High number of Selinux issues after upgrading to Fedora 36

dnf history shows you what you did with dnf

Ok thanks I guess I’ll be able to restore which groups and things like that I’ve enabled

I would just try:

sudo dnf reinstall selinux-*
which reinstalls `selinux-policy selinux-policy-targeted`

The first time I removed, reinstalled and rebooted I didn’t have any issues. The second time I had to do a restorecon for /etc/selinux. So I’m removing that recommendation.

I just tried it and rebooted, I still have the problem…

Hi, could you please share output of the following commands?

# sudo semodule -lfull
# sudo semanage export
# sudo semodule -B

All of them are completely safe to run (the first two just list all your policy modules and SELinux customizations, and the last rebuilds the system security policy).

Also, did you notice any warnings/errors when reinstalling selinux-policy and selinux-policy-targeted? Reinstallation of those two packages followed by full filesystem relabel (sudo touch /.autorelabel ; reboot) should have resolved the issue, so there is probably something blocking them from installing properly (the actual policy installation is performed in %post/%posttrans scriptlets).

Hi! Thanks for your reply!
Here’s the output of the first command (please note that I’ve set SELinux to permissive to avoid the overflow of errors; if I need to put it back like before for running the commands, just tell me):

400 my-abrtdumpjourn  pp          
400 my-systemdjournal pp          
300 my-ModemManager   pp          
300 my-NetworkManager pp          
300 my-Watchsh        pp          
300 my-accountsdaemon pp          
300 my-alsactl        pp          
300 my-awqt           pp          
300 my-ecblp          pp          
300 my-gdkpixbufthum  pp          
300 my-irqbalance     pp          
300 my-pklacheckauth  pp          
300 my-polkitd        pp          
300 my-qemusystemx86  pp          
300 my-smartd         pp          
300 my-systemdhostnam pp          
300 my-systemdlogind  pp          
200 flatpak           pp          
200 smartmon          pp          
200 snappy            pp          
200 swtpm             pp          
200 swtpm_svirt       pp          
100 abrt              pp          
100 accountsd         pp          
100 acct              pp          
100 afs               pp          
100 aiccu             pp          
100 aide              pp          
100 ajaxterm          pp          
100 alsa              pp          
100 amanda            pp          
100 amtu              pp          
100 anaconda          pp          
100 antivirus         pp          
100 apache            pp          
100 apcupsd           pp          
100 apm               pp          
100 application       pp          
100 arpwatch          pp          
100 asterisk          pp          
100 auditadm          pp          
100 authconfig        pp          
100 authlogin         pp          
100 automount         pp          
100 avahi             pp          
100 awstats           pp          
100 bacula            pp          
100 base              pp          
100 bcfg2             pp          
100 bind              pp          
100 bitlbee           pp          
100 blkmapd           pp          
100 blueman           pp          
100 bluetooth         pp          
100 boinc             pp          
100 boltd             pp          
100 bootloader        pp          
100 brctl             pp          
100 brltty            pp          
100 bugzilla          pp          
100 bumblebee         pp          
100 cachefilesd       pp          
100 calamaris         pp          
100 callweaver        pp          
100 canna             pp          
100 ccs               pp          
100 cdrecord          pp          
100 certmaster        pp          
100 certmonger        pp          
100 certwatch         pp          
100 cfengine          pp          
100 cgroup            pp          
100 chrome            pp          
100 chronyd           pp          
100 cinder            pp          
100 cipe              pp          
100 clock             pp          
100 clogd             pp          
100 cloudform         pp          
100 cmirrord          pp          
100 cobbler           pp          
100 cockpit           pp          
100 collectd          pp          
100 colord            pp          
100 comsat            pp          
100 condor            pp          
100 conman            pp          
100 conntrackd        pp          
100 consolekit        pp          
100 couchdb           pp          
100 courier           pp          
100 cpucontrol        pp          
100 cpufreqselector   pp          
100 cpuplug           pp          
100 cron              pp          
100 ctdb              pp          
100 cups              pp          
100 cvs               pp          
100 cyphesis          pp          
100 cyrus             pp          
100 daemontools       pp          
100 dbadm             pp          
100 dbskk             pp          
100 dbus              pp          
100 dcc               pp          
100 ddclient          pp          
100 denyhosts         pp          
100 devicekit         pp          
100 dhcp              pp          
100 dictd             pp          
100 dirsrv            pp          
100 dirsrv-admin      pp          
100 dmesg             pp          
100 dmidecode         pp          
100 dnsmasq           pp          
100 dnssec            pp          
100 dovecot           pp          
100 drbd              pp          
100 dspam             pp          
100 entropyd          pp          
100 exim              pp          
100 fail2ban          pp          
100 fcoe              pp          
100 fedoratp          pp          
100 fetchmail         pp          
100 finger            pp          
100 firewalld         pp          
100 firewallgui       pp          
100 firstboot         pp          
100 fprintd           pp          
100 freeipmi          pp          
100 freqset           pp          
100 fstools           pp          
100 ftp               pp          
100 fwupd             pp          
100 games             pp          
100 gdomap            pp          
100 geoclue           pp          
100 getty             pp          
100 git               pp          
100 gitosis           pp          
100 glance            pp          
100 glusterd          pp          
100 gnome             pp          
100 gpg               pp          
100 gpm               pp          
100 gpsd              pp          
100 gssproxy          pp          
100 guest             pp          
100 hddtemp           pp          
100 hostapd           pp          
100 hostname          pp          
100 hsqldb            pp          
100 hwloc             pp          
100 hypervkvp         pp          
100 ibacm             pp          
100 ica               pp          
100 icecast           pp          
100 inetd             pp          
100 init              pp          
100 inn               pp          
100 insights_client   pp          
100 iodine            pp          
100 iotop             pp          
100 ipa               pp          
100 ipmievd           pp          
100 ipsec             pp          
100 iptables          pp          
100 irc               pp          
100 irqbalance        pp          
100 iscsi             pp          
100 isns              pp          
100 jabber            pp          
100 jetty             pp          
100 jockey            pp          
100 journalctl        pp          
100 kdump             pp          
100 kdumpgui          pp          
100 keepalived        pp          
100 kerberos          pp          
100 keyboardd         pp          
100 keystone          pp          
100 kismet            pp          
100 kmscon            pp          
100 kpatch            pp          
100 ksmtuned          pp          
100 ktalk             pp          
100 l2tp              pp          
100 ldap              pp          
100 libraries         pp          
100 likewise          pp          
100 linuxptp          pp          
100 lircd             pp          
100 livecd            pp          
100 lldpad            pp          
100 loadkeys          pp          
100 locallogin        pp          
100 lockdev           pp          
100 logadm            pp          
100 logging           pp          
100 logrotate         pp          
100 logwatch          pp          
100 lpd               pp          
100 lsm               pp          
100 lttng-tools       pp          
100 lvm               pp          
100 mailman           pp          
100 mailscanner       pp          
100 man2html          pp          
100 mandb             pp          
100 mcelog            pp          
100 mediawiki         pp          
100 memcached         pp          
100 milter            pp          
100 minidlna          pp          
100 minissdpd         pp          
100 mip6d             pp          
100 mirrormanager     pp          
100 miscfiles         pp          
100 mock              pp          
100 modemmanager      pp          
100 modutils          pp          
100 mojomojo          pp          
100 mon_statd         pp          
100 mongodb           pp          
100 motion            pp          
100 mount             pp          
100 mozilla           pp          
100 mpd               pp          
100 mplayer           pp          
100 mrtg              pp          
100 mta               pp          
100 munin             pp          
100 mysql             pp          
100 mythtv            pp          
100 naemon            pp          
100 nagios            pp          
100 namespace         pp          
100 ncftool           pp          
100 netlabel          pp          
100 netutils          pp          
100 networkmanager    pp          
100 ninfod            pp          
100 nis               pp          
100 nova              pp          
100 nscd              pp          
100 nsd               pp          
100 nslcd             pp          
100 ntop              pp          
100 ntp               pp          
100 numad             pp          
100 nut               pp          
100 nx                pp          
100 obex              pp          
100 oddjob            pp          
100 opafm             pp          
100 openct            pp          
100 opendnssec        pp          
100 openfortivpn      pp          
100 openhpid          pp          
100 openshift         pp          
100 openshift-origin  pp          
100 opensm            pp          
100 openvpn           pp          
100 openvswitch       pp          
100 openwsman         pp          
100 oracleasm         pp          
100 osad              pp          
100 pads              pp          
100 passenger         pp          
100 pcmcia            pp          
100 pcp               pp          
100 pcscd             pp          
100 pdns              pp          
100 pegasus           pp          
100 permissivedomains cil         
100 pesign            pp          
100 pingd             pp          
100 piranha           pp          
100 pkcs              pp          
100 pkcs11proxyd      pp          
100 pki               pp          
100 plymouthd         pp          
100 podsleuth         pp          
100 policykit         pp          
100 polipo            pp          
100 portmap           pp          
100 portreserve       pp          
100 postfix           pp          
100 postgresql        pp          
100 postgrey          pp          
100 ppp               pp          
100 prelink           pp          
100 prelude           pp          
100 privoxy           pp          
100 procmail          pp          
100 prosody           pp          
100 psad              pp          
100 ptchown           pp          
100 publicfile        pp          
100 pulseaudio        pp          
100 puppet            pp          
100 pwauth            pp          
100 qmail             pp          
100 qpid              pp          
100 quantum           pp          
100 quota             pp          
100 rabbitmq          pp          
100 radius            pp          
100 radvd             pp          
100 raid              pp          
100 rasdaemon         pp          
100 rdisc             pp          
100 readahead         pp          
100 realmd            pp          
100 redis             pp          
100 remotelogin       pp          
100 rhcs              pp          
100 rhev              pp          
100 rhgb              pp          
100 rhnsd             pp          
100 rhsmcertd         pp          
100 ricci             pp          
100 rkhunter          pp          
100 rkt               pp          
100 rlogin            pp          
100 rngd              pp          
100 rolekit           pp          
100 roundup           pp          
100 rpc               pp          
100 rpcbind           pp          
100 rpm               pp          
100 rrdcached         pp          
100 rshd              pp          
100 rssh              pp          
100 rsync             pp          
100 rtas              pp          
100 rtkit             pp          
100 rwho              pp          
100 samba             pp          
100 sambagui          pp          
100 sandboxX          pp          
100 sanlock           pp          
100 sasl              pp          
100 sbd               pp          
100 sblim             pp          
100 screen            pp          
100 secadm            pp          
100 sectoolm          pp          
100 selinuxutil       pp          
100 sendmail          pp          
100 sensord           pp          
100 setrans           pp          
100 setroubleshoot    pp          
100 seunshare         pp          
100 sge               pp          
100 shorewall         pp          
100 slocate           pp          
100 slpd              pp          
100 smartmon          pp          
100 smokeping         pp          
100 smoltclient       pp          
100 smsd              pp          
100 snapper           pp          
100 snmp              pp          
100 snort             pp          
100 sosreport         pp          
100 soundserver       pp          
100 spamassassin      pp          
100 speech-dispatcher pp          
100 squid             pp          
100 ssh               pp          
100 sslh              pp          
100 sssd              pp          
100 staff             pp          
100 stalld            pp          
100 stapserver        pp          
100 stratisd          pp          
100 stunnel           pp          
100 su                pp          
100 sudo              pp          
100 svnserve          pp          
100 swift             pp          
100 sysadm            pp          
100 sysadm_secadm     pp          
100 sysnetwork        pp          
100 sysstat           pp          
100 systemd           pp          
100 tangd             pp          
100 targetd           pp          
100 tcpd              pp          
100 tcsd              pp          
100 telepathy         pp          
100 telnet            pp          
100 tftp              pp          
100 tgtd              pp          
100 thin              pp          
100 thumb             pp          
100 timedatex         pp          
100 tlp               pp          
100 tmpreaper         pp          
100 tomcat            pp          
100 tor               pp          
100 tuned             pp          
100 tvtime            pp          
100 udev              pp          
100 ulogd             pp          
100 uml               pp          
100 unconfined        pp          
100 unconfineduser    pp          
100 unlabelednet      pp          
100 unprivuser        pp          
100 updfstab          pp          
100 usbmodules        pp          
100 usbmuxd           pp          
100 userdomain        pp          
100 userhelper        pp          
100 usermanage        pp          
100 usernetctl        pp          
100 uucp              pp          
100 uuidd             pp          
100 varnishd          pp          
100 vdagent           pp          
100 vhostmd           pp          
100 virt              pp          
100 vlock             pp          
100 vmtools           pp          
100 vmware            pp          
100 vnstatd           pp          
100 vpn               pp          
100 w3c               pp          
100 watchdog          pp          
100 wdmd              pp          
100 webadm            pp          
100 webalizer         pp          
100 wine              pp          
100 wireshark         pp          
100 xen               pp          
100 xguest            pp          
100 xserver           pp          
100 zabbix            pp          
100 zarafa            pp          
100 zebra             pp          
100 zoneminder        pp          
100 zosremote         pp          

The second:

boolean -D
login -D
interface -D
user -D
port -D
node -D
fcontext -D
module -D
ibendport -D
ibpkey -D
permissive -D
port -a -t ipp_port_t -r 's0' -p udp 22161
fcontext -a -f a -t virt_image_t -r 's0' '/mnt/6070F97B70F957EC/VM/win10.qcow2'
fcontext -a -f a -t rpm_exec_t -r 's0' '/usr/share/dnfdaemon/dnfdaemon-system'

And the third command doesn’t output anything… and is rather quick.

As for the errors, I can’t remember. If I remember correctly there was one concerning a timeout about what is shown above, ‘/mnt/blahblah/’, which seems to correspond to a Windows virtual machine I have on my system. Maybe some after that, but it reboots right after. I’ll run it again to be sure.

sudo restorecon -rv / gives an error, restorecon: Could not stat /run/user/1000/doc: Permission denied, not sure if it’s relevant.

Ok so I’ve run sudo touch /.autorelabel ; reboot again. After it reboots it shows the message relabeling ... followed by the drives, then there’s no message for a long time, two lines about that /mnt/..../ drive timing out, then no message for a long time, then I get a glimpse of about half a screen of messages and it reboots immediately. But I had the time to see that some of these lines contained ERRORS and some coded strings.

Are there any logs I should look to provide you those messages I do not have the time to see?
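One thing to read off a semodule -lfull listing like the one above is which modules were added after installation: Fedora ships the selinux-policy modules at priority 100, semodule -i installs at 400 by default, and when the same name is present at two priorities (smartmon at 100 and 200 above) the higher-priority copy is the one loaded and overrides the distribution module. The my-* names follow the naming setroubleshoot suggests for audit2allow-generated modules. The script below is an added example, not from the thread or from the SELinux tools: it parses a listing in that format (a constructed subset of the one above), groups modules by priority, lists the non-distribution ones, detects shadowed names, and prints the semodule -X <priority> -r <name> commands that would remove each local module, for review only; nothing is executed.

```python
"""Summarise `semodule -lfull` output: distribution vs. locally added policy
modules, and local modules that shadow a distribution module of the same name.
Added example; not from the thread or from the SELinux userspace tools."""
import sys
from collections import defaultdict

# Constructed sample in the format `semodule -lfull` prints:
# <priority> <module name> <format>   (pp = binary policy package, cil = CIL source)
SAMPLE = """\
400 my-abrtdumpjourn  pp
300 my-NetworkManager pp
200 flatpak           pp
200 smartmon          pp
100 abrt              pp
100 permissivedomains cil
100 smartmon          pp
"""

DISTRO_PRIORITY = 100  # Fedora's selinux-policy packages install at priority 100


def parse_semodule_lfull(text):
    """Return a list of (priority, name, fmt) tuples, one per listed module."""
    mods = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue  # blank line or something that is not a module row
        mods.append((int(parts[0]), parts[1], parts[2]))
    return mods


def by_priority(mods):
    """Map priority -> sorted list of module names at that priority."""
    groups = defaultdict(list)
    for prio, name, _fmt in mods:
        groups[prio].append(name)
    return {prio: sorted(names) for prio, names in groups.items()}


def local_modules(mods):
    """(priority, name) for every module not at the distribution priority,
    i.e. added after install: third-party packages or audit2allow output."""
    return sorted((prio, name) for prio, name, _fmt in mods if prio != DISTRO_PRIORITY)


def shadowed_modules(mods):
    """Names present at more than one priority; only the highest-priority
    copy is active, so it overrides the lower (usually distribution) one."""
    prios = defaultdict(set)
    for prio, name, _fmt in mods:
        prios[name].add(prio)
    return {name: sorted(p) for name, p in prios.items() if len(p) > 1}


def removal_commands(mods):
    """semodule invocations that would remove each local module at its own
    priority.  Returned as strings for the operator to review, never run."""
    return [f"semodule -X {prio} -r {name}" for prio, name in local_modules(mods)]


if __name__ == "__main__":
    # Usage: sudo semodule -lfull | python3 semodule_summary.py
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    mods = parse_semodule_lfull(text)
    for prio, names in sorted(by_priority(mods).items(), reverse=True):
        print(f"priority {prio}: {len(names)} module(s)")
    for name, prios in shadowed_modules(mods).items():
        print(f"shadowed: {name} at priorities {prios} (highest wins)")
    print("to remove local modules, review and run:")
    print("\n".join("  " + cmd for cmd in removal_commands(mods)))
```

Removing a my-* module drops whatever allow rules audit2allow generated for it, so after removal the corresponding denials come back and show up in the audit log again, which is exactly what one wants while tracing a policy problem to its source.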

Well, I found where the logs are; these are the messages I described in my previous message:

May 18 21:13:27 localhost.localdomain audit[1620]: FS_RELABEL pid=1620 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=mass relabel exe="/usr/sbin/setfiles" hostname=? addr=? terminal=? res=success'
May 18 21:13:27 localhost.localdomain kernel: audit: type=2309 audit(1652901207.565:1181): pid=1620 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=mass relabel exe="/usr/sbin/setfiles" hostname=? addr=? terminal=? res=success'
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1620]: Warning no default label for /dev/mqueue
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1260]: Cleaning up labels on /tmp
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1647]: ERROR: src/skipcpio/skipcpio.c:91:main(): Cannot open file '/boot/b5aecdd710d14ca682224c6ca7250831/5.12.9-300.fc34.x86_64/initrd'
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1648]: cpio: premature end of archive
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1649]: ERROR: src/skipcpio/skipcpio.c:91:main(): Cannot open file '/boot/b5aecdd710d14ca682224c6ca7250831/5.12.9-300.fc34.x86_64/initrd'
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1650]: gzip: stdin: unexpected end of file
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1651]: cpio: premature end of archive
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1652]: ERROR: src/skipcpio/skipcpio.c:91:main(): Cannot open file '/boot/b5aecdd710d14ca682224c6ca7250831/5.12.9-300.fc34.x86_64/initrd'
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1653]: bzcat: Compressed file ends unexpectedly;
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1653]:         perhaps it is corrupted?  *Possible* reason follows.
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1653]: bzcat: Inappropriate ioctl for device
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1653]:         Input file = (stdin), output file = (stdout)
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1653]: It is possible that the compressed file(s) have become corrupted.
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1653]: You can use the -tvv option to test integrity of such files.
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1653]: You can use the `bzip2recover' program to attempt to recover
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1653]: data from undamaged sections of corrupted files.
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1654]: cpio: premature end of archive
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1655]: ERROR: src/skipcpio/skipcpio.c:91:main(): Cannot open file '/boot/b5aecdd710d14ca682224c6ca7250831/5.12.9-300.fc34.x86_64/initrd'
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1656]: xzcat: (stdin): File format not recognized
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1657]: cpio: premature end of archive
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1659]: /usr/lib/dracut/dracut-initramfs-restore: line 58: lz4: command not found
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1658]: ERROR: src/skipcpio/skipcpio.c:91:main(): Cannot open file '/boot/b5aecdd710d14ca682224c6ca7250831/5.12.9-300.fc34.x86_64/initrd'
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1660]: cpio: premature end of archive
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1661]: ERROR: src/skipcpio/skipcpio.c:91:main(): Cannot open file '/boot/b5aecdd710d14ca682224c6ca7250831/5.12.9-300.fc34.x86_64/initrd'
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1662]: lzop: <stdin>: not a lzop file
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1663]: cpio: premature end of archive
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1664]: ERROR: src/skipcpio/skipcpio.c:91:main(): Cannot open file '/boot/b5aecdd710d14ca682224c6ca7250831/5.12.9-300.fc34.x86_64/initrd'
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1665]: zstd: /*stdin*\: unexpected end of file
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1666]: cpio: premature end of archive
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1644]: Unpacking of /boot/b5aecdd710d14ca682224c6ca7250831/5.12.9-300.fc34.x86_64/initrd to /run/initramfs failed
May 18 21:13:27 localhost.localdomain systemd[1]: Shutting down.

Interesting. Could you please check that your system is really in permissive mode (sestatus would show “Current mode: permissive”)? Permissive mode doesn’t stop AVCs (SELinux denial logs) from appearing; it usually does the opposite, since in this mode SELinux does not enforce the policy (everything is allowed), but any transgressions against the policy are logged. So if you are not receiving new AVCs, your problem could already be fixed.

Based on the custom modules it seems like the AVCs you were receiving were from all over the place. Would you mind sharing your audit.log (or just the AVCs – sudo ausearch -m AVC,USER_AVC,SELINUX_ERR)?

I set SELinux to permissive every time I turn on my computer, by typing sudo setenforce 0. Before I have the time, my system has the time to spam me a bit with those alerts; if I open SETroubleshoot it reports a bunch of them as “last seen” just before I entered the command. So I’m not sure the problem is already solved… unless the “last seen” time doesn’t correspond to the original alert, I don’t know.
Here’s the output of sestatus:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

As for sudo ausearch -m AVC,USER_AVC,SELINUX_ERR, if I put the output of this command in a file with >, I get a 434172-line, 45.3 MB file. So I’m not going to be able to paste it here entirely, but here’s a bit of the end of the file if that’s what you need:

time->Thu May 19 17:29:13 2022
type=AVC msg=audit(1652974153.864:101221): avc:  denied  { confidentiality } for  pid=13580 comm="04-iscsi" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tclass=lockdown permissive=1
----
time->Thu May 19 17:29:13 2022
type=AVC msg=audit(1652974153.877:101222): avc:  denied  { confidentiality } for  pid=13583 comm="11-dhclient" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:NetworkManager_dispatcher_dhclient_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_dhclient_t:s0 tclass=lockdown permissive=1
----
time->Thu May 19 17:29:13 2022
type=AVC msg=audit(1652974153.881:101223): avc:  denied  { confidentiality } for  pid=13584 comm="20-chrony-dhcp" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=lockdown permissive=1
----
time->Thu May 19 17:29:13 2022
type=AVC msg=audit(1652974153.900:101224): avc:  denied  { confidentiality } for  pid=13594 comm="chronyc" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=lockdown permissive=1
----
time->Thu May 19 17:29:13 2022
type=AVC msg=audit(1652974153.902:101225): avc:  denied  { confidentiality } for  pid=1530 comm="chronyd" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=lockdown permissive=1
----
time->Thu May 19 17:29:14 2022
type=PROCTITLE msg=audit(1652974154.191:101235): proctitle="/usr/lib/systemd/systemd-resolved"
type=PATH msg=audit(1652974154.191:101235): item=1 name="/run/systemd/resolve/netif/.#9Qu7z3W" inode=2637 dev=00:1a mode=0100600 ouid=193 ogid=193 rdev=00:00 obj=system_u:object_r:systemd_resolved_var_run_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1652974154.191:101235): item=0 name="/run/systemd/resolve/netif/" inode=2272 dev=00:1a mode=040700 ouid=193 ogid=193 rdev=00:00 obj=system_u:object_r:systemd_resolved_var_run_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1652974154.191:101235): cwd="/"
type=SYSCALL msg=audit(1652974154.191:101235): arch=c000003e syscall=257 success=yes exit=39 a0=ffffff9c a1=55667288cc10 a2=800c2 a3=180 items=2 ppid=1 pid=1316 auid=4294967295 uid=193 gid=193 euid=193 suid=193 fsuid=193 egid=193 sgid=193 fsgid=193 tty=(none) ses=4294967295 comm="systemd-resolve" exe="/usr/lib/systemd/systemd-resolved" subj=system_u:system_r:systemd_resolved_t:s0 key=(null)
type=AVC msg=audit(1652974154.191:101235): avc:  denied  { confidentiality } for  pid=1316 comm="systemd-resolve" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:system_r:systemd_resolved_t:s0 tclass=lockdown permissive=1
----
time->Thu May 19 17:29:14 2022
type=AVC msg=audit(1652974154.198:101236): avc:  denied  { confidentiality } for  pid=1377 comm="rtkit-daemon" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=lockdown permissive=1
----
time->Thu May 19 17:29:14 2022
type=AVC msg=audit(1652974154.212:101237): avc:  denied  { confidentiality } for  pid=1530 comm="chronyd" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=lockdown permissive=1
----
time->Thu May 19 17:29:14 2022
type=AVC msg=audit(1652974154.297:101238): avc:  denied  { confidentiality } for  pid=13268 comm="nm-dispatcher" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tclass=lockdown permissive=1
----
time->Thu May 19 17:29:14 2022
type=AVC msg=audit(1652974154.344:101245): avc:  denied  { confidentiality } for  pid=13707 comm="04-iscsi" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tclass=lockdown permissive=1
----
time->Thu May 19 17:29:14 2022
type=AVC msg=audit(1652974154.347:101246): avc:  denied  { confidentiality } for  pid=13708 comm="11-dhclient" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:NetworkManager_dispatcher_dhclient_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_dhclient_t:s0 tclass=lockdown permissive=1
----
time->Thu May 19 17:29:14 2022
type=AVC msg=audit(1652974154.350:101247): avc:  denied  { confidentiality } for  pid=13709 comm="20-chrony-dhcp" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=lockdown permissive=1
----
time->Thu May 19 17:29:14 2022
type=AVC msg=audit(1652974154.353:101248): avc:  denied  { confidentiality } for  pid=13712 comm="chronyc" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=lockdown permissive=1
----
time->Thu May 19 17:29:14 2022
type=AVC msg=audit(1652974154.953:101252): avc:  denied  { confidentiality } for  pid=1513 comm="setroubleshootd" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:system_r:setroubleshootd_t:s0 tclass=lockdown permissive=1
----
time->Thu May 19 17:29:15 2022
type=AVC msg=audit(1652974155.079:101256): avc:  denied  { confidentiality } for  pid=1377 comm="rtkit-daemon" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=lockdown permissive=1
----
time->Thu May 19 17:29:15 2022
type=AVC msg=audit(1652974155.506:101263): avc:  denied  { confidentiality } for  pid=13532 comm="pcscd" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:pcscd_t:s0 tcontext=system_u:system_r:pcscd_t:s0 tclass=lockdown permissive=1
----
time->Thu May 19 17:29:15 2022
type=AVC msg=audit(1652974155.733:101267): avc:  denied  { confidentiality } for  pid=11449 comm="sssd_kcm" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=lockdown permissive=1
----
time->Thu May 19 17:29:22 2022
type=AVC msg=audit(1652974162.750:101277): avc:  denied  { confidentiality } for  pid=1563 comm="cupsd" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=lockdown permissive=1
----
time->Thu May 19 17:29:29 2022
type=AVC msg=audit(1652974169.839:101289): avc:  denied  { confidentiality } for  pid=13532 comm="pcscd" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:pcscd_t:s0 tcontext=system_u:system_r:pcscd_t:s0 tclass=lockdown permissive=1
----
time->Thu May 19 17:29:34 2022
type=AVC msg=audit(1652974174.810:101290): avc:  denied  { confidentiality } for  pid=1341 comm="dbus-broker" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=lockdown permissive=1
----
time->Thu May 19 17:29:49 2022
type=AVC msg=audit(1652974189.147:101292): avc:  denied  { confidentiality } for  pid=1513 comm="setroubleshootd" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:system_r:setroubleshootd_t:s0 tclass=lockdown permissive=1
----
time->Thu May 19 17:30:05 2022
type=AVC msg=audit(1652974205.733:101296): avc:  denied  { confidentiality } for  pid=11449 comm="sssd_kcm" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=lockdown permissive=1
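
A flood like the one above is easier to read once the denials are grouped by what was denied instead of by which daemon tripped it. The script below is an added example, not something posted in this thread; parse_avc(), summarize() and report() are names chosen for it. The three lockdown lines in SAMPLE_LINES are copied from the output above, the final "file" denial is constructed for contrast, and the "enforced" column counts only hits logged with permissive=0, so it shows that the lockdown denials are logged but never actually blocked while the machine is in permissive mode.

```python
"""Summarise SELinux AVC denials (ausearch / audit.log format) by what was
denied rather than by which process hit it.

Added example for the thread above, not code from it.  parse_avc(),
summarize() and report() are names chosen here."""
import re
from collections import defaultdict

# Three lockdown denials as posted in the thread, plus one constructed
# ordinary file denial (permissive=0) so the grouping has a contrast.
SAMPLE_LINES = [
    'type=AVC msg=audit(1652974154.353:101248): avc:  denied  { confidentiality } for  pid=13712 comm="chronyc" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=lockdown permissive=1',
    'type=AVC msg=audit(1652974154.953:101252): avc:  denied  { confidentiality } for  pid=1513 comm="setroubleshootd" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:system_r:setroubleshootd_t:s0 tclass=lockdown permissive=1',
    'type=AVC msg=audit(1652974162.750:101277): avc:  denied  { confidentiality } for  pid=1563 comm="cupsd" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=lockdown permissive=1',
    # constructed line, not from the thread:
    'type=AVC msg=audit(1652974200.000:101300): avc:  denied  { read } for  pid=4242 comm="httpd" name="index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
]

DENIED_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the AVC's key=value fields as a dict, or None if the line is
    not a denial.  'perms' holds the denied permission(s); quoted values
    lose their quotes."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec["perms"] = m.group(1)
    return rec


def source_type(scontext):
    """'system_u:system_r:cupsd_t:s0-s0:c0.c1023' -> 'cupsd_t'"""
    return scontext.split(":")[2]


def summarize(lines):
    """Group denials by (tclass, perms, lockdown_reason).

    For each group: number of hits, the source types and commands involved,
    and how many hits were actually enforced (permissive=0).  A group with
    enforcing_hits == 0 was only logged, never blocked."""
    groups = defaultdict(lambda: {"count": 0, "stypes": set(),
                                  "comms": set(), "enforcing_hits": 0})
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec.get("tclass", "?"), rec["perms"], rec.get("lockdown_reason", ""))
        g = groups[key]
        g["count"] += 1
        g["stypes"].add(source_type(rec.get("scontext", "::?")))
        g["comms"].add(rec.get("comm", "?"))
        if rec.get("permissive") == "0":
            g["enforcing_hits"] += 1
    return dict(groups)


def report(groups):
    """Render the summary as text, largest group first."""
    out = []
    for (tclass, perms, reason), g in sorted(groups.items(), key=lambda kv: -kv[1]["count"]):
        line = f'{g["count"]:6d}  {tclass}:{perms}'
        if reason:
            line += f'  [{reason}]'
        line += f'  enforced={g["enforcing_hits"]}  types={",".join(sorted(g["stypes"]))}'
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    # Real use on the affected box:  sudo ausearch -m AVC -ts boot | python3 avc_summary.py
    import sys
    lines = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin
    print(report(summarize(lines)))
```

Run without input it summarises the embedded sample; piped from ausearch -m AVC (the file name avc_summary.py is hypothetical) it summarises the real log. Every lockdown hit in the thread's output shares one lockdown_reason and shows permissive=1, which is what the summary makes visible at a glance.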

You could set the mode in /etc/selinux/config to permissive which would stop the blast of errors at boot and allow things to work normally. Your output shows it as currently set to enforcing.

It does not fix the problem but does mitigate the logged error surge at boot time. You can then continue to track and hopefully fix the actual cause without the spam of errors interfering with normal work.

Ok
It doesn't help much, but indeed I won't be bothered at boot.

By the way, in the log I posted in my last message on the 18th of May (message N°27), there are some errors concerning 5.12.9-300.fc34.x86_64, and I'm pretty sure this is a driver-kernel-nvidia thing I manually uninstalled a while ago (I was running Fedora 35 and didn't understand why there was both the Fedora 35 and the Fedora 34 version of the thing; maybe it was foolish to do so, but I did it). Ever since, the kernel has complained about not finding an nvidia thing on boot, and switches to nouveau.
Do you think this is preventing SELinux from applying a new policy / cleaning its policy, or is this irrelevant?

The lockdown class checks were removed as of kernel v5.16. The related permission will be removed from selinux-policy soon, too. To avoid errors like these, please update the kernel.

Oh ok. I do upgrades regularly with sudo dnf upgrade --refresh, but according to uname -r my kernel is still 5.12.9-300.fc34.x86_64, apparently! Despite the fact that I upgraded to F35 and then F36 when these versions came out…
Any tips on how to force my kernel to update? Perhaps it got stuck when the Nvidia driver installation broke?

According to dnf list installed | grep kernel, the latest kernel is here…

abrt-addon-kerneloops.x86_64                      2.15.1-1.fc36                          @fedora                                          
kernel.x86_64                                     5.12.9-300.fc34                        @updates                                         
kernel.x86_64                                     5.17.7-300.fc36                        @updates                                         
kernel.x86_64                                     5.17.8-300.fc36                        @updates                                         
kernel-core.x86_64                                5.12.9-300.fc34                        @updates                                         
kernel-core.x86_64                                5.17.7-300.fc36                        @updates                                         
kernel-core.x86_64                                5.17.8-300.fc36                        @updates                                         
kernel-devel.x86_64                               5.12.9-300.fc34                        @updates                                         
kernel-devel.x86_64                               5.17.7-300.fc36                        @updates                                         
kernel-devel.x86_64                               5.17.8-300.fc36                        @updates                                         
kernel-devel-matched.x86_64                       5.17.8-300.fc36                        @updates                                         
kernel-headers.x86_64                             5.17.6-300.fc36                        @updates                                         
kernel-modules.x86_64                             5.12.9-300.fc34                        @updates                                         
kernel-modules.x86_64                             5.17.7-300.fc36                        @updates                                         
kernel-modules.x86_64                             5.17.8-300.fc36                        @updates                                         
kernel-modules-extra.x86_64                       5.12.9-300.fc34                        @updates                                         
kernel-modules-extra.x86_64                       5.17.7-300.fc36                        @updates                                         
kernel-modules-extra.x86_64                       5.17.8-300.fc36                        @updates                                         
kernel-srpm-macros.noarch                         1.0-14.fc36                            @fedora                                          
libreport-plugin-kerneloops.x86_64                2.17.1-1.fc36                          @fedora                                          
texlive-l3kernel.noarch                           9:svn59118-55.fc36                     @fedora 

Some people have seen problems with installing/upgrading fedora 36 and the system not properly placing the files in /boot.

Could you please post the output of ls /boot and ls /boot/efi

The related threads show that the initramfs and vmlinuz files that should be in /boot for the Fedora 36 kernels were placed in /boot/efi/xxxxxx (where xxxxxx is a long number representing the machine ID). Thus grub is not properly seeing the kernel updates and the newer kernels are unusable.

The apparent fix so far has been to completely remove the directory /boot/efi/xxxxxx with sudo rm -rf /boot/efi/xxxxxx, then sudo dnf reinstall kernel* so the new files are properly placed and grub updates the kernel list properly.

This is one related thread: F36 kernel won't install due to running out of space in /boot/efi, and here is another: F36 - New kernels not found in bootloader
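
Before deleting anything under /boot/efi it is worth confirming which of the symptoms above actually apply. The script below is an added example, not something posted in this thread; its function names and the check_live_system helper are its own. It checks, for each installed kernel version, that vmlinuz and initramfs exist in /boot, that a BootLoaderSpec snippet exists under /boot/loader/entries (this is how Fedora's grub enumerates kernels; a kernel without one does not appear in the menu even if its files are in place), and whether kernel files ended up under /boot/efi/<machine-id>/ instead.

```shell
#!/bin/sh
# Added example, not from the thread: verify that the kernels dnf reports as
# installed have their files where grub expects them, and whether any landed
# under /boot/efi/<machine-id>/ instead.  Function names are this example's own.

# check_kernel_files BOOT_DIR VERSION...
# Prints every vmlinuz/initramfs file missing from BOOT_DIR; returns 1 if any.
check_kernel_files() {
    boot=$1; shift
    rc=0
    for ver in "$@"; do
        for f in "vmlinuz-$ver" "initramfs-$ver.img"; do
            if [ ! -e "$boot/$f" ]; then
                echo "missing: $boot/$f"
                rc=1
            fi
        done
    done
    return $rc
}

# check_bls_entries BOOT_DIR MACHINE_ID VERSION...
# Fedora's grub lists kernels from BootLoaderSpec snippets named
# BOOT_DIR/loader/entries/<machine-id>-<version>.conf; a kernel without one
# is invisible to the boot menu even when vmlinuz is present.
check_bls_entries() {
    boot=$1; mid=$2; shift 2
    rc=0
    for ver in "$@"; do
        entry="$boot/loader/entries/$mid-$ver.conf"
        if [ ! -e "$entry" ]; then
            echo "no boot entry: $entry"
            rc=1
        fi
    done
    return $rc
}

# stray_efi_kernels BOOT_DIR MACHINE_ID
# Lists kernel files that ended up in BOOT_DIR/efi/<machine-id>/ (the
# misplacement described in the thread); returns 0 if any were found, 1 if not.
stray_efi_kernels() {
    d="$1/efi/$2"
    found=1
    [ -d "$d" ] || return 1
    for f in "$d"/vmlinuz-* "$d"/initramfs-*; do
        [ -e "$f" ] || continue
        echo "stray kernel file: $f"
        found=0
    done
    return $found
}

# check_live_system: run all three checks against the real machine (Fedora).
# Returns 1 if anything is wrong, 0 if every installed kernel is bootable.
check_live_system() {
    mid=$(cat /etc/machine-id)
    # Installed kernel versions in the same form that uname -r prints.
    set -- $(rpm -q --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n' kernel-core)
    echo "running kernel: $(uname -r)  installed: $*"
    status=0
    check_kernel_files /boot "$@" || status=1
    check_bls_entries /boot "$mid" "$@" || status=1
    if stray_efi_kernels /boot "$mid"; then status=1; fi
    return $status
}
```

Source the file and call the live check, e.g. . ./check_boot.sh && check_live_system (file name hypothetical). A stale 5.12 kernel still being booted while 5.17 files exist in /boot points at the boot entry rather than the kernel files, which is what the second check isolates.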

touch /.autorelabel ; reboot was the last command I could run on my just-upgraded system.
Since then I can't log in anymore.
Symptom: After a correct login attempt (GUI), the system immediately asks for the login again. With a wrong password, the system asks for the correct password.
Trying to boot the rescue system, the boot process fails. It can't perform a 'sulogin'.
Question: Could this be a consequence of restorecon and autorelabel?
Question 2: Unfortunately I've removed old kernels and symlinks, as described in DNF System Upgrade :: Fedora Docs. I can't guarantee that I had verified this with a reboot of my own. Should I start a thread of my own for this?

Yes. This is worth a dedicated thread. When opening a new thread, add the information whether you saw the autorelabel (so, after the reboot, did you see that the autorelabel took place?). Also, did you first upgrade, and then do the autorelabel after the upgrade and its reboot? So, did Fedora 36 work after the upgrade's reboot and before the autorelabel?

Concerning the old kernels and symlinks, you should always reboot and test if the new system boots and works properly before deleting obsolete/old things.

Also, there is a paragraph in the Quick Docs page (so, the DNF upgrade page you mentioned) about SELinux issues: paragraph “Relabel files with the latest SELinux policy”. You may check this first.

Btw, you could also add some logs including from the moments you unsuccessfully tried to log in.

Supplement: If SELinux is the issue, you can find out and make your system let you login again by changing the file /etc/selinux/config → within the file, change SELINUX=enforcing to SELINUX=permissive

You can do the modification by using a live system or similar. Be aware that this disables SELinux and is only intended to enable us to repair the system. It is not a good idea to keep SELinux disabled because it is an important and critical element of Fedora's security architecture. If your system still does not allow you to log in after you changed the config and rebooted, the origin is not SELinux.

These are the files in /boot:

config-5.17.7-300.fc36.x86_64
config-5.17.8-300.fc36.x86_64
efi
elf-memtest86+-5.31
extlinux
grub2
initramfs-0-rescue-b5aecdd710d14ca682224c6ca7250831.img
initramfs-5.17.7-300.fc36.x86_64.img
initramfs-5.17.8-300.fc36.x86_64.img
loader
memtest86+-5.31
symvers-5.17.7-300.fc36.x86_64.gz
symvers-5.17.8-300.fc36.x86_64.gz
System.map-5.17.7-300.fc36.x86_64
System.map-5.17.8-300.fc36.x86_64
vmlinuz-0-rescue-b5aecdd710d14ca682224c6ca7250831
vmlinuz-5.17.7-300.fc36.x86_64
vmlinuz-5.17.8-300.fc36.x86_64

and in /boot/efi:

$RECYCLE.BIN
EFI
mach_kernel
Recovery
Recovery.txt
System
System Volume Information

What do you think? I find it weird that I'm stuck with an F34 kernel if the problem came when upgrading from F35 to F36.
I'm waiting to see what you think of the files shown above before running the two commands you recommend; they look a bit dangerous ;-) (even if I have recent backups)