I've seen similar before.
In this case, your script probably wanted to look up information about a user by UID. To
do so, it called each of the NSS modules listed in the passwd: line of /etc/nsswitch.conf.
One of those modules made a D-Bus call to a process confined by init_t, which was allowed.
But the SELinux policy prevented the process within init_t from sending its reply back to
the client running in unconfined_t.
This is basically a bug in the policy:
https://github.com/SELinuxProject/refpolicy/issues/18
If you can reproduce this on Fedora or CentOS Stream then it's worth filing a bug on
Red Hat bugzilla (but of course have a search first to see if this particular behaviour
has been seen before).
As for what you can do to fix it in the short term, the suggested policy from audit2allow
looks OK to me. If you're worried about processes within init_t attacking
certmonger_unconfined_t via D-Bus messages then maybe not... there is a macro,
init_dbus_chat, that you might want to use in order to make your policy module a bit more
declarative...
You might have to go around this loop a few times until your script starts working fully.
At that point you could ask on the SELinux mailing list for advice on how to clean the
policy up properly.
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
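As an added illustration of the two short-term fixes discussed in the reply above (not code from the original message or from the refpolicy project), here is what a small local policy module looks like in each form: the raw allow rules that audit2allow typically emits for this denial, and the same grant expressed through the `init_dbus_chat` interface. The module name, version and the choice of `certmonger_unconfined_t` as the client domain are assumptions for the example; adapt them to the domain in your own AVC denial.

```sepolicy
# local_certmonger_dbus.te -- added example, not part of the original reply.
# Assumed module name/version; the client domain is taken from the reply's scenario.
policy_module(local_certmonger_dbus, 1.0)

gen_require(`
    type init_t;
    type certmonger_unconfined_t;
    class dbus send_msg;
')

# Form 1: what audit2allow usually produces for this denial. It allows the
# reply from init_t back to the client, which is the direction the policy
# currently blocks. Left commented out here so the module does not carry
# the same grant twice.
#allow init_t certmonger_unconfined_t:dbus send_msg;

# Form 2: the declarative version. In refpolicy this interface expands to
# send_msg in both directions (domain -> init_t and init_t -> domain), so
# it covers the blocked reply and documents the intent, but it exposes the
# client domain to init_t D-Bus messages exactly as the raw rule does.
init_dbus_chat(certmonger_unconfined_t)
```

Build and load it with the standard developer Makefile (`make -f /usr/share/selinux/devel/Makefile local_certmonger_dbus.pp` followed by `semodule -i local_certmonger_dbus.pp`), then rerun the script and check `ausearch -m AVC` again; each remaining denial is one more pass around the loop the reply describes.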