Permission denied as root

Testing out a CentOS Stream 10 generic cloud image for the first time and running into issues with root having very limited permissions, e.g.

[orion@localhost ~]$ sudo cat /var/log/dnf.log

cat: /var/log/dnf.log: Permission denied

[orion@localhost ~]$ sudo crb enable
Enabling CRB repo
Config error: [Errno 13] Permission denied: '/var/log/dnf.log': '/var/log/dnf.log'
Config error: [Errno 13] Permission denied: '/var/log/dnf.log': '/var/log/dnf.log'
Config error: [Errno 13] Permission denied: '/var/log/dnf.log': '/var/log/dnf.log'
CRB repo is disabled

What’s going on here?

Try doing

ls -Z /var/log/dnf.log

I think it might be SELinux, so check and see if you have any unlabeled permissions. I would also check getenforce; if it is enforcing, it is going to be SELinux.

Edit: from what I can find, it's a common thing. I would try to do

sudo touch /.autorelabel
sudo reboot
# then rerun your cat again and see if you have permissions.

You could also try

sudo setenforce 0
sudo cat /var/log/dnf.log

I would just not leave the setenforce at 0.

Also, what are you running this in? As in, what environment (KVM, Proxmox, VMware)?

Well, it’s definitely SELinux. Booting with enforcing=0 clears it up. But labels look good:

-rw-r--r--. 1 root root system_u:object_r:rpm_log_t:s0 36136 Dec 5 09:48 /var/log/dnf.log

looking at audit.log:

type=AVC msg=audit(1764947520.986:111): avc: denied { open } for pid=1511 comm="grep" path="/var/log/audit/audit.log" dev="vda2" ino=14292797 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file permissive=1

I’m guessing it’s because even with the sudo transition I’m staying in the staff_t context.

I’m running this in libvirt/KVM.

Yes, it would be the staff_t/_u/_r. I don’t know if you are going to keep running on staff_u but it does not do an auto transition for sudo commands, as it is a cloud user account, and I believe it is for security reasons.

You could do

sudo semanage login -m -s unconfined_u <username>

This would get you what you're looking for as a sudo command account.

I followed "Chapter 3. Managing confined and unconfined users" in the Using SELinux guide of the Red Hat Enterprise Linux 10 documentation and added a sudo rule to transition to the sysadm_t role. I'm a bit surprised that this doesn't happen automatically for the wheel group.

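As an added example (not code from the thread), a small POSIX shell script that pulls the fields out of an AVC record like the one posted above and says whether the source domain is a confined login domain such as staff_t, plus the sudoers line from the Red Hat SELinux guide that the previous post followed to get a sysadm_r/sysadm_t transition. The sample AVC line is constructed to mirror the dnf.log failure; the username is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Parse an AVC record from
# /var/log/audit/audit.log and classify the source (acting) domain.

# avc_field LINE KEY -> value of KEY=... in the record, quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ ]$2=\"\{0,1\}\([^ \"]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE -> the denied permission inside "{ ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^ }]*\) *}.*/\1/p'
}

# avc_explain LINE -> "<source type> <target type> <perm> <verdict>"
# verdict is confined-login-domain when sudo never left staff_t/user_t,
# which is exactly the situation in this thread.
avc_explain() {
    stype=$(avc_field "$1" scontext | cut -d: -f3)
    ttype=$(avc_field "$1" tcontext | cut -d: -f3)
    perm=$(avc_perm "$1")
    case $stype in
        staff_t|user_t)        verdict=confined-login-domain ;;
        sysadm_t|unconfined_t) verdict=admin-domain ;;
        *)                     verdict=other ;;
    esac
    printf '%s %s %s %s\n' "$stype" "$ttype" "$perm" "$verdict"
}

# sudoers_rule USER -> the sudoers line (RHEL "Using SELinux" guide) that
# makes sudo transition into sysadm_r/sysadm_t for that user; drop it in
# /etc/sudoers.d/ and validate with visudo -c before relying on it.
sudoers_rule() {
    printf '%s ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t ALL\n' "$1"
}

# Constructed sample record: staff_t reading the rpm_log_t file from ls -Z above.
SAMPLE='type=AVC msg=audit(1764947520.986:111): avc:  denied  { read } for  pid=1490 comm="cat" name="dnf.log" dev="vda2" ino=14292797 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_log_t:s0 tclass=file permissive=0'

avc_explain "$SAMPLE"   # staff_t rpm_log_t read confined-login-domain
sudoers_rule orion      # orion ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t ALL
```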

I believe it's because it's a cloud distro, so they know people setting it up are going to forget and not think to lock down the system, so they pre-lock it so you can't mess it up. I honestly think that is a good thing, since there is less of a chance that a fresh install gets permission-hopping hackers.