View Issue Details

ID: 0012211
Project: Rocky-Linux-10
Category: selinux-policy
View Status: public
Last Update: 2026-03-06 09:22
Reporter: Jakub Chromy
Assigned To: Louis Abel
Priority: urgent
Severity: block
Reproducibility: always
Status: needinfo
Resolution: open
Product Version: 10.1
Summary: 0012211: SELinux regression in selinux-policy-42.1.7-1.el10_1.1 causes systemd AVC denial (init_t capability2 mac_admin) and breaks syste
Description:

After upgrading to selinux-policy-42.1.7-1.el10_1.1 on Rocky Linux 10.1, SELinux starts denying the mac_admin capability for systemd (init_t). This results in repeated AVC denials and causes system services to malfunction. In our environment this manifests as failures when managing services (for example via systemctl or automation tools such as Ansible).

Downgrading SELinux policy packages to 42.1.7-1.el10 resolves the issue immediately.

Working versions:

selinux-policy-42.1.7-1.el10.noarch
selinux-policy-targeted-42.1.7-1.el10.noarch
systemd-257-13.el10.rocky.0.1.x86_64
dbus-broker-36-4.el10.x86_64

Broken versions:

selinux-policy-42.1.7-1.el10_1.1.noarch
selinux-policy-targeted-42.1.7-1.el10_1.1.noarch
Steps To Reproduce:

Install Rocky Linux 10.1 with SELinux enabled (enforcing).

Update system packages:

dnf upgrade

Ensure SELinux policy packages are updated to:

selinux-policy-42.1.7-1.el10_1.1
selinux-policy-targeted-42.1.7-1.el10_1.1

Observe SELinux AVC denials for systemd.

Example AVC:

avc: denied { mac_admin } for pid=1 comm="systemd"
capability=33 scontext=system_u:system_r:init_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=capability2 permissive=0

audit2why output:

Missing type enforcement (TE) allow rule.

Downgrading the policy packages fixes the problem:

dnf downgrade selinux-policy selinux-policy-targeted
Additional Information:

Rocky Linux 10.1
systemd-257-13.el10.rocky.0.1
dbus-broker-36-4.el10
SELinux enforcing
Tags: No tags attached.

Activities

Louis Abel

2026-03-06 05:52

administrator   ~0013069

Thank you for the report. I am unable to reproduce your issue.

[root@idp ~]# rpm -q rocky-release systemd audit libsepol selinux-policy kernel dbus-broker
rocky-release-10.1-1.4.el10
systemd-257-13.el10.rocky.0.1
audit-4.0.3-4.el10
libsepol-3.9-1.el10
selinux-policy-42.1.7-1.el10_1.1
dbus-broker-36-4.el10
dbus-broker-36-4.el10.x86_64
[root@idp ~]# grep init_t /var/log/audit/audit.log | grep denied
[root@idp ~]# grep systemd /var/log/audit/audit.log | grep denied
[root@idp ~]# grep denied /var/log/audit/audit.log
[root@idp ~]# systemctl restart chronyd
[root@idp ~]# grep denied /var/log/audit/audit.log
[root@idp ~]#

This is the only change log from the selinux policy update.

[root@idp ~]# rpm -q selinux-policy --changelog | head
* Fri Feb 13 2026 Zdenek Pytela <zpytela@redhat.com> - 42.1.7-1.1
- Allow nfsd_t domain setuid and setgid capability for rpc.mountd
Resolves: RHEL-148248

Have you made any selinux related changes to your system(s)? Using the default system settings, I am not seeing denials nor systems misbehaving with this update.

Setting to needinfo.

Jakub Chromy

2026-03-06 06:57

reporter   ~0013070

Hello... the error occurs on the FRESH system.. but -- and that's something I've forgotten to mention.. with RHEL/Rocky CIS Level 1 patches(!).

I'll try to simulate yesterday's situation with a fresh VM...

Jakub Chromy

2026-03-06 06:58

reporter   ~0013071

Also the response -- no... just the standard Ansible installation.. the error occurs just after this:

- name: update all packages
  ansible.builtin.dnf:
    name: "*"
    state: latest
    nobest: true
    update_cache: yes
  when: not first_run.stat.exists
  tags: update
  register: pkg_update
  retries: 30
  delay: 60
  until: pkg_update is succeeded
  notify: reboot

Jakub Chromy

2026-03-06 08:52

reporter   ~0013072

additional debug:

[ 164.656307] systemd[1]: Failed to set SELinux security context system_u:object_r:systemd_generator_unit_file_t:s0 for /run/systemd/generator: Invalid argument
[ 164.656899] systemd[1]: Failed to set SELinux security context system_u:object_r:systemd_generator_unit_file_t:s0 for /run/systemd/generator.early: Invalid argument
[ 164.657530] systemd[1]: Failed to set SELinux security context system_u:object_r:systemd_generator_unit_file_t:s0 for /run/systemd/generator.late: Invalid argument
[ 164.657978] systemd[1]: Failed to create generator directories: Invalid argument
[ 164.741353] systemd[1]: Freezing execution.
[ 186.142677] systemd-journald[499]: Failed to send WATCHDOG=1 notification message: Connection refused
[ 250.926935] SELinux: Converting 432 SID table entries...
[ 250.945322] SELinux: policy capability network_peer_controls=1
[ 250.945455] SELinux: policy capability open_perms=1
[ 250.945545] SELinux: policy capability extended_socket_class=1
[ 250.945638] SELinux: policy capability always_check_network=0
[ 250.945741] SELinux: policy capability cgroup_seclabel=1
[ 250.945833] SELinux: policy capability nnp_nosuid_transition=1
[ 250.945925] SELinux: policy capability genfs_seclabel_symlinks=1
[ 250.946007] SELinux: policy capability ioctl_skip_cloexec=0
[ 250.946093] SELinux: policy capability userspace_initial_context=0
[ 276.570887] systemd-journald[499]: Failed to send WATCHDOG=1 notification message: Transport endpoint is not connected
[ 334.817378] systemd-journald[499]: Failed to send WATCHDOG=1 notification message: Transport endpoint is not connected
[ 367.911774] systemd-journald[499]: Failed to send WATCHDOG=1 notification message: Transport endpoint is not connected
[ 402.688130] SELinux: Converting 452 SID table entries...
[ 402.704290] SELinux: policy capability network_peer_controls=1
[ 402.704422] SELinux: policy capability open_perms=1
[ 402.704505] SELinux: policy capability extended_socket_class=1
[ 402.704575] SELinux: policy capability always_check_network=0
[ 402.704654] SELinux: policy capability cgroup_seclabel=1
[ 402.708120] SELinux: policy capability nnp_nosuid_transition=1
[ 402.709146] SELinux: policy capability genfs_seclabel_symlinks=1
[ 402.710112] SELinux: policy capability ioctl_skip_cloexec=0
[ 402.711060] SELinux: policy capability userspace_initial_context=0
[ 459.571341] systemd-journald[499]: Failed to send WATCHDOG=1 notification message: Transport endpoint is not connected


[root@localhost ~]# reboot
Call to Reboot failed: Connection timed out
Failed to connect to system scope bus via local transport: Connection refused
Failed to open /run/initctl: No such device or address
Failed to talk to init daemon: Connection refused

[root@localhost ~]# sudo ausearch -m avc -ts "2026-03-05 23:46:30" -te "2026-03-05 23:47:10" -i
sudo audit2why -a | tail -n 50
Invalid start time (2026-03-05 23:46:30). Hour, Minute, and Second are required.
type=AVC msg=audit(1772750805.646:493): avc: denied { mac_admin } for pid=1 comm="systemd" capability=33 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=capability2 permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.
		You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1772750805.647:495): avc: denied { mac_admin } for pid=1 comm="systemd" capability=33 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=capability2 permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.
		You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1772750805.647:497): avc: denied { mac_admin } for pid=1 comm="systemd" capability=33 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=capability2 permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.
		You can use audit2allow to generate a loadable module to allow this access.

[root@localhost ~]# rpm -q selinux-policy selinux-policy-targeted dbus-broker systemd
sudo ausearch -m avc,user_avc -ts "today" -i | tail -n 80
sudo journalctl -b -o short-precise | grep -iE "dbus-broker|avc|security policy denied|system_bus_socket" | tail -n 80
selinux-policy-42.1.7-1.el10_1.1.noarch
selinux-policy-targeted-42.1.7-1.el10_1.1.noarch
dbus-broker-36-4.el10.x86_64
systemd-257-13.el10.rocky.0.1.x86_64
----
type=AVC msg=audit(03/05/2026 23:46:45.646:493) : avc: denied { mac_admin } for pid=1 comm=systemd capability=mac_admin scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=capability2 permissive=0
----
type=AVC msg=audit(03/05/2026 23:46:45.647:495) : avc: denied { mac_admin } for pid=1 comm=systemd capability=mac_admin scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=capability2 permissive=0
----
type=AVC msg=audit(03/05/2026 23:46:45.647:497) : avc: denied { mac_admin } for pid=1 comm=systemd capability=mac_admin scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=capability2 permissive=0
Mar 05 23:57:32.608905 localhost systemd[1]: Starting dbus-broker.service - D-Bus System Message Bus...
Mar 05 23:57:32.686248 localhost dbus-broker-launch[770]: Looking up NSS user entry for 'geoclue'...
Mar 05 23:57:32.689293 localhost dbus-broker-launch[770]: NSS returned no entry for 'geoclue'
Mar 05 23:57:32.689293 localhost dbus-broker-launch[770]: Invalid user-name in /usr/share/dbus-1/system.d/net.hadess.SensorProxy.conf +14: user="geoclue"
Mar 05 23:57:32.701266 localhost systemd[1]: Started dbus-broker.service - D-Bus System Message Bus.
Mar 05 23:57:32.714266 localhost dbus-broker-launch[770]: Ready
Mar 05 23:58:49.690438 localhost.localdomain sudo[5024]: root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/sbin/ausearch -m avc,user_avc -ts today -i


...had to shut it down forcefully through the hypervisor.

Jakub Chromy

2026-03-06 09:22

reporter   ~0013073

for anyone interested.. my Ansible workaround:

- name: Temporarily set SELinux to permissive / workaround for Rocky 10.1 selinux-policy regression (42.1.7-1.el10_1.1)
  ansible.builtin.command: setenforce 0

- name: update all packages
  ansible.builtin.dnf:
    name: "*"
    state: latest
    nobest: true
    update_cache: yes
  when: not first_run.stat.exists
  tags: update
  register: pkg_update
  retries: 30
  delay: 60
  until: pkg_update is succeeded
  notify: reboot

- name: WORKAROUND - Rocky 10.1 selinux-policy regression (42.1.7-1.el10_1.1)
  block:

    - name: Ensure versionlock plugin is installed
      ansible.builtin.dnf:
        name: python3-dnf-plugin-versionlock
        state: present

    - name: Install known-good selinux-policy versions
      ansible.builtin.dnf:
        name:
          - selinux-policy-42.1.7-1.el10
          - selinux-policy-targeted-42.1.7-1.el10
          - selinux-policy-targeted-extra-42.1.7-1.el10
        state: present
        allow_downgrade: true
      register: selinux_policy_change

    - name: Lock selinux-policy versions until upstream fix is available
      ansible.builtin.command: >
        dnf -y versionlock add
        selinux-policy-42.1.7-1.el10
        selinux-policy-targeted-42.1.7-1.el10
        selinux-policy-targeted-extra-42.1.7-1.el10
      changed_when: false

    - name: Reboot if selinux-policy changed
      ansible.builtin.reboot:
        msg: "Reboot after selinux-policy workaround downgrade/pin"
        reboot_timeout: 900
      when: selinux_policy_change.changed
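
An added pre-flight check, written for this page and not code from the bug report, from the reporter or from Rocky Linux. It does two things a fleet operator would want before or after running the workaround above: it classifies the installed selinux-policy build against the two versions named in this issue (42.1.7-1.el10_1.1 as broken, 42.1.7-1.el10 as working), and it scans audit records for the exact denial signature reported here (pid 1 systemd, init_t, tclass capability2, mac_admin), counting only enforced denials (permissive=0) so a permissive-mode run is not mistaken for a still-broken host. The sample records below are three lines copied from the report plus two constructed ones (a permissive=1 record and an unrelated chronyd denial) that must be excluded from the count. The `--live` path, the `sesearch` query (from the setools-console package) and the audit.log location are assumptions about the host, not something the report states.

```shell
#!/bin/sh
# Added example (not from the report): pre-flight check for the init_t mac_admin
# regression described in Rocky issue 0012211. Handles raw audit.log records and
# `ausearch -i` output. Run with --live on a host to inspect the real system.

REGRESSED_POLICY="42.1.7-1.el10_1.1"   # build the reporter says breaks systemd
KNOWN_GOOD_POLICY="42.1.7-1.el10"      # build the reporter says works

# classify_policy_build NEVR -> regressed | known-good | unknown
# Accepts `rpm -q selinux-policy` output, with or without the .noarch suffix.
classify_policy_build() {
    case "$1" in
        *-"$REGRESSED_POLICY"|*-"$REGRESSED_POLICY".noarch)   echo regressed ;;
        *-"$KNOWN_GOOD_POLICY"|*-"$KNOWN_GOOD_POLICY".noarch) echo known-good ;;
        *)                                                    echo unknown ;;
    esac
}

# extract_init_mac_admin_denials: read audit records on stdin and print
# "<timestamp:serial> permissive=<0|1>" for every record that matches the
# signature from this issue: pid=1, init_t source, capability2 mac_admin.
extract_init_mac_admin_denials() {
    awk '
        /type=AVC/ && /avc: +denied +[{] mac_admin [}]/ && / pid=1 / &&
        /scontext=system_u:system_r:init_t:s0/ && /tclass=capability2/ {
            ts = "?"; perm = "?"
            # msg=audit(1772750805.646:493) or msg=audit(03/05/2026 23:46:45.646:493)
            if (match($0, /msg=audit\([^)]*\)/))
                ts = substr($0, RSTART + 10, RLENGTH - 11)
            for (i = 1; i <= NF; i++)
                if ($i ~ /^permissive=/) perm = substr($i, 12)
            print ts, "permissive=" perm
        }'
}

# count_enforced_init_mac_admin_denials: matching records with permissive=0.
# grep -c prints 0 and exits 1 on no match, hence the || true.
count_enforced_init_mac_admin_denials() {
    extract_init_mac_admin_denials | grep -c 'permissive=0$' || true
}

# live_check: assumed host layout (root, /var/log/audit/audit.log, setools-console).
# Not executed by the sample run below.
live_check() {
    build=$(rpm -q selinux-policy)
    printf 'selinux-policy: %s -> %s\n' "$build" "$(classify_policy_build "$build")"
    printf 'getenforce: %s\n' "$(getenforce)"
    # Does the loaded policy grant init_t the mac_admin capability at all?
    if command -v sesearch >/dev/null 2>&1; then
        sesearch -A -s init_t -t init_t -c capability2 -p mac_admin
    fi
    printf 'enforced init_t mac_admin denials in audit.log: %s\n' \
        "$(count_enforced_init_mac_admin_denials < /var/log/audit/audit.log)"
}

# Sample input: records 493/495/497 are copied from the report (495 in `ausearch -i`
# form); 520 (permissive=1) and 521 (unrelated chronyd denial) are constructed.
SAMPLE_AUDIT_RECORDS='type=AVC msg=audit(1772750805.646:493): avc: denied { mac_admin } for pid=1 comm="systemd" capability=33 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=capability2 permissive=0
type=AVC msg=audit(03/05/2026 23:46:45.647:495) : avc: denied { mac_admin } for pid=1 comm=systemd capability=mac_admin scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=capability2 permissive=0
type=AVC msg=audit(1772750805.647:497): avc: denied { mac_admin } for pid=1 comm="systemd" capability=33 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=capability2 permissive=0
type=AVC msg=audit(1772750900.100:520): avc: denied { mac_admin } for pid=1 comm="systemd" capability=33 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=capability2 permissive=1
type=AVC msg=audit(1772750900.200:521): avc: denied { read } for pid=812 comm="chronyd" name="drift" dev="dm-0" ino=1234 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0'

if [ "${1:-}" = "--live" ]; then
    live_check
else
    printf '%s\n' "$SAMPLE_AUDIT_RECORDS" | extract_init_mac_admin_denials
    printf 'enforced denials in sample: %s\n' \
        "$(printf '%s\n' "$SAMPLE_AUDIT_RECORDS" | count_enforced_init_mac_admin_denials)"
fi
```

On the sample the scan lists four init_t mac_admin records and counts three enforced ones; the chronyd record is ignored because the filter keys on pid=1, the init_t source context and the capability2 class together, not on `mac_admin` alone. The check leaves enforcing mode untouched, so it can run before and after the version pin without changing the host's security posture.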

Issue History

Date Modified Username Field Change
2026-03-05 23:25 Jakub Chromy New Issue
2026-03-06 05:52 Louis Abel Assigned To => Louis Abel
2026-03-06 05:52 Louis Abel Status new => needinfo
2026-03-06 05:52 Louis Abel Note Added: 0013069
2026-03-06 06:57 Jakub Chromy Note Added: 0013070
2026-03-06 06:58 Jakub Chromy Note Added: 0013071
2026-03-06 08:52 Jakub Chromy Note Added: 0013072
2026-03-06 09:22 Jakub Chromy Note Added: 0013073