Hi,

I have a service running with a SmackProcessLabel that uses the supervisory watchdog feature, i.e. calls sd_notify(). The watchdog keeps resetting the service and I get the following in the journal:

Jul 27 11:36:11 kernel: audit: type=1400 audit(1532691371.270:34): lsm=SMACK fn=smack_unix_may_send action=denied subject="apphealthd" object="_" requested=w pid=466 comm="apphealthd" path="/run/systemd/notify"

/run/systemd/notify is a socket, so I'm guessing sd_notify kicks the watchdog by writing to this socket. The problem seems to be that the socket is labelled with the floor label.

After looking through the code that sets up the notify socket, I quickly patched in some code to set SMACK64IPIN and IPOUT (not sure if this one is required).

@@ -728,7 +729,12 @@ static int manager_setup_notify(Manager *m) { m->notify_fd = fd; fd = -1; - + r = mac_smack_apply_fd(m->notify_fd, SMACK_ATTR_IPIN, "*"); + if (r < 0) + log_error_errno(r, "mac_smack_apply_ip_in_fd: %m"); + r = mac_smack_apply_fd(m->notify_fd, SMACK_ATTR_IPOUT, "@"); + if (r < 0) + log_error_errno(r, "mac_smack_apply_ip_out_fd: %m"); log_debug("Using notification socket %s", m->notify_socket); }

And the audit message has gone.

Is there a better way of ensuring /run/systemd/notify can be accessed by a service with a user-defined SMACK label? Or is this patch to manager_setup_notify sufficient?

Many Thanks in Advance,
Martin.
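
Review bot: the first added call hard-codes the SMACK_ATTR_IPIN label to "*", which under Smack's built-in rules permits writes to the notify socket from every label, not only from the "apphealthd" subject in the denial; the change description should say that this breadth is intended. The second call sets SMACK_ATTR_IPOUT to "@" although the mail itself is unsure it is required, so drop it or justify it. Both failure branches only log and continue, and their messages name mac_smack_apply_ip_in_fd and mac_smack_apply_ip_out_fd while the function actually called is mac_smack_apply_fd; word the messages after the operation (for example "Failed to set SMACK64IPIN on notification socket: %m") and decide whether a failure here should be returned to the caller. The hunk also removes the blank line before log_debug(); keep it so the new block stays visually separate.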