From Fedora Project Wiki

New features in SELinux policy

Since February 9th, the selinux-policy package in Fedora Rawhide and the future Fedora 34 contains enhancements that bring the policy up to date with the current kernel (new object classes and permissions such as the watch permission used in the examples below); refer to [1] for more details.

There is currently no known issue related to the change. Despite extensive testing, it is not possible to cover every scenario and eliminate all problems, so new AVC denials may still appear.

We will monitor the situation so that we can respond in a timely manner. If you run into a problem, follow these steps to work around it until the policy is fixed:

  • set the system into SELinux permissive mode, effective till reboot:
setenforce 0
  • re-run the scenario that was denied, e.g. restart the affected service
  • collect AVC denials:
ausearch -i -m avc -ts recent
type=AVC msg=audit(02/07/2021 19:43:03.703:68) : avc:  denied  { watch } for  pid=468 comm=systemd-resolve path=/ dev="vda2" ino=256 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
type=AVC msg=audit(02/07/2021 19:43:03.735:73) : avc:  denied  { watch } for  pid=468 comm=systemd-resolve path=/run/dbus/system_bus_socket dev="tmpfs" ino=891 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
  • take the following parts of each audit record; they are the pieces a CIL allow rule needs:
    • the type field (third colon-separated field) of scontext, e.g. systemd_resolved_t
    • the type field of tcontext, e.g. root_t
    • tclass, e.g. dir
    • the permissions inside the braces {}, e.g. watch
  • based on these, create a local SELinux policy module in the CIL language, one (allow source_type target_type (class (permissions))) statement per denial, and review each rule before installing it (a denial is not automatically a bug; only allow what the service legitimately needs):
cat > local_watch_policy.cil <<'EOF'
(allow systemd_resolved_t root_t (dir (watch)))
(allow systemd_resolved_t system_dbusd_var_run_t (sock_file (watch)))
EOF
  • install the policy module (semodule accepts a .cil file directly, no checkmodule/semodule_package build step is needed; the module is installed under the file name without the extension):
semodule -i local_watch_policy.cil
  • file a bug in Red Hat Bugzilla [2] or an issue in the fedora-selinux/selinux-policy GitHub repository [3], attaching the collected AVC denials:
https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora
https://github.com/fedora-selinux/selinux-policy/issues
  • once the problem is fixed in the upstream policy and the updated selinux-policy package is installed, remove the local module by its module name (without the .cil extension):
semodule -r local_watch_policy
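The step of cutting the scontext type, tcontext type, tclass and braced permissions out of each record and turning them into CIL is mechanical, so here is a small script that does it. This is an added example written for this page; it is not a Fedora or SELinux project tool, and the file name avc2cil.py is an assumption. The first two sample records are the ones shown above; the third is constructed for the demo so that the merging of several denials for the same (source, target, class) triple into one rule is visible.

```python
#!/usr/bin/env python3
"""avc2cil.py: turn interpreted AVC denial records into CIL allow rules.

Added example for this page; it is not a Fedora/SELinux project tool.
It automates the manual step described above: take the type of scontext,
the type of tcontext, the tclass and the permissions in braces from each
denial, and emit one CIL allow rule per (source type, target type, class),
merging the permissions of repeated denials.  Input is the text printed by
`ausearch -i -m avc -ts recent`.
"""
import re
import sys
from collections import defaultdict

# One interpreted AVC record looks like:
#   type=AVC msg=audit(...) : avc:  denied  { watch } for  pid=468 comm=... \
#     scontext=system_u:system_r:systemd_resolved_t:s0 \
#     tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Type field of a context 'user:role:type[:range]', e.g. root_t."""
    return ctx.split(":")[2]


def parse_avcs(text):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # "----" separators and any non-AVC lines are skipped
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def to_cil(rules):
    """Render the rules as CIL allow statements, sorted so reruns give stable output."""
    out = []
    for stype, ttype, tclass in sorted(rules):
        perms = " ".join(sorted(rules[(stype, ttype, tclass)]))
        out.append(f"(allow {stype} {ttype} ({tclass} ({perms})))")
    return "\n".join(out)


# Constructed sample: the first two records are copied from the page, the third
# is made up to show two denials on the same triple merging into one rule.
SAMPLE = """----
type=AVC msg=audit(02/07/2021 19:43:03.703:68) : avc:  denied  { watch } for  pid=468 comm=systemd-resolve path=/ dev="vda2" ino=256 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
----
type=AVC msg=audit(02/07/2021 19:43:03.735:73) : avc:  denied  { watch } for  pid=468 comm=systemd-resolve path=/run/dbus/system_bus_socket dev="tmpfs" ino=891 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
----
type=AVC msg=audit(02/07/2021 19:43:04.001:75) : avc:  denied  { read } for  pid=468 comm=systemd-resolve name="/" dev="vda2" ino=256 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
"""

if __name__ == "__main__":
    # Usage: ausearch -i -m avc -ts recent | python3 avc2cil.py - > local_watch_policy.cil
    # Without the "-" argument the embedded sample is used.
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE
    print(to_cil(parse_avcs(text)))
```

The output is the body of the .cil file to pass to semodule -i; read it before installing it, since every generated line widens the policy exactly as far as the denial asked, and once the module is in place, setenforce 1 puts the system back into enforcing mode without waiting for a reboot. audit2allow performs the same translation in the .te language; the CIL form is used here because semodule installs a .cil file directly, with no build step.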

[1] https://fedoraproject.org/wiki/Changes/Make_selinux_policy_uptodate_with_current_kernel

[2] https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora

[3] https://github.com/fedora-selinux/selinux-policy/issues