Description of problem: SELinux is preventing tuned-ppd from 'getattr' accesses on the filesystem /. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that tuned-ppd should be allowed getattr access on the filesystem by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'tuned-ppd' --raw | audit2allow -M my-tunedppd # semodule -X 300 -i my-tunedppd.pp Additional Information: Source Context system_u:system_r:tuned_ppd_t:s0 Target Context system_u:object_r:fs_t:s0 Target Objects / [ filesystem ] Source tuned-ppd Source Path tuned-ppd Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages SELinux Policy RPM selinux-policy-targeted-42.4-1.fc42.noarch Local Policy RPM selinux-policy-targeted-42.4-1.fc42.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 6.15.9-201.fc42.x86_64 #1 SMP PREEMPT_DYNAMIC Sat Aug 2 11:37:34 UTC 2025 x86_64 Alert Count 8 First Seen 2025-07-30 15:42:02 CEST Last Seen 2025-08-11 11:33:54 CEST Local ID 8b2179c0-eaaa-4dba-a668-ea608fa6f69a Raw Audit Messages type=AVC msg=audit(1754904834.436:525): avc: denied { getattr } for pid=1778 comm="tuned-ppd" name="/" dev="nvme0n1p3" ino=2 scontext=system_u:system_r:tuned_ppd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1 Hash: tuned-ppd,tuned_ppd_t,fs_t,filesystem,getattr Version-Release number of selected component: selinux-policy-targeted-42.4-1.fc42.noarch Additional info: reporter: libreport-2.17.15 component: selinux-policy type: libreport hashmarkername: setroubleshoot package: selinux-policy-targeted-42.4-1.fc42.noarch kernel: 6.15.9-201.fc42.x86_64 reason: SELinux is preventing tuned-ppd from 'getattr' accesses on the filesystem /. component: selinux-policy
Created attachment 2103241 [details] File: os_info
Created attachment 2103242 [details] File: description
Hello, Is there any configuration change needed to trigger this denial? Can you set your system to permissive mode (setenforce 0) and try again to collect all denials (ausearch -m avc -i -ts today)? Can you also provide output of (mount)?
Hi, no config change except regular dnf updates, one of which brought new version of selinux-policy-targeted rpm. My system is already in Enforcing Mode Permissive $ mount /dev/nvme0n1p3 on / type ext4 (rw,relatime,seclabel) rpc_pipefs on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime) devtmpfs on /dev type devtmpfs (rw,nosuid,seclabel,size=15741412k,nr_inodes=3935353,mode=755,inode64) tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,seclabel,inode64) devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,seclabel,gid=5,mode=620,ptmxmode=000) sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime,seclabel) securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime) cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,seclabel,nsdelegate,memory_recursiveprot) none on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime,seclabel) efivarfs on /sys/firmware/efi/efivars type efivarfs (rw,nosuid,nodev,noexec,relatime) bpf on /sys/fs/bpf type bpf (rw,nosuid,nodev,noexec,relatime,mode=700) configfs on /sys/kernel/config type configfs (rw,nosuid,nodev,noexec,relatime) proc on /proc type proc (rw,nosuid,nodev,noexec,relatime) tmpfs on /run type tmpfs (rw,nosuid,nodev,seclabel,size=6315788k,nr_inodes=819200,mode=755,inode64) selinuxfs on /sys/fs/selinux type selinuxfs (rw,nosuid,noexec,relatime) systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=37,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=13311) debugfs on /sys/kernel/debug type debugfs (rw,nosuid,nodev,noexec,relatime,seclabel) tracefs on /sys/kernel/tracing type tracefs (rw,nosuid,nodev,noexec,relatime,seclabel) mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime,seclabel) hugetlbfs on /dev/hugepages type hugetlbfs (rw,nosuid,nodev,relatime,seclabel,pagesize=2M) tmpfs on /run/credentials/systemd-journald.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,inode64,noswap) fusectl on /sys/fs/fuse/connections type fusectl (rw,nosuid,nodev,noexec,relatime) tmpfs on /tmp type tmpfs (rw,nosuid,nodev,seclabel,size=15789464k,nr_inodes=1048576,inode64) /dev/nvme0n1p1 on /boot/efi type vfat (rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=winnt,errors=remount-ro) binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,nosuid,nodev,noexec,relatime) tmpfs on /run/credentials/systemd-resolved.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,inode64,noswap) tmpfs on /run/user/968 type tmpfs (rw,nosuid,nodev,relatime,seclabel,size=3157892k,nr_inodes=789473,mode=700,uid=968,gid=965,inode64) tmpfs on /run/credentials/getty type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,inode64,noswap) tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,seclabel,size=3157892k,nr_inodes=789473,mode=700,uid=1000,gid=1000,inode64) portal on /run/user/1000/doc type fuse.portal (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000) Since I reported the bug I applied a local selinux policy as suggested by the SElinux Troubleshooter tool, as I got annoyed by the AVC denial messages. So nothing from tuned-ppd today, but I have older AVCs: $ sudo ausearch -m avc -i | grep tuned type=AVC msg=audit(30/07/25 17:38:09.440:132036) : avc: denied { getattr } for pid=1487 comm=tuned-ppd name=/ dev="nvme0n1p3" ino=2 scontext=system_u:system_r:tuned_ppd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1 type=AVC msg=audit(31/07/25 08:13:45.131:7587) : avc: denied { getattr } for pid=1538 comm=tuned-ppd name=/ dev="nvme0n1p3" ino=2 scontext=system_u:system_r:tuned_ppd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1 type=AVC msg=audit(31/07/25 14:17:59.453:87925) : avc: denied { getattr } for pid=1461 comm=tuned-ppd name=/ dev="nvme0n1p3" ino=2 scontext=system_u:system_r:tuned_ppd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1 type=AVC msg=audit(31/07/25 17:52:42.492:88063) : avc: denied { getattr } for pid=1461 comm=tuned-ppd name=/ dev="nvme0n1p3" ino=2 scontext=system_u:system_r:tuned_ppd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1 type=AVC msg=audit(01/08/25 15:08:20.266:1031) : avc: denied { getattr } for pid=1437 comm=tuned-ppd name=/ dev="nvme0n1p3" ino=2 scontext=system_u:system_r:tuned_ppd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1 type=AVC msg=audit(09/08/25 14:21:26.254:538) : avc: denied { getattr } for pid=1477 comm=tuned-ppd name=/ dev="nvme0n1p3" ino=2 scontext=system_u:system_r:tuned_ppd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1 type=AVC msg=audit(09/08/25 15:35:43.076:727) : avc: denied { getattr } for pid=1477 comm=tuned-ppd name=/ dev="nvme0n1p3" ino=2 scontext=system_u:system_r:tuned_ppd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1 type=AVC msg=audit(11/08/25 09:55:11.489:779) : avc: denied { getattr } for pid=1473 comm=tuned-ppd name=/ dev="nvme0n1p3" ino=2 scontext=system_u:system_r:tuned_ppd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1 type=AVC msg=audit(11/08/25 09:58:16.569:553) : avc: denied { getattr } for pid=1466 comm=tuned-ppd name=/ dev="nvme0n1p3" ino=2 scontext=system_u:system_r:tuned_ppd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1 type=AVC msg=audit(11/08/25 10:03:12.144:614) : avc: denied { getattr } for pid=1466 comm=tuned-ppd name=/ dev="nvme0n1p3" ino=2 scontext=system_u:system_r:tuned_ppd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1 type=AVC msg=audit(11/08/25 10:11:18.710:908) : avc: denied { getattr } for pid=1466 comm=tuned-ppd name=/ dev="nvme0n1p3" ino=2 scontext=system_u:system_r:tuned_ppd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1 type=AVC msg=audit(11/08/25 10:12:08.135:935) : avc: denied { getattr } for pid=1466 comm=tuned-ppd name=/ dev="nvme0n1p3" ino=2 scontext=system_u:system_r:tuned_ppd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1 type=AVC msg=audit(11/08/25 11:31:48.976:1813) : avc: denied { getattr } for pid=1466 comm=tuned-ppd name=/ dev="nvme0n1p3" ino=2 scontext=system_u:system_r:tuned_ppd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1 type=AVC msg=audit(11/08/25 11:31:48.981:1814) : avc: denied { getattr } for pid=1466 comm=tuned-ppd name=/ dev="nvme0n1p3" ino=2 scontext=system_u:system_r:tuned_ppd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1 type=AVC msg=audit(11/08/25 11:33:54.436:525) : avc: denied { getattr } for pid=1778 comm=tuned-ppd name=/ dev="nvme0n1p3" ino=2 scontext=system_u:system_r:tuned_ppd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
FEDORA-2025-7a468a12c5 (selinux-policy-42.7-1.fc42) has been submitted as an update to Fedora 42. https://bodhi.fedoraproject.org/updates/FEDORA-2025-7a468a12c5
FEDORA-2025-7a468a12c5 has been pushed to the Fedora 42 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-7a468a12c5` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-7a468a12c5 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2025-7a468a12c5 (selinux-policy-42.7-1.fc42) has been pushed to the Fedora 42 stable repository. If problem still persists, please make note of it in this bug report.