- Bug
- Resolution: Done-Errata
- Normal
- rhel-9.2.0
- selinux-policy-38.1.28-1.el9
- Moderate
- sst_security_selinux
- ssg_security
- QE ack
- Pass
- Automated
- Release Note Not Required
- All
Description of problem:
- grep ConditionPathExists /usr/lib/systemd/user/restorecond_user.service
ConditionPathExists=/etc/selinux/restorecond_user.conf
Version-Release number of selected component (if applicable):
policycoreutils-3.5-1.el9.x86_64
policycoreutils-dbus-3.5-1.el9.noarch
policycoreutils-devel-3.5-1.el9.x86_64
policycoreutils-gui-3.5-1.el9.noarch
policycoreutils-newrole-3.5-1.el9.x86_64
policycoreutils-python-utils-3.5-1.el9.noarch
policycoreutils-restorecond-3.5-1.el9.x86_64
policycoreutils-sandbox-3.5-1.el9.x86_64
selinux-policy-38.1.11-2.el9_2.noarch
selinux-policy-devel-38.1.11-2.el9_2.noarch
selinux-policy-doc-38.1.11-2.el9_2.noarch
selinux-policy-mls-38.1.11-2.el9_2.noarch
selinux-policy-targeted-38.1.11-2.el9_2.noarch
How reproducible:
- always
Steps to Reproduce:
1. get a RHEL-9.2 machine (targeted policy is active)
2. create a new user that is confined by SELinux (staff_u, user_u - useradd -Z ...)
3. set password for the new user
4. log in as the new user
5. start the restorecond_user service (systemctl --user start restorecond_user.service)
6. search for SELinux denials
Actual results:
type=PROCTITLE msg=audit(04/21/2023 09:46:01.146:401) : proctitle=/usr/sbin/restorecond -u
type=PATH msg=audit(04/21/2023 09:46:01.146:401) : item=0 name=/etc/selinux/restorecond_user.conf inode=17561326 dev=fd:02 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:selinux_config_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(04/21/2023 09:46:01.146:401) : cwd=/home/staff-user
type=SYSCALL msg=audit(04/21/2023 09:46:01.146:401) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0x3 a1=0x561514d3a2e0 a2=0x42 a3=0x0 items=1 ppid=4599 pid=4717 auid=staff-user uid=staff-user gid=staff-user euid=staff-user suid=staff-user fsuid=staff-user egid=staff-user sgid=staff-user fsgid=staff-user tty=(none) ses=3 comm=restorecond exe=/usr/sbin/restorecond subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(04/21/2023 09:46:01.146:401) : avc: denied
----
type=PROCTITLE msg=audit(04/21/2023 09:55:38.472:584) : proctitle=/usr/sbin/restorecond -u
type=PATH msg=audit(04/21/2023 09:55:38.472:584) : item=0 name=/etc/selinux/restorecond_user.conf inode=17561326 dev=fd:02 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:selinux_config_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(04/21/2023 09:55:38.472:584) : cwd=/home/user-user
type=SYSCALL msg=audit(04/21/2023 09:55:38.472:584) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0x3 a1=0x5633587ec2e0 a2=0x42 a3=0x0 items=1 ppid=8974 pid=9096 auid=user-user uid=user-user gid=user-user euid=user-user suid=user-user fsuid=user-user egid=user-user sgid=user-user fsgid=user-user tty=(none) ses=8 comm=restorecond exe=/usr/sbin/restorecond subj=user_u:user_r:user_t:s0 key=(null)
type=AVC msg=audit(04/21/2023 09:55:38.472:584) : avc: denied { watch } for pid=9096 comm=restorecond path=/etc/selinux/restorecond_user.conf dev="vda2" ino=17561326 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=0
Expected results:
- no SELinux denials
- the restorecond_user service runs in enforcing mode
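As an added triage helper (not code from this report or from the selinux-policy project), the script below groups audit records like the ones above by event serial, joins each denied AVC with its SYSCALL record, and emits the audit2allow-style rule the denial corresponds to. The sample records are constructed from this report's: event 584 as reported, the truncated event-401 AVC completed to match its SYSCALL record, and unused fields dropped.

```python
import re
from collections import defaultdict

# Constructed sample modelled on this report's records: event 584 as reported,
# plus an AVC for event 401 completed the same way; unused fields are dropped.
SAMPLE = """\
type=SYSCALL msg=audit(04/21/2023 09:46:01.146:401) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) comm=restorecond exe=/usr/sbin/restorecond subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(04/21/2023 09:46:01.146:401) : avc: denied { watch } for pid=4717 comm=restorecond path=/etc/selinux/restorecond_user.conf dev="vda2" ino=17561326 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(04/21/2023 09:55:38.472:584) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) comm=restorecond exe=/usr/sbin/restorecond subj=user_u:user_r:user_t:s0 key=(null)
type=AVC msg=audit(04/21/2023 09:55:38.472:584) : avc: denied { watch } for pid=9096 comm=restorecond path=/etc/selinux/restorecond_user.conf dev="vda2" ino=17561326 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=0
"""
EVENT_RE = re.compile(r"msg=audit\([^)]*:(\d+)\)")  # trailing number = serial
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value pairs
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]+?)\s*\}")

def parse_audit(text):
    """Group records by event serial: {serial: {record type: fields}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        avc = AVC_RE.search(line)
        if avc:  # only AVC records carry a decision and a permission set
            fields["decision"] = avc.group(1)
            fields["perms"] = sorted(avc.group(2).split())
        events[int(m.group(1))][fields["type"]] = fields
    return dict(events)

def type_of(context):
    """The SELinux type is the third field of user:role:type[:range]."""
    return context.split(":")[2]

def summarize(events):
    """One triage entry per denied AVC, joined with its SYSCALL record."""
    out = []
    for serial, recs in sorted(events.items()):
        avc = recs.get("AVC")
        if not avc or avc.get("decision") != "denied":
            continue
        sc = recs.get("SYSCALL", {})  # absent if the log was filtered to AVC only
        rule = "allow %s %s:%s { %s };" % (type_of(avc["scontext"]),
            type_of(avc["tcontext"]), avc["tclass"], " ".join(avc["perms"]))
        out.append({"serial": serial, "syscall": sc.get("syscall"),
                    "comm": avc.get("comm"), "path": avc.get("path"),
                    "enforced": avc.get("permissive") == "0", "rule": rule})
    return out

if __name__ == "__main__": print(*summarize(parse_audit(SAMPLE)), sep="\n")
```

The emitted rule is what audit2allow would propose for a local module; for this bug the remediation was the policy update shipped as selinux-policy-38.1.28-1.el9 rather than a per-host module.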
Links to:
- RHBA-2023:121166 selinux-policy bug fix and enhancement update