Type: Bug
Resolution: Unresolved
Priority: Minor
Affects Version: CentOS Stream 10
rhel-security-selinux, ssg_security
Doc Type: Release Note Not Required
What were you trying to do that didn't work?
Using systemd's run0 instead of sudo to invoke dnf
What is the impact of this issue to you?
I cannot use run0 as a sudo replacement, which is inconvenient as someone who tests systemd, without disabling selinux (which I would rather not do)
Please provide the package NVR for which the bug is seen:
$ rpm -q selinux-policy systemd
selinux-policy-40.13.22-1.el10.noarch
systemd-257-3.el10.aarch64
How reproducible is this bug?:
Always
Steps to reproduce
- run0 dnf --help
Expected results
DNF help information printed
Actual results
Nothing printed, the shell prompt reappears, SELinux Troubleshooter popped up
SELinux is preventing /usr/lib/systemd/systemd-executor from entrypoint access on the file /usr/bin/dnf-3.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that systemd-executor should be allowed entrypoint access on the dnf-3 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c '(dnf)' --raw | audit2allow -M my-dnf
# semodule -X 300 -i my-dnf.pp
Additional Information:
Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context system_u:object_r:rpm_exec_t:s0
Target Objects /usr/bin/dnf-3 [ file ]
Source (dnf)
Source Path /usr/lib/systemd/systemd-executor
Port <Unknown>
Host localhost.localdomain
Source RPM Packages systemd-257-3.el10.aarch64
Target RPM Packages python3-dnf-4.20.0-10.el10.noarch
SELinux Policy RPM selinux-policy-targeted-40.13.22-1.el10.noarch
Local Policy RPM selinux-policy-targeted-40.13.22-1.el10.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 6.12.0-43.el10.aarch64 #1 SMP PREEMPT_DYNAMIC Mon Jan 20 13:13:13 UTC 2025 aarch64
Alert Count 1
First Seen 2025-02-11 15:31:13 CST
Last Seen 2025-02-11 15:31:13 CST
Local ID ef7cca0b-312f-429b-aed1-59c2012c5721
Raw Audit Messages
type=AVC msg=audit(1739309473.598:254): avc: denied { entrypoint } for pid=5806 comm="(dnf)" path="/usr/bin/dnf-3" dev="dm-1" ino=134353653 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1739309473.598:254): arch=aarch64 syscall=execve success=no exit=EACCES a0=aaaae6fe5080 a1=aaaae6fe5ea0 a2=aaaae700a680 a3=1 items=0 ppid=1 pid=5806 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=7 comm=(dnf) exe=/usr/lib/systemd/systemd-executor subj=system_u:system_r:init_t:s0 key=(null)
Hash: (dnf),unconfined_t,rpm_exec_t,file,entrypoint
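As an added example (not part of the report or of setroubleshoot), the following Python decoder reads the two audit records above, joins them by event serial, and makes the cause of the denial explicit: the SYSCALL record shows execve was called by systemd-executor running as init_t, while the AVC scontext is the caller's unconfined_t, so the exec changes domain and the kernel checks entrypoint on the rpm_exec_t executable for the new domain. The SYSCALL line is abridged to the fields the decoder uses.

```python
import re

# Audit records copied from the report above (SYSCALL record abridged).
AVC_LINE = ('type=AVC msg=audit(1739309473.598:254): avc: denied { entrypoint } '
            'for pid=5806 comm="(dnf)" path="/usr/bin/dnf-3" dev="dm-1" ino=134353653 '
            'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
            'tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file permissive=0')
SYSCALL_LINE = ('type=SYSCALL msg=audit(1739309473.598:254): arch=aarch64 syscall=execve '
                'success=no exit=EACCES ppid=1 pid=5806 uid=0 comm=(dnf) '
                'exe=/usr/lib/systemd/systemd-executor subj=system_u:system_r:init_t:s0 key=(null)')

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="value"
DENIED_RE = re.compile(r'denied\s*\{([^}]*)\}')      # the { perm perm ... } set
SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')  # event serial after the timestamp


def parse_record(line):
    """Split one audit record into a dict of fields, plus serial and denied permissions."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = SERIAL_RE.search(line)
    fields["serial"] = int(m.group(1)) if m else None
    m = DENIED_RE.search(line)
    fields["permissions"] = m.group(1).split() if m else []
    return fields


def context_type(ctx):
    """Return the type component of a user:role:type[:range] SELinux context."""
    return ctx.split(":")[2]


def explain_avc(avc_line, syscall_line):
    """Pair an AVC record with its SYSCALL record and describe the denied access."""
    avc, sc = parse_record(avc_line), parse_record(syscall_line)
    if avc["serial"] != sc["serial"]:
        raise ValueError("AVC and SYSCALL records belong to different audit events")
    src, tgt = context_type(avc["scontext"]), context_type(avc["tcontext"])
    caller = context_type(sc["subj"])  # domain of the process that issued execve
    return {
        "permissions": avc["permissions"],
        "source_type": src,             # domain the new process was to run in
        "target_type": tgt,             # type of the executable being entered
        "tclass": avc["tclass"],
        "caller_type": caller,
        "domain_changed": caller != src,  # entrypoint is checked on a domain change
        "enforced": avc.get("permissive") == "0" and sc.get("success") == "no",
        "allow_rule": f"allow {src} {tgt}:{avc['tclass']} {' '.join(avc['permissions'])};",
    }


if __name__ == "__main__":
    for key, value in explain_avc(AVC_LINE, SYSCALL_LINE).items():
        print(f"{key:15} {value}")
```

The allow_rule string is the rule audit2allow would derive from the same AVC; whether it belongs in the distribution policy or the unconfined domain should reach rpm_exec_t some other way is the question this bug raises for selinux-policy.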