On Mon, Sep 21, 2020 at 10:00 AM Zdenek Pytela <zpytela(a)redhat.com> wrote:
On Sun, Sep 20, 2020 at 11:52 AM Cătălin George Feștilă
<catalinfest(a)gmail.com> wrote:
>
> After a relabel I got this, any idea?
> [root@desk mythcat]# ausearch -c 'Xorg' --raw | audit2allow -M my-Xorg
> libsepol.sepol_string_to_security_class: unrecognized class lockdown
> ******************** IMPORTANT ***********************
> To make this policy package active, execute:
>
> semodule -i my-Xorg.pp
>
> [root@desk mythcat]# semodule -X 300 -i my-Xorg.pp
> Failed to resolve allow statement at /var/lib/selinux/mls/tmp/modules/300/my-Xorg/cil:7
> semodule: Failed!
> [root@desk mythcat]# semodule -X 300 -i my-Xorg.pp
> Failed to resolve allow statement at /var/lib/selinux/mls/tmp/modules/300/my-Xorg/cil:7
> semodule: Failed!
> [root@desk mythcat]# ausearch -c 'X' --raw | audit2allow -M my-X
> libsepol.sepol_string_to_security_class: unrecognized class lockdown
> ******************** IMPORTANT ***********************
> To make this policy package active, execute:
>
> semodule -i my-X.pp
>
> [root@desk mythcat]# semodule -X 300 -i my-X.pp
> Failed to resolve allow statement at /var/lib/selinux/mls/tmp/modules/300/my-X/cil:11
> semodule: Failed!
Hi,
mls with X is not supported; however, we do not seem to have the lockdown class in Fedora
at all - did you download this policy from the refpolicy repo or how did you get it
installed to your system?
Remember that we build the -mls policy with deny_unknown=1, so any
class that is defined in the kernel, but not in the policy, will cause
unfixable denials...
--
Ondrej Mosnacek
Software Engineer, Platform Security - SELinux kernel
Red Hat, Inc.
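
The check behind the replies above, as an added example that is not part of the thread: it lists object classes that show up in AVC denials but are not defined in the installed policy, which is the situation where `audit2allow` output cannot be resolved by `semodule`. The function names, the assumed `seinfo -c` output layout (a `Classes:` header followed by indented names) and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: find tclass values in AVC denials that the policy lacks.
# Live use (assumes the audit and setools packages are installed):
#   ausearch -m avc --raw > avc.log; seinfo -c > classes.txt
#   missing_classes avc.log classes.txt; cat /sys/fs/selinux/deny_unknown
LC_ALL=C; export LC_ALL   # keep sort and comm in the same collation order

# Distinct tclass= values from raw audit records on stdin.
avc_classes() {
    grep '^type=AVC ' | sed -n 's/.* tclass=\([a-z0-9_]*\).*/\1/p' | sort -u
}

# Class names from `seinfo -c` style output on stdin (header line dropped).
policy_classes() {
    sed -e '/^Classes:/d' -e 's/[[:space:]]//g' -e '/^$/d' | sort -u
}

# missing_classes AUDIT_FILE POLICY_CLASS_FILE
# Prints classes denied in the audit log that the policy does not define.
# An allow rule on such a class cannot be resolved, and with deny_unknown=1
# the kernel keeps denying access checks that use it.
missing_classes() {
    tmp=$(mktemp -d) || return 1
    avc_classes < "$1" > "$tmp/seen"
    policy_classes < "$2" > "$tmp/defined"
    comm -23 "$tmp/seen" "$tmp/defined"
    rm -rf "$tmp"
}

# Constructed sample input, not taken from the poster's system.
sample_audit() {
    cat <<'EOF'
type=AVC msg=audit(1600595520.101:301): avc:  denied  { confidentiality } for  pid=1201 comm="Xorg" lockdown_reason="constructed" scontext=system_u:system_r:xserver_t:s0 tcontext=system_u:system_r:xserver_t:s0 tclass=lockdown permissive=0
type=SYSCALL msg=audit(1600595520.101:301): arch=c000003e syscall=257 success=no comm="Xorg"
type=AVC msg=audit(1600595521.202:302): avc:  denied  { read } for  pid=1201 comm="Xorg" name="card0" scontext=system_u:system_r:xserver_t:s0 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=0
EOF
}
sample_policy() {
    printf 'Classes: 3\n   chr_file\n   file\n   process\n'
}

demo() {
    d=$(mktemp -d) || return 1
    sample_audit > "$d/avc.log"; sample_policy > "$d/classes.txt"
    missing_classes "$d/avc.log" "$d/classes.txt"
    rm -rf "$d"
}
demo
```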