Repeated security messages from SELinux

Yeah, let’s forget about this for now. We focus on the denials.


The first boot with the denials is:

-16 1a0b5fc9d9be416bb59be7ef1fd52c50 Sun 2024-06-16 12:58:35 CEST Sun 2024-06-16 12:58:55 CEST

Do you know why this boot has only 20 seconds of logs? Do you sometimes reboot after updates or so? Does Plasma Discover maybe force you to reboot? Or does Plasma Discover install updates on boot?

Additionally, is it possible that you did not use Chrome between “giu 16 17:59:29” and “giu 17 21:45:44”? I am trying to explain that the Chrome denials start on the subsequent day. Maybe you do your Discover updates at the end of your “daily use of your Fedora” or so?

My current assumption is that you introduced the selinux-policy on the 16th through Discover, and that Discover does not create dnf logs.

The first related logs are from the 16th (boot=+22 equals boot=-16 in your case; please make sure to use “-” in the future, as I otherwise need much more time to read the output):

emanu@fedora ~ [1]> sudo journalctl --boot=22 -g avc:..denied
giu 16 12:58:52 fedora audit[1309]: AVC avc:  denied  { getattr } for  pid=1309 comm="systemd-fstab-g" path="/var/lib/machines" dev="nvme0n1p2" ino=256 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:>
giu 16 12:58:52 fedora kernel: audit: type=1400 audit(1718535532.832:72): avc:  denied  { getattr } for  pid=1309 comm="systemd-fstab-g" path="/var/lib/machines" dev="nvme0n1p2" ino=256 scontext=system_u:system_r:systemd_fstab_generato>
giu 16 12:58:52 fedora kernel: audit: type=1400 audit(1718535532.832:73): avc:  denied  { getattr } for  pid=1309 comm="systemd-fstab-g" path="/media/emanu/game" dev="sdc" ino=256 scontext=system_u:system_r:systemd_fstab_generator_t:s0>
giu 16 12:58:52 fedora kernel: audit: type=1400 audit(1718535532.833:74): avc:  denied  { getattr } for  pid=1309 comm="systemd-fstab-g" path="/media/emanu/dati" dev="sdb1" ino=256 scontext=system_u:system_r:systemd_fstab_generator_t:s>
giu 16 12:58:52 fedora audit[1309]: AVC avc:  denied  { getattr } for  pid=1309 comm="systemd-fstab-g" path="/media/emanu/game" dev="sdc" ino=256 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:unlabe>
giu 16 12:58:52 fedora audit[1309]: AVC avc:  denied  { getattr } for  pid=1309 comm="systemd-fstab-g" path="/media/emanu/dati" dev="sdb1" ino=256 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:unlab>
giu 16 12:58:52 fedora audit[1309]: AVC avc:  denied  { getattr } for  pid=1309 comm="systemd-fstab-g" path="/media/emanu/ssd" dev="sda" ino=256 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:unlabel>

You still didn’t provide ausearch outputs.

Please provide the ausearch that covers the “first appearances” since I also need an ausearch that can be linked to an available avc:…denied journalctl for comprehensible comparison, but also a current one.

This means the output of all three following commands (please use the exact commands as I provide them, just add “> file” if you want):
sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err --start 06/16/2024 --end 06/18/2024
and then, please also start and use Chrome before running the next command, in order to ensure that today's current logs cover both Chrome and the other issue (to know if it is still there and if it still looks the same):
sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
Ideally, you then also provide, immediately after today's ausearch, the journal of the running boot (no reboot in between) to compare against the current ausearch:
sudo journalctl --boot=0 -g avc:..denied (please stick with the 0)

→ ausearch is the major output for the bug report. The maintainer needs something that is focused on the major information and that has a common format to compare different users’ outputs.
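
Added example, not part of the original post: a small Python sketch for triaging `journalctl -g avc:..denied` output like the above. It collapses the kernel/audit duplicate of each denial and counts pager-truncated lines (those ending in ">"), which cannot be compared field by field. The function names `parse_avc` and `summarize` are hypothetical, and the sample lines, host name, paths and SELinux types are constructed.

```python
import re
from collections import Counter

# Constructed sample in the journal format shown above (not real log data).
SAMPLE = """\
Jun 16 12:58:52 host audit[1234]: AVC avc:  denied  { getattr } for  pid=1234 comm="example-gen" path="/mnt/example-a" dev="sdx1" ino=256 scontext=system_u:system_r:example_src_t:s0 tcontext=system_u:object_r:example_t:s0 tclass=dir permissive=0
Jun 16 12:58:52 host kernel: audit: type=1400 audit(1718535532.832:72): avc:  denied  { getattr } for  pid=1234 comm="example-gen" path="/mnt/example-a" dev="sdx1" ino=256 scontext=system_u:system_r:example_src_t:s0 tcontext=system_u:object_r:example_t:s0 tclass=dir permissive=0
Jun 16 12:58:52 host kernel: audit: type=1400 audit(1718535532.832:73): avc:  denied  { getattr } for  pid=1234 comm="example-gen" path="/mnt/example-b" dev="sdx2" ino=256 scontext=system_u:system_r:example_src_t:s0 tcontext=system_u:object_r:example_t:s0 tclass=dir permissive=0
Jun 16 12:58:52 host audit[1234]: AVC avc:  denied  { getattr } for  pid=1234 comm="example-gen" path="/mnt/example-b" dev="sdx2" ino=256 scontext=system_u:system_r:example_src_t:s0 tcontext=system_u:object_r:example_t:s0 tclass=dir permissive=0
Jun 16 12:58:52 host audit[1234]: AVC avc:  denied  { getattr } for  pid=1234 comm="example-gen" path="/mnt/example-c" dev="sdx3" ino=256 scontext=system_u:system_r:example_src_t:s0 tcontext=system_u:object_r:>
Jun 16 12:58:53 host systemd[1]: Started example.service.
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one 'avc: denied' journal line; return None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    return {
        "source": "kernel" if " kernel: " in line else "audit",
        "perms": tuple(m.group(1).split()),
        "fields": f,
        # A pager-cut line ends in '>' and has lost tclass: not comparable.
        "truncated": line.rstrip().endswith(">") or "tclass" not in f,
    }

def summarize(text):
    """Count distinct denials, collapsing the kernel/audit duplicate of each event."""
    seen = {"kernel": Counter(), "audit": Counter()}
    truncated = 0
    for rec in filter(None, map(parse_avc, text.splitlines())):
        if rec["truncated"]:
            truncated += 1
            continue
        f = rec["fields"]
        key = (f.get("comm"), rec["perms"], f.get("path") or f.get("name"),
               f.get("scontext"), f.get("tcontext"), f["tclass"])
        seen[rec["source"]][key] += 1
    keys = set(seen["kernel"]) | set(seen["audit"])
    return {k: max(seen["kernel"][k], seen["audit"][k]) for k in keys}, truncated
```

A non-zero truncated count means the journal text was cut by the pager; `journalctl --no-pager` or redirecting to a file keeps the full lines.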