SELinux is preventing /usr/libexec/rtkit-daemon from sys_ptrace access on the cap_userns labeled rtkit_daemon_t. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that rtkit-daemon should be allowed sys_ptrace access on cap_userns labeled rtkit_daemon_t by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'rtkit-daemon' --raw | audit2allow -M my-rtkitdaemon # semodule -X 300 -i my-rtkitdaemon.pp Additional Information: Source Context system_u:system_r:rtkit_daemon_t:s0 Target Context system_u:system_r:rtkit_daemon_t:s0 Target Objects Unknown [ cap_userns ] Source rtkit-daemon Source Path /usr/libexec/rtkit-daemon Port Host localhost.localdomain Source RPM Packages rtkit-0.11-19.el8.x86_64 Target RPM Packages SELinux Policy RPM selinux-policy-targeted-3.14.3-54.el8_3.2.noarch Local Policy RPM selinux-policy-targeted-3.14.3-54.el8_3.2.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name localhost.localdomain Platform Linux localhost.localdomain 4.18.0-240.el8.x86_64 #1 SMP Fri Jan 15 11:48:38 MSK 2021 x86_64 x86_64 Alert Count 1 First Seen 2021-02-24 16:26:23 EST Last Seen 2021-02-24 16:26:23 EST Local ID 63cbf820-d877-4a0b-bc7d-01ca06260689 Raw Audit Messages type=AVC msg=audit(1614201983.930:203): avc: denied { sys_ptrace } for pid=911 comm="rtkit-daemon" capability=19 scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=cap_userns permissive=0 type=SYSCALL msg=audit(1614201983.930:203): arch=x86_64 syscall=readlink success=no exit=EACCES a0=7ffded68de30 a1=7ffded68dfa0 a2=7f a3=0 items=0 ppid=1 pid=911 auid=4294967295 uid=172 gid=172 euid=172 suid=172 fsuid=172 egid=172 sgid=172 fsgid=172 tty=(none) ses=4294967295 comm=rtkit-daemon exe=/usr/libexec/rtkit-daemon subj=system_u:system_r:rtkit_daemon_t:s0 key=(null) Hash: rtkit-daemon,rtkit_daemon_t,rtkit_daemon_t,cap_userns,sys_ptrace