Repeated security messages from SELinux

Unfortunately, the new update does not solve the issue in the case I can reproduce. I already reported that. But feel free to keep us updated on how it works for you. That might be relevant information for the maintainer to finally solve the issue.


After the upgrade, I still have the same issue; in my case, the problem has not been resolved.

journalctl -f
https://pastebin.com/wTJNbVAZ

sudo journalctl --boot=0 -g avc:..denied

https://pastebin.com/4wiLBy5a

cat /var/log/dnf.* | grep selinux-policy-40.23-1.fc40
2024-06-21T15:11:56+0200 INFO Downloading: http://mirror.vpsnet.com/fedora/linux/updates/testing/40/Everything/x86_64/Packages/s/selinux-policy-40.23-1.fc40.noarch.rpm
2024-06-21T15:12:26+0200 DEBUG Aggiornati: selinux-policy-40.23-1.fc40.noarch
2024-06-21T15:12:26+0200 DDEBUG /var/cache/dnf/updates-testing-448cf8eff887bf4a/packages/selinux-policy-40.23-1.fc40.noarch.rpm eliminato
2024-06-21T15:11:59+0200 SUBDEBUG Upgrade: selinux-policy-40.23-1.fc40.noarch

sealert -l caa39702-a58e-4987-862b-13d1cbf7b69b

SELinux impedisce a chrome un accesso execheap su un processo.

***** Plugin allow_execheap(53.1 confidenza) suggerisce********************

Se non pensi chrome dovrebbe avere bisogno di mappare la memoria heap che è sia scrivibile che eseguibile.
Quindi è necessario riportare un bug. Questo è un accesso potenzialmente pericoloso.
Fai
contattare il proprio amministratore di sicurezza e riportare il problema.

***** Plugin catchall_boolean(42.6 confidenza) suggerisce******************

Se lo desidera allow selinuxuser to execheap
Quindi è necessario informare SELinux abilitando il booleano 'selinuxuser_execheap' .

Fai
setsebool -P selinuxuser_execheap 1

***** Plugin catchall(5.76 confidenza) suggerisce**************************

Se ci credi chrome dovrebbe essere consentito execheap accesso ai processi etichettati unconfined_t per impostazione predefinita.
Quindi si dovrebbe riportare il problema come bug.
E' possibile generare un modulo di politica locale per consentire questo accesso.
Fai
consentire questo accesso per ora eseguendo:
# ausearch -c 'chrome' --raw | audit2allow -M my-$MODULE_NOME
# semodule -X 300 -i miei-chrome.pp


Informazioni addizionali:
Contesto della sorgente       unconfined_u:unconfined_r:unconfined_t:s0-
                              s0:c0.c1023
Contesto target               unconfined_u:unconfined_r:unconfined_t:s0-
                              s0:c0.c1023
Oggetti target                Sconosciuto [ process ]
Sorgente                      chrome
Percorso della sorgente       chrome
Porta                         <Sconosciuto>
Host                          fedora
Sorgente Pacchetti RPM        
Pacchetti RPM target          
SELinux Policy RPM            selinux-policy-targeted-40.23-1.fc40.noarch
Local Policy RPM              selinux-policy-targeted-40.23-1.fc40.noarch
Selinux abilitato             True
Tipo di politica              targeted
Modalità Enforcing            Enforcing
Host Name                     fedora
Piattaforma                   Linux fedora 6.9.4-200.fc40.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Wed Jun 12 13:33:34 UTC 2024
                              x86_64
Conteggio avvisi              242
Primo visto                   2024-06-18 20:05:14 CEST
Ultimo visto                  2024-06-21 16:58:20 CEST
ID locale                     caa39702-a58e-4987-862b-13d1cbf7b69b

Messaggi Raw Audit
type=AVC msg=audit(1718981900.51:414): avc:  denied  { execheap } for  pid=15913 comm="chrome" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0


Hash: chrome,unconfined_t,unconfined_t,process,execheap

To simplify, I am translating part of that message, as it is in Italian:

SELinux prevents chrome from execheap access on a process.

***** Plugin allow_execheap (53.1 confidence) suggests ********************

If you don’t think chrome should need to map heap memory that is both writable and executable, then it is necessary to report a bug. This is potentially dangerous access. Contact your security administrator and report the issue.

***** Plugin catchall_boolean (42.6 confidence) suggests ******************

If you want to allow selinuxuser to execheap, then it is necessary to inform SELinux by enabling the ‘selinuxuser_execheap’ boolean.

Run:
setsebool -P selinuxuser_execheap 1

***** Plugin catchall (5.76 confidence) suggests **************************

If you believe chrome should be allowed execheap access to processes labeled unconfined_t by default, then you should report the issue as a bug. You can generate a local policy module to allow this access. Allow this access for now by running:

Can you provide again, as of now / today:
sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today and
sudo journalctl -g avc:..denied --since "2024-06-19 00:01:00"

I just want to verify that the other denial is solved in your case, and that only the execheap is remaining…

Also, please let me know what day and time you applied the update FEDORA-2024-2bc43119f3.

cat /var/log/dnf.* | grep selinux-policy-40.23-1.fc40
2024-06-21T15:11:56+0200 INFO Downloading: http://mirror.vpsnet.com/fedora/linux/updates/testing/40/Everything/x86_64/Packages/s/selinux-policy-40.23-1.fc40.noarch.rpm
2024-06-21T15:12:26+0200 DEBUG Aggiornati: selinux-policy-40.23-1.fc40.noarch
2024-06-21T15:12:26+0200 DDEBUG /var/cache/dnf/updates-testing-448cf8eff887bf4a/packages/selinux-policy-40.23-1.fc40.noarch.rpm eliminato
2024-06-21T15:11:59+0200 SUBDEBUG Upgrade: selinux-policy-40.23-1.fc40.noarch

sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

----
type=AVC msg=audit(21/06/2024 16:55:04.922:306) : avc:  denied  { execheap } for  pid=14878 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:55:04.930:308) : avc:  denied  { execheap } for  pid=14887 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:55:04.963:310) : avc:  denied  { execheap } for  pid=14909 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:55:04.975:312) : avc:  denied  { execheap } for  pid=14920 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:55:04.985:314) : avc:  denied  { execheap } for  pid=14930 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:55:05.084:316) : avc:  denied  { execheap } for  pid=14943 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:55:05.132:318) : avc:  denied  { execheap } for  pid=14955 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:55:05.142:320) : avc:  denied  { execheap } for  pid=14964 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:55:05.177:322) : avc:  denied  { execheap } for  pid=14973 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:55:05.190:324) : avc:  denied  { execheap } for  pid=14982 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:55:12.186:328) : avc:  denied  { execheap } for  pid=15078 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:55:25.405:331) : avc:  denied  { execheap } for  pid=15145 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:55:27.363:333) : avc:  denied  { execheap } for  pid=15156 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:55:27.372:335) : avc:  denied  { execheap } for  pid=15165 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:55:27.387:337) : avc:  denied  { execheap } for  pid=15174 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:55:27.395:339) : avc:  denied  { execheap } for  pid=15183 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:55:27.418:341) : avc:  denied  { execheap } for  pid=15192 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:55:27.428:343) : avc:  denied  { execheap } for  pid=15201 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:55:27.448:346) : avc:  denied  { execheap } for  pid=15211 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:55:27.461:348) : avc:  denied  { execheap } for  pid=15220 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:55:32.484:350) : avc:  denied  { execheap } for  pid=15307 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:57:28.508:354) : avc:  denied  { execheap } for  pid=15494 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:57:29.702:356) : avc:  denied  { execheap } for  pid=15507 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:57:29.707:358) : avc:  denied  { execheap } for  pid=15515 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:57:29.724:360) : avc:  denied  { execheap } for  pid=15525 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:57:29.732:362) : avc:  denied  { execheap } for  pid=15534 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:57:29.752:364) : avc:  denied  { execheap } for  pid=15543 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:57:29.760:366) : avc:  denied  { execheap } for  pid=15552 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:57:29.777:368) : avc:  denied  { execheap } for  pid=15561 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:57:29.791:370) : avc:  denied  { execheap } for  pid=15570 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:57:30.310:372) : avc:  denied  { execheap } for  pid=15579 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:57:30.314:374) : avc:  denied  { execheap } for  pid=15587 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:57:31.398:378) : avc:  denied  { execheap } for  pid=15608 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:58:09.859:382) : avc:  denied  { execheap } for  pid=15708 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:58:11.208:384) : avc:  denied  { execheap } for  pid=15722 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:58:11.220:386) : avc:  denied  { execheap } for  pid=15731 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:58:11.241:388) : avc:  denied  { execheap } for  pid=15741 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:58:11.249:390) : avc:  denied  { execheap } for  pid=15749 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:58:11.269:392) : avc:  denied  { execheap } for  pid=15759 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:58:11.281:394) : avc:  denied  { execheap } for  pid=15768 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:58:11.302:396) : avc:  denied  { execheap } for  pid=15777 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:58:11.312:398) : avc:  denied  { execheap } for  pid=15786 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:58:12.931:402) : avc:  denied  { execheap } for  pid=15823 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:58:12.937:404) : avc:  denied  { execheap } for  pid=15831 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:58:18.249:406) : avc:  denied  { execheap } for  pid=15868 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:58:18.257:408) : avc:  denied  { execheap } for  pid=15877 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:58:18.269:410) : avc:  denied  { execheap } for  pid=15886 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:58:20.041:412) : avc:  denied  { execheap } for  pid=15904 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:58:20.051:414) : avc:  denied  { execheap } for  pid=15913 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0

sudo journalctl -g avc:..denied --since "2024-06-19 00:01:00"

https://pastebin.com/4EDFFy71
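
The check requested above (is execheap the only denial still occurring after the selinux-policy update?) can be done mechanically. The following is an added example, not part of the original thread: it groups `ausearch -i` records by the same signature sealert prints as "Hash:" and compares what was seen before and after the update time taken from the dnf log. The function names, the dd/mm/YYYY date format (as in the poster's locale) and the sample records are assumptions; in particular the systemd-fstab-g record is constructed, since the thread does not show that denial.

```python
"""Group SELinux AVC denials by signature and compare before/after a cutoff."""
import re
from datetime import datetime

# Matches raw records (audit(1718981900.51:414)) and `ausearch -i` records
# (audit(21/06/2024 16:55:04.922:306) ), including USER_AVC wrappers.
AVC_RE = re.compile(
    r"type=(?:AVC|USER_AVC)\s+msg=audit\((?P<stamp>[^)]*?):(?P<serial>\d+)\)\s*:\s*"
    r".*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample input, modelled on the record layout shown in the thread.
SAMPLE = """\
----
type=AVC msg=audit(18/06/2024 20:05:14.000:101) : avc:  denied  { execheap } for  pid=4001 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
----
type=AVC msg=audit(20/06/2024 09:00:01.100:90) : avc:  denied  { search } for  pid=700 comm=systemd-fstab-g scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
----
type=AVC msg=audit(21/06/2024 16:55:04.922:306) : avc:  denied  { execheap } for  pid=14878 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
----
type=AVC msg=audit(21/06/2024 16:55:04.930:308) : avc:  denied  { execheap } for  pid=14887 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
"""


def parse_time(stamp, interpreted_fmt):
    """Raw records carry epoch seconds; `ausearch -i` prints a locale date."""
    if re.fullmatch(r"\d+(\.\d+)?", stamp):
        return datetime.fromtimestamp(float(stamp))
    return datetime.strptime(stamp, interpreted_fmt)


def context_type(context):
    """Return the type field of a user:role:type:level SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_denials(text, interpreted_fmt="%d/%m/%Y %H:%M:%S.%f"):
    """Yield (time, signature) per denied permission; other lines are skipped.

    The signature is (comm, source type, target type, class, permission),
    the tuple sealert shows as 'Hash:'.
    """
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        when = parse_time(m.group("stamp"), interpreted_fmt)
        for perm in m.group("perms").split():  # one record may list several
            yield when, (
                fields.get("comm", "?"),
                context_type(fields.get("scontext", "?")),
                context_type(fields.get("tcontext", "?")),
                fields.get("tclass", "?"),
                perm,
            )


def summarize(text, since=None, **kw):
    """Map signature -> count / first / last, optionally only from `since` on."""
    summary = {}
    for when, sig in parse_denials(text, **kw):
        if since is not None and when < since:
            continue
        entry = summary.setdefault(sig, {"count": 0, "first": when, "last": when})
        entry["count"] += 1
        entry["first"] = min(entry["first"], when)
        entry["last"] = max(entry["last"], when)
    return summary


def resolved_since(text, cutoff, **kw):
    """Signatures seen before the cutoff that never recur at or after it."""
    before = {sig for when, sig in parse_denials(text, **kw) if when < cutoff}
    return before - set(summarize(text, since=cutoff, **kw))


if __name__ == "__main__":
    # Cutoff: the 'Aggiornati: selinux-policy-40.23-1.fc40' line in the dnf log.
    cutoff = datetime(2024, 6, 21, 15, 12, 26)
    for sig, info in summarize(SAMPLE, since=cutoff).items():
        print("still denied:", ",".join(sig), info["count"], info["last"])
    for sig in sorted(resolved_since(SAMPLE, cutoff)):
        print("not seen since update:", ",".join(sig))
```

On a real system, feed it the text of `sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts <start>` and adjust `interpreted_fmt` to the date layout your locale prints.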

Can you add some data of

/var/lib/machines
/media/emanu/dati
/media/emanu/game

I don’t need information about their contents or so.

But am I right to expect that the two media folders are not always plugged in on boot, but sometimes they are? If so, please try to boot with them and then we can check if they cause the systemd-fstab-g denial again (so I need the last two outputs you provided with them). Alternatively, if you know for sure that the two were already plugged in during one of the boots contained in the output of your last post, and that these boots took place after 2024-06-21T15:12:26 (so that the outputs contain a boot that had 40.23-1.fc40 from the beginning and that had the two media devices plugged in the way that is usual for you), then you can just confirm.

I consider that one (systemd-fstab-g) of the two issues is solved and only the other (execheap) remains. But I would like to verify for sure. If that is the case, I could merge the data of this topic with another one.

What do you use /var/lib/machines for? Do you have an idea why your system considers it in some boots and not in others? I assume that is an external device in your case? If so, the same as above: ensure that there is a boot output here that is from after 40.23-1.fc40 but with the /var/lib/machines condition appearing.

I still struggle to understand the execheap thing…

There is a user who said the update to 6.9.5 had an impact on their issue (not yet clear if it is the execheap denials they experience). So far we have had no problem linking the denials to the selinux-policy updates, but it's worth taking every chance, and as it is indicated that the execheap issue is not the same as the systemd-fstab-g:

As you already have the current selinux-policy update, it would be nice if you update to 6.9.5, reboot (verify the kernel with uname -r), and verify if the issue persists or if anything in the journalctl and ausearch logs changes.

Sure. To be precise, I can access the folders; for me, in my case, it’s just a complaint from the logs about the journaling that I’ve never seen before. Otherwise, everything works fine.

/var/lib/machines: It’s a Btrfs subvolume, it actually doesn’t serve any purpose for me; I placed it on the toplevel (flat) during the Fedora installation using Blivet. The reason is that systemd-nspawn automatically creates a nested subvolume of “var/lib/machines,” and this causes issues in case of rollback and snapshot scheduling (deletion).

/media/emanu/dati
/media/emanu/game
These two mount points are hard disks and work without problems; they are mounted and can read and write.

I can provide my Fstab configuration for greater clarity:

cat /etc/fstab

#
# /etc/fstab
# Created by anaconda on Wed Mar 27 15:01:58 2024
#
# Accessible filesystems, by reference, are maintained under '/dev/disk/'.
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info.
#
# After editing this file, run 'systemctl daemon-reload' to update systemd
# units generated from this file.
#
UUID=9c1c4ece-ece6-4c69-8b21-ea85865d2abf /                       btrfs   noatime,compress=zstd:1,subvol=@ 0 0
UUID=C5A0-7101          /boot/efi               vfat    umask=0077,shortname=winnt 0 2
UUID=9c1c4ece-ece6-4c69-8b21-ea85865d2abf /home                   btrfs   noatime,compress=zstd:1,subvol=@home    0 0
UUID=9c1c4ece-ece6-4c69-8b21-ea85865d2abf /opt                    btrfs   noatime,compress=zstd:1,subvol=opt 0 0
UUID=9c1c4ece-ece6-4c69-8b21-ea85865d2abf /var/cache              btrfs   noatime,compress=zstd:1,subvol=var_cache 0 0
UUID=9c1c4ece-ece6-4c69-8b21-ea85865d2abf /var/lib/flatpak        btrfs   noatime,compress=zstd:1,subvol=var_lib_flatpak 0 0
UUID=9c1c4ece-ece6-4c69-8b21-ea85865d2abf /var/lib/libvirt        btrfs   noatime,compress=zstd:1,subvol=var_lib_libvirt 0 0
UUID=9c1c4ece-ece6-4c69-8b21-ea85865d2abf /var/lib/machines       btrfs   noatime,compress=zstd:1,subvol=var_lib_machines 0 0
UUID=9c1c4ece-ece6-4c69-8b21-ea85865d2abf /var/log                btrfs   noatime,compress=zstd:1,subvol=var_log 0 0
UUID=9c1c4ece-ece6-4c69-8b21-ea85865d2abf /var/tmp                btrfs   noatime,compress=zstd:1,subvol=var_tmp 0 0

# Mount various disks
LABEL=backup /media/emanu/backup btrfs compress-force=zstd:10,autodefrag,nofail,noauto 0 0
UUID=f265041b-2c7c-4135-b0c9-ab424428b3d1 /media/emanu/game/ btrfs noatime,nofail,autodefrag,compress-force=zstd:1,subvol=@game 0 0
UUID=2c3cd9ff-2940-4388-96af-daa0a3410ada /media/emanu/dati/ btrfs noatime,nofail,autodefrag,compress-force=zstd:3,subvol=@dati 0 0
LABEL=backup2T /media/emanu/backup2T btrfs noatime,space_cache=v2,compress-force=zstd:10,autodefrag,nofail,noauto 0 0
# SSD disk for the VMs
UUID=95d14f9d-8717-4ea0-8a79-34603a7269fe /media/emanu/ssd/ btrfs noatime,nofail,autodefrag,compress-force=zstd:1 0 0

mount -t btrfs

/dev/nvme0n1p2 on / type btrfs (rw,noatime,seclabel,compress=zstd:1,ssd,discard=async,space_cache=v2,subvolid=975,subvol=/@)
/dev/nvme0n1p2 on /opt type btrfs (rw,noatime,seclabel,compress=zstd:1,ssd,discard=async,space_cache=v2,subvolid=974,subvol=/opt)
/dev/nvme0n1p2 on /home type btrfs (rw,noatime,seclabel,compress=zstd:1,ssd,discard=async,space_cache=v2,subvolid=666,subvol=/@home)
/dev/nvme0n1p2 on /var/cache type btrfs (rw,noatime,seclabel,compress=zstd:1,ssd,discard=async,space_cache=v2,subvolid=972,subvol=/var_cache)
/dev/nvme0n1p2 on /var/lib/flatpak type btrfs (rw,noatime,seclabel,compress=zstd:1,ssd,discard=async,space_cache=v2,subvolid=267,subvol=/var_lib_flatpak)
/dev/nvme0n1p2 on /var/lib/libvirt type btrfs (rw,noatime,seclabel,compress=zstd:1,ssd,discard=async,space_cache=v2,subvolid=969,subvol=/var_lib_libvirt)
/dev/nvme0n1p2 on /var/lib/machines type btrfs (rw,noatime,seclabel,compress=zstd:1,ssd,discard=async,space_cache=v2,subvolid=973,subvol=/var_lib_machines)
/dev/nvme0n1p2 on /var/log type btrfs (rw,noatime,seclabel,compress=zstd:1,ssd,discard=async,space_cache=v2,subvolid=971,subvol=/var_log)
/dev/nvme0n1p2 on /var/tmp type btrfs (rw,noatime,seclabel,compress=zstd:1,ssd,discard=async,space_cache=v2,subvolid=970,subvol=/var_tmp)
/dev/sda on /media/emanu/ssd type btrfs (rw,noatime,seclabel,compress-force=zstd:1,ssd,discard=async,space_cache=v2,autodefrag,subvolid=5,subvol=/)
/dev/sdb1 on /media/emanu/dati type btrfs (rw,noatime,seclabel,compress-force=zstd:3,space_cache=v2,autodefrag,subvolid=256,subvol=/@dati)
/dev/sdc on /media/emanu/game type btrfs (rw,noatime,seclabel,compress-force=zstd:1,space_cache=v2,autodefrag,subvolid=257,subvol=/@game)

After upgrading the SELinux policy and concurrently with the kernel upgrade “6.9.5-200.fc40.x86_64,” I no longer see SELinux complaints in the logs.
Currently, the only issue with SELinux is with Chrome flatpak, but it is not always reproducible. For example, right now it works without problems.

Even after updating the kernel, the issue with Chrome flatpak remains.

cat /var/log/dnf.* | grep kernel.6.9.5-200.fc40

2024-06-21T17:59:23+0200 INFO Downloading: http://fedora.ip-connect.info/linux/updates/testing/40/Everything/x86_64/Packages/k/kernel-6.9.5-200.fc40.x86_64.rpm
2024-06-21T18:03:56+0200 DEBUG Installati: kernel-6.9.5-200.fc40.x86_64
2024-06-21T18:02:41+0200 SUBDEBUG Installed: kernel-6.9.5-200.fc40.x86_64

For example, yesterday I had issues with Chrome, but today I haven’t had any, at least not so far, with a boot time of around 5 hours.

sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
<no matches>

sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts yesterday

----
type=AVC msg=audit(21/06/2024 16:55:04.922:306) : avc:  denied  { execheap } for  pid=14878 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:55:04.930:308) : avc:  denied  { execheap } for  pid=14887 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:55:04.963:310) : avc:  denied  { execheap } for  pid=14909 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:55:04.975:312) : avc:  denied  { execheap } for  pid=14920 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:55:04.985:314) : avc:  denied  { execheap } for  pid=14930 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:55:05.084:316) : avc:  denied  { execheap } for  pid=14943 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:55:05.132:318) : avc:  denied  { execheap } for  pid=14955 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:55:05.142:320) : avc:  denied  { execheap } for  pid=14964 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:55:05.177:322) : avc:  denied  { execheap } for  pid=14973 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:55:05.190:324) : avc:  denied  { execheap } for  pid=14982 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:55:12.186:328) : avc:  denied  { execheap } for  pid=15078 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:55:25.405:331) : avc:  denied  { execheap } for  pid=15145 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:55:27.363:333) : avc:  denied  { execheap } for  pid=15156 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:55:27.372:335) : avc:  denied  { execheap } for  pid=15165 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:55:27.387:337) : avc:  denied  { execheap } for  pid=15174 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:55:27.395:339) : avc:  denied  { execheap } for  pid=15183 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:55:27.418:341) : avc:  denied  { execheap } for  pid=15192 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:55:27.428:343) : avc:  denied  { execheap } for  pid=15201 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:55:27.448:346) : avc:  denied  { execheap } for  pid=15211 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:55:27.461:348) : avc:  denied  { execheap } for  pid=15220 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:55:32.484:350) : avc:  denied  { execheap } for  pid=15307 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:57:28.508:354) : avc:  denied  { execheap } for  pid=15494 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:57:29.702:356) : avc:  denied  { execheap } for  pid=15507 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:57:29.707:358) : avc:  denied  { execheap } for  pid=15515 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:57:29.724:360) : avc:  denied  { execheap } for  pid=15525 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:57:29.732:362) : avc:  denied  { execheap } for  pid=15534 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:57:29.752:364) : avc:  denied  { execheap } for  pid=15543 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:57:29.760:366) : avc:  denied  { execheap } for  pid=15552 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:57:29.777:368) : avc:  denied  { execheap } for  pid=15561 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:57:29.791:370) : avc:  denied  { execheap } for  pid=15570 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:57:30.310:372) : avc:  denied  { execheap } for  pid=15579 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:57:30.314:374) : avc:  denied  { execheap } for  pid=15587 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:57:31.398:378) : avc:  denied  { execheap } for  pid=15608 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:58:09.859:382) : avc:  denied  { execheap } for  pid=15708 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:58:11.208:384) : avc:  denied  { execheap } for  pid=15722 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:58:11.220:386) : avc:  denied  { execheap } for  pid=15731 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:58:11.241:388) : avc:  denied  { execheap } for  pid=15741 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:58:11.249:390) : avc:  denied  { execheap } for  pid=15749 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:58:11.269:392) : avc:  denied  { execheap } for  pid=15759 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:58:11.281:394) : avc:  denied  { execheap } for  pid=15768 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:58:11.302:396) : avc:  denied  { execheap } for  pid=15777 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:58:11.312:398) : avc:  denied  { execheap } for  pid=15786 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:58:12.931:402) : avc:  denied  { execheap } for  pid=15823 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:58:12.937:404) : avc:  denied  { execheap } for  pid=15831 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:58:18.249:406) : avc:  denied  { execheap } for  pid=15868 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:58:18.257:408) : avc:  denied  { execheap } for  pid=15877 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:58:18.269:410) : avc:  denied  { execheap } for  pid=15886 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:58:20.041:412) : avc:  denied  { execheap } for  pid=15904 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 16:58:20.051:414) : avc:  denied  { execheap } for  pid=15913 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 23:53:21.622:271) : avc:  denied  { execheap } for  pid=25774 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 23:53:21.630:273) : avc:  denied  { execheap } for  pid=25783 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 23:53:21.665:275) : avc:  denied  { execheap } for  pid=25807 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 23:53:21.675:277) : avc:  denied  { execheap } for  pid=25819 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 23:53:21.685:279) : avc:  denied  { execheap } for  pid=25828 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 23:53:21.786:281) : avc:  denied  { execheap } for  pid=25841 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 23:53:21.839:283) : avc:  denied  { execheap } for  pid=25853 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 23:53:21.846:285) : avc:  denied  { execheap } for  pid=25862 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 23:53:41.283:301) : avc:  denied  { execheap } for  pid=25973 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 23:53:41.291:303) : avc:  denied  { execheap } for  pid=25983 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 23:53:41.300:305) : avc:  denied  { execheap } for  pid=25992 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 23:53:44.115:327) : avc:  denied  { execheap } for  pid=26108 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 23:53:44.135:329) : avc:  denied  { execheap } for  pid=26117 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 23:53:47.645:331) : avc:  denied  { execheap } for  pid=26152 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 23:53:49.225:333) : avc:  denied  { execheap } for  pid=26163 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 23:53:52.067:335) : avc:  denied  { execheap } for  pid=26198 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 23:53:52.273:337) : avc:  denied  { execheap } for  pid=26207 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 23:53:54.300:339) : avc:  denied  { execheap } for  pid=26216 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 23:53:54.306:341) : avc:  denied  { execheap } for  pid=26220 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 23:54:00.265:343) : avc:  denied  { execheap } for  pid=26439 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 23:54:00.275:345) : avc:  denied  { execheap } for  pid=26448 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 23:54:00.307:347) : avc:  denied  { execheap } for  pid=26472 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 23:54:00.319:349) : avc:  denied  { execheap } for  pid=26484 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 23:54:00.329:351) : avc:  denied  { execheap } for  pid=26493 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 23:54:00.415:353) : avc:  denied  { execheap } for  pid=26506 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 23:54:00.463:355) : avc:  denied  { execheap } for  pid=26518 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 23:54:00.473:357) : avc:  denied  { execheap } for  pid=26526 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 23:54:00.521:359) : avc:  denied  { execheap } for  pid=26536 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 23:54:00.530:361) : avc:  denied  { execheap } for  pid=26544 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 23:54:04.032:363) : avc:  denied  { execheap } for  pid=26580 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 23:54:04.042:365) : avc:  denied  { execheap } for  pid=26589 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 23:54:04.062:367) : avc:  denied  { execheap } for  pid=26598 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 23:54:04.071:369) : avc:  denied  { execheap } for  pid=26607 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 23:54:04.096:371) : avc:  denied  { execheap } for  pid=26616 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 23:54:04.104:373) : avc:  denied  { execheap } for  pid=26625 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 23:54:04.123:375) : avc:  denied  { execheap } for  pid=26634 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 23:54:04.137:377) : avc:  denied  { execheap } for  pid=26643 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 23:54:05.431:379) : avc:  denied  { execheap } for  pid=26699 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=AVC msg=audit(21/06/2024 23:54:05.435:381) : avc:  denied  { execheap } for  pid=26707 comm=chrome scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 

Do you always have them plugged in when booting? My suspicion is that they were not always plugged in, because they are contained in the logs only occasionally when booting. I expected that’s the reason.

However, so far, I tend to assume the systemd-fstab-g denial you experienced is solved. It seems that only the one with regard to encrypted devices remains, which is not yours. The other systemd-fstab-g denial has already been confirmed to be solved in some cases. But feel free to observe and report if it reappears (so, a systemd-fstab-g denial).

As far as the chrome / execheap denial is concerned, I tend to keep it in mind and hope it gets solved with the next adjustments of the policy (there are still open issues from the last policy, which are to be solved in the subsequent updates; the maintainer is working on it). I have already added them to the last bug report, and if this develops into a long-term GitHub issue (there is already one), I will also mention in the GitHub ticket that these two appeared along with each other. I guess we will get rid of them over time, but as Chrome is not officially supported, the dedicated time invested in Chrome issues is limited, especially as it is not proven that this denial is not intended (it can also be an issue in Chrome).

Whatever, as you have no problem with Chrome, my suggestion is to accept the denials rather than allowing the action they prevent.

1 Like
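A way to condense a long run of repeated denials, like the audit records posted earlier in this thread, into one row per distinct denial with counts and bursts; this is an added example, not part of any post here. It assumes the day-first interpreted timestamp layout seen in those records; the function names are hypothetical, and the `exampled` record is constructed for contrast.

```python
import re
from collections import defaultdict
from datetime import datetime

TS_FORMAT = "%d/%m/%Y %H:%M:%S.%f"   # assumption: day-first interpreted timestamps
# Permissions that make writable memory executable: review, do not blindly allow.
MEMORY_EXEC_PERMS = {"execheap", "execmem", "execstack", "execmod"}
AVC_RE = re.compile(r"type=AVC msg=audit\((?P<ts>.+?):(?P<serial>\d+)\)\s*:\s*avc:\s+"
                    r"denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")

def parse_avc(line):
    """Return one denial as a dict, or None for separators and other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in re.findall(r"(\w+)=(\S+)", m["fields"])}
    return {"time": datetime.strptime(m["ts"], TS_FORMAT),
            "perms": tuple(sorted(m["perms"].split())),
            "comm": f.get("comm", "?"), "pid": f.get("pid"),
            "source": f.get("scontext", ":::").split(":")[2],
            "target": f.get("tcontext", ":::").split(":")[2],
            "tclass": f.get("tclass", "?"),
            "permissive": f.get("permissive") == "1"}

def summarize(lines, burst_gap=60.0):
    """Group denials by (comm, perms, source type, target type, class)."""
    groups = defaultdict(list)
    for line in lines:
        ev = parse_avc(line)
        if ev:
            key = (ev["comm"], ev["perms"], ev["source"], ev["target"], ev["tclass"])
            groups[key].append(ev)
    report = []
    for (comm, perms, source, target, tclass), evs in groups.items():
        evs.sort(key=lambda e: e["time"])
        # A new burst starts whenever two consecutive denials are far apart.
        bursts = 1 + sum((b["time"] - a["time"]).total_seconds() > burst_gap
                         for a, b in zip(evs, evs[1:]))
        report.append({"comm": comm, "perms": perms, "source": source,
                       "target": target, "tclass": tclass, "count": len(evs),
                       "pids": len({e["pid"] for e in evs}), "bursts": bursts,
                       "first": evs[0]["time"], "last": evs[-1]["time"],
                       "enforced": not any(e["permissive"] for e in evs),
                       "memory_exec": bool(MEMORY_EXEC_PERMS & set(perms))})
    return sorted(report, key=lambda r: -r["count"])

CTX = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"

def sample_line(ts, serial, pid, perm="execheap", comm="chrome", tclass="process"):
    """Build a record in the layout of the records posted in the thread."""
    return (f"type=AVC msg=audit({ts}:{serial}) : avc:  denied  {{ {perm} }} for  "
            f"pid={pid} comm={comm} scontext={CTX} tcontext={CTX} "
            f"tclass={tclass} permissive=0 ")

SAMPLE = [  # first four rebuilt from records in the thread; the last is constructed
    sample_line("21/06/2024 16:55:27.387", 337, 15174), "----",
    sample_line("21/06/2024 16:55:27.395", 339, 15183), "----",
    sample_line("21/06/2024 16:57:28.508", 354, 15494), "----",
    sample_line("21/06/2024 23:53:21.622", 271, 25774), "----",
    sample_line("21/06/2024 16:56:00.000", 999, 4242, "read", "exampled", "file"),
]

if __name__ == "__main__":
    for r in summarize(SAMPLE):
        flag = "REVIEW (writable+executable memory)" if r["memory_exec"] else "ordinary"
        print(f'{r["comm"]} {{{" ".join(r["perms"])}}} {r["source"]}->{r["target"]}:'
              f'{r["tclass"]} x{r["count"]} pids={r["pids"]} bursts={r["bursts"]} {flag}')
```

Rows with `memory_exec` set are the ones where, as advised above, leaving the denial in place is the safer default when the application works anyway.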

Since the execheap issue is the only one remaining here (and we now know with high certainty that it is a separate issue), and since the execheap case is now mostly centralized in another topic, I suggest considering this one solved and focusing the execheap stuff in the other topic:

People with execheap denials might follow there, primarily beginning with post 30

Thanks for making us aware and providing so much information, @emanuc!

1 Like