4:52 a.m.
After a relabel I got this , any idea ?
[root@desk mythcat]# ausearch -c 'Xorg' --raw | audit2allow -M my-Xorg
libsepol.sepol_string_to_security_class: unrecognized class lockdown
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i my-Xorg.pp
[root@desk mythcat]# semodule -X 300 -i my-Xorg.pp
Failed to resolve allow statement at /var/lib/selinux/mls/tmp/modules/300/my-Xorg/cil:7
semodule: Failed!
[root@desk mythcat]# semodule -X 300 -i my-Xorg.pp
Failed to resolve allow statement at /var/lib/selinux/mls/tmp/modules/300/my-Xorg/cil:7
semodule: Failed!
[root@desk mythcat]# ausearch -c 'X' --raw | audit2allow -M my-X
libsepol.sepol_string_to_security_class: unrecognized class lockdown
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i my-X.pp
[root@desk mythcat]# semodule -X 300 -i my-X.pp
Failed to resolve allow statement at /var/lib/selinux/mls/tmp/modules/300/my-X/cil:11
semodule: Failed!
2:59 a.m.
On Sun, Sep 20, 2020 at 11:52 AM Cătălin George Feștilă <
catalinfest(a)gmail.com> wrote:
After a relabel I got this , any idea ?
[root@desk mythcat]# ausearch -c 'Xorg' --raw | audit2allow -M my-Xorg
libsepol.sepol_string_to_security_class: unrecognized class lockdown
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i my-Xorg.pp
[root@desk mythcat]# semodule -X 300 -i my-Xorg.pp
Failed to resolve allow statement at
/var/lib/selinux/mls/tmp/modules/300/my-Xorg/cil:7
semodule: Failed!
[root@desk mythcat]# semodule -X 300 -i my-Xorg.pp
Failed to resolve allow statement at
/var/lib/selinux/mls/tmp/modules/300/my-Xorg/cil:7
semodule: Failed!
[root@desk mythcat]# ausearch -c 'X' --raw | audit2allow -M my-X
libsepol.sepol_string_to_security_class: unrecognized class lockdown
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i my-X.pp
[root@desk mythcat]# semodule -X 300 -i my-X.pp
Failed to resolve allow statement at
/var/lib/selinux/mls/tmp/modules/300/my-X/cil:11
semodule: Failed!
Hi,
mls with X is not supported; however, we do not seem to have the lockdown
class in Fedora at all - did you download this policy from the refpolicy
repo or how did you get it installed to your system?
_______________________________________________
selinux mailing list -- selinux(a)lists.fedoraproject.org
To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
--
Zdenek Pytela
Security SELinux team
3:15 a.m.
On Mon, Sep 21, 2020 at 10:00 AM Zdenek Pytela <zpytela(a)redhat.com> wrote:
On Sun, Sep 20, 2020 at 11:52 AM Cătălin George Feștilă
<catalinfest(a)gmail.com> wrote:
>
> After a relabel I got this , any idea ?
> [root@desk mythcat]# ausearch -c 'Xorg' --raw | audit2allow -M my-Xorg
> libsepol.sepol_string_to_security_class: unrecognized class lockdown
> ******************** IMPORTANT ***********************
> To make this policy package active, execute:
>
> semodule -i my-Xorg.pp
>
> [root@desk mythcat]# semodule -X 300 -i my-Xorg.pp
> Failed to resolve allow statement at
/var/lib/selinux/mls/tmp/modules/300/my-Xorg/cil:7
> semodule: Failed!
> [root@desk mythcat]# semodule -X 300 -i my-Xorg.pp
> Failed to resolve allow statement at
/var/lib/selinux/mls/tmp/modules/300/my-Xorg/cil:7
> semodule: Failed!
> [root@desk mythcat]# ausearch -c 'X' --raw | audit2allow -M my-X
> libsepol.sepol_string_to_security_class: unrecognized class lockdown
> ******************** IMPORTANT ***********************
> To make this policy package active, execute:
>
> semodule -i my-X.pp
>
> [root@desk mythcat]# semodule -X 300 -i my-X.pp
> Failed to resolve allow statement at
/var/lib/selinux/mls/tmp/modules/300/my-X/cil:11
> semodule: Failed!
Hi,
mls with X is not supported; however, we do not seem to have the lockdown class in Fedora
at all - did you download this policy from the refpolicy repo or how did you get it
installed to your system?
Remember that we build the -mls policy with deny_unknown=1, so any
class that is defined in the kernel, but not in the policy, will cause
unfixable denials...
--
Ondrej Mosnacek
Software Engineer, Platform Security - SELinux kernel
Red Hat, Inc.
5:08 p.m.
This alert did not appear from the beginning and I think it could be something spread.
Something similar later appeared for smartd.
I'm new with mls policy and settings, but a good SELinux policy don't touch the
Xorg ...
I used SELinux permisive without kernel settings to load SELinux with kernel.
This output is for :
[root@desk mythcat]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: mls
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: denied
Memory protection checking: actual (secure)
Max kernel policy version: 33
4:59 p.m.
No, I don't download or create an SELinux policy, this is generated into Selinux
Alerts.
1336
days inactive
1339
days old
selinux@lists.fedoraproject.org
4 comments
3 participants
participants (3)
-
Cătălin George Feștilă -
Ondrej Mosnacek -
Zdenek Pytela