On Mon, Sep 21, 2020 at 10:00 AM Zdenek Pytela <zpytela@xxxxxxxxxx> wrote:
> On Sun, Sep 20, 2020 at 11:52 AM Cătălin George Feștilă <catalinfest@xxxxxxxxx> wrote:
>>
>> After a relabel I got this, any idea?
>> [root@desk mythcat]# ausearch -c 'Xorg' --raw | audit2allow -M my-Xorg
>> libsepol.sepol_string_to_security_class: unrecognized class lockdown
>> ******************** IMPORTANT ***********************
>> To make this policy package active, execute:
>>
>> semodule -i my-Xorg.pp
>>
>> [root@desk mythcat]# semodule -X 300 -i my-Xorg.pp
>> Failed to resolve allow statement at /var/lib/selinux/mls/tmp/modules/300/my-Xorg/cil:7
>> semodule: Failed!
>> [root@desk mythcat]# semodule -X 300 -i my-Xorg.pp
>> Failed to resolve allow statement at /var/lib/selinux/mls/tmp/modules/300/my-Xorg/cil:7
>> semodule: Failed!
>> [root@desk mythcat]# ausearch -c 'X' --raw | audit2allow -M my-X
>> libsepol.sepol_string_to_security_class: unrecognized class lockdown
>> ******************** IMPORTANT ***********************
>> To make this policy package active, execute:
>>
>> semodule -i my-X.pp
>>
>> [root@desk mythcat]# semodule -X 300 -i my-X.pp
>> Failed to resolve allow statement at /var/lib/selinux/mls/tmp/modules/300/my-X/cil:11
>> semodule: Failed!
>
> Hi,
>
> mls with X is not supported; however, we do not seem to have the lockdown class in Fedora at all - did you download this policy from the refpolicy repo or how did you get it installed to your system?

Remember that we build the -mls policy with deny_unknown=1, so any class that is defined in the kernel, but not in the policy, will cause unfixable denials...

--
Ondrej Mosnacek
Software Engineer, Platform Security - SELinux kernel
Red Hat, Inc.
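The failure discussed in this thread, as an added example that is not part of the original messages: a generated module whose allow rule names a class the installed policy does not define cannot be resolved by `semodule`. The sketch below finds such rules in CIL text before installation; the CIL sample, the type names in it and the class list are constructed for illustration, and the helper names are hypothetical.

```python
import os
import re

# Captures the rule kind and the class name in a CIL access-vector rule such as
#   (allow xserver_t self (lockdown (confidentiality)))
RULE_RE = re.compile(
    r"\(\s*(allow|auditallow|dontaudit|neverallow)\s+\S+\s+\S+\s+"
    r"\(\s*([A-Za-z0-9_]+)\s*\("
)

def policy_classes(selinuxfs="/sys/fs/selinux"):
    """Classes defined by the currently loaded policy.

    selinuxfs exposes one directory per policy-defined class under class/.
    Only usable on a host with SELinux enabled; not called by the sample run.
    """
    return set(os.listdir(os.path.join(selinuxfs, "class")))

def unresolved_rules(cil_text, known_classes):
    """Return (line_number, rule_kind, class_name) for every rule that
    references a class missing from known_classes."""
    hits = []
    for lineno, line in enumerate(cil_text.splitlines(), start=1):
        if line.lstrip().startswith(";"):  # CIL comment line
            continue
        for kind, cls in RULE_RE.findall(line):
            if cls not in known_classes:
                hits.append((lineno, kind, cls))
    return hits

# Constructed sample: what an audit2allow-generated module might contain.
SAMPLE_CIL = """\
(typeattributeset cil_gen_require xserver_t)
(typeattributeset cil_gen_require device_t)
; rules generated from AVC denials
(allow xserver_t device_t (chr_file (read write)))
(allow xserver_t self (lockdown (confidentiality)))
"""

# Constructed class list standing in for a policy without the lockdown class.
SAMPLE_CLASSES = {"file", "dir", "chr_file", "process", "capability"}

if __name__ == "__main__":
    for lineno, kind, cls in unresolved_rules(SAMPLE_CIL, SAMPLE_CLASSES):
        print(f"line {lineno}: {kind} rule uses class '{cls}', "
              "which the policy does not define")
```

On an SELinux-enabled host, passing `policy_classes()` instead of `SAMPLE_CLASSES` checks the module against the policy that is actually loaded.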