 12:07:49.721:360) : avc:  denied  { read write } for  pid=5093 comm=plymouthd name=event7 dev="devtmpfs" ino=250 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 12:07:49.721:361) : avc:  denied  { read write } for  pid=5093 comm=plymouthd name=event11 dev="devtmpfs" ino=922 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 12:07:49.721:362) : avc:  denied  { read write } for  pid=5093 comm=plymouthd name=event12 dev="devtmpfs" ino=1006 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 12:08:56.453:158) : avc:  denied  { watch } for  pid=2301 comm=systemd path=/var dev="dm-1" ino=256 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:08:56.895:161) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_dbusd_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:08:57.599:166) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:08:57.824:167) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_dbusd_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:08:57.824:168) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:08:57.825:169) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:08:57.828:170) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_dbusd_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:08:57.946:171) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_dbusd_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:09:27.834:229) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:09:27.835:230) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:09:57.816:237) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:09:57.817:238) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:10:27.835:239) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:10:27.836:240) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:10:57.835:243) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:10:57.836:244) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:11:27.835:245) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:11:27.836:246) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:11:57.835:247) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:11:57.836:248) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:12:27.835:249) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:12:27.836:250) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:12:57.836:251) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:12:57.837:252) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:13:27.836:253) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:13:27.836:254) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:13:57.836:255) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:13:57.837:256) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:14:27.837:257) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:14:27.837:258) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:14:57.827:259) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:14:57.828:260) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:15:27.836:261) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/13/2024 12:15:27.837:262) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=AVC msg=audit(06/13/2024 12:15:52.565:290) : avc:  denied  { setsched } for  pid=1968 comm=rtkit-daemon scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(06/13/2024 12:15:52.580:291) : avc:  denied  { setsched } for  pid=1968 comm=rtkit-daemon scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(06/13/2024 12:15:52.596:292) : avc:  denied  { setsched } for  pid=1968 comm=rtkit-daemon scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(06/13/2024 12:15:52.612:293) : avc:  denied  { setsched } for  pid=1968 comm=rtkit-daemon scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(06/13/2024 12:15:52.629:294) : avc:  denied  { setsched } for  pid=1968 comm=rtkit-daemon scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(06/13/2024 12:15:52.780:295) : avc:  denied  { read } for  pid=3095 comm=wireplumber name=video0 dev="devtmpfs" ino=999 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 12:15:52.780:296) : avc:  denied  { read } for  pid=3095 comm=wireplumber name=video1 dev="devtmpfs" ino=1000 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 12:15:52.780:297) : avc:  denied  { read } for  pid=3095 comm=wireplumber name=video2 dev="devtmpfs" ino=1002 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 12:15:52.780:298) : avc:  denied  { read } for  pid=3095 comm=wireplumber name=video3 dev="devtmpfs" ino=1003 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 12:17:07.057:355) : avc:  denied  { write } for  pid=5643 comm=thunderbird name=urandom dev="devtmpfs" ino=9 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 12:17:41.084:360) : avc:  denied  { write } for  pid=5891 comm=thunderbird name=urandom dev="devtmpfs" ino=9 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 12:28:22.353:376) : avc:  denied  { setsched } for  pid=1968 comm=rtkit-daemon scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(06/13/2024 12:48:48.094:389) : avc:  denied  { write } for  pid=11934 comm=thunderbird name=urandom dev="devtmpfs" ino=9 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=0 
----
type=USER_AVC msg=audit(06/13/2024 13:06:12.561:399) : pid=1958 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:fprintd_t:s0 tclass=dbus permissive=0 exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(06/13/2024 14:54:30.267:437) : pid=1958 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:fprintd_t:s0 tclass=dbus permissive=0 exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?' 
----
type=AVC msg=audit(06/13/2024 15:13:41.210:512) : avc:  denied  { write } for  pid=27656 comm=thunderbird name=urandom dev="devtmpfs" ino=9 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(06/13/2024 15:14:15.835:521) : avc:  denied  { setsched } for  pid=1968 comm=rtkit-daemon scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(06/13/2024 15:36:09.761:532) : avc:  denied  { create } for  pid=37714 comm=systemd-fstab-g name=.#50-device-timeout.confcde2d7f1d601de17 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=0 
```



journalctl -b -g avc:..denied > /home/user/Desktop/file4 # after systemctl daemon-reload; without workaround;
```
Jun 13 12:08:45 fedora kernel: audit: type=1400 audit(1718273325.501:7): avc:  denied  { create } for  pid=1575 comm="systemd-fstab-g" name=".#50-device-timeout.conf192e76e961483b00" scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=0
Jun 13 12:08:56 fedora audit[2301]: AVC avc:  denied  { watch } for  pid=2301 comm="systemd" path="/var" dev="dm-1" ino=256 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
Jun 13 12:15:52 fedora audit[1968]: AVC avc:  denied  { setsched } for  pid=1968 comm="rtkit-daemon" scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0
Jun 13 12:15:52 fedora audit[1968]: AVC avc:  denied  { setsched } for  pid=1968 comm="rtkit-daemon" scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0
Jun 13 12:15:52 fedora audit[1968]: AVC avc:  denied  { setsched } for  pid=1968 comm="rtkit-daemon" scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0
Jun 13 12:15:52 fedora audit[1968]: AVC avc:  denied  { setsched } for  pid=1968 comm="rtkit-daemon" scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0
Jun 13 12:15:52 fedora audit[1968]: AVC avc:  denied  { setsched } for  pid=1968 comm="rtkit-daemon" scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0
Jun 13 12:15:52 fedora audit[3095]: AVC avc:  denied  { read } for  pid=3095 comm="wireplumber" name="video0" dev="devtmpfs" ino=999 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file permissive=0
Jun 13 12:15:52 fedora audit[3095]: AVC avc:  denied  { read } for  pid=3095 comm="wireplumber" name="video1" dev="devtmpfs" ino=1000 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file permissive=0
Jun 13 12:15:52 fedora audit[3095]: AVC avc:  denied  { read } for  pid=3095 comm="wireplumber" name="video2" dev="devtmpfs" ino=1002 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file permissive=0
Jun 13 12:15:52 fedora audit[3095]: AVC avc:  denied  { read } for  pid=3095 comm="wireplumber" name="video3" dev="devtmpfs" ino=1003 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file permissive=0
Jun 13 12:17:07 fedora audit[5643]: AVC avc:  denied  { write } for  pid=5643 comm="thunderbird" name="urandom" dev="devtmpfs" ino=9 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=0
Jun 13 12:17:41 fedora audit[5891]: AVC avc:  denied  { write } for  pid=5891 comm="thunderbird" name="urandom" dev="devtmpfs" ino=9 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=0
Jun 13 12:28:22 fedora audit[1968]: AVC avc:  denied  { setsched } for  pid=1968 comm="rtkit-daemon" scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0
Jun 13 12:48:48 fedora audit[11934]: AVC avc:  denied  { write } for  pid=11934 comm="thunderbird" name="urandom" dev="devtmpfs" ino=9 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=0
Jun 13 13:06:12 fedora audit[1958]: USER_AVC pid=1958 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:fprintd_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
Jun 13 14:54:30 fedora audit[1958]: USER_AVC pid=1958 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:fprintd_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
Jun 13 15:13:41 fedora audit[27656]: AVC avc:  denied  { write } for  pid=27656 comm="thunderbird" name="urandom" dev="devtmpfs" ino=9 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=0
Jun 13 15:14:15 fedora audit[1968]: AVC avc:  denied  { setsched } for  pid=1968 comm="rtkit-daemon" scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0
Jun 13 15:36:09 fedora audit[37714]: AVC avc:  denied  { create } for  pid=37714 comm="systemd-fstab-g" name=".#50-device-timeout.confcde2d7f1d601de17" scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=0
```

Concerning workaround, I'm fine for now, I can mount /dlz manually for the time being.

Let me know if I shall test a build or provide further information.

Comment 4 Byron Clark 2024-06-14 03:56:18 UTC
I'm seeing the same error on a slightly simpler system. There's a single luks volume containing a btrfs filesystem with subvolumes for root and home. This is probably the default from when I installed the system a few versions ago.

After the upgrade to I see these errors in the journal and /home fails to mount:

```
Jun 13 08:23:07 castilla kernel: audit: type=1400 audit(1718288587.059:7): avc:  denied  { create } for  pid=1199 comm="systemd-fstab-g" name=".#50-device-timeout.conf82f054abba55a2ff" scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=0
Jun 13 08:23:07 castilla kernel: audit: type=1400 audit(1718288587.065:8): avc:  denied  { create } for  pid=1199 comm="systemd-fstab-g" name=".#50-device-timeout.conff4830c6685c9ab7c" scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=0
Jun 13 08:23:07 castilla kernel: zram: Added device: zram0
Jun 13 08:23:07 castilla (sd-exec-[1187]: /usr/lib/systemd/system-generators/systemd-fstab-generator failed with exit status 1.
```

I can mount /home manually by logging in on a console and running `sudo mount /home`.

After applying the workaround from this bug and rebooting, /home mounts successfully during boot and the /run/systemd/generator directory is fully populated.

> ls -goRZ /run/systemd/generator
```
/run/systemd/generator:
total 24
-rw-r--r--. 1 system_u:object_r:systemd_fstab_generator_unit_file_t:s0       445 Jun 13 21:42 boot-efi.mount
-rw-r--r--. 1 system_u:object_r:systemd_fstab_generator_unit_file_t:s0       541 Jun 13 21:42 boot.mount
drwxr-xr-x. 2 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0   60 Jun 13 21:42 cryptsetup.target.requires
drwxr-xr-x. 2 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0   80 Jun 13 21:42 dev-mapper-luks\x2d7bede7ab\x2d275b\x2d4fb1\x2d93ca\x2dcc16835eafe7.device.d
drwxr-xr-x. 2 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0   60 Jun 13 21:42 dev-mapper-luks\x2d7bede7ab\x2d275b\x2d4fb1\x2d93ca\x2dcc16835eafe7.device.requires
-rw-r--r--. 1 system_u:object_r:systemd_zram_generator_unit_file_t:s0        326 Jun 13 21:42 dev-zram0.swap
-rw-r--r--. 1 system_u:object_r:systemd_fstab_generator_unit_file_t:s0       381 Jun 13 21:42 home.mount
drwxr-xr-x. 2 system_u:object_r:systemd_fstab_generator_unit_file_t:s0       120 Jun 13 21:42 local-fs.target.requires
drwxr-xr-x. 2 system_u:object_r:systemd_fstab_generator_unit_file_t:s0        60 Jun 13 21:42 local-fs.target.wants
-rw-r--r--. 1 system_u:object_r:systemd_fstab_generator_unit_file_t:s0       377 Jun 13 21:42 -.mount
drwxr-xr-x. 2 system_u:object_r:systemd_zram_generator_unit_file_t:s0         60 Jun 13 21:42 swap.target.wants
-rw-r--r--. 1 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 1026 Jun 13 21:42 systemd-cryptsetup@luks\x2d7bede7ab\x2d275b\x2d4fb1\x2d93ca\x2dcc16835eafe7.service
drwxr-xr-x. 2 system_u:object_r:systemd_zram_generator_unit_file_t:s0         60 Jun 13 21:42 systemd-zram-setup.d

/run/systemd/generator/cryptsetup.target.requires:
total 0
lrwxrwxrwx. 1 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 86 Jun 13 21:42 systemd-cryptsetup@luks\x2d7bede7ab\x2d275b\x2d4fb1\x2d93ca\x2dcc16835eafe7.service -> ../systemd-cryptsetup@luks\x2d7bede7ab\x2d275b\x2d4fb1\x2d93ca\x2dcc16835eafe7.service

/run/systemd/generator/dev-mapper-luks\x2d7bede7ab\x2d275b\x2d4fb1\x2d93ca\x2dcc16835eafe7.device.d:
total 8
-rw-r--r--. 1 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0  89 Jun 13 21:42 40-device-timeout.conf
-rw-r--r--. 1 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 165 Jun 13 21:42 50-device-timeout.conf

/run/systemd/generator/dev-mapper-luks\x2d7bede7ab\x2d275b\x2d4fb1\x2d93ca\x2dcc16835eafe7.device.requires:
total 0
lrwxrwxrwx. 1 system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 86 Jun 13 21:42 systemd-cryptsetup@luks\x2d7bede7ab\x2d275b\x2d4fb1\x2d93ca\x2dcc16835eafe7.service -> ../systemd-cryptsetup@luks\x2d7bede7ab\x2d275b\x2d4fb1\x2d93ca\x2dcc16835eafe7.service

/run/systemd/generator/local-fs.target.requires:
total 0
lrwxrwxrwx. 1 system_u:object_r:systemd_fstab_generator_unit_file_t:s0 17 Jun 13 21:42 boot-efi.mount -> ../boot-efi.mount
lrwxrwxrwx. 1 system_u:object_r:systemd_fstab_generator_unit_file_t:s0 13 Jun 13 21:42 boot.mount -> ../boot.mount
lrwxrwxrwx. 1 system_u:object_r:systemd_fstab_generator_unit_file_t:s0 13 Jun 13 21:42 home.mount -> ../home.mount
lrwxrwxrwx. 1 system_u:object_r:systemd_fstab_generator_unit_file_t:s0 10 Jun 13 21:42 -.mount -> ../-.mount

/run/systemd/generator/local-fs.target.wants:
total 0
lrwxrwxrwx. 1 system_u:object_r:systemd_fstab_generator_unit_file_t:s0 50 Jun 13 21:42 systemd-remount-fs.service -> /usr/lib/systemd/system/systemd-remount-fs.service

/run/systemd/generator/swap.target.wants:
total 0
lrwxrwxrwx. 1 system_u:object_r:systemd_zram_generator_unit_file_t:s0 17 Jun 13 21:42 dev-zram0.swap -> ../dev-zram0.swap

/run/systemd/generator/systemd-zram-setup.d:
total 4
-rw-r--r--. 1 system_u:object_r:systemd_zram_generator_unit_file_t:s0 107 Jun 13 21:42 bindings.conf
```

> journalctl -b -g avc:..denied
```
Jun 13 21:42:09 castilla kernel: audit: type=1400 audit(1718336529.672:7): avc:  denied  { create } for  pid=1056 comm="systemd-fstab-g" name=".#50-device-timeout.confd5ea7bb620a2e109" scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=1
Jun 13 21:42:09 castilla kernel: audit: type=1400 audit(1718336529.672:8): avc:  denied  { read write open } for  pid=1056 comm="systemd-fstab-g" path="/run/systemd/generator/dev-mapper-luks\x2d7bede7ab\x2d275b\x2d4fb1\x2d93ca\x2dcc16835eafe7.device.d/.#50-device-timeout.confd5ea7bb620a2e109" dev="tmpfs" ino=763 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=1
Jun 13 21:42:09 castilla kernel: audit: type=1400 audit(1718336529.672:9): avc:  denied  { getattr } for  pid=1056 comm="systemd-fstab-g" path="/run/systemd/generator/dev-mapper-luks\x2d7bede7ab\x2d275b\x2d4fb1\x2d93ca\x2dcc16835eafe7.device.d/.#50-device-timeout.confd5ea7bb620a2e109" dev="tmpfs" ino=763 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=1
Jun 13 21:42:09 castilla kernel: audit: type=1400 audit(1718336529.672:10): avc:  denied  { setattr } for  pid=1056 comm="systemd-fstab-g" name=".#50-device-timeout.confd5ea7bb620a2e109" dev="tmpfs" ino=763 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=1
Jun 13 21:42:09 castilla kernel: audit: type=1400 audit(1718336529.673:11): avc:  denied  { remove_name } for  pid=1056 comm="systemd-fstab-g" name=".#50-device-timeout.confd5ea7bb620a2e109" dev="tmpfs" ino=763 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=dir permissive=1
Jun 13 21:42:09 castilla kernel: audit: type=1400 audit(1718336529.673:12): avc:  denied  { rename } for  pid=1056 comm="systemd-fstab-g" name=".#50-device-timeout.confd5ea7bb620a2e109" dev="tmpfs" ino=763 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=1
Jun 13 21:42:09 castilla kernel: audit: type=1400 audit(1718336529.683:13): avc:  denied  { create } for  pid=1056 comm="systemd-fstab-g" name=".#50-device-timeout.confadba44a09d25ca90" scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=1
Jun 13 21:42:09 castilla kernel: audit: type=1400 audit(1718336529.683:14): avc:  denied  { read write open } for  pid=1056 comm="systemd-fstab-g" path="/run/systemd/generator/dev-mapper-luks\x2d7bede7ab\x2d275b\x2d4fb1\x2d93ca\x2dcc16835eafe7.device.d/.#50-device-timeout.confadba44a09d25ca90" dev="tmpfs" ino=771 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=1
```

Comment 5 fredg_@_bdx 2024-06-15 15:40:48 UTC
I'm seeing the same error too. Cannot mount 2 disks (ext4/luks) which are defined in `/etc/fstab`. Drives can be mounted after booting using the `mount` command.

Comment 6 Zdenek Pytela 2024-06-17 15:54:38 UTC
*** Bug 2292647 has been marked as a duplicate of this bug. ***

Comment 7 Zdenek Pytela 2024-06-17 15:57:07 UTC
*** Bug 2292628 has been marked as a duplicate of this bug. ***

Comment 8 Zdenek Pytela 2024-06-17 16:00:07 UTC
*** Bug 2292663 has been marked as a duplicate of this bug. ***

Comment 9 Zdenek Pytela 2024-06-17 16:01:26 UTC
*** Bug 2292481 has been marked as a duplicate of this bug. ***

Comment 10 Christopher Klooz 2024-06-19 20:14:04 UTC
We have at least one more user in ask.fedora who has related issues.

It is not clear when they installed selinux-policy-40.22-1.fc40 since Plasma Discover seems to not create logs, at least none I know.

However, their journals document "comm=systemd-fstab-g" denials that begin on 16.6.24, which could fit selinux-policy-40.22-1.fc40.

Here is a `sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today` of boot 70ba599b8d424450ba1ed372050f29cc ( https://pastebin.com/KbMce20q ), which is a boot that is also contained in `journalctl -g avc:..denied --since "2024-06-18 00:01:00"` ( https://pastebin.com/rzALWMgk ).

The systemd-fstab-g issue seems to not cause issues itself for this user, except the entries in the log.

They also document issues with Chrome, which are described by the user in two comments:
> For the past few days, I’ve been experiencing issues with SELinux, first with Chrome, then with some mount points.
> Chrome is installed via Flatpak by Flathub. Previously I have never seen these Selinux messages.
> As for Chrome, I had to reset the user configuration in “/home/user/.var/…” Chrome seems to work fine after the reset.

Later:
>  As for Chrome, just ago I found, again, problems, with error in viewing any page. When it happens, I also get a notification of the USER AGENT FEDORA that crashes. Restarted Chrome, and now it seems to be working again.

Source: https://discussion.fedoraproject.org/t/repeated-security-messages-from-selinux/120424/15

Comment 11 Zdenek Pytela 2024-06-20 18:39:57 UTC
I believe this is fixed in selinux-policy-40.23-1.fc40, but there still might be some scenarios which are not covered yet.

Comment 12 Christopher Klooz 2024-06-21 10:14:39 UTC
We'll check & post. Thanks!

Comment 13 Christopher Klooz 2024-06-21 11:25:15 UTC
Unfortunately, 40.23-1.fc40 does not solve my issue. The issue's behavior is unchanged, also the denial.

-----

journal extract from the first boot that started with 40.23-1.fc40:

journalctl --boot=0
```
...
Jun 21 13:06:40 fedora kernel: audit: type=1404 audit(1718967999.169:5): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=selinux res=1
Jun 21 13:06:40 fedora kernel: SELinux:  policy capability network_peer_controls=1
Jun 21 13:06:40 fedora kernel: SELinux:  policy capability open_perms=1
Jun 21 13:06:40 fedora kernel: SELinux:  policy capability extended_socket_class=1
Jun 21 13:06:40 fedora kernel: SELinux:  policy capability always_check_network=0
Jun 21 13:06:40 fedora kernel: SELinux:  policy capability cgroup_seclabel=1
Jun 21 13:06:40 fedora kernel: SELinux:  policy capability nnp_nosuid_transition=1
Jun 21 13:06:40 fedora kernel: SELinux:  policy capability genfs_seclabel_symlinks=1
Jun 21 13:06:40 fedora kernel: SELinux:  policy capability ioctl_skip_cloexec=0
Jun 21 13:06:40 fedora kernel: SELinux:  policy capability userspace_initial_context=0
Jun 21 13:06:40 fedora kernel: audit: type=1403 audit(1718967999.295:6): auid=4294967295 ses=4294967295 lsm=selinux res=1
Jun 21 13:06:40 fedora systemd[1]: Successfully loaded SELinux policy in 126.849ms.
Jun 21 13:06:40 fedora systemd[1]: Relabeled /dev, /dev/shm, /run, /sys/fs/cgroup in 24.913ms.
Jun 21 13:06:40 fedora systemd[1]: systemd 255.7-1.fc40 running in system mode (+PAM +AUDIT +SELINUX -APPARMOR +IMA +SMACK +SECCOMP -GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN -IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified)
Jun 21 13:06:40 fedora systemd[1]: Detected architecture x86-64.
Jun 21 13:06:40 fedora systemd[1]: bpf-lsm: LSM BPF program attached
Jun 21 13:06:40 fedora kernel: audit: type=1400 audit(1718967999.727:7): avc:  denied  { read write } for  pid=1482 comm="systemd-fstab-g" path="/run/systemd/generator/dev-mapper-luks\x2d0b30619e\x2deb68\x2d4f6c\x2d8335\x2d16c0b2a50651.device.d/.#50-device-timeout.confda29754026ca7e03" dev="tmpfs" ino=1026 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=0
Jun 21 13:06:40 fedora (sd-exec-[1472]: /usr/lib/systemd/system-generators/systemd-fstab-generator failed with exit status 1.
Jun 21 13:06:40 fedora kernel: zram: Added device: zram0
...
```

Major entries:
```
Jun 21 13:06:40 fedora kernel: audit: type=1400 audit(1718967999.727:7): avc:  denied  { read write } for  pid=1482 comm="systemd-fstab-g" path="/run/systemd/generator/dev-mapper-luks\x2d0b30619e\x2deb68\x2d4f6c\x2d8335\x2d16c0b2a50651.device.d/.#50-device-timeout.confda29754026ca7e03" dev="tmpfs" ino=1026 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=0
Jun 21 13:06:40 fedora (sd-exec-[1472]: /usr/lib/systemd/system-generators/systemd-fstab-generator failed with exit status 1.
```


However, I am wondering why the `ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today` output no longer documents this. From the time of the boot, it contains only:
```
...
----
type=SELINUX_ERR msg=audit(06/21/2024 13:06:51.398:160) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_dbusd_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/21/2024 13:06:52.213:165) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/21/2024 13:06:52.549:166) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_dbusd_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/21/2024 13:06:52.549:167) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/21/2024 13:06:52.550:168) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/21/2024 13:06:52.553:169) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_dbusd_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/21/2024 13:06:52.697:170) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_dbusd_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/21/2024 13:07:22.832:203) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/21/2024 13:07:22.834:204) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/21/2024 13:07:52.831:254) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/21/2024 13:07:52.832:255) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/21/2024 13:08:22.852:266) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/21/2024 13:08:22.853:267) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/21/2024 13:08:52.821:275) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/21/2024 13:08:52.823:276) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/21/2024 13:09:22.823:277) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/21/2024 13:09:22.824:278) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/21/2024 13:09:52.850:279) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(06/21/2024 13:09:52.851:280) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
```

But the same ausearch output (it's the ausearch of today, containing 2 boots in total) still contains the related entry of the last boot (that booted with 40.22-1.fc40):
```
...
----
type=AVC msg=audit(06/21/2024 12:16:05.856:396) : avc:  denied  { read write } for  pid=17085 comm=systemd-fstab-g path=/run/systemd/generator/dev-mapper-luks\x2d0b30619e\x2deb68\x2d4f6c\x2d8335\x2d16c0b2a50651.device.d/.#50-device-timeout.conf15428e47544860d6 dev="tmpfs" ino=3943 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=0 
----
...
```

This change in the ausearch is the only change I can identify. For some reason it just starts logging some seconds after that.

Comment 14 Coacher 2024-06-26 15:16:25 UTC
(In reply to Christopher Klooz from comment #13)
> Unfortunately, 40.23-1.fc40 does not solve my issue. The issue's behavior is
> unchanged, also the denial.

Same here: 40.23-1.fc40 doesn't resolve the issue.

Comment 15 Zdenek Pytela 2024-06-26 15:30:20 UTC
I acknowledge the build fixes the majority of reported problems, but not all. We currently do not have a test for complex setups, sorry for that.

Can you try the following copr build?
https://dashboard.packit.dev/results/copr-builds/1672129

Comment 16 Dar 2024-06-27 00:20:22 UTC
These are required CIL rules which solved the issue:
```
(allow systemd_fstab_generator_t systemd_cryptsetup_generator_unit_file_t (file (read write setattr rename unlink)))
(allow systemd_fstab_generator_t systemd_cryptsetup_generator_unit_file_t (dir (remove_name)))
```
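
The denials quoted in the earlier comments and the CIL rules in comment 16 can be connected mechanically. The following is an added example, not part of the original thread or of the selinux-policy project: it parses AVC lines (abridged from the ones quoted above and used as constructed sample input), lists the permissions an enforcing boot never logged because the generator exited at its first denied operation, and renders candidate CIL rules for review. All function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample input: journal lines abridged from those quoted in this
# report (path= shortened to name=). The first line is from an enforcing boot,
# the systemd-fstab-g lines after it are from a permissive boot.
SAMPLE = """
Jun 13 08:23:07 castilla kernel: audit: type=1400 audit(1718288587.059:7): avc:  denied  { create } for  pid=1199 comm="systemd-fstab-g" name=".#50-device-timeout.conf82f054abba55a2ff" scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=0
Jun 13 08:23:07 castilla kernel: zram: Added device: zram0
Jun 13 21:42:09 castilla kernel: audit: type=1400 audit(1718336529.672:7): avc:  denied  { create } for  pid=1056 comm="systemd-fstab-g" name=".#50-device-timeout.confd5ea7bb620a2e109" scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=1
Jun 13 21:42:09 castilla kernel: audit: type=1400 audit(1718336529.672:8): avc:  denied  { read write open } for  pid=1056 comm="systemd-fstab-g" name=".#50-device-timeout.confd5ea7bb620a2e109" scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=1
Jun 13 21:42:09 castilla kernel: audit: type=1400 audit(1718336529.672:9): avc:  denied  { getattr } for  pid=1056 comm="systemd-fstab-g" name=".#50-device-timeout.confd5ea7bb620a2e109" scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=1
Jun 13 21:42:09 castilla kernel: audit: type=1400 audit(1718336529.672:10): avc:  denied  { setattr } for  pid=1056 comm="systemd-fstab-g" name=".#50-device-timeout.confd5ea7bb620a2e109" scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=1
Jun 13 21:42:09 castilla kernel: audit: type=1400 audit(1718336529.673:11): avc:  denied  { remove_name } for  pid=1056 comm="systemd-fstab-g" name=".#50-device-timeout.confd5ea7bb620a2e109" scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=dir permissive=1
Jun 13 21:42:09 castilla kernel: audit: type=1400 audit(1718336529.673:12): avc:  denied  { rename } for  pid=1056 comm="systemd-fstab-g" name=".#50-device-timeout.confd5ea7bb620a2e109" scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=1
Jun 13 12:15:52 fedora audit[1968]: AVC avc:  denied  { setsched } for  pid=1968 comm="rtkit-daemon" scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # quoted (journal) or bare (ausearch -i)
REQUIRED = {"scontext", "tcontext", "tclass"}


def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]


def parse_denials(text):
    """Return one dict per AVC denial found in journal or ausearch text."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (e.g. the zram line)
        fields = {k: v.strip("\"'") for k, v in FIELD_RE.findall(m.group("fields"))}
        if not REQUIRED <= fields.keys():
            continue  # truncated record, nothing reliable to group on
        denials.append({
            "perms": m.group("perms").split(),
            "source": selinux_type(fields["scontext"]),
            "target": selinux_type(fields["tcontext"]),
            "tclass": fields["tclass"],
            "permissive": fields.get("permissive") == "1",
        })
    return denials


def collect(denials, source):
    """Group denied permissions by (target, class) for one source domain, per mode."""
    seen = defaultdict(lambda: {"enforcing": set(), "permissive": set()})
    for d in denials:
        if d["source"] != source:
            continue  # unrelated denials (rtkit-daemon etc.) stay out of the rule set
        mode = "permissive" if d["permissive"] else "enforcing"
        seen[(d["target"], d["tclass"])][mode].update(d["perms"])
    return dict(seen)


def masked_by_enforcing(groups):
    """Permissions that were only logged once the domain ran permissive."""
    out = {}
    for key, modes in groups.items():
        hidden = modes["permissive"] - modes["enforcing"]
        if hidden:
            out[key] = sorted(hidden)
    return out


def candidate_cil(groups, source):
    """Render the union of denied permissions as CIL allow rules for review."""
    rules = []
    for (target, tclass), modes in sorted(groups.items()):
        perms = " ".join(sorted(modes["enforcing"] | modes["permissive"]))
        rules.append(f"(allow {source} {target} ({tclass} ({perms})))")
    return rules


if __name__ == "__main__":
    src = "systemd_fstab_generator_t"
    groups = collect(parse_denials(SAMPLE), src)
    for key, perms in masked_by_enforcing(groups).items():
        print("only visible in permissive mode:", key, perms)
    print("\n".join(candidate_cil(groups, src)))
```

The same functions accept `ausearch -i` output, since unquoted values such as `comm=systemd-fstab-g` are parsed as well.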

Comment 17 Andrey 2024-07-16 15:27:28 UTC
Same here. 
avc:  denied comm="systemd-fstab-g" path="/run/systemd/generator/dev-mapper-luks...

Comment 18 Andrey 2024-07-16 15:34:46 UTC
https://dashboard.packit.dev/results/copr-builds/1672129 
this copr build helped, mounted successfully

Comment 19 Fedora Update System 2024-07-17 16:15:33 UTC
FEDORA-2024-f30b2bffdc (selinux-policy-40.24-1.fc40) has been submitted as an update to Fedora 40.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-f30b2bffdc

Comment 20 Andrey 2024-07-17 20:18:34 UTC
Installed selinux-policy-40.24-1.fc40, same error
avc:  denied  { read write } for  pid=1286 comm="systemd-fstab-g"
But worked with 41.5-1 on F40

Comment 21 Zdenek Pytela 2024-07-17 21:03:32 UTC
(In reply to Andrey from comment #20)
> Installed selinux-policy-40.24-1.fc40, same error
> avc:  denied  { read write } for  pid=1286 comm="systemd-fstab-g"
> But worked with 41.5-1 on F40

This is quite surprising, can you share the complete record?

Comment 22 Andrey 2024-07-17 21:11:17 UTC
1. Message during installation:
```
  Running scriptlet: selinux-policy-devel-40.24-1.fc40.noarch                         4/13 
Illegal character '"'
```

2. journalctl
```
kernel: audit: type=1400 audit(1721246950.895:7): avc:  denied  { read write } for  pid=1286 comm="systemd-fstab-g" path="/run/systemd/generator/dev-mapper-luks\... dev="tmpfs" ino=809 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=0
kernel: audit: type=1400 audit(1721246950.899:8): avc:  denied  { read write } for  pid=1286 comm="systemd-fstab-g" path="/run/systemd/generator/dev-mapper-luks\... dev="tmpfs" ino=816 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=0
(sd-exec-[1274]: /usr/lib/systemd/system-generators/systemd-fstab-generator failed with exit status 1.
```

3. audit2allow -w -a
```
type=AVC msg=audit(1721243426.746:450): avc:  denied  { read write } for  pid=18890 comm="systemd-fstab-g" path="/run/systemd/generator/dev-mapper-luks\....device.d/.#50-device-timeout.conf952385515de02420" dev="tmpfs" ino=3021 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1721243426.747:451): avc:  denied  { read write } for  pid=18890 comm="systemd-fstab-g" path="/run/systemd/generator/dev-mapper-luks\....device.d/.#50-device-timeout.conffbc9545f8849c585" dev="tmpfs" ino=3028 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1721243593.041:503): avc:  denied  { write } for  pid=23579 comm="systemd-cryptse" name="dev-mapper-luks\....device.d" dev="tmpfs" ino=3084 scontext=system_u:system_r:systemd_cryptsetup_generator_t:s0 tcontext=system_u:object_r:systemd_fstab_generator_unit_file_t:s0 tclass=dir permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1721243593.041:504): avc:  denied  { write } for  pid=23579 comm="systemd-cryptse" name="dev-mapper-luks\....device.d" dev="tmpfs" ino=3093 scontext=system_u:system_r:systemd_cryptsetup_generator_t:s0 tcontext=system_u:object_r:systemd_fstab_generator_unit_file_t:s0 tclass=dir permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.
```

Comment 23 Zdenek Pytela 2024-07-17 21:20:08 UTC
Thank you, I will update the policy in the next build.

> But worked with 41.5-1 on F40
The systemd-related policy is now quite different in F40 and F41.

Comment 24 Fedora Update System 2024-07-18 04:59:16 UTC
FEDORA-2024-f30b2bffdc has been pushed to the Fedora 40 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-f30b2bffdc`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-f30b2bffdc

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 25 Christopher Klooz 2024-07-18 09:44:42 UTC
Sorry for being so inactive recently, full schedule. I have just tried the update FEDORA-2024-f30b2bffdc in testing. Unfortunately, the issue remains unchanged in my case. But the update is generally working except the mounting issue on boot.

I could not yet test, but a timeout issue could explain something: I have several disks that even use the same password and that should be mounted on boot when available. However, the non-affected disks are not available always (they can be unplugged), so they are not mounted at the grub level but later in crypttab:

First, at grub level, two devices are unlocked, but only the root one is mounted (works fine) while the other is just unlocked and nothing more (that is the affected device that does not get mounted). The (affected) unlocked device (which is internal and thus always connected to the system) has the same password as other devices that are mounted later if available. So later no further password prompt is necessary as "all passwords" are already in the ring (otherwise I would have to enter the password for each device separately, although it is always the same password).

Then, crypttab does the rest: it mounts the already unlocked device on its non-system mountpoint and the other devices that are not yet unlocked (if available). This leads to a difference in crypttab between the affected and the non-affected devices: the crypttab options -> the other devices (that work fine) have "nofail,x-systemd.device-timeout=60".

Alternatively, is it possible that SELinux intervenes because crypttab leads to mounting something that is already unlocked but not yet mounted? I assume crypttab leads automatically to some "unlock" attempt although the affected device is already unlocked since the grub level. Just some thoughts.

For now, I added "nofail,x-systemd.device-timeout=60" to the crypttab entry of the affected device. I will report how it works. Ain't a critical issue anyway, more an interesting one :)

Comment 26 Zdenek Pytela 2024-07-18 14:36:25 UTC
Christopher,

there are some related changes in rawhide already, especially interactions between fstab generator and a few others, they are also on the way to F40. Reproducer can be helpful any time.

Comment 27 Christopher Klooz 2024-07-18 14:51:23 UTC
> Reproducer can be helpful any time.

Not sure if I get your point :) If there is something to test in rawhide, I guess I have some time next week - if that is what you mean, is there some ticket or so to know what/how to test? Or just try how my usual configuration works out in rawhide?

However, I can now confirm that the issue does NOT occur if I add the options "nofail,x-systemd.device-timeout=60" in crypttab to the affected device (just tried once so far, but I verified before and after testing that I disabled my usual means to mitigate the issue). I wonder about this behavior as crypttab usually only unlocks devices and does not mount them but waits for fstab to do that, whereas the affected device was already unlocked before. I will reproduce this a few more times to see if it is really 100% reproducible with these options. I have a hard time believing this can solve the issue.

Comment 28 Fedora Update System 2024-07-19 01:46:09 UTC
FEDORA-2024-f30b2bffdc (selinux-policy-40.24-1.fc40) has been pushed to the Fedora 40 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 29 Coacher 2024-07-19 07:21:03 UTC
(In reply to Fedora Update System from comment #28)
> FEDORA-2024-f30b2bffdc (selinux-policy-40.24-1.fc40) has been pushed to the
> Fedora 40 stable repository.
> If problem still persists, please make note of it in this bug report.

The problem still persists after upgrade to selinux-policy-40.24-1.fc40:

SELinux is preventing systemd-fstab-g from 'read, write' accesses on the file /run/systemd/generator/dev-mapper-luks\x2d6a64436f\x2d49f1\x2d4a78\x2dbae4\x2dba5a914ba31d.device.d/.#50-device-timeout.conf4df592916fde6252.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label. 
/run/systemd/generator/dev-mapper-luks\x2d6a64436f\x2d49f1\x2d4a78\x2dbae4\x2dba5a914ba31d.device.d/.#50-device-timeout.conf4df592916fde6252 default label should be systemd_unit_file_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /run/systemd/generator/dev-mapper-luks\x2d6a64436f\x2d49f1\x2d4a78\x2dbae4\x2dba5a914ba31d.device.d/.#50-device-timeout.conf4df592916fde6252

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that systemd-fstab-g should be allowed read write access on the .#50-device-timeout.conf4df592916fde6252 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-fstab-g' --raw | audit2allow -M my-systemdfstabg
# semodule -X 300 -i my-systemdfstabg.pp

Additional Information:
Source Context                system_u:system_r:systemd_fstab_generator_t:s0
Target Context                system_u:object_r:systemd_cryptsetup_generator_uni
                              t_file_t:s0
Target Objects                /run/systemd/generator/dev-mapper-luks\x2d6a64436f
                              \x2d49f1\x2d4a78\x2dbae4\x2dba5a914ba31d.device.d/
                              .#50-device-timeout.conf4df592916fde6252 [ file ]
Source                        systemd-fstab-g
Source Path                   systemd-fstab-g
Port                          <Unknown>
Host                          lenovo-x1
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-40.24-1.fc40.noarch
Local Policy RPM              selinux-policy-targeted-40.24-1.fc40.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     lenovo-x1
Platform                      Linux lenovo-x1 6.9.9-200.fc40.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Thu Jul 11 19:29:01 UTC 2024
                              x86_64
Alert Count                   10
First Seen                    2024-06-26 18:12:20 MSK
Last Seen                     2024-07-19 10:13:42 MSK
Local ID                      7d7877ae-d4bc-46ef-9d42-9e1a121dc28b

Raw Audit Messages
type=AVC msg=audit(1721373222.803:326): avc:  denied  { read write } for  pid=5062 comm="systemd-fstab-g" path="/run/systemd/generator/dev-mapper-luks\x2d6a64436f\x2d49f1\x2d4a78\x2dbae4\x2dba5a914ba31d.device.d/.#50-device-timeout.conf4df592916fde6252" dev="tmpfs" ino=2770 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=0


Hash: systemd-fstab-g,systemd_fstab_generator_t,systemd_cryptsetup_generator_unit_file_t,file,read,write

Comment 30 fredg_@_bdx 2024-07-19 10:16:54 UTC
(In reply to Fedora Update System from comment #28)
> FEDORA-2024-f30b2bffdc (selinux-policy-40.24-1.fc40) has been pushed to the
> Fedora 40 stable repository.
> If problem still persists, please make note of it in this bug report.

Bug still there with selinux-policy 40.24-1fc40:

systemd logs:
```
juil. 19 12:02:04 PC-DSKTP-4 kernel: Command line: BOOT_IMAGE=(hd3,gpt2)/vmlinuz-6.9.9-200.fc40.x86_64 root=UUID=bdd43696-b74a-461e-83fb-3e717081e96a ro rd.luks.uuid=luks-856c2466-ea1e-4c23-b8b9-7acc4d8dbdcf rhgb quiet
juil. 19 12:02:04 PC-DSKTP-4 kernel: Kernel command line: BOOT_IMAGE=(hd3,gpt2)/vmlinuz-6.9.9-200.fc40.x86_64 root=UUID=bdd43696-b74a-461e-83fb-3e717081e96a ro rd.luks.uuid=luks-856c2466-ea1e-4c23-b8b9-7acc4d8dbdcf rhgb quiet
juil. 19 12:02:04 PC-DSKTP-4 dracut-cmdline[385]: Using kernel command line parameters:    BOOT_IMAGE=(hd3,gpt2)/vmlinuz-6.9.9-200.fc40.x86_64 root=UUID=bdd43696-b74a-461e-83fb-3e717081e96a ro rd.luks.uuid=luks-856c2466-ea1e-4c23-b8b9-7acc4d8dbdcf rhgb quiet
juil. 19 12:02:04 PC-DSKTP-4 systemd-escape[479]: Input 'luks-856c2466-ea1e-4c23-b8b9-7acc4d8dbdcf' is not an absolute file system path, escaping is likely not going to be reversible.
juil. 19 12:02:04 PC-DSKTP-4 systemd[1]: Starting systemd-cryptsetup@luks\x2d856c2466\x2dea1e\x2d4c23\x2db8b9\x2d7acc4d8dbdcf.service - Cryptography Setup for luks-856c2466-ea1e-4c23-b8b9-7acc4d8dbdcf...
juil. 19 12:02:15 PC-DSKTP-4 systemd[1]: Finished systemd-cryptsetup@luks\x2d856c2466\x2dea1e\x2d4c23\x2db8b9\x2d7acc4d8dbdcf.service - Cryptography Setup for luks-856c2466-ea1e-4c23-b8b9-7acc4d8dbdcf.
juil. 19 12:02:17 PC-DSKTP-4 kernel: audit: type=1400 audit(1721383337.052:4): avc:  denied  { read write } for  pid=1069 comm="systemd-fstab-g" path="/run/systemd/generator/dev-mapper-luks\x2d856c2466\x2dea1e\x2d4c23\x2db8b9\x2d7acc4d8dbdcf.device.d/.#50-device-timeout.conf9ec0ae75501bfcee" dev="tmpfs" ino=1097 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=0
juil. 19 12:02:17 PC-DSKTP-4 kernel: audit: type=1400 audit(1721383337.053:5): avc:  denied  { read write } for  pid=1069 comm="systemd-fstab-g" path="/run/systemd/generator/dev-mapper-luks\x2df159f0b8\x2dd50c\x2d46a7\x2daa1e\x2d1fc70b678612.device.d/.#50-device-timeout.conf8b32e22a91001ed7" dev="tmpfs" ino=1104 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=0
juil. 19 12:02:17 PC-DSKTP-4 kernel: audit: type=1400 audit(1721383337.054:6): avc:  denied  { read write } for  pid=1069 comm="systemd-fstab-g" path="/run/systemd/generator/dev-mapper-luks\x2dddd25182\x2d5079\x2d43f1\x2d871b\x2d344c687c8b2d.device.d/.#50-device-timeout.conf30fe6bfd064fa74f" dev="tmpfs" ino=1106 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=0
juil. 19 12:02:17 PC-DSKTP-4 kernel: audit: type=1400 audit(1721383337.054:7): avc:  denied  { read write } for  pid=1069 comm="systemd-fstab-g" path="/run/systemd/generator/dev-mapper-luks\x2d7dbcc4dd\x2d9ada\x2d4732\x2dae9b\x2de10f879700b6.device.d/.#50-device-timeout.conf8d8ccb262138b810" dev="tmpfs" ino=1108 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=0
juil. 19 12:02:17 PC-DSKTP-4 kernel: audit: type=1400 audit(1721383337.054:8): avc:  denied  { read write } for  pid=1069 comm="systemd-fstab-g" path="/run/systemd/generator/dev-mapper-luks\x2d1e10eba5\x2d5b6f\x2d4464\x2da235\x2da7e6075d9db4.device.d/.#50-device-timeout.conf4e9435ea1e1e8194" dev="tmpfs" ino=1110 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=0
juil. 19 12:02:17 PC-DSKTP-4 systemd[1]: Reached target blockdev@dev-mapper-luks\x2d856c2466\x2dea1e\x2d4c23\x2db8b9\x2d7acc4d8dbdcf.target - Block Device Preparation for /dev/mapper/luks-856c2466-ea1e-4c23-b8b9-7acc4d8dbdcf.
juil. 19 12:02:17 PC-DSKTP-4 systemd[1]: Starting systemd-cryptsetup@luks\x2d1e10eba5\x2d5b6f\x2d4464\x2da235\x2da7e6075d9db4.service - Cryptography Setup for luks-1e10eba5-5b6f-4464-a235-a7e6075d9db4...
juil. 19 12:02:17 PC-DSKTP-4 systemd[1]: Starting systemd-cryptsetup@luks\x2df159f0b8\x2dd50c\x2d46a7\x2daa1e\x2d1fc70b678612.service - Cryptography Setup for luks-f159f0b8-d50c-46a7-aa1e-1fc70b678612...
juil. 19 12:02:17 PC-DSKTP-4 systemd[1]: Starting systemd-cryptsetup@luks\x2dddd25182\x2d5079\x2d43f1\x2d871b\x2d344c687c8b2d.service - Cryptography Setup for luks-ddd25182-5079-43f1-871b-344c687c8b2d...
juil. 19 12:02:17 PC-DSKTP-4 systemd[1]: Starting systemd-cryptsetup@luks\x2d7dbcc4dd\x2d9ada\x2d4732\x2dae9b\x2de10f879700b6.service - Cryptography Setup for luks-7dbcc4dd-9ada-4732-ae9b-e10f879700b6...
juil. 19 12:02:19 PC-DSKTP-4 systemd[1]: Finished systemd-cryptsetup@luks\x2df159f0b8\x2dd50c\x2d46a7\x2daa1e\x2d1fc70b678612.service - Cryptography Setup for luks-f159f0b8-d50c-46a7-aa1e-1fc70b678612.
juil. 19 12:02:19 PC-DSKTP-4 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-cryptsetup@luks\x2df159f0b8\x2dd50c\x2d46a7\x2daa1e\x2d1fc70b678612 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
juil. 19 12:02:19 PC-DSKTP-4 systemd[1]: Reached target blockdev@dev-mapper-luks\x2df159f0b8\x2dd50c\x2d46a7\x2daa1e\x2d1fc70b678612.target - Block Device Preparation for /dev/mapper/luks-f159f0b8-d50c-46a7-aa1e-1fc70b678612.
juil. 19 12:02:22 PC-DSKTP-4 systemd[1]: Finished systemd-cryptsetup@luks\x2d1e10eba5\x2d5b6f\x2d4464\x2da235\x2da7e6075d9db4.service - Cryptography Setup for luks-1e10eba5-5b6f-4464-a235-a7e6075d9db4.
juil. 19 12:02:22 PC-DSKTP-4 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-cryptsetup@luks\x2d1e10eba5\x2d5b6f\x2d4464\x2da235\x2da7e6075d9db4 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
juil. 19 12:02:22 PC-DSKTP-4 systemd[1]: Reached target blockdev@dev-mapper-luks\x2d1e10eba5\x2d5b6f\x2d4464\x2da235\x2da7e6075d9db4.target - Block Device Preparation for /dev/mapper/luks-1e10eba5-5b6f-4464-a235-a7e6075d9db4.
juil. 19 12:02:24 PC-DSKTP-4 systemd[1]: Finished systemd-cryptsetup@luks\x2d7dbcc4dd\x2d9ada\x2d4732\x2dae9b\x2de10f879700b6.service - Cryptography Setup for luks-7dbcc4dd-9ada-4732-ae9b-e10f879700b6.
juil. 19 12:02:24 PC-DSKTP-4 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-cryptsetup@luks\x2d7dbcc4dd\x2d9ada\x2d4732\x2dae9b\x2de10f879700b6 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
juil. 19 12:02:24 PC-DSKTP-4 systemd[1]: Reached target blockdev@dev-mapper-luks\x2d7dbcc4dd\x2d9ada\x2d4732\x2dae9b\x2de10f879700b6.target - Block Device Preparation for /dev/mapper/luks-7dbcc4dd-9ada-4732-ae9b-e10f879700b6.
juil. 19 12:02:26 PC-DSKTP-4 systemd[1]: Finished systemd-cryptsetup@luks\x2dddd25182\x2d5079\x2d43f1\x2d871b\x2d344c687c8b2d.service - Cryptography Setup for luks-ddd25182-5079-43f1-871b-344c687c8b2d.
juil. 19 12:02:26 PC-DSKTP-4 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-cryptsetup@luks\x2dddd25182\x2d5079\x2d43f1\x2d871b\x2d344c687c8b2d comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
juil. 19 12:02:26 PC-DSKTP-4 systemd[1]: Reached target blockdev@dev-mapper-luks\x2dddd25182\x2d5079\x2d43f1\x2d871b\x2d344c687c8b2d.target - Block Device Preparation for /dev/mapper/luks-ddd25182-5079-43f1-871b-344c687c8b2d.
juil. 19 12:02:26 PC-DSKTP-4 audit[2149]: AVC avc:  denied  { read write } for  pid=2149 comm="systemd-fstab-g" path="/run/systemd/generator/dev-mapper-luks\x2d856c2466\x2dea1e\x2d4c23\x2db8b9\x2d7acc4d8dbdcf.device.d/.#50-device-timeout.confb5de9540f99f71ed" dev="tmpfs" ino=2689 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=0
juil. 19 12:02:26 PC-DSKTP-4 audit[2149]: AVC avc:  denied  { read write } for  pid=2149 comm="systemd-fstab-g" path="/run/systemd/generator/dev-mapper-luks\x2df159f0b8\x2dd50c\x2d46a7\x2daa1e\x2d1fc70b678612.device.d/.#50-device-timeout.conf6dfc956288d7c917" dev="tmpfs" ino=2696 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=0
juil. 19 12:02:26 PC-DSKTP-4 audit[2149]: AVC avc:  denied  { read write } for  pid=2149 comm="systemd-fstab-g" path="/run/systemd/generator/dev-mapper-luks\x2dddd25182\x2d5079\x2d43f1\x2d871b\x2d344c687c8b2d.device.d/.#50-device-timeout.conff391dea45f7a76b6" dev="tmpfs" ino=2698 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=0
juil. 19 12:02:26 PC-DSKTP-4 audit[2149]: AVC avc:  denied  { read write } for  pid=2149 comm="systemd-fstab-g" path="/run/systemd/generator/dev-mapper-luks\x2d7dbcc4dd\x2d9ada\x2d4732\x2dae9b\x2de10f879700b6.device.d/.#50-device-timeout.conf2c7d43a1fcae913b" dev="tmpfs" ino=2700 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=0
juil. 19 12:02:26 PC-DSKTP-4 audit[2149]: AVC avc:  denied  { read write } for  pid=2149 comm="systemd-fstab-g" path="/run/systemd/generator/dev-mapper-luks\x2d1e10eba5\x2d5b6f\x2d4464\x2da235\x2da7e6075d9db4.device.d/.#50-device-timeout.conf0b2c5dd3214bd132" dev="tmpfs" ino=2702 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=0
juil. 19 12:02:29 PC-DSKTP-4 setroubleshoot[2318]: failed to retrieve rpm info for path '/run/systemd/generator/dev-mapper-luks\x2d856c2466\x2dea1e\x2d4c23\x2db8b9\x2d7acc4d8dbdcf.device.d/.#50-device-timeout.confb5de9540f99f71ed':
juil. 19 12:02:29 PC-DSKTP-4 setroubleshoot[2318]: SELinux interdit à systemd-fstab-g d'utiliser les accès « read, write » sur le fichier /run/systemd/generator/dev-mapper-luks\x2d856c2466\x2dea1e\x2d4c23\x2db8b9\x2d7acc4d8dbdcf.device.d/.#50-device-timeout.confb5de9540f99f71ed. Pour des messages SELinux exhaustifs, lancez sealert -l 35b6231e-a095-459d-b428-22e23ac8955e
juil. 19 12:02:29 PC-DSKTP-4 setroubleshoot[2318]: SELinux interdit à systemd-fstab-g d'utiliser les accès « read, write » sur le fichier /run/systemd/generator/dev-mapper-luks\x2d856c2466\x2dea1e\x2d4c23\x2db8b9\x2d7acc4d8dbdcf.device.d/.#50-device-timeout.confb5de9540f99f71ed.
                                                   L'étiquette par défaut de /run/systemd/generator/dev-mapper-luks\x2d856c2466\x2dea1e\x2d4c23\x2db8b9\x2d7acc4d8dbdcf.device.d/.#50-device-timeout.confb5de9540f99f71ed devrait être systemd_unit_file_t.
                                                   # /sbin/restorecon -v /run/systemd/generator/dev-mapper-luks\x2d856c2466\x2dea1e\x2d4c23\x2db8b9\x2d7acc4d8dbdcf.device.d/.#50-device-timeout.confb5de9540f99f71ed
juil. 19 12:02:29 PC-DSKTP-4 setroubleshoot[2318]: failed to retrieve rpm info for path '/run/systemd/generator/dev-mapper-luks\x2df159f0b8\x2dd50c\x2d46a7\x2daa1e\x2d1fc70b678612.device.d/.#50-device-timeout.conf6dfc956288d7c917':
juil. 19 12:02:29 PC-DSKTP-4 setroubleshoot[2318]: SELinux interdit à systemd-fstab-g d'utiliser les accès « read, write » sur le fichier /run/systemd/generator/dev-mapper-luks\x2df159f0b8\x2dd50c\x2d46a7\x2daa1e\x2d1fc70b678612.device.d/.#50-device-timeout.conf6dfc956288d7c917. Pour des messages SELinux exhaustifs, lancez sealert -l 35b6231e-a095-459d-b428-22e23ac8955e
juil. 19 12:02:29 PC-DSKTP-4 setroubleshoot[2318]: SELinux interdit à systemd-fstab-g d'utiliser les accès « read, write » sur le fichier /run/systemd/generator/dev-mapper-luks\x2df159f0b8\x2dd50c\x2d46a7\x2daa1e\x2d1fc70b678612.device.d/.#50-device-timeout.conf6dfc956288d7c917.
                                                   L'étiquette par défaut de /run/systemd/generator/dev-mapper-luks\x2df159f0b8\x2dd50c\x2d46a7\x2daa1e\x2d1fc70b678612.device.d/.#50-device-timeout.conf6dfc956288d7c917 devrait être systemd_unit_file_t.
                                                   # /sbin/restorecon -v /run/systemd/generator/dev-mapper-luks\x2df159f0b8\x2dd50c\x2d46a7\x2daa1e\x2d1fc70b678612.device.d/.#50-device-timeout.conf6dfc956288d7c917
juil. 19 12:02:29 PC-DSKTP-4 setroubleshoot[2318]: failed to retrieve rpm info for path '/run/systemd/generator/dev-mapper-luks\x2dddd25182\x2d5079\x2d43f1\x2d871b\x2d344c687c8b2d.device.d/.#50-device-timeout.conff391dea45f7a76b6':
juil. 19 12:02:29 PC-DSKTP-4 setroubleshoot[2318]: SELinux interdit à systemd-fstab-g d'utiliser les accès « read, write » sur le fichier /run/systemd/generator/dev-mapper-luks\x2dddd25182\x2d5079\x2d43f1\x2d871b\x2d344c687c8b2d.device.d/.#50-device-timeout.conff391dea45f7a76b6. Pour des messages SELinux exhaustifs, lancez sealert -l 35b6231e-a095-459d-b428-22e23ac8955e
juil. 19 12:02:29 PC-DSKTP-4 setroubleshoot[2318]: SELinux interdit à systemd-fstab-g d'utiliser les accès « read, write » sur le fichier /run/systemd/generator/dev-mapper-luks\x2dddd25182\x2d5079\x2d43f1\x2d871b\x2d344c687c8b2d.device.d/.#50-device-timeout.conff391dea45f7a76b6.
                                                   L'étiquette par défaut de /run/systemd/generator/dev-mapper-luks\x2dddd25182\x2d5079\x2d43f1\x2d871b\x2d344c687c8b2d.device.d/.#50-device-timeout.conff391dea45f7a76b6 devrait être systemd_unit_file_t.
                                                   # /sbin/restorecon -v /run/systemd/generator/dev-mapper-luks\x2dddd25182\x2d5079\x2d43f1\x2d871b\x2d344c687c8b2d.device.d/.#50-device-timeout.conff391dea45f7a76b6
juil. 19 12:02:29 PC-DSKTP-4 setroubleshoot[2318]: failed to retrieve rpm info for path '/run/systemd/generator/dev-mapper-luks\x2d7dbcc4dd\x2d9ada\x2d4732\x2dae9b\x2de10f879700b6.device.d/.#50-device-timeout.conf2c7d43a1fcae913b':
juil. 19 12:02:29 PC-DSKTP-4 setroubleshoot[2318]: SELinux interdit à systemd-fstab-g d'utiliser les accès « read, write » sur le fichier /run/systemd/generator/dev-mapper-luks\x2d7dbcc4dd\x2d9ada\x2d4732\x2dae9b\x2de10f879700b6.device.d/.#50-device-timeout.conf2c7d43a1fcae913b. Pour des messages SELinux exhaustifs, lancez sealert -l 35b6231e-a095-459d-b428-22e23ac8955e
juil. 19 12:02:29 PC-DSKTP-4 setroubleshoot[2318]: SELinux interdit à systemd-fstab-g d'utiliser les accès « read, write » sur le fichier /run/systemd/generator/dev-mapper-luks\x2d7dbcc4dd\x2d9ada\x2d4732\x2dae9b\x2de10f879700b6.device.d/.#50-device-timeout.conf2c7d43a1fcae913b.
                                                   L'étiquette par défaut de /run/systemd/generator/dev-mapper-luks\x2d7dbcc4dd\x2d9ada\x2d4732\x2dae9b\x2de10f879700b6.device.d/.#50-device-timeout.conf2c7d43a1fcae913b devrait être systemd_unit_file_t.
                                                   # /sbin/restorecon -v /run/systemd/generator/dev-mapper-luks\x2d7dbcc4dd\x2d9ada\x2d4732\x2dae9b\x2de10f879700b6.device.d/.#50-device-timeout.conf2c7d43a1fcae913b
juil. 19 12:02:29 PC-DSKTP-4 setroubleshoot[2318]: failed to retrieve rpm info for path '/run/systemd/generator/dev-mapper-luks\x2d1e10eba5\x2d5b6f\x2d4464\x2da235\x2da7e6075d9db4.device.d/.#50-device-timeout.conf0b2c5dd3214bd132':
juil. 19 12:02:29 PC-DSKTP-4 setroubleshoot[2318]: SELinux interdit à systemd-fstab-g d'utiliser les accès « read, write » sur le fichier /run/systemd/generator/dev-mapper-luks\x2d1e10eba5\x2d5b6f\x2d4464\x2da235\x2da7e6075d9db4.device.d/.#50-device-timeout.conf0b2c5dd3214bd132. Pour des messages SELinux exhaustifs, lancez sealert -l 35b6231e-a095-459d-b428-22e23ac8955e
juil. 19 12:02:29 PC-DSKTP-4 setroubleshoot[2318]: SELinux interdit à systemd-fstab-g d'utiliser les accès « read, write » sur le fichier /run/systemd/generator/dev-mapper-luks\x2d1e10eba5\x2d5b6f\x2d4464\x2da235\x2da7e6075d9db4.device.d/.#50-device-timeout.conf0b2c5dd3214bd132.
                                                   L'étiquette par défaut de /run/systemd/generator/dev-mapper-luks\x2d1e10eba5\x2d5b6f\x2d4464\x2da235\x2da7e6075d9db4.device.d/.#50-device-timeout.conf0b2c5dd3214bd132 devrait être systemd_unit_file_t.
                                                   # /sbin/restorecon -v /run/systemd/generator/dev-mapper-luks\x2d1e10eba5\x2d5b6f\x2d4464\x2da235\x2da7e6075d9db4.device.d/.#50-device-timeout.conf0b2c5dd3214bd132
juil. 19 12:02:38 PC-DSKTP-4 systemd[1]: Starting systemd-fsck@dev-mapper-luks\x2df159f0b8\x2dd50c\x2d46a7\x2daa1e\x2d1fc70b678612.service - File System Check on /dev/mapper/luks-f159f0b8-d50c-46a7-aa1e-1fc70b678612...
juil. 19 12:02:38 PC-DSKTP-4 systemd[1]: Finished systemd-fsck@dev-mapper-luks\x2df159f0b8\x2dd50c\x2d46a7\x2daa1e\x2d1fc70b678612.service - File System Check on /dev/mapper/luks-f159f0b8-d50c-46a7-aa1e-1fc70b678612.
juil. 19 12:02:38 PC-DSKTP-4 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-fsck@dev-mapper-luks\x2df159f0b8\x2dd50c\x2d46a7\x2daa1e\x2d1fc70b678612 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
```
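An added example, not part of any comment in this report and not Fedora or setroubleshoot code: it parses the three AVC record formats quoted in comments 29 and 30, groups them by the same fields as the `Hash:` line in comment 29, and reverses the systemd path escaping (`\x2d`) to name the affected `/dev/mapper` devices. The function names (`parse_avc`, `unit_to_device`, `summarize`) are assumptions chosen for this sketch.

```python
import re
from collections import Counter

# Sample input: four records copied from comments 29 and 30 of this report
# (three AVC denials in three log formats, plus one unrelated SERVICE_START).
SAMPLE_LOG = r"""
juil. 19 12:02:17 PC-DSKTP-4 kernel: audit: type=1400 audit(1721383337.052:4): avc:  denied  { read write } for  pid=1069 comm="systemd-fstab-g" path="/run/systemd/generator/dev-mapper-luks\x2d856c2466\x2dea1e\x2d4c23\x2db8b9\x2d7acc4d8dbdcf.device.d/.#50-device-timeout.conf9ec0ae75501bfcee" dev="tmpfs" ino=1097 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=0
juil. 19 12:02:19 PC-DSKTP-4 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-cryptsetup@luks\x2df159f0b8\x2dd50c\x2d46a7\x2daa1e\x2d1fc70b678612 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
juil. 19 12:02:26 PC-DSKTP-4 audit[2149]: AVC avc:  denied  { read write } for  pid=2149 comm="systemd-fstab-g" path="/run/systemd/generator/dev-mapper-luks\x2df159f0b8\x2dd50c\x2d46a7\x2daa1e\x2d1fc70b678612.device.d/.#50-device-timeout.conf6dfc956288d7c917" dev="tmpfs" ino=2696 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1721373222.803:326): avc:  denied  { read write } for  pid=5062 comm="systemd-fstab-g" path="/run/systemd/generator/dev-mapper-luks\x2d6a64436f\x2d49f1\x2d4a78\x2dbae4\x2dba5a914ba31d.device.d/.#50-device-timeout.conf4df592916fde6252" dev="tmpfs" ino=2770 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=0
"""

# The "avc: denied { perms } for key=value ..." tail is common to all formats.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
UNIT_DIR_RE = re.compile(r'^/run/systemd/generator/([^/]+)\.device\.d/')


def parse_avc(line):
    """Return a dict for one AVC denial, or None for any other log line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {key: (quoted if full.startswith('"') else full)
              for key, full, quoted in FIELD_RE.findall(m.group("fields"))}
    try:
        # An SELinux context is user:role:type:level; the type drives the decision.
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
    except (KeyError, IndexError):
        return None
    return {"perms": m.group("perms").split(), "comm": fields.get("comm", "?"),
            "path": fields.get("path", ""), "stype": stype, "ttype": ttype,
            "tclass": fields.get("tclass", "?"),
            # permissive=0 means the access was really blocked, not just logged.
            "enforced": fields.get("permissive") == "0"}


def unit_to_device(path):
    """Map a generator drop-in path back to its device node.

    systemd escapes "/" as "-" and a literal "-" as "\\x2d", so the reverse
    must turn "-" into "/" first and only then decode the \\xNN sequences.
    """
    m = UNIT_DIR_RE.match(path)
    if m is None:
        return None
    raw = m.group(1).replace("-", "/").encode()
    raw = re.sub(rb'\\x([0-9a-fA-F]{2})', lambda h: bytes([int(h.group(1), 16)]), raw)
    return "/" + raw.decode("utf-8", "replace")


def summarize(log_text):
    """Count denials per signature and per affected device."""
    result = {"signatures": Counter(), "devices": Counter(), "enforced": 0}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        # Same field order as the "Hash:" line in comment 29.
        sig = ",".join([rec["comm"], rec["stype"], rec["ttype"], rec["tclass"], *rec["perms"]])
        result["signatures"][sig] += 1
        result["enforced"] += rec["enforced"]
        device = unit_to_device(rec["path"])
        if device is not None:
            result["devices"][device] += 1
    return result


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for sig, count in summary["signatures"].items():
        print(f"{count:3d}  {sig}")
    for device, count in sorted(summary["devices"].items()):
        print(f"{count:3d}  {device}")
```

All three denials collapse to one signature, which shows that the reports in comments 29 and 30 are the same policy gap on different hosts rather than separate problems.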

Comment 31 Christopher Klooz 2024-07-21 15:36:57 UTC
> However, I can now confirm that the issue does NOT occur if I add the options "nofail,x-systemd.device-timeout=60" in crypttab to the affected device (just tried once so far, but I verified before and after testing that I disabled my usual means to mitigate the issue). I wonder about this behavior as crypttab usually only unlocks devices and does not mount them but waits for fstab to do that, whereas the affected device was already unlocked before. I will reproduce this a few more times to see if it is really 100% reproducible with these options. I have a hard time believing this can solve the issue.

With regards to my last post, I can now confirm that the approach to add the mentioned crypttab options to the affected device is 100% reproducible on my system: when the affected device is in crypttab with "nofail,x-systemd.device-timeout=60", it is unlocked and mounted at the time my system is booted. If this option is not contained, it is unlocked but not mounted.

"nofail" cannot be relevant, so it is a timeout that breaks the mount. I assume something is broken by the SELinux denial, which thus does not respond, which then leads to the timeout. Interesting case.

Comment 32 Zdenek Pytela 2024-07-24 13:20:40 UTC
*** Bug 2299660 has been marked as a duplicate of this bug. ***

Comment 33 Christopher Klooz 2024-08-02 16:36:14 UTC
I have just checked the issue again with kernel 6.10.1 (whereas I have also installed many other updates in the meantime): The issue seems solved now. 

I have just removed the option "nofail,x-systemd.device-timeout=60" from the affected device in crypttab, and it still works out and mounts properly.

Journals of the boot no longer contain the mentioned denial.

Comment 34 fredg_@_bdx 2024-08-04 09:06:44 UTC
Confirmed, works again! Thanks

