Bug ID 1210140
Summary [SELinux] can't install cockpit
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee security-team@suse.de
Reporter filippo.bonazzi@suse.com
QA Contact security-team@suse.de
Found By ---
Blocker ---

Created attachment 866127
SELinux AVCs

Operating System: openSUSE MicroOS
SELinux status, mode and policy name: enabled, enforcing, targeted
SELinux policy version and repository:
Repository     : openSUSE-Tumbleweed-Oss
Name           : selinux-policy-targeted
Version        : 20230321-1.1
Arch           : noarch
Vendor         : openSUSE
Installed Size : 24.0 MiB
Installed      : Yes (automatically)
Status         : up-to-date
The software (incl. version) that is affected by the SELinux issue and the
error message: cockpit

SELinux Audit log: attached

Any other important details:
This is a fresh MicroOS VM from the qcow2 image [0]. I just created the VM,
started it and added the root user.

I installed cockpit following the instructions from [1]:

```
$ transactional-update pkg install -t pattern microos-cockpit
```

This completed and I rebooted the system. The instructions are evidently not
enough, as many cockpit packages including cockpit are not installed by this,
and of course the cockpit socket is not present and cockpit cannot be started.
Therefore, I launched another transactional update to install cockpit:

```
$ transactional-update pkg install cockpit
```

This now breaks with this error:

```
(4/5) Installing: cockpit-ws-276.1-4.2.x86_64 [...
SELinux:  Could not open policy file <= /etc/selinux/targeted/policy/policy.33:
 Permission denied
/usr/sbin/load_policy:  Can't load policy:  Permission denied
grep: /etc/pam.d/cockpit: No such file or directory
done]
```

There are several AVCs (attached), I'm not sure if they are related.

[0] https://download.opensuse.org/tumbleweed/appliances/openSUSE-MicroOS.x86_64-ContainerHost-kvm-and-xen.qcow2
[1] https://documentation.suse.com/sle-micro/5.3/html/SLE-Micro-all/article-cockpit-slemicro.html

