0010825: selinux prevents systemd-networkd from writing to /var/lib/systemd/network - Rocky Linux BugTracker

ID	Project	Category	View Status	Date Submitted	Last Update

0010825	Rocky-Linux-10	selinux-policy	public	2025-10-31 11:48	2025-10-31 15:56

Reporter	Andrew Miskell	Assigned To	Louis Abel
Priority	normal	Severity	minor	Reproducibility	always
Status	closed	Resolution	won't fix
Product Version	10.0
Fixed in Version	10-LookAhead

Summary	0010825: selinux prevents systemd-networkd from writing to /var/lib/systemd/network
Description	After installing/configuring/enabling systemd-networkd from the epel repositories, the systemd-networkd-persistent-storage service fails to start with the following error. Oct 31 11:34:57 ip-10-242-1-172.ec2.internal networkctl[37656]: Failed to issue io.systemd.Network.SetPersistentStorage() varlink call: Timer expired Setting selinux to permissive allows the service to start, so it appeared to be a policy issue. I ran audit2allow against the audit logs and it generating the attached policy, which I loaded into selinux and was able to start/restart the service while in enforcing mode. Based on the generated policy, systemd_networkd_t needs permissions to read, write and getattr for init_var_lib_t:dir in order to be able to write to /var/lib/systemd/network Permissions on the /var/lib/systemd/network directory: drwxr-xr-x. 2 systemd-network systemd-network system_u:object_r:init_var_lib_t:s0 6 Oct 31 02:40 network
Tags	No tags attached.
Attached Files	systemd-networkd.te.txt (265 bytes) module systemd-networkd 1.0; require { type init_var_lib_t; type systemd_networkd_t; class dir { getattr write read }; } #============= systemd_networkd_t ============== allow systemd_networkd_t init_var_lib_t:dir { getattr write read }; systemd-networkd.te.txt (265 bytes)

Andrew Miskell 2025-10-31 12:20 reporter ~0011584	I also checked this on RHEL 10 and CentOS Stream 10 to see if the issue was present upstream or specific to RL10. RHEL10 had the same issue but CentOS Stream 10 did not. Looking closer at CentOS Stream 10, it appears the selinux context on the /var/lib/systemd/network directory is different than the defaults on RHEL10 and RL10. Instead of init_var_lib_t:s0 it's now systemd_networkd_var_lib_t:s0. Context on CentOS Stream 10 is: drwxr-xr-x. 2 systemd-network systemd-network system_u:object_r:systemd_networkd_var_lib_t:s0 6 Oct 31 07:07 network

Louis Abel 2025-10-31 15:56 administrator ~0011617	The selinux policy packages will update in 10.1 which addresses this. Closing. [root@idp tmp]# rpm -q selinux-policy selinux-policy-40.13.26-1.el10.noarch [root@idp ~]# grep systemd_networkd /etc/selinux/targeted/contexts/files/file_contexts /run/systemd/netif(/.)? system_u:object_r:systemd_networkd_var_run_t:s0 /usr/lib/systemd/systemd-networkd -- system_u:object_r:systemd_networkd_exec_t:s0 /usr/lib/systemd/system/systemd-networkd\.service system_u:object_r:systemd_networkd_unit_file_t:s0 [root@cm03 systemd]# rpm -q selinux-policy selinux-policy-42.1.7-1.el10.noarch [root@cm03 systemd]# grep systemd_networkd /etc/selinux/targeted/contexts/files/file_contexts /run/systemd/netif(/.)? system_u:object_r:systemd_networkd_var_run_t:s0 /var/lib/systemd/network(/.*)? system_u:object_r:systemd_networkd_var_lib_t:s0 /usr/lib/systemd/systemd-networkd -- system_u:object_r:systemd_networkd_exec_t:s0 /usr/lib/systemd/system/systemd-networkd\.service system_u:object_r:systemd_networkd_unit_file_t:s0

Date Modified	Username	Field	Change
2025-10-31 11:48	Andrew Miskell	New Issue
2025-10-31 11:48	Andrew Miskell	File Added: systemd-networkd.te.txt
2025-10-31 12:20	Andrew Miskell	Note Added: 0011584
2025-10-31 15:56	Louis Abel	Assigned To	=> Louis Abel
2025-10-31 15:56	Louis Abel	Status	new => closed
2025-10-31 15:56	Louis Abel	Resolution	open => won't fix
2025-10-31 15:56	Louis Abel	Fixed in Version	=> 10-LookAhead
2025-10-31 15:56	Louis Abel	Note Added: 0011617