fedora-selinux / selinux-policy

selinux-policy for Fedora is a large patch off the mainline
GNU General Public License v2.0

F40: Creation of debugfs entries in QAT driver blocked after starting qat service in QATlib #2312

Closed gcabiddu closed 1 month ago

gcabiddu commented 2 months ago

In Fedora 40 with any kernel version it has been noticed that most of the debugfs entries for the QAT driver are not present after starting the qat service.

The debugfs folder reports only the key dev_cfg which is created at the startup of the driver.

This is caused by SELinux blocking the creation of debugfs entries in the driver. If SELinux is in permissive mode or disabled, this issue does not occur.

Expected:

root@fedora:/sys/kernel/debug/qat_4xxx_0000:e8:00.0# ls
cnv_errors  dev_cfg  fw_counters  heartbeat  pm_status  telemetry  transport

Actual:

root@fedora:/sys/kernel/debug/qat_4xxx_0000:e8:00.0# ls
dev_cfg

zpytela commented 2 months ago

@gcabiddu Can you share AVC denials?

gcabiddu commented 2 months ago

@zpytela Is this sufficient?

# cat audit.log

type=AVC msg=audit(1723218438.213:294): avc:  denied  { search } for  pid=3379 comm="lspci" name=".cache" dev="nvme0n1p3" ino=151671 scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:object_r:cache_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1723218438.812:295): avc:  denied  { read } for  pid=3562 comm="chown" name="userdb" dev="tmpfs" ino=41 scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1723218438.812:296): avc:  denied  { open } for  pid=3562 comm="chown" path="/run/systemd/userdb" dev="tmpfs" ino=41 scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1723218438.812:297): avc:  denied  { getattr } for  pid=3562 comm="chown" path="/run/systemd/userdb" dev="tmpfs" ino=41 scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1723218438.812:298): avc:  denied  { search } for  pid=3562 comm="chown" name="userdb" dev="tmpfs" ino=41 scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1723218438.812:299): avc:  denied  { write } for  pid=3562 comm="chown" name="io.systemd.DynamicUser" dev="tmpfs" ino=42 scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1723218438.812:300): avc:  denied  { connectto } for  pid=3562 comm="chown" path="/systemd/userdb/io.systemd.DynamicUser" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1723218438.812:301): avc:  denied  { read } for  pid=3562 comm="chown" name="io.systemd.DropIn" dev="tmpfs" ino=1252 scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1723218438.812:302): avc:  denied  { connectto } for  pid=3562 comm="chown" path="/run/systemd/userdb/io.systemd.Multiplexer" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_userdbd_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1723218438.812:303): avc:  denied  { connectto } for  pid=3562 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1723218438.824:304): avc:  denied  { write } for  pid=3578 comm="chown" name="io.systemd.DynamicUser" dev="tmpfs" ino=42 scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=sock_file permissive=1
type=SERVICE_START msg=audit(1723218441.244:305): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=setroubleshootd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_START msg=audit(1723218441.451:306): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged@1 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_START msg=audit(1723218445.416:307): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=qat comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1723218452.870:308): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged@1 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1723218452.942:309): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=setroubleshootd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"

# sealert -a /var/log/audit/audit.log
100% done
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing chown from connectto access on the unix_stream_socket /run/systemd/userdb/io.systemd.Machine.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow daemons to enable cluster mode
Then you must tell SELinux about this by enabling the 'daemons_enable_cluster_mode' boolean.

Do
setsebool -P daemons_enable_cluster_mode 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that chown should be allowed connectto access on the io.systemd.Machine unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'chown' --raw | audit2allow -M my-chown
# semodule -X 300 -i my-chown.pp

Additional Information:
Source Context                system_u:system_r:qatlib_t:s0
Target Context                system_u:system_r:systemd_machined_t:s0
Target Objects                /run/systemd/userdb/io.systemd.Machine [
                              unix_stream_socket ]
Source                        chown
Source Path                   chown
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-40.27-1.fc40.noarch
Local Policy RPM              selinux-policy-targeted-40.27-1.fc40.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora
Platform                      Linux fedora 6.10.6-200.fc40.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Mon Aug 19 14:09:30 UTC 2024
                              x86_64
Alert Count                   128
First Seen                    2024-09-02 16:07:53 GMT
Last Seen                     2024-09-02 16:07:55 GMT
Local ID                      1783ce6c-2ac8-43d8-aef7-10baf50b8abd

Raw Audit Messages
type=AVC msg=audit(1725293275.201:328): avc:  denied  { connectto } for  pid=3870 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0

Hash: chown,qatlib_t,systemd_machined_t,unix_stream_socket,connectto

I don't see any reference to debugfs.

zpytela commented 2 months ago

selinux-policy-targeted-40.27-1.fc40.noarch should have fixed the majority of the denials. Can you ensure you are showing only those after the update?

For these, I'd like to have some more information.

type=AVC msg=audit(1723218438.213:294): avc: denied { search } for pid=3379 comm="lspci" name=".cache" dev="nvme0n1p3" ino=151671 scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:object_r:cache_home_t:s0 tclass=dir permissive=1

type=AVC msg=audit(1723218438.812:303): avc: denied { connectto } for pid=3562 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=1
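
Added example (not part of the thread, and not code from selinux-policy or setroubleshoot): a small Python triage script that collapses repeated AVC records like the ones posted in this thread into unique denials keyed the way the sealert `Hash:` line is, separates enforced (`permissive=0`) from logged-only (`permissive=1`) hits, and can drop records older than a cutoff such as a policy update. The function names and the cutoff value are assumptions made for the example; the sample records are copied from the thread.

```python
import re
from collections import OrderedDict

# Records copied verbatim from the audit.log excerpts posted in this thread.
SAMPLE_LOG = """\
type=AVC msg=audit(1723218438.213:294): avc:  denied  { search } for  pid=3379 comm="lspci" name=".cache" dev="nvme0n1p3" ino=151671 scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:object_r:cache_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1723218438.812:299): avc:  denied  { write } for  pid=3562 comm="chown" name="io.systemd.DynamicUser" dev="tmpfs" ino=42 scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1723218438.812:303): avc:  denied  { connectto } for  pid=3562 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=1
type=SERVICE_START msg=audit(1723218445.416:307): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=qat comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=AVC msg=audit(1725307495.053:369): avc:  denied  { connectto } for  pid=4528 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.054:370): avc:  denied  { connectto } for  pid=4528 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):\d+\):\s+avc:\s+denied\s+"
    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else "?"


def parse_avc(line):
    """Parse one AVC denial; return None for any other audit record type."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "time": float(m.group("ts")),
        "perms": m.group("perms").split(),
        "comm": f.get("comm", "?"),
        "source": selinux_type(f.get("scontext", "")),
        "target": selinux_type(f.get("tcontext", "")),
        "tclass": f.get("tclass", "?"),
        "object": f.get("path") or f.get("name") or "",
        # permissive=0: the access was actually blocked.
        # permissive=1: the access was allowed and only logged.
        "enforced": f.get("permissive") == "0",
    }


def summarize(log_text, since=0.0):
    """Group denials by (comm, source, target, tclass, perm), skipping older ones."""
    groups = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["time"] < since:
            continue
        for perm in rec["perms"]:
            key = (rec["comm"], rec["source"], rec["target"], rec["tclass"], perm)
            g = groups.setdefault(
                key, {"enforced": 0, "logged_only": 0, "objects": set()}
            )
            g["enforced" if rec["enforced"] else "logged_only"] += 1
            g["objects"].add(rec["object"])
    return groups


def mentions(groups, needle):
    """True if any target type or object path in the summary contains needle."""
    return any(
        needle in key[2] or any(needle in obj for obj in g["objects"])
        for key, g in groups.items()
    )


def report(groups):
    """One line per unique denial, keyed like the 'Hash:' line in sealert output."""
    return [
        "%s enforced=%d logged_only=%d"
        % (",".join(key), g["enforced"], g["logged_only"])
        for key, g in groups.items()
    ]


if __name__ == "__main__":
    # Cutoff chosen for the example: the first record posted after the update.
    for row in report(summarize(SAMPLE_LOG, since=1725307495.0)):
        print(row)
    print("debugfs referenced:", mentions(summarize(SAMPLE_LOG), "debugfs"))
```
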

gcabiddu commented 2 months ago

@zpytela this is what I see with selinux-policy-targeted-40.27-1.fc40.noarch.

BTW, I don't see anything indicating debugfs. In the driver I see that when SELinux is enabled, the function that creates the debugfs entries returns -13 (-EPERM).

type=AVC msg=audit(1725307495.053:369): avc:  denied  { connectto } for  pid=4528 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.054:370): avc:  denied  { connectto } for  pid=4528 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.060:371): avc:  denied  { connectto } for  pid=4534 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.060:372): avc:  denied  { connectto } for  pid=4534 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.067:373): avc:  denied  { connectto } for  pid=4536 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.068:374): avc:  denied  { connectto } for  pid=4536 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.076:375): avc:  denied  { connectto } for  pid=4538 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.076:376): avc:  denied  { connectto } for  pid=4538 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.086:377): avc:  denied  { connectto } for  pid=4540 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.086:378): avc:  denied  { connectto } for  pid=4540 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.093:379): avc:  denied  { connectto } for  pid=4542 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.094:380): avc:  denied  { connectto } for  pid=4542 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.100:381): avc:  denied  { connectto } for  pid=4544 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.101:382): avc:  denied  { connectto } for  pid=4544 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.105:383): avc:  denied  { connectto } for  pid=4545 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.106:384): avc:  denied  { connectto } for  pid=4545 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.113:385): avc:  denied  { connectto } for  pid=4548 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.114:386): avc:  denied  { connectto } for  pid=4548 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.121:387): avc:  denied  { connectto } for  pid=4550 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.122:388): avc:  denied  { connectto } for  pid=4550 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.128:389): avc:  denied  { connectto } for  pid=4552 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.129:390): avc:  denied  { connectto } for  pid=4552 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.136:391): avc:  denied  { connectto } for  pid=4554 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.137:392): avc:  denied  { connectto } for  pid=4554 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.140:393): avc:  denied  { connectto } for  pid=4555 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.141:394): avc:  denied  { connectto } for  pid=4555 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.148:395): avc:  denied  { connectto } for  pid=4558 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.149:396): avc:  denied  { connectto } for  pid=4558 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.153:397): avc:  denied  { connectto } for  pid=4559 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.154:398): avc:  denied  { connectto } for  pid=4559 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.161:399): avc:  denied  { connectto } for  pid=4562 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.162:400): avc:  denied  { connectto } for  pid=4562 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.575:401): avc:  denied  { connectto } for  pid=4685 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.576:402): avc:  denied  { connectto } for  pid=4685 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.584:403): avc:  denied  { connectto } for  pid=4697 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.585:404): avc:  denied  { connectto } for  pid=4697 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.595:405): avc:  denied  { connectto } for  pid=4711 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.596:406): avc:  denied  { connectto } for  pid=4711 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.604:407): avc:  denied  { connectto } for  pid=4718 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.605:408): avc:  denied  { connectto } for  pid=4718 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.615:409): avc:  denied  { connectto } for  pid=4720 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.616:410): avc:  denied  { connectto } for  pid=4720 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.627:411): avc:  denied  { connectto } for  pid=4722 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.627:412): avc:  denied  { connectto } for  pid=4722 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.633:413): avc:  denied  { connectto } for  pid=4724 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.633:414): avc:  denied  { connectto } for  pid=4724 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.641:415): avc:  denied  { connectto } for  pid=4726 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.641:416): avc:  denied  { connectto } for  pid=4726 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.649:417): avc:  denied  { connectto } for  pid=4728 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.650:418): avc:  denied  { connectto } for  pid=4728 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.656:419): avc:  denied  { connectto } for  pid=4730 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.656:420): avc:  denied  { connectto } for  pid=4730 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.664:421): avc:  denied  { connectto } for  pid=4732 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.665:422): avc:  denied  { connectto } for  pid=4732 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.673:423): avc:  denied  { connectto } for  pid=4734 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.674:424): avc:  denied  { connectto } for  pid=4734 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.681:425): avc:  denied  { connectto } for  pid=4737 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.682:426): avc:  denied  { connectto } for  pid=4737 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.688:427): avc:  denied  { connectto } for  pid=4739 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.689:428): avc:  denied  { connectto } for  pid=4739 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.696:429): avc:  denied  { connectto } for  pid=4741 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.696:430): avc:  denied  { connectto } for  pid=4741 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.702:431): avc:  denied  { connectto } for  pid=4743 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307495.703:432): avc:  denied  { connectto } for  pid=4743 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.130:433): avc:  denied  { connectto } for  pid=4859 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.130:434): avc:  denied  { connectto } for  pid=4859 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.136:435): avc:  denied  { connectto } for  pid=4869 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.137:436): avc:  denied  { connectto } for  pid=4869 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.147:437): avc:  denied  { connectto } for  pid=4884 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.148:438): avc:  denied  { connectto } for  pid=4884 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.156:439): avc:  denied  { connectto } for  pid=4898 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.157:440): avc:  denied  { connectto } for  pid=4898 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.163:441): avc:  denied  { connectto } for  pid=4901 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.164:442): avc:  denied  { connectto } for  pid=4901 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.175:443): avc:  denied  { connectto } for  pid=4903 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.176:444): avc:  denied  { connectto } for  pid=4903 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.184:445): avc:  denied  { connectto } for  pid=4905 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.184:446): avc:  denied  { connectto } for  pid=4905 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.193:447): avc:  denied  { connectto } for  pid=4907 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.194:448): avc:  denied  { connectto } for  pid=4907 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.204:449): avc:  denied  { connectto } for  pid=4909 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.205:450): avc:  denied  { connectto } for  pid=4909 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.211:451): avc:  denied  { connectto } for  pid=4911 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.212:452): avc:  denied  { connectto } for  pid=4911 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.220:453): avc:  denied  { connectto } for  pid=4913 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.221:454): avc:  denied  { connectto } for  pid=4913 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.230:455): avc:  denied  { connectto } for  pid=4915 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.231:456): avc:  denied  { connectto } for  pid=4915 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.239:457): avc:  denied  { connectto } for  pid=4917 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.240:458): avc:  denied  { connectto } for  pid=4917 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.248:459): avc:  denied  { connectto } for  pid=4919 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.248:460): avc:  denied  { connectto } for  pid=4919 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.256:461): avc:  denied  { connectto } for  pid=4921 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.257:462): avc:  denied  { connectto } for  pid=4921 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.264:463): avc:  denied  { connectto } for  pid=4923 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.265:464): avc:  denied  { connectto } for  pid=4923 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.690:465): avc:  denied  { connectto } for  pid=5046 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.691:466): avc:  denied  { connectto } for  pid=5046 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.697:467): avc:  denied  { connectto } for  pid=5058 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.698:468): avc:  denied  { connectto } for  pid=5058 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.708:469): avc:  denied  { connectto } for  pid=5069 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.708:470): avc:  denied  { connectto } for  pid=5069 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.718:471): avc:  denied  { connectto } for  pid=5078 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.719:472): avc:  denied  { connectto } for  pid=5078 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.727:473): avc:  denied  { connectto } for  pid=5080 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.728:474): avc:  denied  { connectto } for  pid=5080 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.736:475): avc:  denied  { connectto } for  pid=5082 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.736:476): avc:  denied  { connectto } for  pid=5082 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.744:477): avc:  denied  { connectto } for  pid=5084 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.745:478): avc:  denied  { connectto } for  pid=5084 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.754:479): avc:  denied  { connectto } for  pid=5086 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.754:480): avc:  denied  { connectto } for  pid=5086 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.761:481): avc:  denied  { connectto } for  pid=5088 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.761:482): avc:  denied  { connectto } for  pid=5088 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.770:483): avc:  denied  { connectto } for  pid=5090 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.771:484): avc:  denied  { connectto } for  pid=5090 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.779:485): avc:  denied  { connectto } for  pid=5092 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.780:486): avc:  denied  { connectto } for  pid=5092 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.789:487): avc:  denied  { connectto } for  pid=5094 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.790:488): avc:  denied  { connectto } for  pid=5094 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.795:489): avc:  denied  { connectto } for  pid=5096 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.796:490): avc:  denied  { connectto } for  pid=5096 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.802:491): avc:  denied  { connectto } for  pid=5098 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.802:492): avc:  denied  { connectto } for  pid=5098 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.810:493): avc:  denied  { connectto } for  pid=5100 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.810:494): avc:  denied  { connectto } for  pid=5100 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.820:495): avc:  denied  { connectto } for  pid=5102 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.821:496): avc:  denied  { connectto } for  pid=5102 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=SERVICE_START msg=audit(1725307498.245:497): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=setroubleshootd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_START msg=audit(1725307498.583:498): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged@1 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_START msg=audit(1725307501.594:499): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=qat comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1725307510.643:500): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged@1 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1725307510.716:501): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=setroubleshootd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"

gcabiddu commented 1 month ago

@zpytela do you need anything else on this? Thanks!

zpytela commented 1 month ago

Can you try the copr build from https://github.com/fedora-selinux/selinux-policy/pull/2355 -> Checks?

gcabiddu commented 1 month ago

I tried the build from copr. Now I don't see the avc: denied logs, but the behaviour is the same. The debugfs entries are not getting created.

zpytela commented 1 month ago

If you switch the mode to permissive, do you see any change?

setenforce 0

gcabiddu commented 1 month ago

Tried again. If I switch to permissive mode, I see that the entries in debugfs are successfully created.

zpytela commented 1 month ago

If there are no new avc denials, please remove dontaudit rules:

semodule -DB
...reproduce...
semodule -B
ausearch -i -m avc -ts recent

gcabiddu commented 1 month ago

Here is the log:

type=AVC msg=audit(19/09/24 10:36:25.402:1091) : avc:  denied  { siginh } for  pid=9724 comm=sh scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process permissive=1
----
type=AVC msg=audit(19/09/24 10:36:25.585:1092) : avc:  denied  { search } for  pid=9727 comm=qat_init.sh name=qat_4xxx_0000:e8:00.0 dev="debugfs" ino=98915 scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=1
----
type=AVC msg=audit(19/09/24 10:36:28.242:1095) : avc:  denied  { kill } for  pid=1251 comm=systemd-journal capability=kill  scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=cap_userns permissive=1
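
An added example, not part of the thread or of the selinux-policy project: once dontaudit rules are disabled with `semodule -DB`, denials from unrelated domains appear next to the ones under investigation, and repeated records hide the few unique rules involved. The sketch below collapses AVC records in both formats quoted in this thread into unique entries and filters them by source domain; the function names `summarize` and `report` are hypothetical, and the sample records are copied from the thread.

```python
import re
from collections import defaultdict

# Records copied from this thread: raw audit.log format, then `ausearch -i` format.
SAMPLE = """\
type=AVC msg=audit(1725307496.194:448): avc:  denied  { connectto } for  pid=4907 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1725307496.204:449): avc:  denied  { connectto } for  pid=4909 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(19/09/24 10:36:25.402:1091) : avc:  denied  { siginh } for  pid=9724 comm=sh scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process permissive=1
----
type=AVC msg=audit(19/09/24 10:36:25.585:1092) : avc:  denied  { search } for  pid=9727 comm=qat_init.sh name=qat_4xxx_0000:e8:00.0 dev="debugfs" ino=98915 scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=1
----
type=AVC msg=audit(19/09/24 10:36:28.242:1095) : avc:  denied  { kill } for  pid=1251 comm=systemd-journal capability=kill  scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=cap_userns permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def type_of(context):  # type field of a user:role:type:level context
    return context.split(":")[2]

def summarize(log_text, source_type=None):
    """Collapse AVC denials into unique (source, target, class) entries."""
    summary = defaultdict(lambda: {"perms": set(), "count": 0, "enforced": 0, "comms": set()})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # separators and non-AVC records
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
        src = type_of(fields["scontext"])
        if source_type and src != source_type:
            continue  # denial belongs to another domain
        entry = summary[(src, type_of(fields["tcontext"]), fields["tclass"])]
        entry["perms"].update(m.group(1).split())
        entry["count"] += 1
        entry["enforced"] += fields.get("permissive") == "0"  # blocked, not just logged
        entry["comms"].add(fields.get("comm", "?"))
    return dict(summary)

def report(summary):
    """One line per unique denial, marking whether it was actually blocked."""
    out = []
    for (src, tgt, cls), e in sorted(summary.items()):
        mode = "blocked" if e["enforced"] else "permissive, logged only"
        perms = " ".join(sorted(e["perms"]))
        out.append(f"{src} -> {tgt}:{cls} {{ {perms} }} x{e['count']} [{mode}] comm={','.join(sorted(e['comms']))}")
    return out

if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE, source_type="qatlib_t"))))
```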

zpytela commented 1 month ago

Thank you, please try the updated copr build now. Removing the kernel module is probably required for a full reproducer.

gcabiddu commented 1 month ago

Tested with the copr build - it works. Thank you very much for your support.

zpytela commented 1 month ago

Can you please ensure the module update is sufficient in SELinux enforcing mode and after reboot?

gcabiddu commented 1 month ago

Confirmed. Tested also after reboot.

Also no avc denials in the audit log.

zpytela commented 1 month ago

Thanks for your cooperation.