On Mon, Sep 21, 2020 at 10:00 AM Zdenek Pytela <zpytela@redhat.com> wrote:
On Sun, Sep 20, 2020 at 11:52 AM Cătălin George Feștilă <catalinfest@gmail.com> wrote:
After a relabel I got this, any idea?

[root@desk mythcat]# ausearch -c 'Xorg' --raw | audit2allow -M my-Xorg
libsepol.sepol_string_to_security_class: unrecognized class lockdown
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-Xorg.pp

[root@desk mythcat]# semodule -X 300 -i my-Xorg.pp
Failed to resolve allow statement at /var/lib/selinux/mls/tmp/modules/300/my-Xorg/cil:7
semodule: Failed!
[root@desk mythcat]# semodule -X 300 -i my-Xorg.pp
Failed to resolve allow statement at /var/lib/selinux/mls/tmp/modules/300/my-Xorg/cil:7
semodule: Failed!
[root@desk mythcat]# ausearch -c 'X' --raw | audit2allow -M my-X
libsepol.sepol_string_to_security_class: unrecognized class lockdown
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-X.pp

[root@desk mythcat]# semodule -X 300 -i my-X.pp
Failed to resolve allow statement at /var/lib/selinux/mls/tmp/modules/300/my-X/cil:11
semodule: Failed!

Hi,
mls with X is not supported; however, we do not seem to have the lockdown class in Fedora at all - did you download this policy from the refpolicy repo or how did you get it installed to your system?
Remember that we build the -mls policy with deny_unknown=1, so any class that is defined in the kernel, but not in the policy, will cause unfixable denials...
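
A pre-check for the failure shown in this thread, as an added example (not code from the thread or from the Fedora policy): it sorts raw AVC records by whether their tclass is defined in the policy, so records for a class such as lockdown are reported instead of being fed to audit2allow. The AVC records, the class list and the function names are constructed for illustration; the class list layout imitates `seinfo -c` output, which is an assumption about how the list is obtained.

```shell
#!/bin/sh
# Added example: sort raw AVC records by whether the policy defines their class.

# Constructed sample records (not taken from the thread).
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1600600001.100:301): avc:  denied  { integrity } for  pid=1201 comm="Xorg" lockdown_reason="raw io port access" scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=lockdown permissive=0
type=AVC msg=audit(1600600002.200:302): avc:  denied  { read } for  pid=1201 comm="Xorg" name="card0" dev="devtmpfs" ino=410 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1600600003.300:303): avc:  denied  { confidentiality } for  pid=1201 comm="Xorg" lockdown_reason="/dev/mem,kmem,port" scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=lockdown permissive=0
EOF
}

# Constructed class list standing in for the classes the installed policy
# defines (assumed layout: a "Classes: N" header, then one indented name per line).
sample_policy_classes() {
  printf '%s\n' 'Classes: 3' '   chr_file' '   file' '   process'
}

# unknown_classes CLASSFILE < avc-records
# Prints, once each, every tclass in the records that CLASSFILE does not list.
unknown_classes() {
  awk '
    FILENAME == ARGV[1] { if ($0 !~ /:/ && NF) known[$1] = 1; next }
    match($0, /tclass=[A-Za-z0-9_]+/) {
      c = substr($0, RSTART + 7, RLENGTH - 7)
      if (!(c in known) && !seen[c]++) print c
    }' "$1" -
}

# loadable_records CLASSFILE < avc-records
# Passes through only records whose tclass the policy defines, i.e. the ones
# for which a generated allow rule can resolve at module install time.
loadable_records() {
  awk '
    FILENAME == ARGV[1] { if ($0 !~ /:/ && NF) known[$1] = 1; next }
    match($0, /tclass=[A-Za-z0-9_]+/) {
      c = substr($0, RSTART + 7, RLENGTH - 7)
      if (c in known) print
    }' "$1" -
}

# Demo on the constructed data: lists the class the policy lacks.
classes=$(mktemp)
sample_policy_classes > "$classes"
sample_avc | unknown_classes "$classes"
rm -f "$classes"
```
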