After a relabel I got this, any idea?
[root@desk mythcat]# ausearch -c 'Xorg' --raw | audit2allow -M my-Xorg
libsepol.sepol_string_to_security_class: unrecognized class lockdown
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i my-Xorg.pp
[root@desk mythcat]# semodule -X 300 -i my-Xorg.pp
Failed to resolve allow statement at /var/lib/selinux/mls/tmp/modules/300/my-Xorg/cil:7
semodule: Failed!
[root@desk mythcat]# semodule -X 300 -i my-Xorg.pp
Failed to resolve allow statement at /var/lib/selinux/mls/tmp/modules/300/my-Xorg/cil:7
semodule: Failed!
[root@desk mythcat]# ausearch -c 'X' --raw | audit2allow -M my-X
libsepol.sepol_string_to_security_class: unrecognized class lockdown
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i my-X.pp
[root@desk mythcat]# semodule -X 300 -i my-X.pp
Failed to resolve allow statement at /var/lib/selinux/mls/tmp/modules/300/my-X/cil:11
semodule: Failed!
On Sun, Sep 20, 2020 at 11:52 AM Cătălin George Feștilă <catalinfest@gmail.com> wrote:
> After a relabel I got this, any idea?
> [root@desk mythcat]# ausearch -c 'Xorg' --raw | audit2allow -M my-Xorg
> libsepol.sepol_string_to_security_class: unrecognized class lockdown
> ******************** IMPORTANT ***********************
> To make this policy package active, execute:
> semodule -i my-Xorg.pp
> [root@desk mythcat]# semodule -X 300 -i my-Xorg.pp
> Failed to resolve allow statement at /var/lib/selinux/mls/tmp/modules/300/my-Xorg/cil:7
> semodule: Failed!
> [root@desk mythcat]# semodule -X 300 -i my-Xorg.pp
> Failed to resolve allow statement at /var/lib/selinux/mls/tmp/modules/300/my-Xorg/cil:7
> semodule: Failed!
> [root@desk mythcat]# ausearch -c 'X' --raw | audit2allow -M my-X
> libsepol.sepol_string_to_security_class: unrecognized class lockdown
> ******************** IMPORTANT ***********************
> To make this policy package active, execute:
> semodule -i my-X.pp
> [root@desk mythcat]# semodule -X 300 -i my-X.pp
> Failed to resolve allow statement at /var/lib/selinux/mls/tmp/modules/300/my-X/cil:11
> semodule: Failed!
Hi,
mls with X is not supported; however, we do not seem to have the lockdown class in Fedora at all - did you download this policy from the refpolicy repo or how did you get it installed to your system?
_______________________________________________
selinux mailing list -- selinux@lists.fedoraproject.org
To unsubscribe send an email to selinux-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.or...
On Mon, Sep 21, 2020 at 10:00 AM Zdenek Pytela zpytela@redhat.com wrote:
> On Sun, Sep 20, 2020 at 11:52 AM Cătălin George Feștilă catalinfest@gmail.com wrote:
> > After a relabel I got this, any idea?
> > [root@desk mythcat]# ausearch -c 'Xorg' --raw | audit2allow -M my-Xorg
> > libsepol.sepol_string_to_security_class: unrecognized class lockdown
> > ******************** IMPORTANT ***********************
> > To make this policy package active, execute:
> > semodule -i my-Xorg.pp
> > [root@desk mythcat]# semodule -X 300 -i my-Xorg.pp
> > Failed to resolve allow statement at /var/lib/selinux/mls/tmp/modules/300/my-Xorg/cil:7
> > semodule: Failed!
> > [root@desk mythcat]# semodule -X 300 -i my-Xorg.pp
> > Failed to resolve allow statement at /var/lib/selinux/mls/tmp/modules/300/my-Xorg/cil:7
> > semodule: Failed!
> > [root@desk mythcat]# ausearch -c 'X' --raw | audit2allow -M my-X
> > libsepol.sepol_string_to_security_class: unrecognized class lockdown
> > ******************** IMPORTANT ***********************
> > To make this policy package active, execute:
> > semodule -i my-X.pp
> > [root@desk mythcat]# semodule -X 300 -i my-X.pp
> > Failed to resolve allow statement at /var/lib/selinux/mls/tmp/modules/300/my-X/cil:11
> > semodule: Failed!
> Hi,
> mls with X is not supported; however, we do not seem to have the lockdown class in Fedora at all - did you download this policy from the refpolicy repo or how did you get it installed to your system?
Remember that we build the -mls policy with deny_unknown=1, so any class that is defined in the kernel, but not in the policy, will cause unfixable denials...
This alert did not appear from the beginning and I think it could be something spread. Something similar later appeared for smartd. I'm new with mls policy and settings, but a good SELinux policy doesn't touch the Xorg ... I used SELinux permissive without kernel settings to load SELinux with kernel. This output is for:
[root@desk mythcat]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: mls
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: denied
Memory protection checking: actual (secure)
Max kernel policy version: 33
No, I don't download or create an SELinux policy, this is generated into SELinux Alerts.
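An added example, not part of the thread: a shell check for the situation described in the deny_unknown remark and the sestatus output above, listing object classes that appear in AVC records but are missing from the loaded policy. It assumes the standard selinuxfs layout (one directory per policy-defined class under /sys/fs/selinux/class, the flag in /sys/fs/selinux/deny_unknown); the AVC records and the demo directory are constructed.

```shell
#!/bin/sh
# Added example. The selinuxfs paths named in comments are the standard layout;
# the AVC records and the demo directory below are constructed.

# Constructed sample records (not taken from the thread).
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1600592000.101:301): avc:  denied  { integrity } for  pid=1410 comm="Xorg" scontext=system_u:system_r:xserver_t:s0 tcontext=system_u:system_r:xserver_t:s0 tclass=lockdown permissive=1
type=AVC msg=audit(1600592000.202:302): avc:  denied  { read } for  pid=1410 comm="Xorg" name="mem" scontext=system_u:system_r:xserver_t:s0 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1600592000.303:303): avc:  denied  { integrity } for  pid=1522 comm="smartd" scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:system_r:fsdaemon_t:s0 tclass=lockdown permissive=1
EOF
}

# Print the unique tclass= values from AVC records on stdin.
avc_classes() {
    sed -n '/avc:/s/.*tclass=\([A-Za-z0-9_]*\).*/\1/p' | sort -u
}

# unknown_classes CLASS_DIR: classes seen in AVC records on stdin that the
# loaded policy does not define (no directory under CLASS_DIR).
unknown_classes() {
    avc_classes | while read -r cls; do
        [ -d "$1/$cls" ] || printf '%s\n' "$cls"
    done
}

# classify CLASS_DIR DENY_UNKNOWN_FILE: one verdict line per unknown class.
classify() {
    deny=$(cat "$2")
    unknown_classes "$1" | while read -r cls; do
        if [ "$deny" = 1 ]; then
            printf '%s: not in policy, deny_unknown=1, a local module cannot allow it\n' "$cls"
        else
            printf '%s: not in policy, deny_unknown=0, kernel allows it\n' "$cls"
        fi
    done
}

# Demo on a constructed stand-in for selinuxfs; on a live system use
#   ausearch -m avc --raw | classify /sys/fs/selinux/class /sys/fs/selinux/deny_unknown
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/class/chr_file" "$d/class/file"
    echo 1 > "$d/deny_unknown"
    sample_avc | classify "$d/class" "$d/deny_unknown"
    rm -rf "$d"
}
demo
```

Any class this reports is one that audit2allow can still emit a rule for, but semodule cannot resolve that rule against the installed policy.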