View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0012211 | Rocky-Linux-10 | selinux-policy | public | 2026-03-05 23:25 | 2026-03-05 23:25 |
| Reporter | Jakub Chromy | Assigned To | |||
| Priority | urgent | Severity | block | Reproducibility | always |
| Status | new | Resolution | open | ||
| Product Version | 10.1 | ||||
| Summary | 0012211: SELinux regression in selinux-policy-42.1.7-1.el10_1.1 causes systemd AVC denial (init_t capability2 mac_admin) and breaks syste | ||||
| Description | After upgrading to selinux-policy-42.1.7-1.el10_1.1 on Rocky Linux 10.1, SELinux starts denying the mac_admin capability for systemd (init_t). This results in repeated AVC denials and causes system services to malfunction. In our environment this manifests as failures when managing services (for example via systemctl or automation tools such as Ansible). Downgrading SELinux policy packages to 42.1.7-1.el10 resolves the issue immediately. Working versions: selinux-policy-42.1.7-1.el10.noarch selinux-policy-targeted-42.1.7-1.el10.noarch systemd-257-13.el10.rocky.0.1.x86_64 dbus-broker-36-4.el10.x86_64 Broken versions: selinux-policy-42.1.7-1.el10_1.1.noarch selinux-policy-targeted-42.1.7-1.el10_1.1.noarch | ||||
| Steps To Reproduce | Install Rocky Linux 10.1 with SELinux enabled (enforcing). Update system packages: dnf upgrade Ensure SELinux policy packages are updated to: selinux-policy-42.1.7-1.el10_1.1 selinux-policy-targeted-42.1.7-1.el10_1.1 Observe SELinux AVC denials for systemd. Example AVC: avc: denied { mac_admin } for pid=1 comm="systemd" capability=33 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=capability2 permissive=0 audit2why output: Missing type enforcement (TE) allow rule. Downgrading the policy packages fixes the problem: dnf downgrade selinux-policy selinux-policy-targeted | ||||
| Additional Information | Rocky Linux 10.1 systemd-257-13.el10.rocky.0.1 dbus-broker-36-4.el10 SELinux enforcing | ||||
| Tags | No tags attached. | ||||
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2026-03-05 23:25 | Jakub Chromy | New Issue |
