Dec 8 14:49:01 web kernel: audit: type=1400 audit(1575812941.870:2069):
avc: denied { watch } for pid=2826 comm="crond"
path="/var/spool/cron/crontabs" dev="sda3" ino=2539899
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:cron_spool_t
tclass=dir permissive=0
I ended up reverting commit ac5656d8a4cd ("fanotify, inotify, dnotify,
security: add security hook for fs notifications") and asked in the Gentoo
forum - so far without success (link above) - how that should work properly.
If there is a way to use an unmodified kernel >= 5.4.0 with older (so far
all current) SELinux tools and policies, I did miss it.
Do you have a pointer on how I can keep the commit ac5656d8a4cd in an SELinux
enabled system in enforcing mode without breaking all file change
notifications?
Alexander
I do not believe there is a regression. However, support in the policy for this functionality may be lagging behind (or be non-existent as of now).
You could try this as a temporary workaround:
echo "(handleunknown allow)" > mytest.cil && sudo semodule -i mytest.cil
If that works, then that should tell SELinux to ignore the watch access vector permission (and any other permission unknown to the policy).
Thank you very much, that was the tip I was missing.
While the workaround itself is not working:
$ echo "(handleunknown allow)" > mytest.cil && sudo semodule -i mytest.cil
Password:
Policy can not have more than one handleunknown
Failed to verify cil database
Failed to verify cil database
/usr/sbin/semodule: Failed!
that was the "knob" I was missing, and with your tip I found the way
this is intended to be handled.
I've now simply executed these commands:
echo "handle-unknown = allow" >> /etc/selinux/semanage.conf
semodule -B
which solves the issue without any reverts.
Alexander
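The thread turns on one distinction: the "watch" denial above is not a normal policy denial but a denial for a permission the loaded policy has never defined, so it is governed by the policy's handle-unknown setting rather than by an allow rule. The following added example (not code from the thread or from the SELinux project) shows how a defender can triage AVC records on that basis: it parses audit lines like the one quoted at the top, checks each denied permission against the set of permissions the policy defines for that class, and reads the handle-unknown value out of semanage.conf text. The sample log lines and the POLICY_PERMS set are constructed for the example (POLICY_PERMS deliberately omits "watch" to mirror a pre-5.4 policy); on a live system known_perms_for_class() reads the real permission list from /sys/fs/selinux/class/<tclass>/perms/.

```python
"""Triage SELinux AVC denials: known-permission denials vs. unknown-permission denials."""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional, Set

# Constructed sample input: the denial quoted in the thread with its line
# wrapping undone, plus a second constructed denial for "write", a permission
# every dir-class policy defines.
SAMPLE_LOG = """\
Dec 8 14:49:01 web kernel: audit: type=1400 audit(1575812941.870:2069): avc: denied { watch } for pid=2826 comm="crond" path="/var/spool/cron/crontabs" dev="sda3" ino=2539899 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:cron_spool_t tclass=dir permissive=0
Dec 8 14:49:05 web kernel: audit: type=1400 audit(1575812945.101:2070): avc: denied { write } for pid=2830 comm="crond" name="crontabs" dev="sda3" ino=2539899 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:cron_spool_t tclass=dir permissive=0
"""

# Constructed stand-in for the dir permissions a pre-5.4 policy defines;
# "watch" is deliberately absent. On a live system use known_perms_for_class().
POLICY_PERMS: Dict[str, Set[str]] = {
    "dir": {"add_name", "getattr", "open", "read", "remove_name", "search", "write"},
}

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcDenial:
    perms: Set[str]          # the permissions inside "{ ... }"
    fields: Dict[str, str]   # pid, comm, path, scontext, tcontext, tclass, ...

    @property
    def tclass(self) -> str:
        return self.fields.get("tclass", "")

    @property
    def enforced(self) -> bool:
        # permissive=0 means the access was actually blocked, not merely logged
        return self.fields.get("permissive") == "0"


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Parse one audit/syslog line; return None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = set(m.group("perms").split())
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return AvcDenial(perms, fields)


def parse_log(text: str) -> List[AvcDenial]:
    return [d for d in (parse_avc(line) for line in text.splitlines()) if d]


def known_perms_for_class(tclass: str, selinuxfs: str = "/sys/fs/selinux") -> Optional[Set[str]]:
    """Permissions the *loaded* policy defines for tclass, read from selinuxfs.
    Returns None when selinuxfs is not available (e.g. running offline)."""
    perms_dir = Path(selinuxfs) / "class" / tclass / "perms"
    if not perms_dir.is_dir():
        return None
    return {p.name for p in perms_dir.iterdir()}


def unknown_perms(denial: AvcDenial, policy_perms: Dict[str, Set[str]]) -> Set[str]:
    """Denied permissions the policy does not define for the object class."""
    return denial.perms - policy_perms.get(denial.tclass, set())


def classify(denial: AvcDenial, policy_perms: Dict[str, Set[str]]) -> str:
    # unknown-permission: fixed by the handle-unknown setting (semanage.conf + semodule -B)
    # policy-denial:      fixed by an allow rule in the policy
    return "unknown-permission" if unknown_perms(denial, policy_perms) else "policy-denial"


def handle_unknown_setting(semanage_conf_text: str) -> Optional[str]:
    """Return the handle-unknown value (allow, deny or reject) set in
    semanage.conf text, or None when the key is absent and the libsemanage
    built-in default applies. If the key appears more than once, the last
    occurrence is reported."""
    value = None
    for raw in semanage_conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"handle-unknown\s*=\s*(allow|deny|reject)$", line)
        if m:
            value = m.group(1)
    return value


if __name__ == "__main__":
    for d in parse_log(SAMPLE_LOG):
        print(f"{d.fields['comm']:>6} {d.fields['scontext']} -> {d.fields['tcontext']} "
              f"{d.tclass} {sorted(d.perms)} enforced={d.enforced}: {classify(d, POLICY_PERMS)}")
    print("handle-unknown in sample conf:",
          handle_unknown_setting("module-store = direct\nhandle-unknown = allow\n"))
```

Run against the real audit log, swap POLICY_PERMS for the result of known_perms_for_class("dir") and feed the actual /etc/selinux/semanage.conf to handle_unknown_setting(): a denial classified as unknown-permission while the setting is deny (or absent) is exactly the situation in the thread, and it will not go away by adding allow rules, only by changing handle-unknown and rebuilding with semodule -B.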