The systemd-259~rc1-2.fc44 update for Rawhide - https://bodhi.fedoraproject.org/updates/FEDORA-2025-c83e064a78 - failed openQA testing. The systemd-machined service fails to start, which appears to be caused by an SELinux denial:

Nov 17 16:19:02 fedora audit[921]: AVC avc: denied { create } for pid=921 comm="systemd-machine" name="resolve.hook" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0
Nov 17 16:19:02 fedora systemd-machined[921]: Failed to bind to varlink socket: Permission denied
Nov 17 16:19:02 fedora systemd-machined[921]: Failed to fully start up daemon: Permission denied

I don't have the more detailed format because this is from openQA logs. I can try and reproduce in a local VM, and see if there are any further denials with enforcing=0 - will follow up shortly.
Testing in a VM with enforcing=0 shows one additional denial:

----
time->Tue Nov 18 15:13:37 2025
type=AVC msg=audit(1763496817.464:273): avc: denied { create } for pid=2020 comm="systemd-machine" name="resolve.hook" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=1
----
time->Tue Nov 18 15:13:37 2025
type=AVC msg=audit(1763496817.464:274): avc: denied { create } for pid=2020 comm="systemd-machine" name="io.systemd.Machine" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=sock_file permissive=1
Related, but happening on F43: systemd update to systemd-0:258.2-1.fc43.x86_64 version (via dnf update) triggered

============
# sealert -l 6fa0babc-41b0-4c4c-a491-6eb64e1fc642
SELinux impedisce a systemd-machine un accesso search su cartella 388393.

***** Plugin catchall(100. confidenza) suggerisce**************************

Se si ritiene che a systemd-machine debba essere consentito l'accesso search su directory 388393 per impostazione predefinita.
Quindi si dovrebbe segnalare il problema come bug.
È possibile generare un modulo di politica locale per consentire questo accesso.
Fai
consentire questo accesso per ora eseguendo:
# ausearch -c 'systemd-machine' --raw | audit2allow -M my-$MODULE_NOME
# semodule -X 300 -i mio-systemdmachine.pp

Informazioni addizionali:
Contesto della sorgente       system_u:system_r:systemd_machined_t:s0
Contesto target               system_u:system_r:svirt_t:s0:c275,c898
Oggetti target                388393 [ dir ]
Sorgente                      systemd-machine
Percorso della sorgente       systemd-machine
Porta                         <Sconosciuto>
Host                          machine
Sorgente Pacchetti RPM
Pacchetti RPM target
SELinux Policy RPM            selinux-policy-targeted-42.16-1.fc43.noarch
Local Policy RPM              selinux-policy-targeted-42.16-1.fc43.noarch
Selinux abilitato             True
Tipo di politica              targeted
Modalità Enforcing            Enforcing
Host Name                     machine
Piattaforma                   Linux machine 6.17.8-300.fc43.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Nov 14 01:47:12 UTC 2025 x86_64
Conteggio avvisi              14
Primo visto                   2025-11-22 18:30:42 CET
Ultimo visto                  2025-11-26 14:43:55 CET

Messaggi Raw Audit
type=AVC msg=audit(1764164635.894:6601): avc: denied { search } for pid=2286 comm="systemd-machine" name="388393" dev="proc" ino=3422251 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:svirt_t:s0:c275,c898 tclass=dir permissive=0

Hash: systemd-machine,systemd_machined_t,svirt_t,dir,search
============

during post update scriptlets run
Germano: I'm not sure that's related, the one I reported is new with systemd 259 in Rawhide, and your denial is for a different action and a different name. It might be best to file it separately. The initial reported denials here are still a problem with the systemd-259 rc2 update - https://bodhi.fedoraproject.org/updates/FEDORA-2025-b5ff59bddc .
(In reply to Adam Williamson from comment #3)
> Germano: I'm not sure that's related, the one I reported is new with systemd
> 259 in Rawhide, and your denial is for a different action and a different
> name. It might be best to file it separately.

Already reported like 16 times and resolved. https://bugzilla.redhat.com/show_bug.cgi?id=2407206
The two errors in comment#1 are because systemd-machined wants to listen on /run/systemd/resolve.hook/io.systemd.Machine, so it'll try to create "resolve.hook" first and then "io.systemd.Machine" second.
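As an added example (not part of the original bug thread or of any Fedora tooling), this Python sketch parses the AVC records quoted in the first two comments and groups them by source type, target type, class, permission and object name. It then reports the denials seen only with permissive=1, which are the ones an enforcing-mode log hides because the daemon stops at the first failed create. The function names are hypothetical.

```python
import re
from collections import defaultdict

# AVC records copied from the comments above: the enforcing openQA run,
# then the local VM run with enforcing=0.
SAMPLE = """\
Nov 17 16:19:02 fedora audit[921]: AVC avc: denied { create } for pid=921 comm="systemd-machine" name="resolve.hook" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1763496817.464:273): avc: denied { create } for pid=2020 comm="systemd-machine" name="resolve.hook" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1763496817.464:274): avc: denied { create } for pid=2020 comm="systemd-machine" name="io.systemd.Machine" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=sock_file permissive=1
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    return rec

def type_of(context):
    # An SELinux context is user:role:type:level; policy rules are written on the type.
    return context.split(':')[2]

def summarize(text):
    """Map (source type, target type, class, perm, name) -> permissive flags seen."""
    seen = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec['perms']:
            key = (type_of(rec['scontext']), type_of(rec['tcontext']),
                   rec['tclass'], perm, rec.get('name', ''))
            seen[key].add(rec.get('permissive'))
    return dict(seen)

def masked_by_enforcing(text):
    """Denials logged only with permissive=1, i.e. never reached in enforcing mode."""
    return sorted(k for k, modes in summarize(text).items() if modes == {'1'})

if __name__ == '__main__':
    for key in masked_by_enforcing(SAMPLE):
        print(key)
```
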
*** Bug 2417714 has been marked as a duplicate of this bug. ***
*** Bug 2418797 has been marked as a duplicate of this bug. ***
*** Bug 2421837 has been marked as a duplicate of this bug. ***
*** Bug 2427548 has been marked as a duplicate of this bug. ***
*** Bug 2428563 has been marked as a duplicate of this bug. ***
*** Bug 2427549 has been marked as a duplicate of this bug. ***
*** Bug 2421836 has been marked as a duplicate of this bug. ***
*** Bug 2428562 has been marked as a duplicate of this bug. ***
*** Bug 2436675 has been marked as a duplicate of this bug. ***
*** Bug 2437020 has been marked as a duplicate of this bug. ***
*** Bug 2437021 has been marked as a duplicate of this bug. ***
*** Bug 2440916 has been marked as a duplicate of this bug. ***
*** Bug 2440404 has been marked as a duplicate of this bug. ***
*** Bug 2438544 has been marked as a duplicate of this bug. ***
*** Bug 2440094 has been marked as a duplicate of this bug. ***
FEDORA-2026-d5ad4083a3 (selinux-policy-43.1-1.fc43) has been submitted as an update to Fedora 43. https://bodhi.fedoraproject.org/updates/FEDORA-2026-d5ad4083a3
FEDORA-2026-d5ad4083a3 has been pushed to the Fedora 43 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-d5ad4083a3` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-d5ad4083a3 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2026-d5ad4083a3 (selinux-policy-43.1-1.fc43) has been pushed to the Fedora 43 stable repository. If problem still persists, please make note of it in this bug report.