Description of problem:
I started virt-manager.

SELinux is preventing /usr/lib/systemd/systemd-homed from 'read' accesses on the directory /var/cache/systemd/home/.

***** Plugin catchall_labels (83.8 confidence) suggests *******************

If you want to allow systemd-homed to have read access on the directory
Then you need to change the label on /var/cache/systemd/home/
Do
# semanage fcontext -a -t FILE_TYPE '/var/cache/systemd/home/'
where FILE_TYPE is one of the following: NetworkManager_etc_rw_t, NetworkManager_etc_t, abrt_etc_t, admin_home_t, aiccu_etc_t, alsa_etc_rw_t, alsa_home_t, antivirus_conf_t, antivirus_home_t, asterisk_etc_t, audio_home_t, auth_home_t, avahi_conf_t, bin_t, bitlbee_conf_t, bluetooth_conf_t, boot_t, boothd_etc_t, bootloader_etc_t, cache_home_t, cert_t, cgconfig_etc_t, cgrules_etc_t, chrome_sandbox_home_t, cluster_conf_t, cobbler_etc_t, condor_conf_t, config_home_t, conntrackd_conf_t, container_config_t, container_file_t, container_home_t, container_ro_file_t, container_runtime_tmpfs_t, couchdb_conf_t, courier_etc_t, cpucontrol_conf_t, cupsd_etc_t, cupsd_rw_etc_t, cvs_home_t, data_home_t, dbus_home_t, dbusd_etc_t, ddclient_etc_t, device_t, devpts_t, dhcp_etc_t, dictd_etc_t, dnsmasq_etc_t, dovecot_cert_t, dovecot_etc_t, etc_mail_t, etc_runtime_t, etc_t, exports_t, fdo_conf_rw_t, fdo_conf_t, fdo_home_t, fetchmail_etc_t, fetchmail_home_t, file_context_t, fingerd_etc_t, firewalld_etc_rw_t, firstboot_etc_t, fonts_cache_t, fonts_t, ftpd_etc_t, fwupd_cert_t, gconf_etc_t, gconf_home_t, gdomap_conf_t, getty_etc_t, git_user_content_t, gkeyringd_gnome_home_t, gnome_home_t, gpg_secret_t, gpm_conf_t, gstreamer_home_t, hddtemp_etc_t, home_bin_t, home_cert_t, home_root_t, hostname_etc_t, httpd_config_t, httpd_user_content_t, httpd_user_script_exec_t, ibacm_conf_t, icc_data_home_t, iceauth_home_t, init_var_lib_t, init_var_run_t, innd_etc_t, insights_client_etc_rw_t, insights_client_etc_t, irc_conf_t, irc_home_t, irc_tmp_t, irssi_etc_t, irssi_home_t,
kdump_etc_t, kismet_home_t, krb5_conf_t, krb5_home_t, krb5_host_rcache_t, krb5kdc_conf_t, kubernetes_file_t, l2tp_conf_t, lib_t, likewise_etc_t, lircd_etc_t, local_login_home_t, locale_t, lvm_etc_t, machineid_t, mail_home_rw_t, mail_home_t, mail_spool_t, man_cache_t, man_t, mandb_home_t, mcelog_etc_t, mdadm_conf_t, mdevctl_conf_t, minidlna_conf_t, minissdpd_conf_t, mock_etc_t, modules_conf_t, mozilla_conf_t, mozilla_home_t, mozilla_plugin_rw_t, mpd_etc_t, mpd_home_t, mpd_user_data_t, mplayer_etc_t, mplayer_home_t, mptcpd_etc_t, mrtg_etc_t, mscan_etc_t, munin_etc_t, mysqld_etc_t, mysqld_home_t, nagios_etc_t, named_conf_t, nbdkit_home_t, net_conf_t, nrpe_etc_t, nscd_var_run_t, nslcd_conf_t, ntop_etc_t, ntp_conf_t, nut_conf_t, opendnssec_conf_t, openshift_var_lib_t, openvpn_etc_rw_t, openvpn_etc_t, openvswitch_rw_t, oracleasm_conf_t, pads_config_t, passt_etc_t, pdns_conf_t, pegasus_conf_t, pingd_etc_t, pkcs11_modules_conf_t, pki_tomcat_cert_t, polipo_cache_home_t, polipo_config_home_t, polipo_etc_t, portreserve_etc_t, postfix_etc_t, postgresql_etc_t, postgrey_etc_t, pppd_etc_t, prelude_correlator_config_t, printconf_t, proc_t, procmail_home_t, psad_etc_t, ptal_etc_t, pulseaudio_home_t, puppet_etc_t, qatlib_conf_t, qmail_etc_t, rabbitmq_conf_t, radiusd_etc_t, radvd_etc_t, redis_conf_t, rhnsd_conf_t, rhsmcertd_config_t, rlogind_home_t, root_t, rssh_ro_t, rssh_rw_t, rsync_etc_t, samba_cert_t, samba_etc_t, sandbox_file_t, sanlock_conf_t, screen_home_t, shell_exec_t, shorewall_etc_t, slapd_cert_t, slapd_etc_t, snapperd_conf_t, snort_etc_t, soundd_etc_t, spamc_home_t, spamd_etc_t, speech_dispatcher_home_t, squid_conf_t, src_t, ssh_home_t, sslh_config_t, sssd_conf_t, sssd_public_t, stunnel_etc_t, svc_conf_t, svirt_home_t, sysfs_t, syslog_conf_t, system_conf_t, system_db_t, systemd_conf_t, systemd_home_t, systemd_homed_crypto_luks_t, systemd_homed_library_dir_t, systemd_homed_runtime_dir_t, systemd_hwdb_etc_t, systemd_userdbd_runtime_t, targetclid_home_t, 
telepathy_cache_home_t, telepathy_data_home_t, telepathy_gabble_cache_home_t, telepathy_logger_cache_home_t, telepathy_logger_data_home_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_data_home_t, telepathy_mission_control_home_t, telepathy_sunshine_home_t, texlive_home_t, textrel_shlib_t, tftpd_etc_t, thumb_home_t, tmp_t, tmpfs_t, tor_etc_t, tuned_etc_t, tuned_rw_etc_t, tvtime_home_t, udev_etc_t, udev_var_run_t, ulogd_etc_t, uml_ro_t, uml_rw_t, unlabeled_t, user_fonts_cache_t, user_fonts_config_t, user_fonts_t, user_home_dir_t, user_home_t, user_tmp_t, userhelper_conf_t, usr_t, var_lib_t, var_run_t, varnishd_etc_t, virt_content_t, virt_etc_t, virt_home_t, virt_var_lib_t, virtlogd_etc_t, vmware_conf_t, vmware_file_t, vmware_sys_conf_t, webalizer_etc_t, wine_home_t, wireshark_home_t, xauth_home_t, xdm_etc_t, xdm_home_t, xdm_rw_etc_t, xserver_etc_t, ypserv_conf_t, zarafa_etc_t, zebra_conf_t.
Then execute:
restorecon -v '/var/cache/systemd/home/'

***** Plugin catchall (17.1 confidence) suggests **************************

If you believe that systemd-homed should be allowed read access on the directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-homed' --raw | audit2allow -M my-systemdhomed
# semodule -X 300 -i my-systemdhomed.pp

Additional Information:
Source Context                system_u:system_r:systemd_homed_t:s0
Target Context                system_u:object_r:var_t:s0
Target Objects                /var/cache/systemd/home/ [ dir ]
Source                        systemd-homed
Source Path                   /usr/lib/systemd/systemd-homed
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           systemd-udev-256.6-1.fc41.x86_64
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-41.20-1.fc41.noarch
Local Policy RPM              selinux-policy-targeted-41.20-1.fc41.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.11.2-300.fc41.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Oct 4 16:44:08 UTC 2024 x86_64
Alert Count                   2
First Seen                    2024-10-10 06:42:25 CST
Last Seen                     2024-10-10 13:18:27 CST
Local ID                      93219e08-e925-4d05-9273-b34a1868f8f0

Raw Audit Messages
type=AVC msg=audit(1728587907.461:100): avc: denied { read } for pid=1194 comm="systemd-homed" name="home" dev="nvme1n1p2" ino=1467021 scontext=system_u:system_r:systemd_homed_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0

type=SYSCALL msg=audit(1728587907.461:100): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffff9c a1=55cb52dedf3e a2=90800 a3=0 items=1 ppid=1 pid=1194 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-homed exe=/usr/lib/systemd/systemd-homed subj=system_u:system_r:systemd_homed_t:s0 key=(null)

type=CWD msg=audit(1728587907.461:100): cwd=/

type=PATH msg=audit(1728587907.461:100): item=0 name=/var/cache/systemd/home/ inode=1467021 dev=00:27 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

Hash: systemd-homed,systemd_homed_t,var_t,dir,read

Version-Release number of selected component:
selinux-policy-targeted-41.20-1.fc41.noarch

Additional info:
reporter:       libreport-2.17.15
reason:         SELinux is preventing /usr/lib/systemd/systemd-homed from 'read' accesses on the directory /var/cache/systemd/home/.
package:        selinux-policy-targeted-41.20-1.fc41.noarch
component:      selinux-policy
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.11.2-300.fc41.x86_64
comment:        I started virt-manager.
component:      selinux-policy
Created attachment 2051445 (File: description)
Created attachment 2051446 (File: os_info)
*** This bug has been marked as a duplicate of bug 2036108 ***
I also had this problem. I could fix it by setting SELINUX to permissive and restarting systemd-homed.service. This created the necessary folder /var/cache/systemd/home/. Then I ran restorecon -vR on /var/cache/systemd/home/. Now, after I set SELINUX to enforcing again, the error does not occur anymore.
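The two fixes on this page (the relabel path from the catchall_labels plugin and the permissive/restorecon sequence in comment 4) both hinge on one observation: the target context in the AVC is the generic var_t, not a systemd-homed type, so the directory was created before the policy's file-context rule applied and needs a relabel rather than a new allow rule. The script below is an added example, not part of the bug report or of setroubleshoot; it parses the report's own AVC record, makes that call, and shows what restorecon would change (dry run) before anyone reaches for audit2allow. The list of "generic" types it treats as a labeling symptom is an assumption.

```shell
#!/bin/sh
# Added example: triage an SELinux AVC denial as a labeling problem
# versus a genuinely missing policy rule.

# Constructed from the raw audit message in the report above.
AVC_SAMPLE='type=AVC msg=audit(1728587907.461:100): avc: denied { read } for pid=1194 comm="systemd-homed" name="home" dev="nvme1n1p2" ino=1467021 scontext=system_u:system_r:systemd_homed_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0'

# Print the value of "key=value" from an audit record ($1 = record, $2 = key).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Type component (third field) of a context like system_u:object_r:var_t:s0.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Assumption: a denial whose target carries one of these catch-all types means
# the object never received its policy-specific label (created under an older
# policy, or before the fcontext rule existed). Fix: restorecon, not audit2allow.
triage() {
    ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    case "$ttype" in
        var_t|var_lib_t|var_run_t|etc_t|usr_t|tmp_t|unlabeled_t|default_t)
            echo relabel ;;
        *)
            echo policy ;;
    esac
}

# Dry run: -n reports what restorecon would relabel without touching anything.
check_label() {
    if command -v restorecon >/dev/null 2>&1; then
        restorecon -nv "$1"
    else
        echo "restorecon not available here; on the affected host run: restorecon -Rv '$1'"
    fi
}

if [ "${1:-}" = "--run" ]; then
    echo "source type: $(ctx_type "$(avc_field "$AVC_SAMPLE" scontext)")"
    echo "target type: $(ctx_type "$(avc_field "$AVC_SAMPLE" tcontext)") (class $(avc_field "$AVC_SAMPLE" tclass))"
    echo "verdict:     $(triage "$AVC_SAMPLE")"
    check_label /var/cache/systemd/home/
fi
```

A "policy" verdict only means the target already carries a specific label, which is when the catchall plugin's ausearch | audit2allow route becomes the right next step.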
(In reply to Martin Wolf from comment #4)
> I also had this problem, I could fix it with setting SELINUX to permissive,
> restart systemd-homed.service.
> This created the necessary folder /var/cache/systemd/home/. Then I ran
> restorecon -vR on /var/cache/systemd/home/
> Now after I set SELINUX to enforce again, the error does not occur anymore.

This is the correct solution for the current state. There are various upgrade paths; hopefully, with the latest build, the result will always be correct for any of them.