usernetctl currently does nothing with the gid and egid of the invoking user, so /sbin/ifup and all further processes are executed with the gid of the invoking user. This seems to be potentially insecure (e.g. creating files readable and writable by the invoking user); currently this causes a SELinux denial in the following situation:

Steps to Reproduce:
1. eth0 has USERNETCTL=yes, BOOTPROTO=dhcp
2. user runs /sbin/ifup eth0
3. this eventually runs /sbin/dhclient-script, with egid=$user euid=0 gid=$user uid=0
4. this eventually runs (cp -fp /etc/resolv.conf /etc/resolv.conf.predhclient)
5. cp creates /etc/resolv.conf.predhclient, which is now owned by root:$user
6. cp attempts to fchown() /etc/resolv.conf.predhclient to root:root, which is prohibited by SELinux

Version-Release number of selected component (if applicable): initscripts-8.45.7-1
Fixed, will be in 8.53-1.
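
The gid handling described in the report, as an added example that is not part of the original report and is not the initscripts fix: a setuid-root helper aligns its supplementary groups and GID with root before exec'ing further scripts, so files those scripts create are not group-owned by the invoking user. The helper name align_groups_with_root and the sample GID 500 (standing in for $user) are assumptions.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 when a process holds root's effective UID but a non-root real or
 * effective GID: the state shown in step 3 of the report. */
int gid_mismatch(uid_t euid, gid_t gid, gid_t egid)
{
    return euid == 0 && (gid != 0 || egid != 0);
}

/* Hypothetical helper (not from initscripts): align the group identity with
 * root before exec'ing root-owned scripts. Returns 0 on success or when the
 * process is unprivileged and there is nothing to align, -1 on failure. */
int align_groups_with_root(void)
{
    gid_t root_gid = 0;

    if (geteuid() != 0)
        return 0;
    /* Supplementary groups first, then real/effective/saved GID. */
    if (setgroups(1, &root_gid) != 0 || setgid(root_gid) != 0)
        return -1;
    /* Verify the resulting IDs instead of trusting return codes alone. */
    return gid_mismatch(geteuid(), getgid(), getegid()) ? -1 : 0;
}

int main(void)
{
    /* Constructed values: 500 stands in for $user's GID from the report. */
    printf("reported state mismatched: %d\n", gid_mismatch(0, 500, 500));
    printf("this process mismatched:   %d\n",
           gid_mismatch(geteuid(), getgid(), getegid()));
    if (align_groups_with_root() != 0) {
        perror("align_groups_with_root");
        return 1;
    }
    printf("after alignment:           %d\n",
           gid_mismatch(geteuid(), getgid(), getegid()));
    return 0;
}
```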