With systemd 258 in Rawhide, it looks like we're getting AVC denials on first boot after clean install. After default install and boot of the Server DVD, we get all these logged:

time->Fri Aug 29 16:43:26 2025
type=AVC msg=audit(1756500206.655:62): avc: denied { add_name } for pid=835 comm="systemd-ssh-iss" name="issue.d" scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
----
time->Fri Aug 29 16:43:26 2025
type=AVC msg=audit(1756500206.655:63): avc: denied { create } for pid=835 comm="systemd-ssh-iss" name="issue.d" scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
----
time->Fri Aug 29 16:43:26 2025
type=AVC msg=audit(1756500206.655:64): avc: denied { write open } for pid=835 comm="systemd-ssh-iss" path=2F72756E2F69737375652E642F2332303933202864656C6574656429 dev="tmpfs" ino=2093 scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Fri Aug 29 16:43:26 2025
type=AVC msg=audit(1756500206.655:65): avc: denied { getattr } for pid=835 comm="systemd-ssh-iss" path=2F72756E2F69737375652E642F2332303933202864656C6574656429 dev="tmpfs" ino=2093 scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Fri Aug 29 16:43:26 2025
type=AVC msg=audit(1756500206.655:66): avc: denied { setattr } for pid=835 comm="systemd-ssh-iss" name="#2093" dev="tmpfs" ino=2093 scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Fri Aug 29 16:43:26 2025
type=AVC msg=audit(1756500206.656:67): avc: denied { read } for pid=835 comm="systemd-ssh-iss" dev="tmpfs" ino=2093 scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Fri Aug 29 16:43:26 2025
type=AVC msg=audit(1756500206.656:68): avc: denied { link } for pid=835 comm="systemd-ssh-iss" name="#2093" dev="tmpfs" ino=2093 scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Fri Aug 29 16:43:27 2025
type=AVC msg=audit(1756500207.828:120): avc: denied { getattr } for pid=1029 comm="systemctl" name="/" dev="pidfs" ino=1 scontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tcontext=system_u:object_r:pidfs_t:s0 tclass=filesystem permissive=0
----
time->Fri Aug 29 16:43:27 2025
type=AVC msg=audit(1756500207.949:126): avc: denied { getattr } for pid=1077 comm="systemctl" name="/" dev="pidfs" ino=1 scontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tcontext=system_u:object_r:pidfs_t:s0 tclass=filesystem permissive=0

Not sure why permissive goes from 1 to 0 across a second there, but oh well.
Hmm, I guess the two which happen with permissive=0 are for systemctl commands, not necessarily to do with systemd-ssh-issue. I'll attach the full /var/log tarball, too.
Created attachment 2105206: /var/log tarball from affected test
Also found by one of our CI tests:

----
type=PROCTITLE msg=audit(09/04/2025 08:15:35.852:40) : proctitle=/usr/lib/systemd/systemd-ssh-issue --make-vsock
type=PATH msg=audit(09/04/2025 08:15:35.852:40) : item=1 name=/run/issue.d inode=1766 dev=00:1c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(09/04/2025 08:15:35.852:40) : item=0 name=/run/ inode=1 dev=00:1c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(09/04/2025 08:15:35.852:40) : cwd=/
type=SYSCALL msg=audit(09/04/2025 08:15:35.852:40) : arch=x86_64 syscall=mkdirat success=yes exit=0 a0=AT_FDCWD a1=0x7ffc3e3941f0 a2=0755 a3=0x7ffc3e3941f5 items=2 ppid=1 pid=757 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-ssh-iss exe=/usr/lib/systemd/systemd-ssh-issue subj=system_u:system_r:systemd_ssh_issue_t:s0 key=(null)
type=AVC msg=audit(09/04/2025 08:15:35.852:40) : avc: denied { create } for pid=757 comm=systemd-ssh-iss name=issue.d scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(09/04/2025 08:15:35.852:40) : avc: denied { add_name } for pid=757 comm=systemd-ssh-iss name=issue.d scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
----
type=PROCTITLE msg=audit(09/04/2025 08:15:35.852:41) : proctitle=/usr/lib/systemd/systemd-ssh-issue --make-vsock
type=PATH msg=audit(09/04/2025 08:15:35.852:41) : item=0 name=/run/issue.d inode=1767 dev=00:1c mode=file,640 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(09/04/2025 08:15:35.852:41) : cwd=/
type=SYSCALL msg=audit(09/04/2025 08:15:35.852:41) : arch=x86_64 syscall=openat success=yes exit=4 a0=AT_FDCWD a1=0x56328b33a9c0 a2=O_WRONLY|O_DIRECTORY|O_CLOEXEC|__O_TMPFILE a3=0x1a0 items=1 ppid=1 pid=757 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-ssh-iss exe=/usr/lib/systemd/systemd-ssh-issue subj=system_u:system_r:systemd_ssh_issue_t:s0 key=(null)
type=AVC msg=audit(09/04/2025 08:15:35.852:41) : avc: denied { write open } for pid=757 comm=systemd-ssh-iss path=/run/issue.d/#1767 (deleted) dev="tmpfs" ino=1767 scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(09/04/2025 08:15:35.852:42) : proctitle=/usr/lib/systemd/systemd-ssh-issue --make-vsock
type=SYSCALL msg=audit(09/04/2025 08:15:35.852:42) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x4 a1=0x7ffc3e393ef0 a2=0x7fb358bf4ec0 a3=0x1 items=0 ppid=1 pid=757 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-ssh-iss exe=/usr/lib/systemd/systemd-ssh-issue subj=system_u:system_r:systemd_ssh_issue_t:s0 key=(null)
type=AVC msg=audit(09/04/2025 08:15:35.852:42) : avc: denied { getattr } for pid=757 comm=systemd-ssh-iss path=/run/issue.d/#1767 (deleted) dev="tmpfs" ino=1767 scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(09/04/2025 08:15:35.852:43) : proctitle=/usr/lib/systemd/systemd-ssh-issue --make-vsock
type=PATH msg=audit(09/04/2025 08:15:35.852:43) : item=0 name=(null) inode=1767 dev=00:1c mode=file,640 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(09/04/2025 08:15:35.852:43) : cwd=/
type=SYSCALL msg=audit(09/04/2025 08:15:35.852:43) : arch=x86_64 syscall=fchmod success=yes exit=0 a0=0x4 a1=0644 a2=0x0 a3=0x4 items=1 ppid=1 pid=757 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-ssh-iss exe=/usr/lib/systemd/systemd-ssh-issue subj=system_u:system_r:systemd_ssh_issue_t:s0 key=(null)
type=AVC msg=audit(09/04/2025 08:15:35.852:43) : avc: denied { setattr } for pid=757 comm=systemd-ssh-iss name=#1767 dev="tmpfs" ino=1767 scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(09/04/2025 08:15:35.852:44) : proctitle=/usr/lib/systemd/systemd-ssh-issue --make-vsock
type=PATH msg=audit(09/04/2025 08:15:35.852:44) : item=2 name=/run/issue.d/50-ssh-vsock.issue inode=1767 dev=00:1c mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(09/04/2025 08:15:35.852:44) : item=1 name= inode=1767 dev=00:1c mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(09/04/2025 08:15:35.852:44) : item=0 name=/run/issue.d/ inode=1766 dev=00:1c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(09/04/2025 08:15:35.852:44) : cwd=/
type=SYSCALL msg=audit(09/04/2025 08:15:35.852:44) : arch=x86_64 syscall=linkat success=yes exit=0 a0=0x4 a1=0x7fb358f66dd9 a2=AT_FDCWD a3=0x56328b33af20 items=3 ppid=1 pid=757 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-ssh-iss exe=/usr/lib/systemd/systemd-ssh-issue subj=system_u:system_r:systemd_ssh_issue_t:s0 key=(null)
type=AVC msg=audit(09/04/2025 08:15:35.852:44) : avc: denied { link } for pid=757 comm=systemd-ssh-iss name=#1767 dev="tmpfs" ino=1767 scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(09/04/2025 08:15:35.852:44) : avc: denied { read } for pid=757 comm=systemd-ssh-iss dev="tmpfs" ino=1767 scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----

The whole test output log is available at:
* https://artifacts.dev.testing-farm.io/ef2a6fba-36c5-4059-b815-b91997775c60/work-rebootctb8h0di/plans/reboot/execute/data/guest/default-0/other/collect-denials-3/output.txt
I am seeing them after successful installs of the server DVD and server netinst ISOs in VM environments (Proxmox). The VMs seem otherwise fine and very responsive. I just happened to notice these messages in the log. The results are similar between UEFI/BIOS installs, but differ by DVD vs. netinst.

DVD:

root@f43s-uefi:~# ausearch -m avc
----
time->Thu Sep 11 18:31:31 2025
type=AVC msg=audit(1757633491.285:50): avc: denied { add_name } for pid=903 comm="systemd-ssh-iss" name="issue.d" scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
----
time->Thu Sep 11 18:31:31 2025
type=AVC msg=audit(1757633491.285:51): avc: denied { create } for pid=903 comm="systemd-ssh-iss" name="issue.d" scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
----
time->Thu Sep 11 18:31:31 2025
type=AVC msg=audit(1757633491.285:52): avc: denied { write open } for pid=903 comm="systemd-ssh-iss" path=2F72756E2F69737375652E642F2332313735202864656C6574656429 dev="tmpfs" ino=2175 scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Thu Sep 11 18:31:31 2025
type=AVC msg=audit(1757633491.285:53): avc: denied { getattr } for pid=903 comm="systemd-ssh-iss" path=2F72756E2F69737375652E642F2332313735202864656C6574656429 dev="tmpfs" ino=2175 scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Thu Sep 11 18:31:31 2025
type=AVC msg=audit(1757633491.285:54): avc: denied { setattr } for pid=903 comm="systemd-ssh-iss" name="#2175" dev="tmpfs" ino=2175 scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Thu Sep 11 18:31:31 2025
type=AVC msg=audit(1757633491.285:55): avc: denied { read } for pid=903 comm="systemd-ssh-iss" dev="tmpfs" ino=2175 scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Thu Sep 11 18:31:31 2025
type=AVC msg=audit(1757633491.285:56): avc: denied { link } for pid=903 comm="systemd-ssh-iss" name="#2175" dev="tmpfs" ino=2175 scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1

Netinst:

root@f43sn-uefi:~# ausearch -m avc
----
time->Thu Sep 11 18:35:43 2025
type=AVC msg=audit(1757633743.945:50): avc: denied { read } for pid=1034 comm="systemd-ssh-iss" name="vsock" dev="devtmpfs" ino=488 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:vsock_device_t:s0 tclass=chr_file permissive=0
----
time->Thu Sep 11 18:35:47 2025
type=AVC msg=audit(1757633747.233:98): avc: denied { getattr } for pid=1214 comm="systemctl" name="/" dev="pidfs" ino=1 scontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tcontext=system_u:object_r:pidfs_t:s0 tclass=filesystem permissive=0
----
time->Thu Sep 11 18:35:47 2025
type=AVC msg=audit(1757633747.410:107): avc: denied { getattr } for pid=1256 comm="systemctl" name="/" dev="pidfs" ino=1 scontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tcontext=system_u:object_r:pidfs_t:s0 tclass=filesystem permissive=0
systemd-ssh-issue is a new helper that creates /run/issue.d/50-ssh-vsock.issue with a message like "Try contacting this VM's SSH server via 'ssh vsock%%%u' from host." if the VM has AF_VSOCK support and IOCTL_VM_SOCKETS_GET_LOCAL_CID returns something.

I guess that's the query:

avc: denied { read } for pid=1034 comm="systemd-ssh-iss" name="vsock" dev="devtmpfs" ino=488 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:vsock_device_t:s0 tclass=chr_file permissive=0

and then it tries to create a directory and a temporary file and atomically rename the temporary file to the final name, following the standard pattern.

type=AVC msg=audit(1757633491.285:50): avc: denied { add_name } for pid=903 comm="systemd-ssh-iss" name="issue.d" scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1757633491.285:51): avc: denied { create } for pid=903 comm="systemd-ssh-iss" name="issue.d" scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1757633491.285:52): avc: denied { write open } for pid=903 comm="systemd-ssh-iss" path=2F72756E2F69737375652E642F2332313735202864656C6574656429 dev="tmpfs" ino=2175 scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1757633491.285:53): avc: denied { getattr } for pid=903 comm="systemd-ssh-iss" path=2F72756E2F69737375652E642F2332313735202864656C6574656429 dev="tmpfs" ino=2175 scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1757633491.285:54): avc: denied { setattr } for pid=903 comm="systemd-ssh-iss" name="#2175" dev="tmpfs" ino=2175 scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1757633491.285:55): avc: denied { read } for pid=903 comm="systemd-ssh-iss" dev="tmpfs" ino=2175 scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1757633491.285:56): avc: denied { link } for pid=903 comm="systemd-ssh-iss" name="#2175" dev="tmpfs" ino=2175 scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1

I don't know why the name is first path=2F72756E2F69737375652E642F2332313735202864656C6574656429 ino=2175 and then name="#2175" ino=2175, but I assume it's the same file and that's how selinux is reporting it. The file is an unnamed temporary file opened with O_TMPFILE.

That file is only informative and the return value from the program is ignored, so those failures should not cause any problems apart from the messages.

--

type=AVC msg=audit(1756500207.828:120): avc: denied { getattr } for pid=1029 comm="systemctl" name="/" dev="pidfs" ino=1 scontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tcontext=system_u:object_r:pidfs_t:s0 tclass=filesystem permissive=0

That seems to be systemctl trying to acquire a pidfd for a process…
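The create-then-link sequence that the comment above describes, and that the interpreted audit records earlier in this bug show syscall by syscall (mkdirat on the parent, openat with O_TMPFILE, fchmod, linkat to the final name), as an added Python example. This is not code from this bug report or from systemd; the destination directory, file name and message text are constructed stand-ins for /run/issue.d/50-ssh-vsock.issue, the staging name used before the final rename is this example's own choice, and the mkstemp-plus-rename fallback is an assumption for hosts where O_TMPFILE or /proc is unavailable. It shows why audit reports the inode first as "#<ino> (deleted)" and only later under its final name.

```python
import os
import stat
import tempfile


def _write_all(fd, data):
    """os.write() may write fewer bytes than requested; loop until all are out."""
    view = memoryview(data)
    while view:
        written = os.write(fd, view)
        view = view[written:]


def write_file_atomically(dest, text, mode=0o644):
    """Create `dest` so readers see either no file or the complete file, never a partial one.

    Preferred path (Linux): open an unnamed inode in the target directory with
    O_TMPFILE, fill it, fchmod it, then give it a name with linkat through
    /proc/self/fd. Until the link, the inode has no name, which is what audit
    renders as '/run/issue.d/#<ino> (deleted)'. Returns the strategy used.
    """
    dirpath = os.path.dirname(dest) or "."
    os.makedirs(dirpath, mode=0o755, exist_ok=True)   # the mkdirat step (add_name + create on the dir)
    data = text.encode("utf-8")

    tmpfile_flag = getattr(os, "O_TMPFILE", None)    # missing on non-Linux Python
    if tmpfile_flag is not None:
        try:
            fd = os.open(dirpath, os.O_WRONLY | os.O_CLOEXEC | tmpfile_flag, 0o640)
        except OSError:                              # filesystem without O_TMPFILE support
            fd = None
        if fd is not None:
            # Link under a sibling staging name first so an existing dest is replaced
            # by rename rather than failing with EEXIST (staging name is this example's choice).
            staging = os.path.join(dirpath, f".{os.path.basename(dest)}.{os.getpid()}.tmp")
            try:
                _write_all(fd, data)
                os.fchmod(fd, mode)                  # the setattr step (0640 -> requested mode)
                # linkat via /proc/self/fd needs AT_SYMLINK_FOLLOW, i.e. follow_symlinks=True
                os.link(f"/proc/self/fd/{fd}", staging, follow_symlinks=True)
                os.replace(staging, dest)            # atomic rename onto the final name
                return "O_TMPFILE"
            except OSError:
                # e.g. /proc not mounted; the unnamed inode disappears on close
                try:
                    os.unlink(staging)
                except FileNotFoundError:
                    pass
            finally:
                os.close(fd)

    # Fallback: a named temporary file in the same directory plus rename. Still atomic
    # for readers, but a crash between mkstemp and rename leaves a stray .tmp file.
    tmpfd, tmp_path = tempfile.mkstemp(dir=dirpath, prefix=".tmp-")
    try:
        _write_all(tmpfd, data)
        os.fchmod(tmpfd, mode)
    finally:
        os.close(tmpfd)
    os.replace(tmp_path, dest)
    return "mkstemp"


def run_demo():
    """Constructed demo: write the fragment twice under a temporary directory standing in
    for /run/issue.d, and report what is on disk afterwards (second write must win,
    mode must be exactly 0644, no staging files left behind)."""
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "issue.d", "50-ssh-vsock.issue")
        write_file_atomically(dest, "Try contacting this VM's SSH server via 'ssh vsock%3' from host.\n")
        method = write_file_atomically(dest, "Try contacting this VM's SSH server via 'ssh vsock%42' from host.\n")
        with open(dest, encoding="utf-8") as f:
            content = f.read()
        perm = stat.S_IMODE(os.stat(dest).st_mode)
        leftovers = sorted(n for n in os.listdir(os.path.dirname(dest)) if n != "50-ssh-vsock.issue")
        return {"method": method, "content": content, "mode": perm, "leftovers": leftovers}


if __name__ == "__main__":
    print(run_demo())
```

Whichever branch runs, the observable result is the same; the difference is only what a crash in the middle leaves behind, and what audit logs for the intermediate steps.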
(In reply to Zbigniew Jędrzejewski-Szmek from comment #5)
> systemd-ssh-issue is a new helper that creates
> /run/issue.d/50-ssh-vsock.issue
> with a message like "Try contacting this VM's SSH server via 'ssh vsock%%%u'
> from host."
> if the VM has AF_VSOCK support and IOCTL_VM_SOCKETS_GET_LOCAL_CID returns
> something.
>
> I guess that's the query:
> avc: denied { read } for pid=1034 comm="systemd-ssh-iss" name="vsock"
> dev="devtmpfs" ino=488 scontext=system_u:system_r:init_t:s0
> tcontext=system_u:object_r:vsock_device_t:s0 tclass=chr_file permissive=0
>
> and then it tries to create a directory and a temporary file and atomically
> rename
> the temporary file to the final name, following the standard pattern.

Yes, it is allowed in all current releases and the new denial is addressed by the linked PR.

...

> I don't know why the name is first
> path=2F72756E2F69737375652E642F2332313735202864656C6574656429 ino=2175
> and then name="#2175" ino=2175, but I assume it's the same file and that's
> how selinux is reporting it. The file is an unnamed temporary file

Note it is audit which reports. Path may be encoded if it contains non-word characters, this one decodes to /run/issue.d/#2175 (deleted)

...

> type=AVC msg=audit(1756500207.828:120): avc: denied { getattr } for
> pid=1029 comm="systemctl" name="/" dev="pidfs" ino=1
> scontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0
> tcontext=system_u:object_r:pidfs_t:s0 tclass=filesystem permissive=0
>
> That seems to be systemctl trying to acquire a pidfd for a process…

Not related to this bz, but also already fixed.
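The hex-encoded path field that comment #5 asked about and comment #6 explains, as an added Python example that is not part of this bug report or of any audit tooling. It decodes the escaped audit fields (audit quotes a value when it is plain and emits it as uppercase hex when it contains whitespace, quotes or control characters, which is why "/run/issue.d/#2175 (deleted)" with its space appears as 2F72...29), groups the denials by source type, target type and class, and uses the permissive flag to tell a permissive domain apart from a globally permissive system: a permissive=0 record proves the system is enforcing, so any permissive=1 records at the same time come from a domain marked permissive in the policy. The sample records are copied from the reports above; the set of escaped field names is an assumption covering the fields that appear in them.

```python
import re
from collections import defaultdict

# Audit fields that are "escaped": quoted when plain, else uppercase hex, no quotes.
# Assumed set, covering the fields seen in the records in this bug.
ESCAPED_FIELDS = {"name", "path", "comm", "exe", "cwd", "proctitle"}

MSG_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)")
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def decode_audit_field(name, raw):
    """Undo audit's escaping for one field value. Numeric fields such as pid=1029 are
    all hex digits too, so only the known escaped fields are ever hex-decoded."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if name in ESCAPED_FIELDS and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", raw):
        return bytes.fromhex(raw).decode("utf-8", errors="backslashreplace")
    return raw                                   # e.g. (null), or an unquoted plain value


def parse_avc(line):
    """Parse one raw (non-interpreted) AVC record into a dict, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    mm = MSG_RE.search(line)
    if mm:
        rec["timestamp"] = float(mm.group("ts"))
        rec["serial"] = int(mm.group("serial"))
    for key, raw in FIELD_RE.findall(m.group("rest")):
        rec[key] = decode_audit_field(key, raw)
    rec["permissive"] = rec.get("permissive") == "1"   # True: logged but not enforced
    return rec


def selinux_type(context):
    """user:role:type:level -> type"""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def summarize(lines):
    """Group denials by (source type, target type, class) with the union of permissions
    and the permissive flags seen, which is the shape an allow rule would need."""
    groups = defaultdict(lambda: {"perms": set(), "permissive": set()})
    for rec in filter(None, map(parse_avc, lines)):
        key = (selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]), rec["tclass"])
        groups[key]["perms"].update(rec["perms"])
        groups[key]["permissive"].add(rec["permissive"])
    return {k: {"perms": sorted(v["perms"]), "permissive": v["permissive"]} for k, v in groups.items()}


def enforcement_status(lines):
    """Any permissive=0 record proves the system is enforcing; permissive=1 records in the
    same log then identify per-domain permissive types. If every record is permissive=1 the
    log alone cannot distinguish a permissive domain from a globally permissive system."""
    recs = list(filter(None, map(parse_avc, lines)))
    enforcing = any(not r["permissive"] for r in recs)
    domains = sorted({selinux_type(r["scontext"]) for r in recs if r["permissive"]})
    return {"system_enforcing": enforcing, "permissive_domains": domains,
            "conclusive": enforcing or not recs}


# Records copied from the reports in this bug.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1756500206.655:64): avc: denied { write open } for pid=835 comm="systemd-ssh-iss" path=2F72756E2F69737375652E642F2332303933202864656C6574656429 dev="tmpfs" ino=2093 scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1756500206.655:66): avc: denied { setattr } for pid=835 comm="systemd-ssh-iss" name="#2093" dev="tmpfs" ino=2093 scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1757633743.945:50): avc: denied { read } for pid=1034 comm="systemd-ssh-iss" name="vsock" dev="devtmpfs" ino=488 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:vsock_device_t:s0 tclass=chr_file permissive=0',
    'type=AVC msg=audit(1756500207.828:120): avc: denied { getattr } for pid=1029 comm="systemctl" name="/" dev="pidfs" ino=1 scontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tcontext=system_u:object_r:pidfs_t:s0 tclass=filesystem permissive=0',
]

if __name__ == "__main__":
    for rec in filter(None, map(parse_avc, SAMPLE_AVC_LINES)):
        print(rec["serial"], rec["perms"], rec.get("path") or rec.get("name"))
    print(summarize(SAMPLE_AVC_LINES))
    print(enforcement_status(SAMPLE_AVC_LINES))
```

Feeding it the raw `ausearch -m avc` output (not the `-i` interpreted form, which already has the paths decoded) gives the same per-domain view that the discussion above reached by hand: every systemd_ssh_issue_t denial is permissive=1 while the init_t and NetworkManager_dispatcher_iscsid_t ones are enforced.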