
SELinux: Label /usr and sysext image contents #1517

Open: wants to merge 2 commits into base branch main

Conversation

pothos (Member) commented Dec 20, 2023

So far we did not correctly label /usr because it broke certain things like Docker. With the sysext Docker and new policies we should try again.
First generate the policy before branching off the base squashfs (which already misses a lot of things because most of the postprocessing is done late in finish_image!). Then label /usr and also the sysext contents in their folder, not in the overlay mount, because this would operate on the whole image.

How to use

Hope that setfiles is clever enough

Verify with flatcar/mantle#487

Testing done

The sysext contents have the right label:

core@localhost ~ $ selabel_lookup -k /usr/bin/runc
Default context: system_u:object_r:container_engine_exec_t:s0
core@localhost ~ $ ls -Z /usr/bin/runc
system_u:object_r:container_engine_exec_t:s0 /usr/bin/runc
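Worked example, added here and not part of this PR or of the flatcar/scripts build code: a small Python model of how setfiles resolves file_contexts entries, to show why the sysext contents have to be labelled relative to their own staging directory (what `setfiles -r <root>` does) rather than by the host path of the extracted tree. The file_contexts excerpt, the staged tree and the helper names (`parse_file_contexts`, `lookup`, `strip_root`, `label_staged_tree`, `demo`) are constructed for this example. The matching rules are simplified: each regex is anchored at both ends, the optional file-type field (`--`, `-d`, `-l`, ...) restricts an entry to that file type, and the last matching entry wins, which assumes the entries are already ordered from least to most specific the way the policy build sorts them.

```python
"""Simplified model of setfiles/libselinux file_contexts matching (example code,
not Flatcar's build scripts).  Shows that a staged sysext must be labelled with
its staging directory as root so that <root>/usr/bin/runc hits the /usr/bin/runc
entry instead of the catch-all."""
import os
import re
import stat
import tempfile

# Constructed file_contexts excerpt: the type names are real refpolicy names,
# the entries themselves are made up for this example.  Least specific first.
SAMPLE_FILE_CONTEXTS = """\
/.*                       system_u:object_r:default_t:s0
/                   -d    system_u:object_r:root_t:s0
/lib64              -l    system_u:object_r:lib_t:s0
/usr(/.*)?                system_u:object_r:usr_t:s0
/usr/bin(/.*)?            system_u:object_r:bin_t:s0
/usr/lib(/.*)?            system_u:object_r:lib_t:s0
/usr/bin/runc       --    system_u:object_r:container_engine_exec_t:s0
/usr/bin/docker     --    system_u:object_r:container_engine_exec_t:s0
/usr/share/selinux(/.*)?  <<none>>
"""

# file_contexts type field -> st_mode file type the entry is restricted to
TYPE_FLAGS = {
    "--": stat.S_IFREG, "-d": stat.S_IFDIR, "-l": stat.S_IFLNK, "-b": stat.S_IFBLK,
    "-c": stat.S_IFCHR, "-s": stat.S_IFSOCK, "-p": stat.S_IFIFO,
}


def parse_file_contexts(text):
    """Return [(compiled_regex, type_flag_or_None, context)] in file order."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 2:
            regex, ftype, ctx = fields[0], None, fields[1]
        elif len(fields) == 3 and fields[1] in TYPE_FLAGS:
            regex, ftype, ctx = fields
        else:
            raise ValueError(f"malformed file_contexts entry: {raw!r}")
        specs.append((re.compile("^" + regex + "$"), ftype, ctx))
    return specs


def lookup(specs, image_path, mode=None):
    """Context for image_path, or None for <<none>> / no match.  Last match wins;
    a type-restricted entry is skipped only when the file type is known and differs."""
    for regex, ftype, ctx in reversed(specs):
        if ftype is not None and mode is not None and stat.S_IFMT(mode) != TYPE_FLAGS[ftype]:
            continue
        if regex.match(image_path):
            return None if ctx == "<<none>>" else ctx
    return None


def strip_root(host_path, root):
    """Map a path below the staging root to its path in the image (what -r does)."""
    root, host_path = os.path.normpath(root), os.path.normpath(host_path)
    if host_path == root:
        return "/"
    base = root.rstrip("/")
    if not host_path.startswith(base + "/"):
        raise ValueError(f"{host_path} is not below {root}")
    return host_path[len(base):]


def label_staged_tree(root, specs):
    """{image_path: context} for everything under root, matched on image paths."""
    labels = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for host_path in [dirpath] + [os.path.join(dirpath, n) for n in dirnames + filenames]:
            image_path = strip_root(host_path, root)
            labels[image_path] = lookup(specs, image_path, os.lstat(host_path).st_mode)
    return labels


def build_sample_sysext(root):
    """Constructed stand-in for an extracted sysext: a few files and two symlinks."""
    for d in ("usr/bin", "usr/lib", "usr/share/selinux"):
        os.makedirs(os.path.join(root, d))
    for f in ("usr/bin/runc", "usr/bin/docker", "usr/bin/ctr", "usr/lib/libfoo.so.1",
              "usr/share/selinux/policy.txt"):
        with open(os.path.join(root, f), "wb") as fh:
            fh.write(b"placeholder")
    os.symlink("usr/lib", os.path.join(root, "lib64"))
    os.symlink("runc", os.path.join(root, "usr/bin/runc-link"))


def demo():
    """Label a staged sysext relative to its root (correct) and by host path (wrong)."""
    specs = parse_file_contexts(SAMPLE_FILE_CONTEXTS)
    with tempfile.TemporaryDirectory() as root:
        build_sample_sysext(root)
        with_root = label_staged_tree(root, specs)
        runc_host = os.path.join(root, "usr/bin/runc")
        without_root = lookup(specs, runc_host, os.lstat(runc_host).st_mode)
    return with_root, without_root


if __name__ == "__main__":
    labels, wrong = demo()
    for path, ctx in sorted(labels.items()):
        print(f"{ctx or '<<none>>':50} {path}")
    print("matched by host path instead, /usr/bin/runc would get:", wrong)
```

Without the root translation every staged file matches only the `/.*` catch-all (or, with a real policy, nothing at all), which is the same effect as labelling the overlay mount from the wrong side: the paths the policy knows about never line up with what is on disk.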

pothos (Member, Author) commented Dec 20, 2023

Needs a rebase when #1518 is merged

github-actions bot commented Dec 20, 2023

Build action triggered: https://github.com/flatcar/scripts/actions/runs/7395050910

pothos (Member, Author) commented Dec 20, 2023

I've started a test run and when that passes I'll try again with flatcar/mantle#487

pothos (Member, Author) commented Dec 20, 2023

The finish_image vs create_prod_image actions need some refactoring… currently it doesn't make much sense. Anyway, the policy building seems to be needed for the devcontainer, too, so I guess this should go to every caller of finish_image.

pothos (Member, Author) commented Dec 22, 2023

We get a lot of denials - the image only works in permissive mode:

core@localhost ~ $ journalctl --system |grep denied
Dec 22 12:35:11 localhost audit[991]: AVC avc:  denied  { read } for  pid=991 comm="lvm2-activation" name="lib64" dev="vda9" ino=23 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:11 localhost audit[999]: AVC avc:  denied  { read } for  pid=999 comm="systemd-gpt-aut" name="boot" dev="vda9" ino=14 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 22 12:35:11 localhost audit[990]: AVC avc:  denied  { getattr } for  pid=990 comm="flatcar-autolog" path="/usr/share/baselayout/nsswitch.conf" dev="dm-0" ino=269 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Dec 22 12:35:11 localhost audit[990]: AVC avc:  denied  { read } for  pid=990 comm="flatcar-autolog" name="nsswitch.conf" dev="dm-0" ino=269 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Dec 22 12:35:11 localhost audit[990]: AVC avc:  denied  { open } for  pid=990 comm="flatcar-autolog" path="/usr/share/baselayout/nsswitch.conf" dev="dm-0" ino=269 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Dec 22 12:35:12 localhost audit[1063]: AVC avc:  denied  { read } for  pid=1063 comm="mount" name="lib64" dev="vda9" ino=23 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:12 localhost audit[1068]: AVC avc:  denied  { read } for  pid=1068 comm="kmod" name="lib64" dev="vda9" ino=23 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:12 localhost audit[1091]: AVC avc:  denied  { search } for  pid=1091 comm="systemd-modules" name="/" dev="overlay" ino=2 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 22 12:35:12 localhost audit[1091]: AVC avc:  denied  { read } for  pid=1091 comm="systemd-modules" name="lib64" dev="vda9" ino=23 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:12 localhost audit[1092]: AVC avc:  denied  { search } for  pid=1092 comm="systemd-network" name="/" dev="overlay" ino=2 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 22 12:35:12 localhost audit[1092]: AVC avc:  denied  { read } for  pid=1092 comm="systemd-network" name="lib64" dev="vda9" ino=23 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:12 localhost audit[1091]: AVC avc:  denied  { getattr } for  pid=1091 comm="systemd-modules" path="/etc" dev="overlay" ino=2 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 22 12:35:12 localhost audit[1090]: AVC avc:  denied  { read } for  pid=1090 comm="systemd-journal" name="lib64" dev="vda9" ino=23 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:12 localhost audit[1090]: AVC avc:  denied  { read } for  pid=1090 comm="systemd-journal" name="run" dev="vda9" ino=18 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:12 localhost audit[1098]: AVC avc:  denied  { read } for  pid=1098 comm="udevadm" name="lib64" dev="vda9" ino=23 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:12 localhost audit[1091]: AVC avc:  denied  { read } for  pid=1091 comm="systemd-modules" name="lib" dev="vda9" ino=24 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:12 localhost audit[1109]: AVC avc:  denied  { read } for  pid=1109 comm="mount" name="lib64" dev="vda9" ino=23 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:12 localhost audit[1119]: AVC avc:  denied  { search } for  pid=1119 comm="systemd-hwdb" name="/" dev="overlay" ino=2 scontext=system_u:system_r:systemd_hw_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 22 12:35:12 localhost audit[1119]: AVC avc:  denied  { read } for  pid=1119 comm="systemd-hwdb" name="lib64" dev="vda9" ino=23 scontext=system_u:system_r:systemd_hw_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:12 localhost audit[1120]: AVC avc:  denied  { search } for  pid=1120 comm="journalctl" name="/" dev="overlay" ino=2 scontext=system_u:system_r:systemd_journal_init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 22 12:35:12 localhost audit[1120]: AVC avc:  denied  { read } for  pid=1120 comm="journalctl" name="lib64" dev="vda9" ino=23 scontext=system_u:system_r:systemd_journal_init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:12 localhost audit[1119]: AVC avc:  denied  { getattr } for  pid=1119 comm="systemd-hwdb" path="/etc" dev="overlay" ino=2 scontext=system_u:system_r:systemd_hw_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 22 12:35:12 localhost audit[1090]: AVC avc:  denied  { write } for  pid=1090 comm="systemd-journal" name="journal" dev="vda9" ino=20 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 22 12:35:12 localhost audit[1090]: AVC avc:  denied  { add_name } for  pid=1090 comm="systemd-journal" name="aa3962a305774ac0891d0b30169400ea" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 22 12:35:12 localhost audit[1090]: AVC avc:  denied  { create } for  pid=1090 comm="systemd-journal" name="aa3962a305774ac0891d0b30169400ea" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 22 12:35:12 localhost audit[1090]: AVC avc:  denied  { write } for  pid=1090 comm="systemd-journal" name="aa3962a305774ac0891d0b30169400ea" dev="vda9" ino=41 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 22 12:35:12 localhost audit[1090]: AVC avc:  denied  { add_name } for  pid=1090 comm="systemd-journal" name="system.journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 22 12:35:12 localhost audit[1090]: AVC avc:  denied  { create } for  pid=1090 comm="systemd-journal" name="system.journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Dec 22 12:35:12 localhost audit[1090]: AVC avc:  denied  { read write open } for  pid=1090 comm="systemd-journal" path="/var/log/journal/aa3962a305774ac0891d0b30169400ea/system.journal" dev="vda9" ino=42 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Dec 22 12:35:12 localhost audit[1090]: AVC avc:  denied  { setattr } for  pid=1090 comm="systemd-journal" name="system.journal" dev="vda9" ino=42 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Dec 22 12:35:12 localhost audit[1090]: AVC avc:  denied  { getattr } for  pid=1090 comm="systemd-journal" path="/var/log/journal/aa3962a305774ac0891d0b30169400ea/system.journal" dev="vda9" ino=42 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Dec 22 12:35:12 localhost audit[1090]: AVC avc:  denied  { map } for  pid=1090 comm="systemd-journal" path="/var/log/journal/aa3962a305774ac0891d0b30169400ea/system.journal" dev="vda9" ino=42 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Dec 22 12:35:12 localhost audit[1122]: AVC avc:  denied  { search } for  pid=1122 comm="systemd-sysctl" name="/" dev="overlay" ino=2 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 22 12:35:12 localhost audit[1122]: AVC avc:  denied  { read } for  pid=1122 comm="systemd-sysctl" name="lib64" dev="vda9" ino=23 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:12 localhost audit[1122]: AVC avc:  denied  { getattr } for  pid=1122 comm="systemd-sysctl" path="/etc" dev="overlay" ino=2 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 22 12:35:12 localhost audit[1122]: AVC avc:  denied  { search } for  pid=1122 comm="systemd-sysctl" name="credentials" dev="tmpfs" ino=4 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
Dec 22 12:35:12 localhost audit[1127]: AVC avc:  denied  { read } for  pid=1127 comm="modprobe" name="lib64" dev="vda9" ino=23 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:12 localhost audit[1124]: AVC avc:  denied  { search } for  pid=1124 comm="systemd-sysuser" name="/" dev="overlay" ino=2 scontext=system_u:system_r:systemd_sysusers_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 22 12:35:12 localhost audit[1124]: AVC avc:  denied  { read } for  pid=1124 comm="systemd-sysuser" name="lib64" dev="vda9" ino=23 scontext=system_u:system_r:systemd_sysusers_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:12 localhost audit[1090]: AVC avc:  denied  { getattr } for  pid=1090 comm="systemd-journal" path="/var/log/journal/aa3962a305774ac0891d0b30169400ea/system.journal" dev="vda9" ino=42 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Dec 22 12:35:12 localhost audit[1090]: AVC avc:  denied  { read } for  pid=1090 comm="systemd-journal" name="aa3962a305774ac0891d0b30169400ea" dev="vda9" ino=41 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 22 12:35:12 localhost audit[1124]: AVC avc:  denied  { getattr } for  pid=1124 comm="systemd-sysuser" path="/etc" dev="overlay" ino=2 scontext=system_u:system_r:systemd_sysusers_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 22 12:35:12 localhost audit[1090]: AVC avc:  denied  { map } for  pid=1090 comm="systemd-journal" path="/var/log/journal/aa3962a305774ac0891d0b30169400ea/system.journal" dev="vda9" ino=42 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Dec 22 12:35:12 localhost audit[1090]: AVC avc:  denied  { read write } for  pid=1090 comm="systemd-journal" path="/var/log/journal/aa3962a305774ac0891d0b30169400ea/system.journal" dev="vda9" ino=42 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Dec 22 12:35:12 localhost audit[1124]: AVC avc:  denied  { write } for  pid=1124 comm="systemd-sysuser" name="/" dev="overlay" ino=2 scontext=system_u:system_r:systemd_sysusers_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 22 12:35:12 localhost audit[1124]: AVC avc:  denied  { add_name } for  pid=1124 comm="systemd-sysuser" name=".pwd.lock" scontext=system_u:system_r:systemd_sysusers_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 22 12:35:12 localhost audit[1124]: AVC avc:  denied  { create } for  pid=1124 comm="systemd-sysuser" name=".pwd.lock" scontext=system_u:system_r:systemd_sysusers_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Dec 22 12:35:12 localhost audit[1124]: AVC avc:  denied  { search } for  pid=1124 comm="systemd-sysuser" name="var" dev="vda9" ino=15 scontext=system_u:system_r:systemd_sysusers_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 22 12:35:12 localhost audit[1124]: AVC avc:  denied  { getattr } for  pid=1124 comm="systemd-sysuser" path="/usr/share/baselayout/nsswitch.conf" dev="dm-0" ino=269 scontext=system_u:system_r:systemd_sysusers_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Dec 22 12:35:12 localhost audit[1124]: AVC avc:  denied  { read } for  pid=1124 comm="systemd-sysuser" name="nsswitch.conf" dev="dm-0" ino=269 scontext=system_u:system_r:systemd_sysusers_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Dec 22 12:35:12 localhost audit[1124]: AVC avc:  denied  { open } for  pid=1124 comm="systemd-sysuser" path="/usr/share/baselayout/nsswitch.conf" dev="dm-0" ino=269 scontext=system_u:system_r:systemd_sysusers_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Dec 22 12:35:12 localhost audit[1129]: AVC avc:  denied  { search } for  pid=1129 comm="systemd-tmpfile" name="/" dev="overlay" ino=2 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 22 12:35:12 localhost audit[1129]: AVC avc:  denied  { read } for  pid=1129 comm="systemd-tmpfile" name="lib64" dev="vda9" ino=23 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:12 localhost audit[1129]: AVC avc:  denied  { getattr } for  pid=1129 comm="systemd-tmpfile" path="/etc" dev="overlay" ino=2 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 22 12:35:12 localhost audit[1129]: AVC avc:  denied  { search } for  pid=1129 comm="systemd-tmpfile" name="var" dev="vda9" ino=15 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 22 12:35:12 localhost audit[1129]: AVC avc:  denied  { read } for  pid=1129 comm="systemd-tmpfile" name="nsswitch.conf" dev="dm-0" ino=269 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Dec 22 12:35:12 localhost audit[1129]: AVC avc:  denied  { open } for  pid=1129 comm="systemd-tmpfile" path="/usr/share/baselayout/nsswitch.conf" dev="dm-0" ino=269 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Dec 22 12:35:12 localhost audit[1129]: AVC avc:  denied  { search } for  pid=1129 comm="systemd-tmpfile" name="/" dev="ramfs" ino=9527 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:ramfs_t:s0 tclass=dir permissive=1
Dec 22 12:35:12 localhost audit[1144]: AVC avc:  denied  { execute_no_trans } for  pid=1144 comm="(spawn)" path="/usr/lib/flatcar/issuegen" dev="dm-0" ino=27974 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1
Dec 22 12:35:12 localhost audit[1146]: AVC avc:  denied  { create } for  pid=1146 comm="mkdir" name="issue.d" scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
Dec 22 12:35:12 localhost audit[1144]: AVC avc:  denied  { create } for  pid=1144 comm="issuegen" name="eth0" scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
Dec 22 12:35:12 localhost audit[1144]: AVC avc:  denied  { write open } for  pid=1144 comm="issuegen" path="/run/issue.d/eth0" dev="tmpfs" ino=1245 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
Dec 22 12:35:12 localhost audit[1144]: AVC avc:  denied  { getattr } for  pid=1144 comm="issuegen" path="/run/issue.d/eth0" dev="tmpfs" ino=1245 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
Dec 22 12:35:12 localhost audit[1147]: AVC avc:  denied  { read } for  pid=1147 comm="cat" name="eth0" dev="tmpfs" ino=1245 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
Dec 22 12:35:12 localhost audit[1143]: AVC avc:  denied  { search } for  pid=1143 comm="systemd-userdbd" name="/" dev="overlay" ino=2 scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 22 12:35:12 localhost audit[1143]: AVC avc:  denied  { read } for  pid=1143 comm="systemd-userdbd" name="lib64" dev="vda9" ino=23 scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:13 localhost audit[1152]: AVC avc:  denied  { getattr } for  pid=1152 comm="systemd-userwor" path="/etc" dev="overlay" ino=2 scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1136]: AVC avc:  denied  { search } for  pid=1136 comm="systemd-network" name="/" dev="overlay" ino=2 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1136]: AVC avc:  denied  { read } for  pid=1136 comm="systemd-network" name="lib64" dev="vda9" ino=23 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:13 localhost audit[1158]: AVC avc:  denied  { read } for  pid=1158 comm="modprobe" name="lib64" dev="vda9" ino=23 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:13 localhost audit[1136]: AVC avc:  denied  { getattr } for  pid=1136 comm="systemd-network" path="/etc" dev="overlay" ino=2 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1162]: AVC avc:  denied  { read } for  pid=1162 comm="lvm" name="lib64" dev="vda9" ino=23 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:13 localhost audit[1164]: AVC avc:  denied  { read } for  pid=1164 comm="mount" name="lib64" dev="vda9" ino=23 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:13 localhost audit[1167]: AVC avc:  denied  { read } for  pid=1167 comm="fsck" name="lib64" dev="vda9" ino=23 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:13 localhost audit[1164]: AVC avc:  denied  { mount } for  pid=1164 comm="mount" name="/" dev="9p" ino=50234 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
Dec 22 12:35:13 localhost audit[1169]: AVC avc:  denied  { search } for  pid=1169 comm="bootctl" name="/" dev="overlay" ino=2 scontext=system_u:system_r:bootloader_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1169]: AVC avc:  denied  { read } for  pid=1169 comm="bootctl" name="lib64" dev="vda9" ino=23 scontext=system_u:system_r:bootloader_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:13 localhost audit[1169]: AVC avc:  denied  { getattr } for  pid=1169 comm="bootctl" path="/boot" dev="autofs" ino=3410 scontext=system_u:system_r:bootloader_t:s0 tcontext=system_u:object_r:autofs_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1090]: AVC avc:  denied  { write } for  pid=1090 comm="systemd-journal" name="system.journal" dev="vda9" ino=42 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { search } for  pid=1182 comm="systemd-tmpfile" name="/" dev="overlay" ino=2 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { search } for  pid=1182 comm="systemd-tmpfile" name="/" dev="overlay" ino=2 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:initrc_state_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { search } for  pid=1182 comm="systemd-tmpfile" name="systemd" dev="overlay" ino=8 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { read } for  pid=1182 comm="systemd-tmpfile" name="lib64" dev="vda9" ino=23 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { getattr } for  pid=1182 comm="systemd-tmpfile" path="/etc" dev="overlay" ino=2 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { search } for  pid=1182 comm="systemd-tmpfile" name="var" dev="vda9" ino=15 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { read } for  pid=1182 comm="systemd-tmpfile" name="nsswitch.conf" dev="overlay" ino=269 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { open } for  pid=1182 comm="systemd-tmpfile" path="/usr/share/baselayout/nsswitch.conf" dev="overlay" ino=269 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { read } for  pid=1182 comm="systemd-tmpfile" name="machine-id" dev="overlay" ino=520963 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { open } for  pid=1182 comm="systemd-tmpfile" path="/etc/machine-id" dev="overlay" ino=520963 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { search } for  pid=1182 comm="systemd-tmpfile" name="/" dev="ramfs" ino=4483 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:ramfs_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { getattr } for  pid=1182 comm="systemd-tmpfile" path="/var" dev="vda9" ino=15 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { getattr } for  pid=1182 comm="systemd-tmpfile" path="/etc/gshadow" dev="overlay" ino=28988 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { getattr } for  pid=1182 comm="systemd-tmpfile" path="/bin" dev="vda9" ino=21 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { read } for  pid=1182 comm="systemd-tmpfile" name="bin" dev="vda9" ino=21 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { getattr } for  pid=1182 comm="systemd-tmpfile" path="/var/lib/systemd" dev="vda9" ino=39 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { search } for  pid=1182 comm="systemd-tmpfile" name="systemd" dev="vda9" ino=39 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { getattr } for  pid=1182 comm="systemd-tmpfile" path="/var/log/journal/aa3962a305774ac0891d0b30169400ea/system.journal" dev="vda9" ino=42 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { relabelfrom } for  pid=1182 comm="systemd-tmpfile" name="var" dev="vda9" ino=15 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { create } for  pid=1182 comm="systemd-tmpfile" name="selinux" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:semanage_store_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { getattr } for  pid=1182 comm="systemd-tmpfile" path="/var/lib/selinux" dev="vda9" ino=43 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:semanage_store_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { read } for  pid=1182 comm="systemd-tmpfile" name="selinux" dev="vda9" ino=43 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:semanage_store_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { relabelfrom } for  pid=1182 comm="systemd-tmpfile" name="selinux" dev="vda9" ino=43 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:semanage_store_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { relabelto } for  pid=1182 comm="systemd-tmpfile" name="selinux" dev="vda9" ino=43 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:semanage_store_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { relabelto } for  pid=1182 comm="systemd-tmpfile" name="audit" dev="vda9" ino=38 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { relabelfrom } for  pid=1182 comm="systemd-tmpfile" name="/" dev="overlay" ino=2 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { relabelto } for  pid=1182 comm="systemd-tmpfile" name="core" dev="vda9" ino=520971 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { search } for  pid=1182 comm="systemd-tmpfile" name="core" dev="vda9" ino=520971 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { relabelto } for  pid=1182 comm="systemd-tmpfile" name=".ssh" dev="vda9" ino=520972 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { relabelfrom } for  pid=1182 comm="systemd-tmpfile" name="bin" dev="vda9" ino=21 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { relabelto } for  pid=1182 comm="systemd-tmpfile" name="bin" dev="vda9" ino=21 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { relabelto } for  pid=1182 comm="systemd-tmpfile" name="lib64" dev="vda9" ino=23 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { relabelto } for  pid=1182 comm="systemd-tmpfile" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { relabelto } for  pid=1182 comm="systemd-tmpfile" name="/" dev="vda6" ino=256 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { relabelto } for  pid=1182 comm="systemd-tmpfile" name="opt" dev="vda9" ino=520967 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { relabelto } for  pid=1182 comm="systemd-tmpfile" name="bin" dev="vda9" ino=520968 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { create } for  pid=1182 comm="systemd-tmpfile" name="etcd" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { setattr } for  pid=1182 comm="systemd-tmpfile" name="etcd" dev="vda9" ino=46 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { relabelfrom } for  pid=1182 comm="systemd-tmpfile" name="etcd" dev="vda9" ino=46 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { relabelto } for  pid=1182 comm="systemd-tmpfile" name="etcd" dev="vda9" ino=46 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { write } for  pid=1182 comm="systemd-tmpfile" name="core" dev="vda9" ino=520971 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { add_name } for  pid=1182 comm="systemd-tmpfile" name=".bash_logout" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { create } for  pid=1182 comm="systemd-tmpfile" name=".bash_logout" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { getattr } for  pid=1182 comm="systemd-tmpfile" path="/home/core/.bash_logout" dev="vda9" ino=520965 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { read } for  pid=1182 comm="systemd-tmpfile" name=".bash_logout" dev="vda9" ino=520965 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { setattr } for  pid=1182 comm="systemd-tmpfile" name=".bash_logout" dev="vda9" ino=520965 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { relabelfrom } for  pid=1182 comm="systemd-tmpfile" name=".bash_logout" dev="vda9" ino=520965 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { relabelto } for  pid=1182 comm="systemd-tmpfile" name=".bash_logout" dev="vda9" ino=520965 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { write } for  pid=1182 comm="systemd-tmpfile" name="/" dev="vda9" ino=2 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { add_name } for  pid=1182 comm="systemd-tmpfile" name="srv" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { create } for  pid=1182 comm="systemd-tmpfile" name="etab" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { write open } for  pid=1182 comm="systemd-tmpfile" path="/var/lib/nfs/etab" dev="vda9" ino=52 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { getattr } for  pid=1182 comm="systemd-tmpfile" path="/var/lib/nfs/etab" dev="vda9" ino=52 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { ioctl } for  pid=1182 comm="systemd-tmpfile" path="/var/lib/nfs/etab" dev="vda9" ino=52 ioctlcmd=0x9409 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { setattr } for  pid=1182 comm="systemd-tmpfile" name="etab" dev="vda9" ino=52 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { relabelfrom } for  pid=1182 comm="systemd-tmpfile" name="etab" dev="vda9" ino=52 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { relabelto } for  pid=1182 comm="systemd-tmpfile" name="etab" dev="vda9" ino=52 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
Dec 22 12:35:13 localhost audit[1185]: AVC avc:  denied  { getattr } for  pid=1185 comm="flatcar-autolog" path="/usr/share/baselayout/nsswitch.conf" dev="overlay" ino=269 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Dec 22 12:35:13 localhost audit[1185]: AVC avc:  denied  { read } for  pid=1185 comm="flatcar-autolog" name="nsswitch.conf" dev="overlay" ino=269 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Dec 22 12:35:13 localhost audit[1185]: AVC avc:  denied  { open } for  pid=1185 comm="flatcar-autolog" path="/usr/share/baselayout/nsswitch.conf" dev="overlay" ino=269 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { search } for  pid=1182 comm="systemd-tmpfile" name="root" dev="vda9" ino=1041924 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { write } for  pid=1182 comm="systemd-tmpfile" name="root" dev="vda9" ino=1041924 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { add_name } for  pid=1182 comm="systemd-tmpfile" name=".ssh" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { create } for  pid=1182 comm="systemd-tmpfile" name=".ssh" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { relabelfrom } for  pid=1182 comm="systemd-tmpfile" name=".ssh" dev="vda9" ino=1041942 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { create } for  pid=1182 comm="systemd-tmpfile" name="sss" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { relabelfrom } for  pid=1182 comm="systemd-tmpfile" name="sss" dev="vda9" ino=69 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { relabelto } for  pid=1182 comm="systemd-tmpfile" name="sss" dev="vda9" ino=69 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { write } for  pid=1182 comm="systemd-tmpfile" name="sss" dev="vda9" ino=69 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { add_name } for  pid=1182 comm="systemd-tmpfile" name="deskprofile" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { create } for  pid=1182 comm="systemd-tmpfile" name="sssd" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sssd_var_log_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { relabelfrom } for  pid=1182 comm="systemd-tmpfile" name="sssd" dev="vda9" ino=80 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sssd_var_log_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { relabelto } for  pid=1182 comm="systemd-tmpfile" name="sssd" dev="vda9" ino=80 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sssd_var_log_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { create } for  pid=1182 comm="systemd-tmpfile" name="resolv.conf" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:systemd_networkd_runtime_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { getattr } for  pid=1182 comm="systemd-tmpfile" path="/run/systemd/network/resolv.conf" dev="tmpfs" ino=1544 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:systemd_networkd_runtime_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { read } for  pid=1182 comm="systemd-tmpfile" name="resolv.conf" dev="tmpfs" ino=1544 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:systemd_networkd_runtime_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { relabelfrom } for  pid=1182 comm="systemd-tmpfile" name="resolv.conf" dev="tmpfs" ino=1544 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:systemd_networkd_runtime_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { relabelto } for  pid=1182 comm="systemd-tmpfile" name="resolv.conf" dev="tmpfs" ino=1544 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:systemd_networkd_runtime_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { create } for  pid=1182 comm="systemd-tmpfile" name="spool" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { create } for  pid=1182 comm="systemd-tmpfile" name="xtables.lock" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:iptables_runtime_t:s0 tclass=file permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { write open } for  pid=1182 comm="systemd-tmpfile" path="/run/xtables.lock" dev="tmpfs" ino=1545 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:iptables_runtime_t:s0 tclass=file permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { getattr } for  pid=1182 comm="systemd-tmpfile" path="/run/xtables.lock" dev="tmpfs" ino=1545 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:iptables_runtime_t:s0 tclass=file permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { relabelfrom } for  pid=1182 comm="systemd-tmpfile" name="xtables.lock" dev="tmpfs" ino=1545 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:iptables_runtime_t:s0 tclass=file permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { relabelto } for  pid=1182 comm="systemd-tmpfile" name="xtables.lock" dev="tmpfs" ino=1545 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:iptables_runtime_t:s0 tclass=file permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { getattr } for  pid=1182 comm="systemd-tmpfile" path="/etc/shadow" dev="overlay" ino=28987 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { relabelfrom } for  pid=1182 comm="systemd-tmpfile" name="shadow" dev="overlay" ino=28987 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { relabelto } for  pid=1182 comm="systemd-tmpfile" name="shadow" dev="overlay" ino=28987 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { read } for  pid=1182 comm="systemd-tmpfile" name="aa3962a305774ac0891d0b30169400ea" dev="vda9" ino=41 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { open } for  pid=1182 comm="systemd-tmpfile" path="/var/log/journal/aa3962a305774ac0891d0b30169400ea" dev="vda9" ino=41 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { setattr } for  pid=1182 comm="systemd-tmpfile" path="/var/log/journal/aa3962a305774ac0891d0b30169400ea" dev="vda9" ino=41 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 22 12:35:13 localhost audit[1182]: AVC avc:  denied  { relabelfrom } for  pid=1182 comm="systemd-tmpfile" name="system.journal" dev="vda9" ino=42 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Dec 22 12:35:14 localhost audit[1260]: AVC avc:  denied  { search } for  pid=1260 comm="journalctl" name="/" dev="overlay" ino=2 scontext=system_u:system_r:systemd_journal_init_t:s0 tcontext=system_u:object_r:initrc_state_t:s0 tclass=dir permissive=1
Dec 22 12:35:14 localhost audit[1260]: AVC avc:  denied  { getattr } for  pid=1260 comm="journalctl" path="/usr" dev="overlay" ino=2 scontext=system_u:system_r:systemd_journal_init_t:s0 tcontext=system_u:object_r:initrc_state_t:s0 tclass=dir permissive=1
Dec 22 12:35:14 localhost audit[1152]: AVC avc:  denied  { getattr } for  pid=1152 comm="systemd-userwor" path="/usr" dev="overlay" ino=2 scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:object_r:initrc_state_t:s0 tclass=dir permissive=1
Dec 22 12:35:14 localhost audit[1152]: AVC avc:  denied  { search } for  pid=1152 comm="systemd-userwor" name="/" dev="overlay" ino=2 scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:object_r:initrc_state_t:s0 tclass=dir permissive=1
Dec 22 12:35:14 localhost audit[1274]: AVC avc:  denied  { search } for  pid=1274 comm="modprobe" name="/" dev="overlay" ino=2 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:initrc_state_t:s0 tclass=dir permissive=1
Dec 22 12:35:14 localhost audit[1277]: AVC avc:  denied  { search } for  pid=1277 comm="modprobe" name="/" dev="overlay" ino=2 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:initrc_state_t:s0 tclass=dir permissive=1
Dec 22 12:35:14 localhost audit[1260]: AVC avc:  denied  { search } for  pid=1260 comm="journalctl" name="/" dev="overlay" ino=2 scontext=system_u:system_r:systemd_journal_init_t:s0 tcontext=system_u:object_r:initrc_state_t:s0 tclass=dir permissive=1
Dec 22 12:35:14 localhost audit[1262]: AVC avc:  denied  { search } for  pid=1262 comm="systemd-resolve" name="/" dev="overlay" ino=2 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:initrc_state_t:s0 tclass=dir permissive=1
Dec 22 12:35:14 localhost audit[1262]: AVC avc:  denied  { search } for  pid=1262 comm="systemd-resolve" name="systemd" dev="overlay" ino=8 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
Dec 22 12:35:21 localhost sudo[1486]: pam_env(sudo:setcred): Unable to open config file: /usr/lib/pam//pam_env.conf: Permission denied
Dec 22 12:35:51 localhost audit[910]: AVC avc:  denied  { read } for  pid=910 comm="systemd-gpt-aut" name="boot" dev="vda9" ino=14 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 22 12:35:51 localhost audit[901]: AVC avc:  denied  { getattr } for  pid=901 comm="flatcar-autolog" path="/usr/share/baselayout/nsswitch.conf" dev="dm-0" ino=269 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Dec 22 12:35:51 localhost audit[901]: AVC avc:  denied  { read } for  pid=901 comm="flatcar-autolog" name="nsswitch.conf" dev="dm-0" ino=269 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Dec 22 12:35:51 localhost audit[901]: AVC avc:  denied  { open } for  pid=901 comm="flatcar-autolog" path="/usr/share/baselayout/nsswitch.conf" dev="dm-0" ino=269 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Dec 22 12:35:51 localhost audit[992]: AVC avc:  denied  { read } for  pid=992 comm="systemd-journal" name="machine-id" dev="overlay" ino=520963 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Dec 22 12:35:51 localhost audit[992]: AVC avc:  denied  { open } for  pid=992 comm="systemd-journal" path="/etc/machine-id" dev="overlay" ino=520963 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Dec 22 12:35:51 localhost audit[1029]: AVC avc:  denied  { search } for  pid=1029 comm="systemd-sysctl" name="credentials" dev="tmpfs" ino=4 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
Dec 22 12:35:51 localhost audit[1031]: AVC avc:  denied  { getattr } for  pid=1031 comm="systemd-sysuser" path="/usr/share/baselayout/nsswitch.conf" dev="dm-0" ino=269 scontext=system_u:system_r:systemd_sysusers_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Dec 22 12:35:51 localhost audit[1031]: AVC avc:  denied  { read } for  pid=1031 comm="systemd-sysuser" name="nsswitch.conf" dev="dm-0" ino=269 scontext=system_u:system_r:systemd_sysusers_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Dec 22 12:35:51 localhost audit[1031]: AVC avc:  denied  { open } for  pid=1031 comm="systemd-sysuser" path="/usr/share/baselayout/nsswitch.conf" dev="dm-0" ino=269 scontext=system_u:system_r:systemd_sysusers_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Dec 22 12:35:51 localhost audit[1036]: AVC avc:  denied  { read } for  pid=1036 comm="systemd-tmpfile" name="machine-id" dev="overlay" ino=520963 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Dec 22 12:35:51 localhost audit[1036]: AVC avc:  denied  { open } for  pid=1036 comm="systemd-tmpfile" path="/etc/machine-id" dev="overlay" ino=520963 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Dec 22 12:35:51 localhost audit[1036]: AVC avc:  denied  { read } for  pid=1036 comm="systemd-tmpfile" name="nsswitch.conf" dev="dm-0" ino=269 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Dec 22 12:35:51 localhost audit[1036]: AVC avc:  denied  { open } for  pid=1036 comm="systemd-tmpfile" path="/usr/share/baselayout/nsswitch.conf" dev="dm-0" ino=269 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Dec 22 12:35:51 localhost audit[1036]: AVC avc:  denied  { search } for  pid=1036 comm="systemd-tmpfile" name="/" dev="ramfs" ino=6644 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:ramfs_t:s0 tclass=dir permissive=1
Dec 22 12:35:52 localhost audit[1051]: AVC avc:  denied  { execute_no_trans } for  pid=1051 comm="(spawn)" path="/usr/lib/flatcar/issuegen" dev="dm-0" ino=27974 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1
Dec 22 12:35:52 localhost audit[1054]: AVC avc:  denied  { create } for  pid=1054 comm="mkdir" name="issue.d" scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
Dec 22 12:35:52 localhost audit[1051]: AVC avc:  denied  { create } for  pid=1051 comm="issuegen" name="eth0" scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
Dec 22 12:35:52 localhost audit[1051]: AVC avc:  denied  { write open } for  pid=1051 comm="issuegen" path="/run/issue.d/eth0" dev="tmpfs" ino=819 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
Dec 22 12:35:52 localhost audit[1051]: AVC avc:  denied  { getattr } for  pid=1051 comm="issuegen" path="/run/issue.d/eth0" dev="tmpfs" ino=819 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
Dec 22 12:35:52 localhost audit[1055]: AVC avc:  denied  { read } for  pid=1055 comm="cat" name="eth0" dev="tmpfs" ino=819 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
Dec 22 12:35:52 localhost audit[1044]: AVC avc:  denied  { read } for  pid=1044 comm="systemd-network" name="machine-id" dev="overlay" ino=520963 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Dec 22 12:35:52 localhost audit[1044]: AVC avc:  denied  { open } for  pid=1044 comm="systemd-network" path="/etc/machine-id" dev="overlay" ino=520963 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Dec 22 12:35:52 localhost audit[1073]: AVC avc:  denied  { mount } for  pid=1073 comm="mount" name="/" dev="9p" ino=50238 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
Dec 22 12:35:52 localhost audit[1078]: AVC avc:  denied  { getattr } for  pid=1078 comm="bootctl" path="/boot" dev="autofs" ino=352 scontext=system_u:system_r:bootloader_t:s0 tcontext=system_u:object_r:autofs_t:s0 tclass=dir permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { search } for  pid=1095 comm="systemd-tmpfile" name="/" dev="overlay" ino=2 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:initrc_state_t:s0 tclass=dir permissive=1
Dec 22 12:35:53 localhost kernel: audit: type=1400 audit(1703248553.043:158): avc:  denied  { search } for  pid=1095 comm="systemd-tmpfile" name="/" dev="overlay" ino=2 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:initrc_state_t:s0 tclass=dir permissive=1
Dec 22 12:35:53 localhost kernel: audit: type=1400 audit(1703248553.043:158): avc:  denied  { search } for  pid=1095 comm="systemd-tmpfile" name="systemd" dev="overlay" ino=9 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { search } for  pid=1095 comm="systemd-tmpfile" name="systemd" dev="overlay" ino=9 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { read } for  pid=1095 comm="systemd-tmpfile" name="nsswitch.conf" dev="overlay" ino=269 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { open } for  pid=1095 comm="systemd-tmpfile" path="/usr/share/baselayout/nsswitch.conf" dev="overlay" ino=269 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Dec 22 12:35:53 localhost kernel: audit: type=1400 audit(1703248553.053:159): avc:  denied  { read } for  pid=1095 comm="systemd-tmpfile" name="nsswitch.conf" dev="overlay" ino=269 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Dec 22 12:35:53 localhost kernel: audit: type=1400 audit(1703248553.053:159): avc:  denied  { open } for  pid=1095 comm="systemd-tmpfile" path="/usr/share/baselayout/nsswitch.conf" dev="overlay" ino=269 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Dec 22 12:35:53 localhost kernel: audit: type=1400 audit(1703248553.054:160): avc:  denied  { read } for  pid=1095 comm="systemd-tmpfile" name="machine-id" dev="overlay" ino=520963 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { read } for  pid=1095 comm="systemd-tmpfile" name="machine-id" dev="overlay" ino=520963 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { open } for  pid=1095 comm="systemd-tmpfile" path="/etc/machine-id" dev="overlay" ino=520963 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { search } for  pid=1095 comm="systemd-tmpfile" name="/" dev="ramfs" ino=8594 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:ramfs_t:s0 tclass=dir permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { getattr } for  pid=1095 comm="systemd-tmpfile" path="/var/lib/selinux" dev="vda9" ino=43 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:semanage_store_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { read } for  pid=1095 comm="systemd-tmpfile" name="selinux" dev="vda9" ino=43 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:semanage_store_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { getattr } for  pid=1095 comm="systemd-tmpfile" path="/etc/gshadow" dev="overlay" ino=28988 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { search } for  pid=1095 comm="systemd-tmpfile" name="core" dev="vda9" ino=520971 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { getattr } for  pid=1095 comm="systemd-tmpfile" path="/home/core/.bash_profile" dev="vda9" ino=520973 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { read } for  pid=1095 comm="systemd-tmpfile" name=".bash_profile" dev="vda9" ino=520973 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { getattr } for  pid=1095 comm="systemd-tmpfile" path="/bin" dev="vda9" ino=21 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { read } for  pid=1095 comm="systemd-tmpfile" name="bin" dev="vda9" ino=21 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { getattr } for  pid=1095 comm="systemd-tmpfile" path="/oem" dev="vda6" ino=256 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { search } for  pid=1095 comm="systemd-tmpfile" name="root" dev="vda9" ino=1041924 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { getattr } for  pid=1095 comm="systemd-tmpfile" path="/var/lib/nfs/state" dev="vda9" ino=58 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { getattr } for  pid=1095 comm="systemd-tmpfile" path="/etc/machine-id" dev="overlay" ino=520963 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { relabelfrom } for  pid=1095 comm="systemd-tmpfile" name="selinux" dev="vda9" ino=43 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:semanage_store_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { relabelto } for  pid=1095 comm="systemd-tmpfile" name="selinux" dev="vda9" ino=43 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:semanage_store_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { relabelfrom } for  pid=1095 comm="systemd-tmpfile" name="audit" dev="vda9" ino=38 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { relabelto } for  pid=1095 comm="systemd-tmpfile" name="audit" dev="vda9" ino=38 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { relabelfrom } for  pid=1095 comm="systemd-tmpfile" name="core" dev="vda9" ino=520971 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { relabelto } for  pid=1095 comm="systemd-tmpfile" name="core" dev="vda9" ino=520971 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { relabelfrom } for  pid=1095 comm="systemd-tmpfile" name=".ssh" dev="vda9" ino=520972 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=dir permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { relabelto } for  pid=1095 comm="systemd-tmpfile" name=".ssh" dev="vda9" ino=520972 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=dir permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { relabelfrom } for  pid=1095 comm="systemd-tmpfile" name="bin" dev="vda9" ino=21 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { relabelto } for  pid=1095 comm="systemd-tmpfile" name="bin" dev="vda9" ino=21 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { relabelfrom } for  pid=1095 comm="systemd-tmpfile" name="lib64" dev="vda9" ino=23 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { relabelto } for  pid=1095 comm="systemd-tmpfile" name="lib64" dev="vda9" ino=23 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { relabelto } for  pid=1095 comm="systemd-tmpfile" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { relabelfrom } for  pid=1095 comm="systemd-tmpfile" name="mnt" dev="vda9" ino=1041922 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { relabelfrom } for  pid=1095 comm="systemd-tmpfile" name="/" dev="vda6" ino=256 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { relabelto } for  pid=1095 comm="systemd-tmpfile" name="/" dev="vda6" ino=256 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { relabelfrom } for  pid=1095 comm="systemd-tmpfile" name="opt" dev="vda9" ino=520967 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { relabelto } for  pid=1095 comm="systemd-tmpfile" name="opt" dev="vda9" ino=520967 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { relabelfrom } for  pid=1095 comm="systemd-tmpfile" name="bin" dev="vda9" ino=520968 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { relabelto } for  pid=1095 comm="systemd-tmpfile" name="bin" dev="vda9" ino=520968 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { relabelfrom } for  pid=1095 comm="systemd-tmpfile" name="root" dev="vda9" ino=1041924 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { relabelfrom } for  pid=1095 comm="systemd-tmpfile" name="etcd" dev="vda9" ino=46 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { relabelto } for  pid=1095 comm="systemd-tmpfile" name="etcd" dev="vda9" ino=46 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { relabelfrom } for  pid=1095 comm="systemd-tmpfile" name=".bash_logout" dev="vda9" ino=520965 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { relabelto } for  pid=1095 comm="systemd-tmpfile" name=".bash_logout" dev="vda9" ino=520965 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { relabelfrom } for  pid=1095 comm="systemd-tmpfile" name="etab" dev="vda9" ino=52 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { relabelto } for  pid=1095 comm="systemd-tmpfile" name="etab" dev="vda9" ino=52 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
Dec 22 12:35:53 localhost audit[1098]: AVC avc:  denied  { getattr } for  pid=1098 comm="flatcar-autolog" path="/usr/share/baselayout/nsswitch.conf" dev="overlay" ino=269 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Dec 22 12:35:53 localhost audit[1098]: AVC avc:  denied  { read } for  pid=1098 comm="flatcar-autolog" name="nsswitch.conf" dev="overlay" ino=269 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Dec 22 12:35:53 localhost audit[1098]: AVC avc:  denied  { open } for  pid=1098 comm="flatcar-autolog" path="/usr/share/baselayout/nsswitch.conf" dev="overlay" ino=269 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { relabelfrom } for  pid=1095 comm="systemd-tmpfile" name="sss" dev="vda9" ino=69 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { relabelto } for  pid=1095 comm="systemd-tmpfile" name="sss" dev="vda9" ino=69 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { relabelfrom } for  pid=1095 comm="systemd-tmpfile" name="sssd" dev="vda9" ino=80 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sssd_var_log_t:s0 tclass=dir permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { relabelto } for  pid=1095 comm="systemd-tmpfile" name="sssd" dev="vda9" ino=80 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sssd_var_log_t:s0 tclass=dir permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { create } for  pid=1095 comm="systemd-tmpfile" name="resolv.conf" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:systemd_networkd_runtime_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { getattr } for  pid=1095 comm="systemd-tmpfile" path="/run/systemd/network/resolv.conf" dev="tmpfs" ino=1199 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:systemd_networkd_runtime_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { read } for  pid=1095 comm="systemd-tmpfile" name="resolv.conf" dev="tmpfs" ino=1199 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:systemd_networkd_runtime_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { relabelfrom } for  pid=1095 comm="systemd-tmpfile" name="resolv.conf" dev="tmpfs" ino=1199 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:systemd_networkd_runtime_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { relabelto } for  pid=1095 comm="systemd-tmpfile" name="resolv.conf" dev="tmpfs" ino=1199 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:systemd_networkd_runtime_t:s0 tclass=lnk_file permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { read } for  pid=1095 comm="systemd-tmpfile" name="system.data" dev="overlay" ino=27580 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { open } for  pid=1095 comm="systemd-tmpfile" path="/usr/share/trousers/system.data" dev="overlay" ino=27580 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { create } for  pid=1095 comm="systemd-tmpfile" name="xtables.lock" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:iptables_runtime_t:s0 tclass=file permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { write open } for  pid=1095 comm="systemd-tmpfile" path="/run/xtables.lock" dev="tmpfs" ino=1201 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:iptables_runtime_t:s0 tclass=file permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { getattr } for  pid=1095 comm="systemd-tmpfile" path="/run/xtables.lock" dev="tmpfs" ino=1201 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:iptables_runtime_t:s0 tclass=file permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { relabelfrom } for  pid=1095 comm="systemd-tmpfile" name="xtables.lock" dev="tmpfs" ino=1201 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:iptables_runtime_t:s0 tclass=file permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { relabelto } for  pid=1095 comm="systemd-tmpfile" name="xtables.lock" dev="tmpfs" ino=1201 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:iptables_runtime_t:s0 tclass=file permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { getattr } for  pid=1095 comm="systemd-tmpfile" path="/etc/shadow" dev="overlay" ino=28987 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { relabelfrom } for  pid=1095 comm="systemd-tmpfile" name="shadow" dev="overlay" ino=28987 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { relabelto } for  pid=1095 comm="systemd-tmpfile" name="shadow" dev="overlay" ino=28987 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
Dec 22 12:35:53 localhost audit[1170]: AVC avc:  denied  { search } for  pid=1170 comm="journalctl" name="/" dev="overlay" ino=2 scontext=system_u:system_r:systemd_journal_init_t:s0 tcontext=system_u:object_r:initrc_state_t:s0 tclass=dir permissive=1
Dec 22 12:35:53 localhost audit[1060]: AVC avc:  denied  { getattr } for  pid=1060 comm="systemd-userwor" path="/usr" dev="overlay" ino=2 scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:object_r:initrc_state_t:s0 tclass=dir permissive=1
Dec 22 12:35:53 localhost audit[1060]: AVC avc:  denied  { search } for  pid=1060 comm="systemd-userwor" name="/" dev="overlay" ino=2 scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:object_r:initrc_state_t:s0 tclass=dir permissive=1
Dec 22 12:35:53 localhost audit[1170]: AVC avc:  denied  { getattr } for  pid=1170 comm="journalctl" path="/usr" dev="overlay" ino=2 scontext=system_u:system_r:systemd_journal_init_t:s0 tcontext=system_u:object_r:initrc_state_t:s0 tclass=dir permissive=1
Dec 22 12:35:53 localhost audit[1184]: AVC avc:  denied  { search } for  pid=1184 comm="modprobe" name="/" dev="overlay" ino=2 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:initrc_state_t:s0 tclass=dir permissive=1
Dec 22 12:35:53 localhost audit[1170]: AVC avc:  denied  { search } for  pid=1170 comm="journalctl" name="/" dev="overlay" ino=2 scontext=system_u:system_r:systemd_journal_init_t:s0 tcontext=system_u:object_r:initrc_state_t:s0 tclass=dir permissive=1
Dec 22 12:35:53 localhost audit[1186]: AVC avc:  denied  { search } for  pid=1186 comm="modprobe" name="/" dev="overlay" ino=2 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:initrc_state_t:s0 tclass=dir permissive=1
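
To triage a log like the one above, this added example (not part of the PR or of the Flatcar scripts) parses AVC records into (source type, target type, object class, permission) counts and collapses them into candidate allow rules in audit2allow style; the sample lines are constructed in the same format as the log.

```python
import re
from collections import Counter

# One AVC record: the permission set sits in braces, the rest is key=value fields.
AVC_RE = re.compile(r'AVC avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one audit line; return a dict of fields plus a 'perms' list, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()  # "{ write open }" yields two permissions
    return rec

def type_of(context):
    """The type component (user:role:TYPE:level) of an SELinux security context."""
    return context.split(':')[2]

def summarize(lines):
    """Count (source type, target type, object class, permission) across the log."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec['perms']:
            counts[(type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'], perm)] += 1
    return counts

def allow_rules(counts):
    """Collapse the counts into candidate allow rules; review each one rather than
    granting it blindly (relabelfrom/relabelto on user_home_dir_t deserves a look)."""
    grouped = {}
    for (src, tgt, cls, perm) in counts:
        grouped.setdefault((src, tgt, cls), set()).add(perm)
    return sorted(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
                  for (src, tgt, cls), perms in grouped.items())

# Constructed sample in the format of the audit log above: two relabel denials on
# one inode, one multi-permission denial, and a non-AVC line that is skipped.
# permissive=1 means the kernel logged the access but did not block it.
SAMPLE_LINES = [
    'Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { relabelfrom } for  pid=1095 comm="systemd-tmpfile" name="core" dev="vda9" ino=520971 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1',
    'Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { relabelto } for  pid=1095 comm="systemd-tmpfile" name="core" dev="vda9" ino=520971 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1',
    'Dec 22 12:35:53 localhost audit[1095]: AVC avc:  denied  { write open } for  pid=1095 comm="systemd-tmpfile" path="/run/xtables.lock" dev="tmpfs" ino=1201 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:iptables_runtime_t:s0 tclass=file permissive=1',
    'Dec 22 12:35:53 localhost systemd[1]: Started Network Service.',
]
```

Every record in the log above carries permissive=1, so each line is an access that would become a hard failure once the policy is enforcing; `allow_rules(summarize(SAMPLE_LINES))` prints the two candidate rules for the sample.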

@krnowak
Member

krnowak commented Jan 3, 2024

I think that if we want to start labeling the whole filesystem, we should at least start enabling selinux USE flag globally and pull in the missing sec-policy/selinux-<stuff> packages first. Currently we enable selinux USE flag for a selected set of packages instead.

So far we did not correctly label /usr because it broke certain things
like Docker. With the sysext Docker and new policies we should try
again.
First generate the policy before branching off the base squashfs (which
already misses a lot of things because most of the postprocessing is
done late in finish_image!). Then label /usr and also the sysext
contents in their folder - not in the overlay mount because this would
operate on the whole image.
This is missing for containerd and docker labels:

Current:
```
$ selabel_lookup -k /usr/bin/docker
Default context: system_u:object_r:bin_t:s0
```

Signed-off-by: Mathieu Tortuyaux <[email protected]>