Hello there,

I'm trying to start a new systemd-container with machinectl, which gives me an error like:

Job for systemd-nspawn@fedora-33-dev.service failed because the control process exited with error code.
See "systemctl status systemd-nspawn@fedora-33-dev.service" and "journalctl -xeu systemd-nspawn@fedora-33-dev.service" for details.

In the journal there is nothing really interesting, just:

Aug 12 09:27:08 desktop-louis systemd-nspawn[4937]: Failed to register machine: Access denied
Aug 12 09:27:08 desktop-louis systemd-nspawn[4940]: Parent died too early

Now if I set SELinux to permissive, it works without any problems, but I get the following if I look up the SELinux logs:

SELinux is preventing systemd-machine from search access on the directory 4940.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that systemd-machine should be allowed search access on the 4940 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'systemd-machine' --raw | audit2allow -M my-systemdmachine
# semodule -X 300 -i my-systemdmachine.pp

Additional Information:
Source Context                system_u:system_r:systemd_machined_t:s0
Target Context                system_u:system_r:unconfined_service_t:s0
Target Objects                4940 [ dir ]
Source                        systemd-machine
Source Path                   systemd-machine
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-34.14-1.fc34.noarch
Local Policy RPM              selinux-policy-targeted-34.14-1.fc34.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     desktop-louis
Platform                      Linux desktop-louis 5.13.8-200.fc34.x86_64 #1 SMP Wed Aug 4 19:59:54 UTC 2021 x86_64 x86_64
Alert Count                   1
First Seen                    2021-08-12 09:27:08 CEST
Last Seen                     2021-08-12 09:27:08 CEST
Local ID                      0ded547d-2c08-4e48-a664-159ec9c9675b

Raw Audit Messages
type=AVC msg=audit(1628753228.555:412): avc: denied { search } for pid=846 comm="systemd-machine" name="4940" dev="proc" ino=65001 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=0

Hash: systemd-machine,systemd_machined_t,unconfined_service_t,dir,search

If I then look up the (presumably) inode number 4940 with sudo find / -inum 4940, I get the following:

/sys/kernel/tracing/events/compaction/mm_compaction_kcompactd_wake/hist
/sys/kernel/debug/tracing/events/compaction/mm_compaction_kcompactd_wake/hist
/sys/fs/cgroup/user.slice/user-1000.slice/user@1000.service/init.scope/cgroup.events
/sys/firmware/acpi/interrupts/gpe13
/usr/share/app-info/icons/fedora/64x64/org.fedoraproject.google-noto-serif-fonts.png

Now here comes my question: how should I continue with this problem, and where should I report it?

PS: Sorry if I did something wrong, this is my first time using a mailing list.
Thanks
Louis
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
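Editor's added example (not part of the post above, and not code from setroubleshoot or audit2allow): a small parser for the raw AVC line quoted in the message. It pulls the fields out of the audit record, derives the type-enforcement rule that audit2allow would emit for this single denial, and resolves the target object the way the kernel labels it: name="4940" together with dev="proc" is the directory /proc/4940 (the PID of the systemd-nspawn child from the journal), while the inode number is the separate ino= field, so a find / -inum on 4940 looks up the wrong number. The AVC line is copied verbatim from the post; the function names (parse_avc, te_rule, target_path) and the Avc dataclass are this example's own, not anything from the SELinux tooling.

```python
import re
from dataclasses import dataclass, field

# The raw audit message exactly as quoted in the post above.
SAMPLE_AVC = (
    'type=AVC msg=audit(1628753228.555:412): avc: denied { search } for pid=846 '
    'comm="systemd-machine" name="4940" dev="proc" ino=65001 '
    'scontext=system_u:system_r:systemd_machined_t:s0 '
    'tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=0'
)

_AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Avc:
    verdict: str                      # "denied" or "granted"
    perms: list = field(default_factory=list)   # permissions requested, e.g. ["search"]
    fields: dict = field(default_factory=dict)  # pid, comm, name, dev, ino, scontext, ...


def parse_avc(line: str) -> Avc:
    """Parse one type=AVC audit record into its verdict, permissions and key=value fields."""
    m = _AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC record: %r" % line)
    verdict, perms, rest = m.groups()
    # Values may be double-quoted (comm, name, dev) or bare (pid, ino, contexts).
    kv = {k: v.strip('"') for k, v in _KV_RE.findall(rest)}
    return Avc(verdict=verdict, perms=perms.split(), fields=kv)


def context_type(ctx: str) -> str:
    """Return the type component (third field) of an SELinux context string."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("malformed context: %r" % ctx)
    return parts[2]


def te_rule(avc: Avc) -> str:
    """The allow rule audit2allow would generate for this single denial.

    Assumption (this example's own reading of audit2allow output): a single
    permission is written bare, several are written in braces.
    """
    src = context_type(avc.fields["scontext"])
    tgt = context_type(avc.fields["tcontext"])
    perms = avc.perms[0] if len(avc.perms) == 1 else "{ %s }" % " ".join(avc.perms)
    return "allow %s %s:%s %s;" % (src, tgt, avc.fields["tclass"], perms)


def target_path(avc: Avc) -> str:
    """Best-effort description of the denied object.

    On dev="proc" a purely numeric directory name is a PID entry under /proc,
    which is the object systemd-machined touches when registering a machine.
    For other filesystems we cannot reconstruct a path from name/ino alone and
    say so instead of guessing.
    """
    f = avc.fields
    name = f.get("name", "")
    if f.get("dev") == "proc" and name.isdigit():
        return "/proc/%s" % name
    return "%s on dev=%s ino=%s (path not recoverable from the AVC alone)" % (
        name or "<unnamed>", f.get("dev", "?"), f.get("ino", "?"))


if __name__ == "__main__":
    avc = parse_avc(SAMPLE_AVC)
    print("verdict  :", avc.verdict, avc.perms)
    print("process  :", avc.fields["comm"], "pid", avc.fields["pid"])
    print("object   :", target_path(avc), "(inode", avc.fields["ino"] + ")")
    print("te rule  :", te_rule(avc))
```

Run it against the line from the post and it reports the object as /proc/4940 with inode 65001, and the rule as `allow systemd_machined_t unconfined_service_t:dir search;`, which is the same rule the suggested `ausearch ... | audit2allow -M` pipeline would put into the generated .te file. Whether to load such a local module or report the denial against selinux-policy is a separate decision; the parser only makes clear what the denial is about.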