The problem is resolved with a local selinux module with these extra permissions granted to systemd_resolved_t:
allow systemd_resolved_t init_runtime_t:sock_file create;
allow systemd_resolved_t init_runtime_t:dir watch;

The confusion was caused by [1], or something else that caused the kernel to not print the avc: lines on policy denial. By luck, one of the boot-ups exposed this. Earlier boots might have exposed the lines, but the audit2* commands seem to only process avc: lines after the audit daemon is started, so I might have missed the kernel log entry, because I was assuming that audit2why would have shown me something.

I'm not sure why delaying the service startup by a couple seconds/until after systemd-tmpfiles finishes causes the service bring-up to succeed, so the correct fix is probably more than just adding those two extra permissions, but it works in the meantime.

Best,
Antonio

[1] https://github.com/linux-audit/audit-kernel/issues/17
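The local module build and the kernel-log check that the mail above describes, as an added shell example (not Antonio's own script): the module name, the helper names and the sample kernel-log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the mail: build a local SELinux module with the two
# rules above and pull avc: denials straight from the kernel log, since
# audit2why/audit2allow only see audit-daemon records once auditd is running.
set -eu

MODULE_NAME=local_systemd_resolved   # assumed name for the local module

# Type-enforcement source for exactly the two permissions from the mail.
write_te() {
  cat <<EOF
module $MODULE_NAME 1.0;

require {
    type systemd_resolved_t;
    type init_runtime_t;
    class sock_file create;
    class dir watch;
}

allow systemd_resolved_t init_runtime_t:sock_file create;
allow systemd_resolved_t init_runtime_t:dir watch;
EOF
}

# Keep only avc: denial lines from kernel-log text (dmesg / journalctl -k),
# so early-boot denials can be fed to audit2why regardless of auditd state.
avc_lines() {
  grep -E 'avc: +denied' "$@" || true
}

# Constructed sample of what the kernel prints for the denials in question.
SAMPLE_KLOG='[    3.21] systemd[1]: Starting Network Name Resolution...
[    3.22] audit: type=1400 audit(1700000000.123:4): avc:  denied  { create } for  pid=512 comm="systemd-resolve" name="io.systemd.Resolve" scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=sock_file permissive=0
[    3.23] audit: type=1400 audit(1700000000.124:5): avc:  denied  { watch } for  pid=512 comm="systemd-resolve" path="/run/systemd" scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=0'

# Compile and load the module (needs checkpolicy, policycoreutils and root).
install_module() {
  workdir=$(mktemp -d)
  write_te > "$workdir/$MODULE_NAME.te"
  checkmodule -M -m -o "$workdir/$MODULE_NAME.mod" "$workdir/$MODULE_NAME.te"
  semodule_package -o "$workdir/$MODULE_NAME.pp" -m "$workdir/$MODULE_NAME.mod"
  semodule -i "$workdir/$MODULE_NAME.pp"
  rm -rf "$workdir"
}

case "${1:-}" in
  check)   dmesg | avc_lines | audit2why ;;   # explain this boot's denials
  install) install_module ;;
esac
```

Run `sh script.sh check` first to confirm the denials really are the two in the mail, then `sh script.sh install` to load the module.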