Bug 2440916 - SELinux is preventing systemd-machine from 'create' accesses on the directory resolve.hook.
Keywords:
Status: CLOSED DUPLICATE of bug 2415701
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:717ae2dd7dedd5c523467c03975...
Depends On:
Blocks:
Reported: 2026-02-19 09:56 UTC by Vít Ondruch
Modified: 2026-02-27 15:11 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2026-02-27 15:11:30 UTC
Type: ---
Embargoed:


Attachments
File: description (1.98 KB, text/plain)
2026-02-19 09:56 UTC, Vít Ondruch
File: os_info (740 bytes, text/plain)
2026-02-19 09:56 UTC, Vít Ondruch

Description Vít Ondruch 2026-02-19 09:56:43 UTC
Description of problem:
SELinux is preventing systemd-machine from 'create' accesses on the directory resolve.hook.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-machine should be allowed create access on the resolve.hook directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-machine' --raw | audit2allow -M my-systemdmachine
# semodule -X 300 -i my-systemdmachine.pp

Additional Information:
Source Context                system_u:system_r:systemd_machined_t:s0
Target Context                system_u:object_r:init_var_run_t:s0
Target Objects                resolve.hook [ dir ]
Source                        systemd-machine
Source Path                   systemd-machine
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-42.23-1.fc44.noarch
Local Policy RPM              selinux-policy-targeted-42.23-1.fc44.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.19.0-59.fc45.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Mon Feb 9 16:35:21 UTC 2026 x86_64
Alert Count                   1
First Seen                    2026-02-19 10:47:50 CET
Last Seen                     2026-02-19 10:47:50 CET
Local ID                      e3530696-6ec0-4adf-be59-f7449a06c139

Raw Audit Messages
type=AVC msg=audit(1771494470.206:56): avc:  denied  { create } for  pid=1546 comm="systemd-machine" name="resolve.hook" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0


Hash: systemd-machine,systemd_machined_t,init_var_run_t,dir,create

Version-Release number of selected component:
selinux-policy-targeted-42.23-1.fc44.noarch

Additional info:
reporter:       libreport-2.17.15
reason:         SELinux is preventing systemd-machine from 'create' accesses on the directory resolve.hook.
package:        selinux-policy-targeted-42.23-1.fc44.noarch
component:      selinux-policy
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.19.0-59.fc45.x86_64
component:      selinux-policy

Comment 1 Vít Ondruch 2026-02-19 09:56:46 UTC
Created attachment 2130041 [details]
File: description

Comment 2 Vít Ondruch 2026-02-19 09:56:48 UTC
Created attachment 2130042 [details]
File: os_info

Comment 3 Lukas Slebodnik 2026-02-27 12:33:35 UTC
sh# ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -i -ts recent
type=PROCTITLE msg=audit(02/27/2026 13:26:54.756:424) : proctitle=/usr/lib/systemd/systemd-machined
type=PATH msg=audit(02/27/2026 13:26:54.756:424) : item=1 name=/run/systemd/resolve.hook nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(02/27/2026 13:26:54.756:424) : item=0 name=/run/systemd/ inode=2 dev=00:1c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/27/2026 13:26:54.756:424) : cwd=/ 
type=SYSCALL msg=audit(02/27/2026 13:26:54.756:424) : arch=x86_64 syscall=mkdirat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7ffd0bb5cac0 a2=0755 a3=0x7ffd0bb5cacd items=2 ppid=1 pid=9841 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-machine exe=/usr/lib/systemd/systemd-machined subj=system_u:system_r:systemd_machined_t:s0 key=(null) 
type=AVC msg=audit(02/27/2026 13:26:54.756:424) : avc:  denied  { create } for  pid=9841 comm=systemd-machine name=resolve.hook scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0 

# And in permissive mode

sh# semanage permissive --add systemd_machined_t
sh# systemctl restart systemd-machined
sh# ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -i -ts recent

----
type=PROCTITLE msg=audit(02/27/2026 13:26:54.756:424) : proctitle=/usr/lib/systemd/systemd-machined 
type=PATH msg=audit(02/27/2026 13:26:54.756:424) : item=1 name=/run/systemd/resolve.hook nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(02/27/2026 13:26:54.756:424) : item=0 name=/run/systemd/ inode=2 dev=00:1c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/27/2026 13:26:54.756:424) : cwd=/ 
type=SYSCALL msg=audit(02/27/2026 13:26:54.756:424) : arch=x86_64 syscall=mkdirat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7ffd0bb5cac0 a2=0755 a3=0x7ffd0bb5cacd items=2 ppid=1 pid=9841 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-machine exe=/usr/lib/systemd/systemd-machined subj=system_u:system_r:systemd_machined_t:s0 key=(null) 
type=AVC msg=audit(02/27/2026 13:26:54.756:424) : avc:  denied  { create } for  pid=9841 comm=systemd-machine name=resolve.hook scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(02/27/2026 13:27:38.551:433) : proctitle=/usr/lib/systemd/systemd-machined 
type=PATH msg=audit(02/27/2026 13:27:38.551:433) : item=1 name=/run/systemd/resolve.hook inode=4822 dev=00:1c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(02/27/2026 13:27:38.551:433) : item=0 name=/run/systemd/ inode=2 dev=00:1c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/27/2026 13:27:38.551:433) : cwd=/
type=SYSCALL msg=audit(02/27/2026 13:27:38.551:433) : arch=x86_64 syscall=mkdirat success=yes exit=0 a0=AT_FDCWD a1=0x7ffc593e8790 a2=0755 a3=0x7ffc593e879d items=2 ppid=1 pid=10063 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-machine exe=/usr/lib/systemd/systemd-machined subj=system_u:system_r:systemd_machined_t:s0 key=(null)
type=AVC msg=audit(02/27/2026 13:27:38.551:433) : avc:  denied  { create } for  pid=10063 comm=systemd-machine name=resolve.hook scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=1
----
type=PROCTITLE msg=audit(02/27/2026 13:27:38.551:434) : proctitle=/usr/lib/systemd/systemd-machined
type=PATH msg=audit(02/27/2026 13:27:38.551:434) : item=1 name=/run/systemd/resolve.hook/io.systemd.Machine inode=4823 dev=00:1c mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(02/27/2026 13:27:38.551:434) : item=0 name=/run/systemd/resolve.hook/ inode=4822 dev=00:1c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/27/2026 13:27:38.551:434) : cwd=/
type=SOCKADDR msg=audit(02/27/2026 13:27:38.551:434) : saddr={ saddr_fam=local path=/run/systemd/resolve.hook/io.systemd.Machine }
type=SYSCALL msg=audit(02/27/2026 13:27:38.551:434) : arch=x86_64 syscall=bind success=yes exit=0 a0=0xd a1=0x7ffc593e8870 a2=0x2f a3=0x7ffc593e8864 items=2 ppid=1 pid=10063 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-machine exe=/usr/lib/systemd/systemd-machined subj=system_u:system_r:systemd_machined_t:s0 key=(null)
type=AVC msg=audit(02/27/2026 13:27:38.551:434) : avc:  denied  { create } for  pid=10063 comm=systemd-machine name=io.systemd.Machine scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=sock_file permissive=1

Comment 4 Lukas Slebodnik 2026-02-27 12:34:56 UTC
sh$ rpm -q selinux-policy-targeted systemd
selinux-policy-targeted-42.24-1.fc44.noarch
systemd-259.1-1.fc44.x86_64

Comment 5 Zdenek Pytela 2026-02-27 15:11:30 UTC

*** This bug has been marked as a duplicate of bug 2415701 ***

