getting "avc: denied" messages in system logs

[Akshaybaisla]

On applying Flatcar recommendations as mentioned in https://www.flatcar.org/docs/latest/setup/security/selinux/ . when checking system logs getting many messages as "avc: denied". what we have to do now?
avc log message-
" localhost kernel: audit: type=1400 audit(1648446800.796:86): avc: denied { bpf } for pid=1 comm="systemd" capability=39 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=0

localhost kernel: audit: type=1400 audit(1648446800.796:91): avc: denied { perfmon } for pid=1 comm="systemd" capability=38 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=0

localhost audit[1]: AVC avc: denied { bpf } for pid=1 comm="systemd" capability=39 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=0 "

[tormath1]

hi @Akshaybaisla thanks for your feedback - this is a known issue: #509 and it should be solved with the next SELinux upgrade.

If these AVC messages are blocking your workload, you can still temporary keep SELinux to permissive mode.

[Akshaybaisla]

hi @tormath1 When SELinux upgrade will be released?

[tormath1]

Hi, upgrade is quite in progress and we mainly wait for this issue: #479 in order to ship more standard SELinux module for handling containers. You can subscribe to the issue to track progress on it.

Can you describe a bit your workload ? As far as I can tell, these errors should not impact it directly.

[tormath1]

Fixed in: flatcar/scripts#917