found 4 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/tlshd from write access on the directory source.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that tlshd should be allowed write access on the source directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'tlshd' --raw | audit2allow -M my-tlshd
# semodule -X 300 -i my-tlshd.pp

Additional Information:
Source Context                system_u:system_r:ktlshd_t:s0
Target Context                system_u:object_r:cert_t:s0
Target Objects                source [ dir ]
Source                        tlshd
Source Path                   /usr/sbin/tlshd
Port
Host
Source RPM Packages           ktls-utils-1.2.1-2.el10.x86_64
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-42.1.7-1.el10.noarch
Local Policy RPM              selinux-policy-targeted-42.1.7-1.el10.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     dell-per660-21.rhts.eng.pek2.redhat.com
Platform                      Linux dell-per660-21.rhts.eng.pek2.redhat.com 6.12.0-142.el10.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Oct 16 09:11:30 EDT 2025 x86_64
Alert Count                   1
First Seen                    2025-10-23 23:09:53 EDT
Last Seen                     2025-10-23 23:09:53 EDT
Local ID                      956a2baa-138a-4b5c-a041-bd1a15b9c3d9

Raw Audit Messages
type=AVC msg=audit(1761275393.108:359): avc: denied { write } for pid=28727 comm="tlshd" name="source" dev="dm-0" ino=150996217 scontext=system_u:system_r:ktlshd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1

type=SYSCALL msg=audit(1761275393.108:359): arch=x86_64 syscall=access success=yes exit=0 a0=55fc5db65b20 a1=2 a2=0 a3=0 items=0 ppid=28715 pid=28727 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=tlshd exe=/usr/sbin/tlshd subj=system_u:system_r:ktlshd_t:s0 key=(null)ARCH=x86_64 SYSCALL=access AUID=unset UID=root GID=root EUID=root SUID=root FSUID=root EGID=root SGID=root FSGID=root

Hash: tlshd,ktlshd_t,cert_t,dir,write

--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/tlshd from map access on the file /etc/pki/ca-trust/source/README.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow domain to can mmap files
Then you must tell SELinux about this by enabling the 'domain_can_mmap_files' boolean.

Do
setsebool -P domain_can_mmap_files 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that tlshd should be allowed map access on the README file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'tlshd' --raw | audit2allow -M my-tlshd
# semodule -X 300 -i my-tlshd.pp

Additional Information:
Source Context                system_u:system_r:ktlshd_t:s0
Target Context                system_u:object_r:cert_t:s0
Target Objects                /etc/pki/ca-trust/source/README [ file ]
Source                        tlshd
Source Path                   /usr/sbin/tlshd
Port
Host
Source RPM Packages           ktls-utils-1.2.1-2.el10.x86_64
Target RPM Packages           ca-certificates-2025.2.80_v9.0.305-101.el10.noarch
SELinux Policy RPM            selinux-policy-targeted-42.1.7-1.el10.noarch
Local Policy RPM              selinux-policy-targeted-42.1.7-1.el10.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     dell-per660-21.rhts.eng.pek2.redhat.com
Platform                      Linux dell-per660-21.rhts.eng.pek2.redhat.com 6.12.0-142.el10.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Oct 16 09:11:30 EDT 2025 x86_64
Alert Count                   1
First Seen                    2025-10-23 23:09:53 EDT
Last Seen                     2025-10-23 23:09:53 EDT
Local ID                      bc06079d-bf64-4223-ad37-5d8927e23d45

Raw Audit Messages
type=AVC msg=audit(1761275393.108:360): avc: denied { map } for pid=28727 comm="tlshd" path="/etc/pki/ca-trust/source/README" dev="dm-0" ino=150996218 scontext=system_u:system_r:ktlshd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1

type=SYSCALL msg=audit(1761275393.108:360): arch=x86_64 syscall=mmap success=yes exit=140121122963456 a0=0 a1=3a4 a2=1 a3=2 items=0 ppid=28715 pid=28727 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=tlshd exe=/usr/sbin/tlshd subj=system_u:system_r:ktlshd_t:s0 key=(null)ARCH=x86_64 SYSCALL=mmap AUID=unset UID=root GID=root EUID=root SUID=root FSUID=root EGID=root SGID=root FSGID=root

Hash: tlshd,ktlshd_t,cert_t,file,map

--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/tlshd from map access on the file /etc/pki/ca-trust/source/dell-per660-21.rhts.eng.pek2.redhat.com.1.p11-kit.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow domain to can mmap files
Then you must tell SELinux about this by enabling the 'domain_can_mmap_files' boolean.

Do
setsebool -P domain_can_mmap_files 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that tlshd should be allowed map access on the dell-per660-21.rhts.eng.pek2.redhat.com.1.p11-kit file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'tlshd' --raw | audit2allow -M my-tlshd
# semodule -X 300 -i my-tlshd.pp

Additional Information:
Source Context                system_u:system_r:ktlshd_t:s0
Target Context                unconfined_u:object_r:cert_t:s0
Target Objects                /etc/pki/ca-trust/source/dell-per660-21.rhts.eng.pek2.redhat.com.1.p11-kit [ file ]
Source                        tlshd
Source Path                   /usr/sbin/tlshd
Port
Host
Source RPM Packages           ktls-utils-1.2.1-2.el10.x86_64
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-42.1.7-1.el10.noarch
Local Policy RPM              selinux-policy-targeted-42.1.7-1.el10.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     dell-per660-21.rhts.eng.pek2.redhat.com
Platform                      Linux dell-per660-21.rhts.eng.pek2.redhat.com 6.12.0-142.el10.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Oct 16 09:11:30 EDT 2025 x86_64
Alert Count                   1
First Seen                    2025-10-23 23:09:53 EDT
Last Seen                     2025-10-23 23:09:53 EDT
Local ID                      503bed3d-e578-48bf-a76f-6b7e21787c1c

Raw Audit Messages
type=AVC msg=audit(1761275393.109:361): avc: denied { map } for pid=28727 comm="tlshd" path="/etc/pki/ca-trust/source/dell-per660-21.rhts.eng.pek2.redhat.com.1.p11-kit" dev="dm-0" ino=151105883 scontext=system_u:system_r:ktlshd_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file permissive=1

type=SYSCALL msg=audit(1761275393.109:361): arch=x86_64 syscall=mmap success=yes exit=140121121976320 a0=0 a1=2220 a2=1 a3=2 items=0 ppid=28715 pid=28727 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=tlshd exe=/usr/sbin/tlshd subj=system_u:system_r:ktlshd_t:s0 key=(null)ARCH=x86_64 SYSCALL=mmap AUID=unset UID=root GID=root EUID=root SUID=root FSUID=root EGID=root SGID=root FSGID=root

Hash: tlshd,ktlshd_t,cert_t,file,map

--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/tlshd from write access on the key labeled kernel_t.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that tlshd should be allowed write access on key labeled kernel_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'tlshd' --raw | audit2allow -M my-tlshd
# semodule -X 300 -i my-tlshd.pp

Additional Information:
Source Context                system_u:system_r:ktlshd_t:s0
Target Context                system_u:system_r:kernel_t:s0
Target Objects                Unknown [ key ]
Source                        tlshd
Source Path                   /usr/sbin/tlshd
Port
Host
Source RPM Packages           ktls-utils-1.2.1-2.el10.x86_64
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-42.1.7-1.el10.noarch
Local Policy RPM              selinux-policy-targeted-42.1.7-1.el10.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     dell-per660-21.rhts.eng.pek2.redhat.com
Platform                      Linux dell-per660-21.rhts.eng.pek2.redhat.com 6.12.0-142.el10.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Oct 16 09:11:30 EDT 2025 x86_64
Alert Count                   1
First Seen                    2025-10-23 23:09:53 EDT
Last Seen                     2025-10-23 23:09:53 EDT
Local ID                      a1ffcb9f-a11c-4855-94dc-22c7ffe91d0b

Raw Audit Messages
type=AVC msg=audit(1761275393.169:362): avc: denied { write } for pid=28727 comm="tlshd" scontext=system_u:system_r:ktlshd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=1

type=SYSCALL msg=audit(1761275393.169:362): arch=x86_64 syscall=add_key success=no exit=ENOPKG a0=55fc3e7831ab a1=7fffe0494c30 a2=55fc5ebac5b0 a3=15fe items=0 ppid=28715 pid=28727 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=tlshd exe=/usr/sbin/tlshd subj=system_u:system_r:ktlshd_t:s0 key=(null)ARCH=x86_64 SYSCALL=add_key AUID=unset UID=root GID=root EUID=root SUID=root FSUID=root EGID=root SGID=root FSGID=root

Hash: tlshd,ktlshd_t,kernel_t,key,write