alexsec
December 2, 2025, 12:34am
1
This message appears more than 10-20 times on every system startup after I installed cockpit from the repos.
sedispatch[1041]: Connection Error (Failed to connect to socket /run/dbus/system_bus_socket: No such file or directory): AVC Will be dropped
cockpit is working OK when configuring the system it’s installed on, although it’s complaining about a non-trusted encryption certificate. I guess this is why I also get the following message for about 10 times before a connection is made:
cockpit-tls[7524]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
I haven’t tried any remote access yet.
Can you give me any information about the messages above please?
@alexsec Hi from the sedispatch man page…
sedispatch is audit dispatcher. It scans audit messages for SELinux AVC messages, formats them into a dbus message and sends it to setroubleshootd
Install setroubleshoot-server package, they should disappear, it’s useful for Cockpit as well to see the SELinux issues…
1 Like
@malcolmlewis
It seems like setroubleshoot-server is already installed.
user@TurboX:~> zypper search setroubleshoot
Note: Repository 'Packman Repository' is out-of-date. You can run 'zypper refresh' as root to
update it.
Loading repository data...
Reading installed packages...
S | Name | Summary | Type
---+-----------------------------+-------------------------------------------------+--------
| setroubleshoot | Helps troubleshoot SELinux problems | package
| setroubleshoot-doc | Setroubleshoot documentation | package
i | setroubleshoot-plugins | Helps troubleshoot SELinux problems | package
i | setroubleshoot-plugins-lang | Translations for package setroubleshoot-plugins | package
i | setroubleshoot-server | SELinux troubleshoot server | package
@malcolmlewis
I don’t see it in the Task Manager. Probably not.
@malcolmlewis
Do I start it using systemctl enable --now setroubleshoot-server?
@malcolmlewis
Sorry. I guess, after some google search, I found I should have searched for setroubleshootd.
And it is inactive. So I guess I should run systemctl enable --now setroubleshootd to start it.
Is this correct?
@malcolmlewis
I didn’t work unfortunately. These are the results.
TurboX:~ # systemctl enable --now setroubleshootd
The unit files have no installation config (WantedBy=, RequiredBy=, UpheldBy=,
Also=, or Alias= settings in the [Install] section, and DefaultInstance= for
template units). This means they are not meant to be enabled or disabled using systemctl.
Possible reasons for having these kinds of units are:
• A unit may be statically enabled by being symlinked from another unit's
.wants/, .requires/, or .upholds/ directory.
• A unit's purpose may be to act as a helper for some other unit which has
a requirement dependency on it.
• A unit may be started when needed via activation (socket, path, timer,
D-Bus, udev, scripted systemctl call, ...).
• In case of template units, the unit is meant to be enabled with some
instance name specified.
The service has remained inactive.
@alexsec Hi, ok it starts when Cockpit connects… Now, I’m using the flatpak version on one system to connect to other systems… I don’t see any of those sedispatch items, perhaps because I’m not running the rpm version on any system…
Is the cockpit web server running/enabled?
alexsec
December 2, 2025, 3:50am
11
@malcolmlewis
If you mean the Cockpit Web Service, not at this moment but it gets started automatically by cockpit.socket every time a connection is made and I see it closing automatically again, a few seconds after I close the cockpit window on my browser.
So when it’s running if you check the setroubleshootd service, is that running?
alexsec
December 2, 2025, 4:01am
13
@malcolmlewis
OK, right now I’m connected and the Cockpit Web Service is active, but setroubleshootd.service remains inactive.
What cockpit packages are installed?
alexsec
December 2, 2025, 4:16am
15
@malcolmlewis
user@TurboX:~> zypper search --installed-only cockpit
Loading repository data...
Reading installed packages...
S | Name | Summary | Type
---+------------------------+------------------------------------------------------------------------------+--------
i | cockpit | Web Console for Linux servers | package
i+ | cockpit | Pattern for Cockpit, a web based remote system management interface | pattern
i | cockpit-bridge | Cockpit bridge server-side component | package
i | cockpit-firewalld | Allows Cockpit access through the firewall | package
i | cockpit-networkmanager | Cockpit user interface for networking, using NetworkManager | package
i | cockpit-packagekit | Cockpit user interface for packages | package
i | cockpit-packages | A cockpit module for (un)installing packages | package
i | cockpit-repos | A Cockpit module for managing system repositories | package
i | cockpit-selinux | Cockpit SELinux package | package
i | cockpit-storaged | Cockpit user interface for storage, using udisks | package
i | cockpit-system | Cockpit admin interface package for configuring and troubleshooting a system | package
i | cockpit-ws | Cockpit Web Service | package
i | cockpit-ws-selinux | SELinux security policy for cockpit-ws | package
i+ | patterns-cockpit | Pattern for Cockpit, a web based remote system management interface | package
alexsec
December 2, 2025, 4:29am
17
@arvidjaar
TurboX:~ # ausearch -m avc -ts boot
----
time->Mon Dec 1 23:10:21 2025
type=AVC msg=audit(1764623421.255:119): apparmor="STATUS" operation="profile_load" profile="unconfined" name="dovecot-deliver" pid=1043 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:21 2025
type=AVC msg=audit(1764623421.403:120): apparmor="STATUS" operation="profile_load" profile="unconfined" name="dovecot-director" pid=1045 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:21 2025
type=AVC msg=audit(1764623421.437:121): apparmor="STATUS" operation="profile_load" profile="unconfined" name="dovecot-doveadm-server" pid=1069 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:21 2025
type=AVC msg=audit(1764623421.646:122): apparmor="STATUS" operation="profile_load" profile="unconfined" name="dovecot-dovecot-auth" pid=1070 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:22 2025
type=AVC msg=audit(1764623422.356:123): apparmor="STATUS" operation="profile_load" profile="unconfined" name="dovecot-imap" pid=1074 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:22 2025
type=AVC msg=audit(1764623422.704:124): apparmor="STATUS" operation="profile_load" profile="unconfined" name="dovecot-dovecot-lda" pid=1072 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:22 2025
type=AVC msg=audit(1764623422.704:125): apparmor="STATUS" operation="profile_load" profile="unconfined" name="dovecot-dovecot-lda//sendmail" pid=1072 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:22 2025
type=AVC msg=audit(1764623422.906:126): apparmor="STATUS" operation="profile_load" profile="unconfined" name="dovecot-lmtp" pid=1079 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:23 2025
type=AVC msg=audit(1764623423.170:127): apparmor="STATUS" operation="profile_load" profile="unconfined" name="dovecot-imap-login" pid=1075 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:23 2025
type=AVC msg=audit(1764623423.285:128): apparmor="STATUS" operation="profile_load" profile="unconfined" name="dovecot-managesieve" pid=1081 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:23 2025
type=AVC msg=audit(1764623423.344:129): apparmor="STATUS" operation="profile_load" profile="unconfined" name="dovecot-log" pid=1080 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:23 2025
type=AVC msg=audit(1764623423.569:130): apparmor="STATUS" operation="profile_load" profile="unconfined" name="dovecot-managesieve-login" pid=1082 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:23 2025
type=AVC msg=audit(1764623423.676:131): apparmor="STATUS" operation="profile_load" profile="unconfined" name="dovecot-pop3" pid=1083 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:23 2025
type=AVC msg=audit(1764623423.968:132): apparmor="STATUS" operation="profile_load" profile="unconfined" name="dovecot-pop3-login" pid=1084 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:24 2025
type=AVC msg=audit(1764623424.151:133): apparmor="STATUS" operation="profile_load" profile="unconfined" name="dovecot-replicator" pid=1085 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:24 2025
type=AVC msg=audit(1764623424.319:134): apparmor="STATUS" operation="profile_load" profile="unconfined" name="dovecot-script-login" pid=1089 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:24 2025
type=AVC msg=audit(1764623424.362:135): apparmor="STATUS" operation="profile_load" profile="unconfined" name="dovecot-ssl-params" pid=1095 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:24 2025
type=AVC msg=audit(1764623424.473:136): apparmor="STATUS" operation="profile_load" profile="unconfined" name="dovecot-stats" pid=1099 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:25 2025
type=AVC msg=audit(1764623425.057:139): apparmor="STATUS" operation="profile_load" profile="unconfined" name="apache2" pid=1103 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:25 2025
type=AVC msg=audit(1764623425.057:140): apparmor="STATUS" operation="profile_load" profile="unconfined" name="apache2//DEFAULT_URI" pid=1103 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:25 2025
type=AVC msg=audit(1764623425.057:141): apparmor="STATUS" operation="profile_load" profile="unconfined" name="apache2//HANDLING_UNTRUSTED_INPUT" pid=1103 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:25 2025
type=AVC msg=audit(1764623425.057:142): apparmor="STATUS" operation="profile_load" profile="unconfined" name="apache2//phpsysinfo" pid=1103 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:25 2025
type=AVC msg=audit(1764623425.346:143): apparmor="STATUS" operation="profile_load" profile="unconfined" name="avahi-daemon" pid=1115 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:25 2025
type=AVC msg=audit(1764623425.883:145): apparmor="STATUS" operation="profile_load" profile="unconfined" name="dnsmasq" pid=1123 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:25 2025
type=AVC msg=audit(1764623425.883:146): apparmor="STATUS" operation="profile_load" profile="unconfined" name="dnsmasq//libvirt_leaseshelper" pid=1123 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:25 2025
type=AVC msg=audit(1764623425.979:147): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/libexec/snapd/snap-confine" pid=1102 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:25 2025
type=AVC msg=audit(1764623425.979:148): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/libexec/snapd/snap-confine//mount-namespace-capture-helper" pid=1102 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:26 2025
type=AVC msg=audit(1764623426.532:150): apparmor="STATUS" operation="profile_load" profile="unconfined" name="identd" pid=1130 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:26 2025
type=AVC msg=audit(1764623426.710:151): apparmor="STATUS" operation="profile_load" profile="unconfined" name="dovecot" pid=1128 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:26 2025
type=AVC msg=audit(1764623426.794:152): apparmor="STATUS" operation="profile_load" profile="unconfined" name="mdnsd" pid=1132 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:26 2025
type=AVC msg=audit(1764623426.949:153): apparmor="STATUS" operation="profile_load" profile="unconfined" name="nmbd" pid=1134 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:27 2025
type=AVC msg=audit(1764623427.102:154): apparmor="STATUS" operation="profile_load" profile="unconfined" name="nscd" pid=1135 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:27 2025
type=AVC msg=audit(1764623427.300:155): apparmor="STATUS" operation="profile_load" profile="unconfined" name="ntpd" pid=1136 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:27 2025
type=AVC msg=audit(1764623427.555:156): apparmor="STATUS" operation="profile_load" profile="unconfined" name="smbd" pid=1137 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:27 2025
type=AVC msg=audit(1764623427.720:157): apparmor="STATUS" operation="profile_load" profile="unconfined" name="traceroute" pid=1139 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:27 2025
type=AVC msg=audit(1764623427.731:158): apparmor="STATUS" operation="profile_load" profile="unconfined" name="smbldap-useradd" pid=1138 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:27 2025
type=AVC msg=audit(1764623427.731:159): apparmor="STATUS" operation="profile_load" profile="unconfined" name="smbldap-useradd///etc/init.d/nscd" pid=1138 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:28 2025
type=AVC msg=audit(1764623428.015:160): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/{bin,sbin}/updatedb" pid=1140 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:28 2025
type=AVC msg=audit(1764623428.021:161): apparmor="STATUS" operation="profile_load" profile="unconfined" name="winbindd" pid=1141 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:28 2025
type=AVC msg=audit(1764623428.035:162): apparmor="STATUS" operation="profile_load" profile="unconfined" name="uwsgi-core" pid=1144 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:28 2025
type=AVC msg=audit(1764623428.055:163): apparmor="STATUS" operation="profile_load" profile="unconfined" name="virtiofsd" pid=1146 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:28 2025
type=AVC msg=audit(1764623428.062:164): apparmor="STATUS" operation="profile_load" profile="unconfined" name="vdens" pid=1145 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:28 2025
type=AVC msg=audit(1764623428.062:165): apparmor="STATUS" operation="profile_load" profile="unconfined" name="vivaldi-bin" pid=1147 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:28 2025
type=AVC msg=audit(1764623428.070:166): apparmor="STATUS" operation="profile_load" profile="unconfined" name="vpnns" pid=1148 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:28 2025
type=AVC msg=audit(1764623428.082:167): apparmor="STATUS" operation="profile_load" profile="unconfined" name="wpcom" pid=1150 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:28 2025
type=AVC msg=audit(1764623428.091:168): apparmor="STATUS" operation="profile_load" profile="unconfined" name="wike" pid=1149 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:28 2025
type=AVC msg=audit(1764623428.185:169): apparmor="STATUS" operation="profile_load" profile="unconfined" name="zgrep" pid=1151 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:28 2025
type=AVC msg=audit(1764623428.185:170): apparmor="STATUS" operation="profile_load" profile="unconfined" name="zgrep//helper" pid=1151 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:28 2025
type=AVC msg=audit(1764623428.185:171): apparmor="STATUS" operation="profile_load" profile="unconfined" name="zgrep//sed" pid=1151 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:30 2025
type=AVC msg=audit(1764623430.664:173): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/snap/snapd/25577/usr/lib/snapd/snap-confine" pid=1170 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:30 2025
type=AVC msg=audit(1764623430.664:174): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/snap/snapd/25577/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=1170 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:30 2025
type=AVC msg=audit(1764623430.688:175): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/snap/snapd/25202/usr/lib/snapd/snap-confine" pid=1169 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:30 2025
type=AVC msg=audit(1764623430.688:176): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/snap/snapd/25202/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=1169 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:39 2025
type=AVC msg=audit(1764623439.962:258): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/libexec/snapd/snap-confine" pid=1393 comm="apparmor_parser"
----
time->Mon Dec 1 23:10:39 2025
type=AVC msg=audit(1764623439.973:259): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/libexec/snapd/snap-confine//mount-namespace-capture-helper" pid=1393 comm="apparmor_parser"
TurboX:~ #
So, you do not really use SELinux and the message comes exactly from the tool that attempts to forward the audit log to the setroubleshootd. Educated guess is that setroublelshootd refuses to start because SELinux is not active.
If this message bothers you, uninstall setroubleshoot-server or find out how to disable sedispatch invocation.
1 Like