> Apologies if this has already been reported or fixed but I did not see
> anything on the mailing list.
>
> On next-20240221 and next-20240222, with CONFIG_FS_PID=y, some of my
> services such as abrtd, dbus, and polkit fail to start on my Fedora
> machines, which causes further issues like failing to start network
> interfaces with NetworkManager. I can easily reproduce this in a Fedora
> 39 QEMU virtual machine, which has:
>
> # systemctl --version
> systemd 254 (254.9-1.fc39)

If something fails for completely inexplicable reasons:

Feb 23 12:09:58 fed1 audit[353]: AVC avc: denied { read write open } for pid=353 comm="systemd-userdbd" path="pidfd:[709]" dev="pidfs" ino=709 scontext=system_u:system_r:systemd_userdbd_t:>

> +SELINUX

pidfd creation can now be mediated by LSMs since we can finally go
through the regular open path. That wasn't possible before but LSM
mediation ability had been requested a few times.

In short, we have to update the selinux policy for Fedora. (Fwiw, went
through the same exercise with nsfs back then.)

I've created a pull-request here:

https://github.com/fedora-selinux/selinux-policy/pull/2050

and filed an issue here:

https://bugzilla.redhat.com/show_bug.cgi?id=2265630

We have sufficient time to get this resolved and I was assured that this
would be resolved. If we can't get it resolved in a timely manner we'll
default to N for a while until everything's updated but I'd like to avoid
that. I'll track that issue.
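
A triage aid for the kind of denial quoted in the message, added here as an example and not part of the original mail or of any project's code: it groups AVC denials on dev="pidfs" by source domain and flags records that the journal pager cut off, as happened to the quoted one, which lost its tcontext and tclass. The second and third sample lines, including the names example_t and example_pidfs_t, are constructed.

```python
import re
from collections import defaultdict

# First line: the pager-truncated record quoted in the message above.
# The other two lines (example_t, example_pidfs_t, vda2) are constructed.
SAMPLE = """\
Feb 23 12:09:58 fed1 audit[353]: AVC avc: denied { read write open } for pid=353 comm="systemd-userdbd" path="pidfd:[709]" dev="pidfs" ino=709 scontext=system_u:system_r:systemd_userdbd_t:>
Feb 23 12:09:59 fed1 audit[401]: AVC avc: denied { read write open } for pid=401 comm="example-daemon" path="pidfd:[712]" dev="pidfs" ino=712 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:example_pidfs_t:s0 tclass=file permissive=0
Feb 23 12:10:01 fed1 audit[402]: AVC avc: denied { read } for pid=402 comm="example-daemon" name="example.conf" dev="vda2" ino=99 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial line, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    # A record without tclass was cut short (the pager marks this with a
    # trailing '>'); it cannot be turned into a policy rule as it stands.
    fields["truncated"] = "tclass" not in fields
    return fields


def pidfs_denials(text):
    """Group denials on dev="pidfs" by the source domain (scontext type)."""
    by_domain = defaultdict(lambda: {"perms": set(), "comms": set(), "truncated": False})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec.get("dev") != "pidfs":
            continue
        # scontext is user:role:type[:level]; the type is the confined domain.
        parts = rec.get("scontext", "").split(":")
        domain = parts[2] if len(parts) > 2 else "unknown"
        entry = by_domain[domain]
        entry["perms"].update(rec["perms"])
        entry["comms"].add(rec.get("comm", "?"))
        entry["truncated"] |= rec["truncated"]
    return dict(by_domain)


if __name__ == "__main__":
    for domain, info in sorted(pidfs_denials(SAMPLE).items()):
        note = " (truncated, re-read with journalctl --no-pager)" if info["truncated"] else ""
        print(domain, sorted(info["perms"]), sorted(info["comms"]), note)
```
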