Bugzilla – Bug 1211971
[SELinux] Installing container-selinux with the testing selinux policy causes SLES15SP4 to be unreachable
Last modified: 2023-07-12 01:11:12 UTC
Operating System: SUSE Linux Enterprise Server 15 SP4

SELinux status, mode and policy name:
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: requested (insecure)
Max kernel policy version: 33

SELinux policy version and repository:
Information for package selinux-policy:
---------------------------------------
Repository : SELinux (15.4)
Name : selinux-policy
Version : 20230425-150400.194.7
Arch : noarch
Vendor : obs://build.opensuse.org/security:SELinux
Support Level : unknown
Installed Size : 24.7 KiB
Installed : Yes
Status : up-to-date
Source package : selinux-policy-20230425-150400.194.7.src
Upstream URL : https://github.com/fedora-selinux/selinux-policy.git
Summary : SELinux policy configuration
Description : SELinux Reference Policy. A complete SELinux policy that can be used as the system policy for a variety of systems and used as the basis for creating other policies.

The software (incl. version) that is affected by the SELinux issue and the error message:
I'm not sure if this problem is with SLES 15, the testing selinux policies (selinux-policy-20220428-150400.2.10.noarch.rpm, selinux-policy-targeted-20220428-150400.2.10.noarch.rpm, and selinux-policy-devel-20220428-150400.2.10.noarch.rpm), or container-selinux (container-selinux-2.215.0-150400.1.2.noarch). My guess is container-selinux plus the testing selinux policies.
SELinux Audit log:
----
time->Fri Jun 2 17:13:43 2023
type=AVC msg=audit(1685726023.823:71): avc: denied { transition } for pid=1699 comm="(systemd)" path="/usr/lib/systemd/systemd" dev="nvme0n1p3" ino=25442166 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=1
----
time->Fri Jun 2 17:13:43 2023
type=AVC msg=audit(1685726023.823:72): avc: denied { entrypoint } for pid=1699 comm="(systemd)" path="/usr/lib/systemd/systemd" dev="nvme0n1p3" ino=25442166 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
----
time->Fri Jun 2 17:25:20 2023
type=AVC msg=audit(1685726720.905:161): avc: denied { read write } for pid=2607 comm="load_policy" path="/dev/pts/0" dev="devpts" ino=3 scontext=unconfined_u:unconfined_r:load_policy_t:s0 tcontext=unconfined_u:object_r:devpts_t:s0 tclass=chr_file permissive=1
----
time->Fri Jun 2 17:25:30 2023
type=AVC msg=audit(1685726730.233:172): avc: denied { fowner } for pid=3618 comm="sefcontext_comp" capability=3 scontext=unconfined_u:unconfined_r:setsebool_t:s0 tcontext=unconfined_u:unconfined_r:setsebool_t:s0 tclass=capability permissive=1
----
time->Fri Jun 2 17:25:39 2023
type=AVC msg=audit(1685726739.685:174): avc: denied { read write } for pid=3629 comm="load_policy" path="/dev/pts/0" dev="devpts" ino=3 scontext=unconfined_u:unconfined_r:load_policy_t:s0 tcontext=unconfined_u:object_r:devpts_t:s0 tclass=chr_file permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.282:191): avc: denied { write } for pid=4373 comm="curl" path="pipe:[30131]" dev="pipefs" ino=30131 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=fifo_file permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.290:192): avc: denied { search } for pid=4373 comm="curl" name="ssl" dev="nvme0n1p3" ino=16797852 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.290:193): avc: denied { read } for pid=4373 comm="curl" name="openssl.cnf" dev="nvme0n1p3" ino=16798546 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.290:194): avc: denied { open } for pid=4373 comm="curl" path="/etc/ssl/openssl.cnf" dev="nvme0n1p3" ino=16798546 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.290:195): avc: denied { getattr } for pid=4373 comm="curl" path="/etc/ssl/openssl.cnf" dev="nvme0n1p3" ino=16798546 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.290:196): avc: denied { getattr } for pid=4373 comm="curl" path="/etc/ssl/engines.d" dev="nvme0n1p3" ino=311 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.290:197): avc: denied { read } for pid=4373 comm="curl" name="engines.d" dev="nvme0n1p3" ino=311 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.290:198): avc: denied { open } for pid=4373 comm="curl" path="/etc/ssl/engines.d" dev="nvme0n1p3" ino=311 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.290:199): avc: denied { search } for pid=4373 comm="curl" name="nscd" dev="tmpfs" ino=901 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=dir permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.290:200): avc: denied { write } for pid=4373 comm="curl" name="socket" dev="tmpfs" ino=940 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.290:201): avc: denied { connectto } for pid=4373 comm="curl" path="/run/nscd/socket" scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.290:203): avc: denied { read } for pid=4373 comm="curl" path="/var/lib/nscd/passwd" dev="nvme0n1p3" ino=25640565 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.290:204): avc: denied { ioctl } for pid=4373 comm="curl" path="pipe:[30131]" dev="pipefs" ino=30131 ioctlcmd=0x5401 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=fifo_file permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.290:205): avc: denied { create } for pid=4373 comm="curl" scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_generic_helper_t:s0 tclass=udp_socket permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.294:206): avc: denied { create } for pid=4373 comm="curl" scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_generic_helper_t:s0 tclass=tcp_socket permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.294:207): avc: denied { setopt } for pid=4373 comm="curl" scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_generic_helper_t:s0 tclass=tcp_socket permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.294:208): avc: denied { connect } for pid=4373 comm="curl" scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_generic_helper_t:s0 tclass=tcp_socket permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.294:209): avc: denied { name_connect } for pid=4373 comm="curl" dest=80 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.294:210): avc: denied { getopt } for pid=4373 comm="curl" laddr=172.31.37.192 lport=33440 faddr=169.254.169.254 fport=80 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_generic_helper_t:s0 tclass=tcp_socket permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.294:211): avc: denied { getattr } for pid=4373 comm="curl" laddr=172.31.37.192 lport=33440 faddr=169.254.169.254 fport=80 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_generic_helper_t:s0 tclass=tcp_socket permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.294:212): avc: denied { getattr } for pid=4373 comm="curl" path="pipe:[30131]" dev="pipefs" ino=30131 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=fifo_file permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.294:213): avc: denied { read } for pid=4376 comm="grep" path="pipe:[30140]" dev="pipefs" ino=30140 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=fifo_file permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.318:214): avc: denied { write } for pid=4379 comm="touch" name="cloud-netconfig" dev="tmpfs" ino=1016 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.318:215): avc: denied { add_name } for pid=4379 comm="touch" name="lock" scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.318:216): avc: denied { create } for pid=4379 comm="touch" name="lock" scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.318:217): avc: denied { write open } for pid=4379 comm="touch" path="/run/cloud-netconfig/lock" dev="tmpfs" ino=1177 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.330:218): avc: denied { getattr } for pid=4384 comm="systemctl" path="socket:[30122]" dev="sockfs" ino=30122 scontext=system_u:system_r:kernel_systemctl_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.330:219): avc: denied { search } for pid=4384 comm="systemctl" name="1" dev="proc" ino=14039 scontext=system_u:system_r:kernel_systemctl_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.330:220): avc: denied { read } for pid=4384 comm="systemctl" name="root" dev="proc" ino=14052 scontext=system_u:system_r:kernel_systemctl_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=lnk_file permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.330:221): avc: denied { read } for pid=4384 comm="systemctl" scontext=system_u:system_r:kernel_systemctl_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=file permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.330:222): avc: denied { connectto } for pid=4384 comm="systemctl" path="/run/systemd/private" scontext=system_u:system_r:kernel_systemctl_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.350:224): avc: denied { getattr } for pid=4389 comm="awk" path="socket:[30122]" dev="sockfs" ino=30122 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.354:225): avc: denied { append } for pid=4392 comm="grep" path="socket:[30122]" dev="sockfs" ino=30122 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.366:226): avc: denied { append } for pid=4396 comm="systemctl" path="socket:[30122]" dev="sockfs" ino=30122 scontext=system_u:system_r:kernel_systemctl_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.398:227): avc: denied { search } for pid=4401 comm="grep" name="wicked" dev="tmpfs" ino=985 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:wicked_var_run_t:s0 tclass=dir permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.398:228): avc: denied { read } for pid=4401 comm="grep" name="leaseinfo.eth0.dhcp.ipv4" dev="tmpfs" ino=1033 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:wicked_var_run_t:s0 tclass=file permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.398:229): avc: denied { open } for pid=4401 comm="grep" path="/run/wicked/leaseinfo.eth0.dhcp.ipv4" dev="tmpfs" ino=1033 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:wicked_var_run_t:s0 tclass=file permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.398:230): avc: denied { getattr } for pid=4401 comm="grep" path="/run/wicked/leaseinfo.eth0.dhcp.ipv4" dev="tmpfs" ino=1033 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:wicked_var_run_t:s0 tclass=file permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.398:231): avc: denied { read } for pid=4402 comm="cat" name="eth0" dev="sysfs" ino=14543 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.398:232): avc: denied { read } for pid=4402 comm="cat" name="address" dev="sysfs" ino=14554 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.398:233): avc: denied { open } for pid=4402 comm="cat" path="/sys/devices/pci0000:00/0000:00:05.0/net/eth0/address" dev="sysfs" ino=14554 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.398:234): avc: denied { getattr } for pid=4402 comm="cat" path="/sys/devices/pci0000:00/0000:00:05.0/net/eth0/address" dev="sysfs" ino=14554 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.414:235): avc: denied { search } for pid=4409 comm="curl" name="ssl" dev="nvme0n1p3" ino=16797852 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.414:236): avc: denied { getattr } for pid=4409 comm="curl" path="/etc/ssl/engines.d" dev="nvme0n1p3" ino=311 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.414:237): avc: denied { read } for pid=4409 comm="curl" name="engines.d" dev="nvme0n1p3" ino=311 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.414:238): avc: denied { open } for pid=4409 comm="curl" path="/etc/ssl/engines.d" dev="nvme0n1p3" ino=311 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.478:239): avc: denied { read } for pid=4431 comm="systemctl" scontext=system_u:system_r:kernel_systemctl_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=file permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.486:240): avc: denied { getattr } for pid=4432 comm="rm" path="/run/cloud-netconfig/lock" dev="tmpfs" ino=1177 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.486:241): avc: denied { write } for pid=4432 comm="rm" name="cloud-netconfig" dev="tmpfs" ino=1016 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.486:242): avc: denied { remove_name } for pid=4432 comm="rm" name="lock" dev="tmpfs" ino=1177 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
----
time->Fri Jun 2 17:26:32 2023
type=AVC msg=audit(1685726792.486:243): avc: denied { unlink } for pid=4432 comm="rm" name="lock" dev="tmpfs" ino=1177 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Fri Jun 2 17:27:42 2023
type=AVC msg=audit(1685726862.599:249): avc: denied { read } for pid=4436 comm="curl" name="openssl.cnf" dev="nvme0n1p3" ino=16798546 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
----
time->Fri Jun 2 17:27:42 2023
type=AVC msg=audit(1685726862.599:250): avc: denied { open } for pid=4436 comm="curl" path="/etc/ssl/openssl.cnf" dev="nvme0n1p3" ino=16798546 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
----
time->Fri Jun 2 17:27:42 2023
type=AVC msg=audit(1685726862.599:251): avc: denied { getattr } for pid=4436 comm="curl" path="/etc/ssl/openssl.cnf" dev="nvme0n1p3" ino=16798546 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
----
time->Fri Jun 2 17:27:42 2023
type=AVC msg=audit(1685726862.603:252): avc: denied { search } for pid=4436 comm="curl" name="nscd" dev="tmpfs" ino=901 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=dir permissive=1
----
time->Fri Jun 2 17:27:42 2023
type=AVC msg=audit(1685726862.603:253): avc: denied { connectto } for pid=4436 comm="curl" path="/run/nscd/socket" scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=1
----
time->Fri Jun 2 17:27:42 2023
type=AVC msg=audit(1685726862.603:254): avc: denied { create } for pid=4436 comm="curl" scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_generic_helper_t:s0 tclass=udp_socket permissive=1
----
time->Fri Jun 2 17:27:42 2023
type=AVC msg=audit(1685726862.603:255): avc: denied { create } for pid=4436 comm="curl" scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_generic_helper_t:s0 tclass=tcp_socket permissive=1
----
time->Fri Jun 2 17:27:42 2023
type=AVC msg=audit(1685726862.603:256): avc: denied { setopt } for pid=4436 comm="curl" scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_generic_helper_t:s0 tclass=tcp_socket permissive=1
----
time->Fri Jun 2 17:27:42 2023
type=AVC msg=audit(1685726862.603:257): avc: denied { connect } for pid=4436 comm="curl" scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_generic_helper_t:s0 tclass=tcp_socket permissive=1
----
time->Fri Jun 2 17:27:42 2023
type=AVC msg=audit(1685726862.603:258): avc: denied { name_connect } for pid=4436 comm="curl" dest=80 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1
----
time->Fri Jun 2 17:27:42 2023
type=AVC msg=audit(1685726862.603:259): avc: denied { getopt } for pid=4436 comm="curl" laddr=172.31.37.192 lport=58526 faddr=169.254.169.254 fport=80 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_generic_helper_t:s0 tclass=tcp_socket permissive=1
----
time->Fri Jun 2 17:27:42 2023
type=AVC msg=audit(1685726862.603:260): avc: denied { getattr } for pid=4436 comm="curl" laddr=172.31.37.192 lport=58526 faddr=169.254.169.254 fport=80 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_generic_helper_t:s0 tclass=tcp_socket permissive=1
----
time->Fri Jun 2 17:27:42 2023
type=AVC msg=audit(1685726862.623:263): avc: denied { add_name } for pid=4442 comm="touch" name="lock" scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
----
time->Fri Jun 2 17:27:42 2023
type=AVC msg=audit(1685726862.623:264): avc: denied { search } for pid=4444 comm="grep" name="network" dev="nvme0n1p3" ino=25166596 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=1
----
time->Fri Jun 2 17:27:42 2023
type=AVC msg=audit(1685726862.623:265): avc: denied { read } for pid=4444 comm="grep" name="config" dev="nvme0n1p3" ino=25189783 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
----
time->Fri Jun 2 17:27:42 2023
type=AVC msg=audit(1685726862.623:266): avc: denied { open } for pid=4444 comm="grep" path="/etc/sysconfig/network/config" dev="nvme0n1p3" ino=25189783 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
----
time->Fri Jun 2 17:27:42 2023
type=AVC msg=audit(1685726862.623:267): avc: denied { getattr } for pid=4444 comm="grep" path="/etc/sysconfig/network/config" dev="nvme0n1p3" ino=25189783 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
----
time->Fri Jun 2 17:27:42 2023
type=AVC msg=audit(1685726862.627:268): avc: denied { getattr } for pid=4447 comm="systemctl" path="socket:[32185]" dev="sockfs" ino=32185 scontext=system_u:system_r:kernel_systemctl_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=1
----
time->Fri Jun 2 17:27:42 2023
type=AVC msg=audit(1685726862.627:269): avc: denied { search } for pid=4447 comm="systemctl" name="1" dev="proc" ino=14039 scontext=system_u:system_r:kernel_systemctl_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir permissive=1
----
time->Fri Jun 2 17:27:42 2023
type=AVC msg=audit(1685726862.627:270): avc: denied { read } for pid=4447 comm="systemctl" name="root" dev="proc" ino=14052 scontext=system_u:system_r:kernel_systemctl_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=lnk_file permissive=1
----
time->Fri Jun 2 17:27:42 2023
type=AVC msg=audit(1685726862.627:271): avc: denied { connectto } for pid=4447 comm="systemctl" path="/run/systemd/private" scontext=system_u:system_r:kernel_systemctl_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=1
----
time->Fri Jun 2 17:27:42 2023
type=AVC msg=audit(1685726862.639:272): avc: denied { getattr } for pid=4452 comm="awk" path="socket:[32185]" dev="sockfs" ino=32185 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=1
----
time->Fri Jun 2 17:27:42 2023
type=AVC msg=audit(1685726862.639:273): avc: denied { append } for pid=4456 comm="cut" path="socket:[32185]" dev="sockfs" ino=32185 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=1
----
time->Fri Jun 2 17:27:42 2023
type=AVC msg=audit(1685726862.647:274): avc: denied { append } for pid=4459 comm="systemctl" path="socket:[32185]" dev="sockfs" ino=32185 scontext=system_u:system_r:kernel_systemctl_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=1
----
time->Fri Jun 2 17:27:42 2023
type=AVC msg=audit(1685726862.671:275): avc: denied { search } for pid=4464 comm="grep" name="wicked" dev="tmpfs" ino=985 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:wicked_var_run_t:s0 tclass=dir permissive=1
----
time->Fri Jun 2 17:27:42 2023
type=AVC msg=audit(1685726862.671:276): avc: denied { read } for pid=4464 comm="grep" name="leaseinfo.eth0.dhcp.ipv4" dev="tmpfs" ino=1033 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:wicked_var_run_t:s0 tclass=file permissive=1
----
time->Fri Jun 2 17:27:42 2023
type=AVC msg=audit(1685726862.671:277): avc: denied { open } for pid=4464 comm="grep" path="/run/wicked/leaseinfo.eth0.dhcp.ipv4" dev="tmpfs" ino=1033 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:wicked_var_run_t:s0 tclass=file permissive=1
----
time->Fri Jun 2 17:27:42 2023
type=AVC msg=audit(1685726862.671:278): avc: denied { getattr } for pid=4464 comm="grep" path="/run/wicked/leaseinfo.eth0.dhcp.ipv4" dev="tmpfs" ino=1033 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:wicked_var_run_t:s0 tclass=file permissive=1
----
time->Fri Jun 2 17:27:42 2023
type=AVC msg=audit(1685726862.671:279): avc: denied { read } for pid=4465 comm="cat" name="address" dev="sysfs" ino=14554 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
----
time->Fri Jun 2 17:27:42 2023
type=AVC msg=audit(1685726862.671:280): avc: denied { open } for pid=4465 comm="cat" path="/sys/devices/pci0000:00/0000:00:05.0/net/eth0/address" dev="sysfs" ino=14554 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
----
time->Fri Jun 2 17:27:42 2023
type=AVC msg=audit(1685726862.671:281): avc: denied { getattr } for pid=4465 comm="cat" path="/sys/devices/pci0000:00/0000:00:05.0/net/eth0/address" dev="sysfs" ino=14554 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
----
time->Fri Jun 2 17:30:01 2023
type=AVC msg=audit(1685727001.545:294): avc: denied { execute } for pid=4562 comm="run-crons" path="/usr/bin/bash" dev="nvme0n1p3" ino=8692413 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
----
time->Fri Jun 2 17:30:01 2023
type=AVC msg=audit(1685727001.553:295): avc: denied { execute_no_trans } for pid=4563 comm="run-crons" path="/usr/bin/basename" dev="nvme0n1p3" ino=8692411 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
----
time->Fri Jun 2 17:30:01 2023
type=AVC msg=audit(1685727001.553:296): avc: denied { write } for pid=4564 comm="mktemp" name="tmp" dev="nvme0n1p3" ino=135 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
----
time->Fri Jun 2 17:30:01 2023
type=AVC msg=audit(1685727001.553:297): avc: denied { add_name } for pid=4564 comm="mktemp" name="run-crons.Rb4Ft1" scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
----
time->Fri Jun 2 17:30:01 2023
type=AVC msg=audit(1685727001.553:298): avc: denied { create } for pid=4564 comm="mktemp" name="run-crons.Rb4Ft1" scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
----
time->Fri Jun 2 17:30:01 2023
type=AVC msg=audit(1685727001.553:299): avc: denied { search } for pid=4565 comm="mkdir" name="cron" dev="nvme0n1p3" ino=17686463 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir permissive=1
----
time->Fri Jun 2 17:30:01 2023
type=AVC msg=audit(1685727001.553:300): avc: denied { getattr } for pid=4565 comm="mkdir" path="/var/spool/cron/lastrun" dev="nvme0n1p3" ino=25640518 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:crond_tmp_t:s0 tclass=dir permissive=1
----
time->Fri Jun 2 17:30:01 2023
type=AVC msg=audit(1685727001.553:301): avc: denied { search } for pid=4562 comm="run-crons" name="lastrun" dev="nvme0n1p3" ino=25640518 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:crond_tmp_t:s0 tclass=dir permissive=1
----
time->Fri Jun 2 17:30:01 2023
type=AVC msg=audit(1685727001.557:302): avc: denied { read } for pid=4567 comm="find" name="root" dev="nvme0n1p3" ino=16797826 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=1
----
time->Fri Jun 2 17:30:01 2023
type=AVC msg=audit(1685727001.557:303): avc: denied { getattr } for pid=4567 comm="find" name="/" dev="nvme0n1p3" ino=128 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
----
time->Fri Jun 2 17:30:01 2023
type=AVC msg=audit(1685727001.565:304): avc: denied { write } for pid=4574 comm="touch" name="lastrun" dev="nvme0n1p3" ino=25640518 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:crond_tmp_t:s0 tclass=dir permissive=1
----
time->Fri Jun 2 17:30:01 2023
type=AVC msg=audit(1685727001.565:305): avc: denied { fowner } for pid=4574 comm="touch" capability=3 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_generic_helper_t:s0 tclass=capability permissive=1
----
time->Fri Jun 2 17:30:01 2023
type=AVC msg=audit(1685727001.569:306): avc: denied { read } for pid=4576 comm="find" name="lastrun" dev="nvme0n1p3" ino=25640518 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:crond_tmp_t:s0 tclass=dir permissive=1
----
time->Fri Jun 2 17:30:01 2023
type=AVC msg=audit(1685727001.569:307): avc: denied { open } for pid=4576 comm="find" path="/var/spool/cron/lastrun" dev="nvme0n1p3" ino=25640518 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:crond_tmp_t:s0 tclass=dir permissive=1
----
time->Fri Jun 2 17:30:01 2023
type=AVC msg=audit(1685727001.573:308): avc: denied { read } for pid=4577 comm="rm" name="run-crons.Rb4Ft1" dev="nvme0n1p3" ino=50357248 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
----
time->Fri Jun 2 17:30:01 2023
type=AVC msg=audit(1685727001.573:309): avc: denied { remove_name } for pid=4577 comm="rm" name="run-crons.Rb4Ft1" dev="nvme0n1p3" ino=50357248 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
----
time->Fri Jun 2 17:30:01 2023
type=AVC msg=audit(1685727001.573:310): avc: denied { rmdir } for pid=4577 comm="rm" name="run-crons.Rb4Ft1" dev="nvme0n1p3" ino=50357248 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
----
time->Fri Jun 2 17:42:32 2023
type=AVC msg=audit(1685727752.957:334): avc: denied { ioctl } for pid=5094 comm="netconfig" path="/run/wicked/extension/generic/batch.YydWn0" dev="tmpfs" ino=1213 ioctlcmd=0x5401 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:wicked_var_run_t:s0 tclass=file permissive=1
----
time->Fri Jun 2 17:42:32 2023
type=AVC msg=audit(1685727752.957:335): avc: denied { ioctl } for pid=5094 comm="netconfig" path="socket:[33128]" dev="sockfs" ino=33128 ioctlcmd=0x540f scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=1
----
time->Fri Jun 2 17:42:32 2023
type=AVC msg=audit(1685727752.957:336): avc: denied { search } for pid=5094 comm="netconfig" name="scripts" dev="nvme0n1p3" ino=8388799 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:wicked_script_t:s0 tclass=dir permissive=1
----
time->Fri Jun 2 17:42:32 2023
type=AVC msg=audit(1685727752.957:337): avc: denied { read } for pid=5094 comm="netconfig" name="functions.netconfig" dev="nvme0n1p3" ino=8641296 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:wicked_script_t:s0 tclass=file permissive=1
----
time->Fri Jun 2 17:42:32 2023
type=AVC msg=audit(1685727752.957:338): avc: denied { open } for pid=5094 comm="netconfig" path="/etc/sysconfig/network/scripts/functions.netconfig" dev="nvme0n1p3" ino=8641296 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:wicked_script_t:s0 tclass=file permissive=1
----
time->Fri Jun 2 17:42:32 2023
type=AVC msg=audit(1685727752.957:339): avc: denied { getattr } for pid=5094 comm="netconfig" path="/etc/sysconfig/network/scripts/functions.netconfig" dev="nvme0n1p3" ino=8641296 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:wicked_script_t:s0 tclass=file permissive=1
----
time->Fri Jun 2 17:42:32 2023
type=AVC msg=audit(1685727752.965:340): avc: denied { getattr } for pid=5103 comm="mkdir" path="/run/netconfig" dev="tmpfs" ino=898 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=1
----
time->Fri Jun 2 17:42:32 2023
type=AVC msg=audit(1685727752.969:341): avc: denied { read } for pid=5094 comm="netconfig" name="uptime" dev="proc" ino=4026532023 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
----
time->Fri Jun 2 17:42:32 2023
type=AVC msg=audit(1685727752.969:342): avc: denied { open } for pid=5094 comm="netconfig" path="/proc/uptime" dev="proc" ino=4026532023 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
----
time->Fri Jun 2 17:42:32 2023
type=AVC msg=audit(1685727752.969:343): avc: denied { ioctl } for pid=5094 comm="netconfig" path="/proc/uptime" dev="proc" ino=4026532023 ioctlcmd=0x5401 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
----
time->Fri Jun 2 17:42:32 2023
type=AVC msg=audit(1685727752.977:344): avc: denied { read } for pid=5113 comm="ls" name="eth0" dev="tmpfs" ino=1035 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=1
----
time->Fri Jun 2 17:42:32 2023
type=AVC msg=audit(1685727752.977:345): avc: denied { open } for pid=5113 comm="ls" path="/run/netconfig/eth0" dev="tmpfs" ino=1035 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=1
----
time->Fri Jun 2 17:42:32 2023
type=AVC msg=audit(1685727752.981:346): avc: denied { write } for pid=5118 comm="rm" name="eth0" dev="tmpfs" ino=1035 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=1
----
time->Fri Jun 2 17:42:32 2023
type=AVC msg=audit(1685727752.981:347): avc: denied { remove_name } for pid=5118 comm="rm" name="netconfig0" dev="tmpfs" ino=1036 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=1
----
time->Fri Jun 2 17:42:32 2023
type=AVC msg=audit(1685727752.981:348): avc: denied { unlink } for pid=5118 comm="rm" name="netconfig0" dev="tmpfs" ino=1036 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
----
time->Fri Jun 2 17:42:32 2023
type=AVC msg=audit(1685727752.981:349): avc: denied { add_name } for pid=5094 comm="netconfig" name="netconfig0" scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=1
----
time->Fri Jun 2 17:42:32 2023
type=AVC msg=audit(1685727752.981:350): avc: denied { create } for pid=5094 comm="netconfig" name="netconfig0" scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
----
time->Fri Jun 2 17:42:32 2023
type=AVC msg=audit(1685727752.981:351): avc: denied { write } for pid=5094 comm="netconfig" path="/run/netconfig/eth0/netconfig0" dev="tmpfs" ino=1215 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
----
time->Fri Jun 2 17:42:32 2023
type=AVC msg=audit(1685727752.985:352): avc: denied { getattr } for pid=5125 comm="cloud-netconfig" path="/usr/bin/systemctl" dev="nvme0n1p3" ino=9330815 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
----
time->Fri Jun 2 17:42:32 2023
type=AVC msg=audit(1685727752.985:353): avc: denied { execute } for pid=5125 comm="cloud-netconfig" name="systemctl"
dev="nvme0n1p3" ino=9330815 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1 ---- time->Fri Jun 2 17:42:32 2023 type=AVC msg=audit(1685727752.985:354): avc: denied { read } for pid=5125 comm="cloud-netconfig" name="systemctl" dev="nvme0n1p3" ino=9330815 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1 ---- time->Fri Jun 2 17:42:32 2023 type=AVC msg=audit(1685727752.985:355): avc: denied { open } for pid=5125 comm="cloud-netconfig" path="/usr/bin/systemctl" dev="nvme0n1p3" ino=9330815 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1 ---- time->Fri Jun 2 17:42:32 2023 type=AVC msg=audit(1685727752.985:356): avc: denied { execute_no_trans } for pid=5125 comm="cloud-netconfig" path="/usr/bin/systemctl" dev="nvme0n1p3" ino=9330815 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1 ---- time->Fri Jun 2 17:42:32 2023 type=AVC msg=audit(1685727752.989:357): avc: denied { search } for pid=5125 comm="systemctl" name="1" dev="proc" ino=14039 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir permissive=1 ---- time->Fri Jun 2 17:42:32 2023 type=AVC msg=audit(1685727752.989:358): avc: denied { read } for pid=5125 comm="systemctl" name="root" dev="proc" ino=14052 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=lnk_file permissive=1 ---- time->Fri Jun 2 17:42:32 2023 type=AVC msg=audit(1685727752.993:359): avc: denied { read } for pid=5125 comm="systemctl" scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=file permissive=1 ---- time->Fri Jun 2 17:42:32 2023 type=AVC msg=audit(1685727752.993:360): 
avc: denied { search } for pid=5125 comm="systemctl" name="systemd" dev="tmpfs" ino=2 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=1 ---- time->Fri Jun 2 17:42:32 2023 type=AVC msg=audit(1685727752.993:361): avc: denied { getattr } for pid=5125 comm="systemctl" path="/run/systemd/system" dev="tmpfs" ino=3 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir permissive=1 ---- time->Fri Jun 2 17:42:32 2023 type=AVC msg=audit(1685727752.993:362): avc: denied { write } for pid=5125 comm="systemctl" name="private" dev="tmpfs" ino=464 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=sock_file permissive=1 ---- time->Fri Jun 2 17:42:32 2023 type=AVC msg=audit(1685727752.997:364): avc: denied { execute_no_trans } for pid=5124 comm="cloud-netconfig" path="/usr/lib/cloud-netconfig/cloud-netconfig" dev="nvme0n1p3" ino=9412735 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1 ---- time->Fri Jun 2 17:42:33 2023 type=AVC msg=audit(1685727753.025:365): avc: denied { read } for pid=5147 comm="dns-resolver" name="functions.netconfig" dev="nvme0n1p3" ino=8641296 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:wicked_script_t:s0 tclass=file permissive=1 ---- time->Fri Jun 2 17:42:33 2023 type=AVC msg=audit(1685727753.025:366): avc: denied { open } for pid=5147 comm="dns-resolver" path="/etc/sysconfig/network/scripts/functions.netconfig" dev="nvme0n1p3" ino=8641296 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:wicked_script_t:s0 tclass=file permissive=1 ---- time->Fri Jun 2 17:42:33 2023 type=AVC msg=audit(1685727753.025:367): avc: denied { getattr } for pid=5147 comm="dns-resolver" path="/etc/sysconfig/network/scripts/functions.netconfig" dev="nvme0n1p3" 
ino=8641296 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:wicked_script_t:s0 tclass=file permissive=1 ---- time->Fri Jun 2 17:42:33 2023 type=AVC msg=audit(1685727753.085:370): avc: denied { setattr } for pid=5211 comm="chmod" name=".resolv.conf.9XArQC" dev="tmpfs" ino=1216 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1 ---- time->Fri Jun 2 17:42:33 2023 type=AVC msg=audit(1685727753.085:371): avc: denied { append } for pid=5147 comm="dns-resolver" name=".resolv.conf.9XArQC" dev="tmpfs" ino=1216 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1 ---- time->Fri Jun 2 17:42:33 2023 type=AVC msg=audit(1685727753.085:372): avc: denied { create } for pid=5212 comm="dns-resolver" name="sh-thd.Tbfusj" scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1 ---- time->Fri Jun 2 17:42:33 2023 type=AVC msg=audit(1685727753.085:373): avc: denied { write open } for pid=5212 comm="dns-resolver" path="/tmp/sh-thd.Tbfusj" dev="nvme0n1p3" ino=18175 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1 ---- time->Fri Jun 2 17:42:33 2023 type=AVC msg=audit(1685727753.085:374): avc: denied { unlink } for pid=5212 comm="dns-resolver" name="sh-thd.Tbfusj" dev="nvme0n1p3" ino=18175 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1 ---- time->Fri Jun 2 17:42:33 2023 type=AVC msg=audit(1685727753.089:375): avc: denied { getattr } for pid=5147 comm="dns-resolver" path="/etc/resolv.conf" dev="nvme0n1p3" ino=25640562 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file permissive=1 ---- time->Fri Jun 2 17:42:33 2023 type=AVC msg=audit(1685727753.089:376): avc: denied { read } for 
pid=5215 comm="readlink" name="resolv.conf" dev="nvme0n1p3" ino=25640562 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file permissive=1 ---- time->Fri Jun 2 17:42:33 2023 type=AVC msg=audit(1685727753.157:377): avc: denied { execute } for pid=5223 comm="nis" name="hostname" dev="nvme0n1p3" ino=9176883 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1 ---- time->Fri Jun 2 17:42:33 2023 type=AVC msg=audit(1685727753.157:378): avc: denied { read open } for pid=5271 comm="nis" path="/usr/bin/hostname" dev="nvme0n1p3" ino=9176883 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1 ---- time->Fri Jun 2 17:42:33 2023 type=AVC msg=audit(1685727753.157:379): avc: denied { execute_no_trans } for pid=5271 comm="nis" path="/usr/bin/hostname" dev="nvme0n1p3" ino=9176883 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1 ---- time->Fri Jun 2 17:42:33 2023 type=AVC msg=audit(1685727753.193:380): avc: denied { read } for pid=5299 comm="cat" name="netconfig.pid" dev="tmpfs" ino=1214 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1 Any other important details: My steps were: 1. Enabled SeLinux on the machine via: 1 sudo zypper in restorecond policycoreutils setools-console 2 sudo zypper ar -f https://download.opensuse.org/repositories/security:/SELinux_legacy/15.4/ SELinux-Legacy 3 sudo zypper refresh 4 sudo zypper in selinux-policy-targeted selinux-policy-devel 5 sudo /usr/sbin/getenforce 6 sudo vi /etc/default/grub # In above, updated default to include: "security=selinux selinux=1" 7 sudo grub2-mkconfig -o /boot/grub2/grub.cfg 8 sudo reboot 2. 
Check denials after reboot: $ sudo ausearch -m avc ---- time->Wed May 17 17:19:02 2023 type=AVC msg=audit(1684343942.115:73): avc: denied { transition } for pid=1721 comm="(systemd)" path="/usr/lib/systemd/systemd" dev="nvme0n1p3" ino=25442166 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=1 ---- time->Wed May 17 17:19:02 2023 type=AVC msg=audit(1684343942.115:74): avc: denied { entrypoint } for pid=1721 comm="(systemd)" path="/usr/lib/systemd/systemd" dev="nvme0n1p3" ino=25442166 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 3. That didn't look too bad, so now leaving in permissive mode and installing container-selinux via: 10 sudo restorecon -R / 11 sudo zypper addrepo https://download.opensuse.org/repositories/security:SELinux/15.4/security:SELinux.repo 12 sudo zypper refresh 13 sudo zypper install container-selinux 14 sudo restorecon -R / This is when the errors appeared. Note that if I set to enforcing, I can no longer access the VM at all. Also please note, that when installing container-selinux, it had an error as shown below: $ sudo zypper install container-selinux Refreshing service 'Basesystem_Module_x86_64'. Refreshing service 'Containers_Module_x86_64'. Refreshing service 'Desktop_Applications_Module_x86_64'. Refreshing service 'Development_Tools_Module_x86_64'. Refreshing service 'Legacy_Module_x86_64'. Refreshing service 'Public_Cloud_Module_x86_64'. Refreshing service 'Python_3_Module_x86_64'. Refreshing service 'SUSE_Linux_Enterprise_Server_x86_64'. Refreshing service 'Server_Applications_Module_x86_64'. Refreshing service 'Web_and_Scripting_Module_x86_64'. Loading repository data... Reading installed packages... Resolving package dependencies... 
Problem: the to be installed container-selinux-2.215.0-150400.1.2.noarch requires 'selinux-policy >= 20230425-150400.194.7', but this requirement cannot be provided not installable providers: selinux-policy-20230425-150400.194.7.noarch[security_SELinux] Solution 1: Following actions will be done: install selinux-policy-20230425-150400.194.7.noarch from vendor obs://build.opensuse.org/security:SELinux replacing selinux-policy-20220428-150400.2.10.noarch from vendor obs://build.opensuse.org/security install selinux-policy-targeted-20230425-150400.194.7.noarch from vendor obs://build.opensuse.org/security:SELinux replacing selinux-policy-targeted-20220428-150400.2.10.noarch from vendor obs://build.opensuse.org/security install policycoreutils-3.5-150400.183.3.x86_64 from vendor obs://build.opensuse.org/security:SELinux replacing policycoreutils-3.1-150400.1.5.x86_64 from vendor SUSE LLC <https://www.suse.com/> install policycoreutils-lang-3.5-150400.183.3.noarch from vendor obs://build.opensuse.org/security:SELinux replacing policycoreutils-lang-3.1-150400.1.5.noarch from vendor SUSE LLC <https://www.suse.com/> deinstallation of python3-policycoreutils-3.1-150400.1.5.noarch install libselinux1-3.5-150400.172.1.x86_64 from vendor obs://build.opensuse.org/security:SELinux replacing libselinux1-3.1-150400.1.69.x86_64 from vendor SUSE LLC <https://www.suse.com/> deinstallation of python3-selinux-3.1-150400.1.5.x86_64 deinstallation of libsemanage1-3.1-150400.1.65.x86_64 install python3-semanage-3.5-150400.111.1.x86_64 from vendor obs://build.opensuse.org/security:SELinux replacing python3-semanage-3.1-150400.1.4.x86_64 from vendor SUSE LLC <https://www.suse.com/> install shadow-4.8.1-150400.10.8.6.x86_64 from vendor obs://build.opensuse.org/security:SELinux replacing shadow-4.8.1-150400.10.3.1.x86_64 from vendor SUSE LLC <https://www.suse.com/> Solution 2: do not install container-selinux-2.215.0-150400.1.2.noarch Solution 3: break 
container-selinux-2.215.0-150400.1.2.noarch by ignoring some of its dependencies Choose from above solutions by number or cancel [1/2/3/c/d/?] (c): 1 Resolving dependencies... Resolving package dependencies... The following 7 packages are going to be upgraded: libselinux1 policycoreutils policycoreutils-lang python3-semanage selinux-policy selinux-policy-targeted shadow The following 7 packages are going to change vendor: libselinux1 SUSE LLC <https://www.suse.com/> -> obs://build.opensuse.org/security:SELinux policycoreutils SUSE LLC <https://www.suse.com/> -> obs://build.opensuse.org/security:SELinux policycoreutils-lang SUSE LLC <https://www.suse.com/> -> obs://build.opensuse.org/security:SELinux python3-semanage SUSE LLC <https://www.suse.com/> -> obs://build.opensuse.org/security:SELinux selinux-policy obs://build.opensuse.org/security -> obs://build.opensuse.org/security:SELinux selinux-policy-targeted obs://build.opensuse.org/security -> obs://build.opensuse.org/security:SELinux shadow SUSE LLC <https://www.suse.com/> -> obs://build.opensuse.org/security:SELinux The following 5 NEW packages are going to be installed: container-selinux libsemanage2 libsemanage-conf libsepol2 selinux-autorelabel The following 3 packages are going to be REMOVED: libsemanage1 python3-policycoreutils python3-selinux The following 12 packages have no support information from their vendor: container-selinux libselinux1 libsemanage2 libsemanage-conf libsepol2 policycoreutils policycoreutils-lang python3-semanage selinux-autorelabel selinux-policy selinux-policy-targeted shadow 7 packages to upgrade, 5 new, 3 to remove, 7 to change vendor. ...
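A denial dump like the one above is easier to judge once it is grouped by source domain and target type; the following script is an added example (not part of the bug report or of any SUSE tooling) that parses the `ausearch -m avc` record format shown here and summarises who was denied what. The embedded sample is constructed from four of the records quoted in the report; on the full dump it makes visible that the cron, netconfig and dns-resolver helpers all run as kernel_generic_helper_t, which is the kind of signal to review before switching from permissive to enforcing.

```python
"""Triage helper for `ausearch -m avc` output.

Added example for reading a denial dump like the one in this bug report;
it is not part of the report or of any SUSE/SELinux tooling.  It groups
denials by source domain, target type, object class and permissions so
the domains doing unexpected work (here: cron, netconfig and DNS helper
scripts all running as kernel_generic_helper_t) stand out before anyone
switches from permissive to enforcing.
"""
import re
from collections import Counter

# Constructed sample in ausearch's record format; the values mirror four
# of the entries quoted in the report ("----" separates records).
SAMPLE = """\
----
time->Fri Jun  2 17:13:43 2023
type=AVC msg=audit(1685726023.823:71): avc:  denied  { transition } for  pid=1699 comm="(systemd)" path="/usr/lib/systemd/systemd" dev="nvme0n1p3" ino=25442166 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=1
----
time->Fri Jun  2 17:30:01 2023
type=AVC msg=audit(1685727001.565:304): avc:  denied  { write } for  pid=4574 comm="touch" name="lastrun" dev="nvme0n1p3" ino=25640518 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:crond_tmp_t:s0 tclass=dir permissive=1
----
time->Fri Jun  2 17:42:32 2023
type=AVC msg=audit(1685727752.985:353): avc:  denied  { execute } for  pid=5125 comm="cloud-netconfig" name="systemctl" dev="nvme0n1p3" ino=9330815 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
----
time->Fri Jun  2 17:42:33 2023
type=AVC msg=audit(1685727753.085:373): avc:  denied  { write open } for  pid=5212 comm="dns-resolver" path="/tmp/sh-thd.Tbfusj" dev="nvme0n1p3" ino=18175 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
"""

# 'avc: denied { perm perm } for key=value key="quoted value" ...'
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def type_of(context):
    """Return the type from a user:role:type[:level] SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(text):
    """Return one dict per 'avc: denied' record found in ausearch output."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # "----", "time->..." and non-AVC lines
        fields = {}
        for key, raw, quoted in KV_RE.findall(m.group("fields")):
            fields[key] = quoted if raw.startswith('"') else raw
        records.append({
            "perms": tuple(sorted(m.group("perms").split())),
            "comm": fields.get("comm", "?"),
            "sdomain": type_of(fields.get("scontext", "")),
            "ttype": type_of(fields.get("tcontext", "")),
            "tclass": fields.get("tclass", "?"),
            # permissive=1 means the access was logged but still allowed
            "permissive": fields.get("permissive") == "1",
            "target": fields.get("path") or fields.get("name") or "",
        })
    return records


def summarize(records):
    """Count denials per (source domain, target type, class, perms)."""
    return Counter(
        (r["sdomain"], r["ttype"], r["tclass"], " ".join(r["perms"]))
        for r in records
    )


def by_source_domain(records):
    """How many denials each source domain produced."""
    return Counter(r["sdomain"] for r in records)


def commands_in_domain(records, domain):
    """Sorted, de-duplicated comm= values that were running as `domain`."""
    return sorted({r["comm"] for r in records if r["sdomain"] == domain})


if __name__ == "__main__":
    recs = parse_avc(SAMPLE)
    print(f"{len(recs)} denials")
    for dom, n in by_source_domain(recs).most_common():
        print(f"  {n:3d}  {dom}  ({', '.join(commands_in_domain(recs, dom))})")
    print("\nsource domain, target type, class, perms -> count")
    for key, n in summarize(recs).most_common():
        print(f"  {n:3d}  " + "  ".join(key))
```

To run it over a real dump, replace SAMPLE with the text of `sudo ausearch -m avc`; only `avc: denied` lines are parsed, so the `----` and `time->` separators need no stripping.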
You say that you use the legacy policy, but that doesn't seem to be the case. Please try again and strictly follow https://documentation.suse.com/sles/15-SP4/html/SLES-all/cha-selinux.html
I believe the problem is that the legacy selinux policy, obtained from https://documentation.suse.com/sles/15-SP4/html/SLES-all/cha-selinux.html#sec-selinux-getpolicy, is not configured properly for the latest container-selinux.

Details BEFORE installing container-selinux:

ec2-user@ip-172-31-29-63:~> hostnamectl | grep "Operating System"
Operating System: SUSE Linux Enterprise Server 15 SP4

ec2-user@ip-172-31-29-63:~> sudo sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     requested (insecure)
Max kernel policy version:      33

ec2-user@ip-172-31-29-63:~> sudo zypper info selinux-policy
Refreshing service 'Basesystem_Module_x86_64'.
Refreshing service 'Containers_Module_x86_64'.
Refreshing service 'Desktop_Applications_Module_x86_64'.
Refreshing service 'Development_Tools_Module_x86_64'.
Refreshing service 'Legacy_Module_x86_64'.
Refreshing service 'Public_Cloud_Module_x86_64'.
Refreshing service 'Python_3_Module_x86_64'.
Refreshing service 'SUSE_Linux_Enterprise_Server_x86_64'.
Refreshing service 'Server_Applications_Module_x86_64'.
Refreshing service 'Web_and_Scripting_Module_x86_64'.
Loading repository data...
Reading installed packages...

Information for package selinux-policy:
---------------------------------------
Repository     : SELinux-Legacy
Name           : selinux-policy
Version        : 20220428-150400.2.11
Arch           : noarch
Vendor         : obs://build.opensuse.org/security
Support Level  : unknown
Installed Size : 24.7 KiB
Installed      : Yes (automatically)
Status         : up-to-date
Source package : selinux-policy-20220428-150400.2.11.src
Upstream URL   : https://github.com/fedora-selinux/selinux-policy.git
Summary        : SELinux policy configuration, legacy version for toolchain version < 3.4
Description    : SELinux Reference Policy.
                 A complete SELinux policy that can be used as the system policy for a variety of systems and used as the basis for creating other policies.

ec2-user@ip-172-31-29-63:~> sudo ausearch -ts today -m avc
----
time->Fri Jun 16 19:00:35 2023
type=AVC msg=audit(1686942035.165:69): avc: denied { transition } for pid=1650 comm="(systemd)" path="/usr/lib/systemd/systemd" dev="nvme0n1p3" ino=25442166 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=1
----
time->Fri Jun 16 19:00:35 2023
type=AVC msg=audit(1686942035.165:70): avc: denied { entrypoint } for pid=1650 comm="(systemd)" path="/usr/lib/systemd/systemd" dev="nvme0n1p3" ino=25442166 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1

---

Attempting to install container-selinux gives the same error as mentioned originally:

ec2-user@ip-172-31-29-63:~> sudo restorecon -R /
ec2-user@ip-172-31-29-63:~> sudo zypper addrepo https://download.opensuse.org/repositories/security:SELinux/15.4/security:SELinux.repo
Adding repository 'SELinux (15.4)' ........................................[done]
Repository 'SELinux (15.4)' successfully added

URI         : https://download.opensuse.org/repositories/security:/SELinux/15.4/
Enabled     : Yes
GPG Check   : Yes
Autorefresh : No
Priority    : 99 (default priority)

Repository priorities are without effect. All enabled repositories share the same priority.

ec2-user@ip-172-31-29-63:~> sudo zypper refresh
Repository 'SLE-Module-Basesystem15-SP4-Pool' is up to date.
Repository 'SLE-Module-Basesystem15-SP4-Updates' is up to date.
Repository 'SLE-Module-Containers15-SP4-Pool' is up to date.
Repository 'SLE-Module-Containers15-SP4-Updates' is up to date.
Repository 'SLE-Module-Desktop-Applications15-SP4-Pool' is up to date.
Repository 'SLE-Module-Desktop-Applications15-SP4-Updates' is up to date.
Repository 'SLE-Module-DevTools15-SP4-Pool' is up to date.
Repository 'SLE-Module-DevTools15-SP4-Updates' is up to date.
Repository 'SLE-Module-Legacy15-SP4-Pool' is up to date.
Repository 'SLE-Module-Legacy15-SP4-Updates' is up to date.
Repository 'SLE-Module-Public-Cloud15-SP4-Pool' is up to date.
Repository 'SLE-Module-Public-Cloud15-SP4-Updates' is up to date.
Repository 'SLE-Module-Python3-15-SP4-Pool' is up to date.
Repository 'SLE-Module-Python3-15-SP4-Updates' is up to date.
Repository 'SELinux-Legacy' is up to date.
Repository 'SLE-Product-SLES15-SP4-Pool' is up to date.
Repository 'SLE-Product-SLES15-SP4-Updates' is up to date.
Repository 'SLE-Module-Server-Applications15-SP4-Pool' is up to date.
Repository 'SLE-Module-Server-Applications15-SP4-Updates' is up to date.
Repository 'SLE-Module-Web-Scripting15-SP4-Pool' is up to date.
Repository 'SLE-Module-Web-Scripting15-SP4-Updates' is up to date.

New repository or package signing key received:

  Repository:       SELinux (15.4)
  Key Fingerprint:  06B5 B9E1 5212 34E9 52FE EB7F F692 2B09 93B8 32EE
  Key Name:         security:SELinux OBS Project <security:SELinux@build.opensuse.org>
  Key Algorithm:    DSA 1024
  Key Created:      Mon 27 Feb 2023 05:17:50 PM UTC
  Key Expires:      Wed 07 May 2025 05:17:50 PM UTC
  Rpm Name:         gpg-pubkey-93b832ee-63fce5be

    Note: Signing data enables the recipient to verify that no modifications occurred after the data were signed. Accepting data with no, wrong or unknown signature can lead to a corrupted system and in extreme cases even to a system compromise.

    Note: A GPG pubkey is clearly identified by its fingerprint. Do not rely on the key's name. If you are not sure whether the presented key is authentic, ask the repository provider or check their web site. Many providers maintain a web page showing the fingerprints of the GPG keys they are using.

Do you want to reject the key, trust temporarily, or trust always? [r/t/a/?] (r): a
Retrieving repository 'SELinux (15.4)' metadata ..........................[done]
Building repository 'SELinux (15.4)' cache ...............................[done]
All repositories have been refreshed.

ec2-user@ip-172-31-29-63:~> sudo zypper install container-selinux
Refreshing service 'Basesystem_Module_x86_64'.
Refreshing service 'Containers_Module_x86_64'.
Refreshing service 'Desktop_Applications_Module_x86_64'.
Refreshing service 'Development_Tools_Module_x86_64'.
Refreshing service 'Legacy_Module_x86_64'.
Refreshing service 'Public_Cloud_Module_x86_64'.
Refreshing service 'Python_3_Module_x86_64'.
Refreshing service 'SUSE_Linux_Enterprise_Server_x86_64'.
Refreshing service 'Server_Applications_Module_x86_64'.
Refreshing service 'Web_and_Scripting_Module_x86_64'.
Loading repository data...
Reading installed packages...
Resolving package dependencies...

Problem: the to be installed container-selinux-2.215.0-150400.1.4.noarch requires 'selinux-policy >= 20230425-150400.194.9', but this requirement cannot be provided
  not installable providers: selinux-policy-20230425-150400.194.9.noarch[security_SELinux]
 Solution 1: Following actions will be done:
  install selinux-policy-20230425-150400.194.9.noarch from vendor obs://build.opensuse.org/security:SELinux
    replacing selinux-policy-20220428-150400.2.11.noarch from vendor obs://build.opensuse.org/security
  install selinux-policy-targeted-20230425-150400.194.9.noarch from vendor obs://build.opensuse.org/security:SELinux
    replacing selinux-policy-targeted-20220428-150400.2.11.noarch from vendor obs://build.opensuse.org/security
  install policycoreutils-3.5-150400.183.5.x86_64 from vendor obs://build.opensuse.org/security:SELinux
    replacing policycoreutils-3.1-150400.1.5.x86_64 from vendor SUSE LLC <https://www.suse.com/>
  install policycoreutils-lang-3.5-150400.183.5.noarch from vendor obs://build.opensuse.org/security:SELinux
    replacing policycoreutils-lang-3.1-150400.1.5.noarch from vendor SUSE LLC <https://www.suse.com/>
  install python3-policycoreutils-3.5-150400.183.5.noarch from vendor obs://build.opensuse.org/security:SELinux
    replacing python3-policycoreutils-3.1-150400.1.5.noarch from vendor SUSE LLC <https://www.suse.com/>
  install libselinux1-3.5-150400.175.2.x86_64 from vendor obs://build.opensuse.org/security:SELinux
    replacing libselinux1-3.1-150400.1.69.x86_64 from vendor SUSE LLC <https://www.suse.com/>
  install python3-selinux-3.5-150400.175.1.x86_64 from vendor obs://build.opensuse.org/security:SELinux
    replacing python3-selinux-3.1-150400.1.5.x86_64 from vendor SUSE LLC <https://www.suse.com/>
  deinstallation of libsemanage1-3.1-150400.1.65.x86_64
  install python3-semanage-3.5-150400.111.1.x86_64 from vendor obs://build.opensuse.org/security:SELinux
    replacing python3-semanage-3.1-150400.1.4.x86_64 from vendor SUSE LLC <https://www.suse.com/>
  install shadow-4.8.1-150400.10.8.9.x86_64 from vendor obs://build.opensuse.org/security:SELinux
    replacing shadow-4.8.1-150400.10.3.1.x86_64 from vendor SUSE LLC <https://www.suse.com/>
 Solution 2: do not install container-selinux-2.215.0-150400.1.4.noarch
 Solution 3: break container-selinux-2.215.0-150400.1.4.noarch by ignoring some of its dependencies

Choose from above solutions by number or cancel [1/2/3/c/d/?] (c): c

---

So from my analysis, the problem is here during the container-selinux install:

Problem: the to be installed container-selinux-2.215.0-150400.1.4.noarch requires 'selinux-policy >= 20230425-150400.194.9', but this requirement cannot be provided
  not installable providers: selinux-policy-20230425-150400.194.9.noarch[security_SELinux]
 Solution 1: Following actions will be done:
  install selinux-policy-20230425-150400.194.9.noarch from vendor obs://build.opensuse.org/security:SELinux

I think the legacy selinux policy may need to be updated to account for this?
container-selinux relies on newer policies. I forked an older container-selinux package into security:SELinux_legacy. Please retry and only use the security:SELinux_legacy repository (so make sure security:SELinux is not enabled). Then it should work for you.
Could you please test this?
That worked! Thank you for pinning this older version of container-selinux! I am marking this as resolved.