Bug 2394805 - SELinux is preventing udev-event from using the 'dac_override' capabilities.
Summary: SELinux is preventing udev-event from using the 'dac_override' capabilities.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 43
Hardware: x86_64
OS: Unspecified
medium
medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:1ad795a9f316a84abfdb9e822cc...
: 2430643 2432578 2443576 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-09-12 11:02 UTC by Kamil Páral
Modified: 2026-03-09 02:05 UTC (History)
15 users (show)

Fixed In Version: selinux-policy-42.25-1.fc43
Clone Of:
Environment:
Last Closed: 2026-03-05 17:34:00 UTC
Type: ---
Embargoed:
kparal: needinfo+
kparal: mirror+

Attachments (Terms of Use)
File: description (2.39 KB, text/plain)
2025-09-12 11:02 UTC, Kamil Páral 		no flags Details
File: os_info (726 bytes, text/plain)
2025-09-12 11:02 UTC, Kamil Páral 		no flags Details
AVC Denials with full auditing (11.77 KB, text/plain)
2025-12-02 01:25 UTC, madness742 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Github fedora-selinux selinux-policy pull 3063 0 None open Allow virtnodedevd the dac_read_search capability 2026-02-11 14:30:06 UTC
Red Hat Issue Tracker FC-2265 0 None None None 2025-09-16 13:31:36 UTC

Description Kamil Páral 2025-09-12 11:02:01 UTC 
Description of problem:
This showed up when I started a virtual machine in virt-manager.
SELinux is preventing udev-event from using the 'dac_override' capabilities.

*****  Plugin dac_override (91.4 confidence) suggests   **********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests   **************************

If you believe that udev-event should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'udev-event' --raw | audit2allow -M my-udevevent
# semodule -X 300 -i my-udevevent.pp

Additional Information:
Source Context                system_u:system_r:virtnodedevd_t:s0
Target Context                system_u:system_r:virtnodedevd_t:s0
Target Objects                Unknown [ capability ]
Source                        udev-event
Source Path                   udev-event
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-42.8-1.fc43.noarch
Local Policy RPM              selinux-policy-targeted-42.8-1.fc43.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.17.0-0.rc5.42.fc43.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Mon Sep 8 15:08:30 UTC 2025 x86_64
Alert Count                   6
First Seen                    2025-09-12 12:59:10 CEST
Last Seen                     2025-09-12 13:00:53 CEST
Local ID                      57d0e84d-a507-4c86-802b-53b783b516c4

Raw Audit Messages
type=AVC msg=audit(1757674853.217:340): avc:  denied  { dac_override } for  pid=20666 comm="udev-event" capability=1  scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:system_r:virtnodedevd_t:s0 tclass=capability permissive=0


Hash: udev-event,virtnodedevd_t,virtnodedevd_t,capability,dac_override

Version-Release number of selected component:
selinux-policy-targeted-42.8-1.fc43.noarch

Additional info:
reporter:       libreport-2.17.15
reason:         SELinux is preventing udev-event from using the 'dac_override' capabilities.
package:        selinux-policy-targeted-42.8-1.fc43.noarch
component:      selinux-policy
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.17.0-0.rc5.42.fc43.x86_64
comment:        This showed up when I started a virtual machine in virt-manager.
component:      selinux-policy
Comment 1 Kamil Páral 2025-09-12 11:02:04 UTC 
Created attachment 2106422 [details]
File: description
Comment 2 Kamil Páral 2025-09-12 11:02:06 UTC 
Created attachment 2106423 [details]
File: os_info
Comment 3 Kamil Páral 2025-09-12 11:04:33 UTC 
There seems to be more of it:

----
time->Fri Sep 12 12:59:10 2025
type=AVC msg=audit(1757674750.036:300): avc:  denied  { dac_read_search } for  pid=20666 comm="udev-event" capability=2  scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:system_r:virtnodedevd_t:s0 tclass=capability permissive=0
----
time->Fri Sep 12 12:59:10 2025
type=AVC msg=audit(1757674750.036:301): avc:  denied  { dac_override } for  pid=20666 comm="udev-event" capability=1  scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:system_r:virtnodedevd_t:s0 tclass=capability permissive=0
----
Comment 4 Zdenek Pytela 2025-09-12 12:17:43 UTC 
The dac_override capability is requested on an access attempt where DAC permission do not allow this access and usually indicate a problem with the permissions.
Please follow the recommendations of the restorecon plugin to turn on full auditing and when reproduced again, check permissions 
for the file or directory.

https://fedoraproject.org/wiki/SELinux/Debugging#Enable_full_auditing
Comment 5 madness742 2025-12-02 01:25:52 UTC 
Created attachment 2117024 [details]
AVC Denials with full auditing

I started seeing the same alert after upgrading from Fedora 42 to Fedora 43.

The alert shows up every time I start a virtual machine in virt-manager.
Comment 6 jjanasek 2026-01-27 07:51:49 UTC 
*** Bug 2432578 has been marked as a duplicate of this bug. ***
Comment 7 jjanasek 2026-01-27 07:51:53 UTC 
*** Bug 2430643 has been marked as a duplicate of this bug. ***
Comment 8 Zdenek Pytela 2026-02-10 15:39:54 UTC 
Can you check if this module is sufficient?

# cat local_virtnodedev.cil
(allow virtnodedevd_t virtnodedevd_t (capability (dac_read_search)))
# semodule -i local_virtnodedev.cil
Comment 9 madness742 2026-02-10 22:06:20 UTC 
(In reply to Zdenek Pytela from comment #8)
> Can you check if this module is sufficient?

Yes, it is sufficient. :)
Comment 10 Zdenek Pytela 2026-03-02 09:44:48 UTC 
*** Bug 2443576 has been marked as a duplicate of this bug. ***
Comment 11 Fedora Update System 2026-03-05 17:34:34 UTC 
FEDORA-2026-e7ccd1e8ea (selinux-policy-42.25-1.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-e7ccd1e8ea
Comment 12 Fedora Update System 2026-03-06 00:52:43 UTC 
FEDORA-2026-e7ccd1e8ea has been pushed to the Fedora 43 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-e7ccd1e8ea`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-e7ccd1e8ea

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 13 Fedora Update System 2026-03-09 02:05:41 UTC 
FEDORA-2026-e7ccd1e8ea (selinux-policy-42.25-1.fc43) has been pushed to the Fedora 43 stable repository.
If problem still persists, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.