Bug 2360326 - SELinux is preventing /usr/lib/systemd/systemd-rfkill from read, open access on the file file.
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: x86_64
OS: Unspecified
medium
unspecified
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:489db76d34408115c0f4e64dfa6...
 
Reported: 2025-04-16 16:17 UTC by Andrew Kreimer
Modified: 2025-04-23 01:48 UTC

Fixed In Version: selinux-policy-41.38-1.fc42
Last Closed: 2025-04-23 01:48:25 UTC
zpytela: mirror+


Attachments
File: description (2.42 KB, text/plain)
2025-04-16 16:17 UTC, Andrew Kreimer
File: os_info (718 bytes, text/plain)
2025-04-16 16:17 UTC, Andrew Kreimer


Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
| --- | --- | --- | --- | --- | --- | --- |
| Github | fedora-selinux selinux-policy pull 2648 | 0 | None | open | Allow systemd-rfkill read nsfs files | 2025-04-16 17:09:33 UTC |
| Red Hat Issue Tracker | FC-1598 | 0 | None | None | None | 2025-04-16 17:09:47 UTC |

Description Andrew Kreimer 2025-04-16 16:17:26 UTC
Description of problem:
SELinux is preventing /usr/lib/systemd/systemd-rfkill from read, open access on the file file.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-rfkill should be allowed read open access on the file file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-rfkill' --raw | audit2allow -M my-systemdrfkill
# semodule -X 300 -i my-systemdrfkill.pp

Additional Information:
Source Context                system_u:system_r:systemd_rfkill_t:s0
Target Context                system_u:object_r:nsfs_t:s0
Target Objects                file [ file ]
Source                        systemd-rfkill
Source Path                   /usr/lib/systemd/systemd-rfkill
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           systemd-udev-257.5-2.fc43.x86_64
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-41.37-1.fc43.noarch
Local Policy RPM              selinux-policy-targeted-41.37-1.fc43.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.15.0-
                              0.rc1.20250411git900241a5cc15.19.fc43.x86_64 #1
                              SMP PREEMPT_DYNAMIC Fri Apr 11 19:18:58 UTC 2025
                              x86_64
Alert Count                   6
First Seen                    2025-04-08 19:02:43 IDT
Last Seen                     2025-04-15 19:56:19 IDT
Local ID                      8745de0e-e224-40a7-ae1b-6cd01c5d8d80

Raw Audit Messages
type=AVC msg=audit(1744736179.846:80): avc:  denied  { read open } for  pid=670 comm="systemd-rfkill" path="net:[4026531840]" dev="nsfs" ino=4026531840 scontext=system_u:system_r:systemd_rfkill_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1744736179.846:80): arch=x86_64 syscall=ioctl success=no exit=EACCES a0=6 a1=894c a2=7ffd977d144c a3=7ffd977d144c items=0 ppid=1 pid=670 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-rfkill exe=/usr/lib/systemd/systemd-rfkill subj=system_u:system_r:systemd_rfkill_t:s0 key=(null)

Hash: systemd-rfkill,systemd_rfkill_t,nsfs_t,file,read,open

Version-Release number of selected component:
selinux-policy-targeted-41.37-1.fc43.noarch

Additional info:
reporter:       libreport-2.17.15
reason:         SELinux is preventing /usr/lib/systemd/systemd-rfkill from read, open access on the file file.
package:        selinux-policy-targeted-41.37-1.fc43.noarch
component:      selinux-policy
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.15.0-0.rc1.20250411git900241a5cc15.19.fc43.x86_64
component:      selinux-policy

Comment 1 Andrew Kreimer 2025-04-16 16:17:29 UTC
Created attachment 2085224
File: description

Comment 2 Andrew Kreimer 2025-04-16 16:17:30 UTC
Created attachment 2085225
File: os_info

Comment 3 Zdenek Pytela 2025-04-16 17:09:34 UTC
Andrew,

Do you happen to know what is required to trigger this denial?

Comment 4 Andrew Kreimer 2025-04-16 20:40:48 UTC
Zdenek,

No clue, I get those notifications on every startup.

Ask me anything, will try to do my best.

Comment 5 Fedora Update System 2025-04-21 08:44:17 UTC
FEDORA-2025-c6621cb65e (selinux-policy-41.38-1.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-c6621cb65e

Comment 6 Fedora Update System 2025-04-22 01:45:31 UTC
FEDORA-2025-c6621cb65e has been pushed to the Fedora 42 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-c6621cb65e`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-c6621cb65e

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Andrew Kreimer 2025-04-22 07:39:38 UTC
Thanks, there are no errors/notifications since the update.

Comment 8 Fedora Update System 2025-04-23 01:48:25 UTC
FEDORA-2025-c6621cb65e (selinux-policy-41.38-1.fc42) has been pushed to the Fedora 42 stable repository.
If the problem still persists, please make note of it in this bug report.

