Bug 1575275

Summary: Fedora 28 - SELinux: Class bpf not defined in policy.
Product: [Fedora] Fedora Reporter: Neil Kownacki <njkkow>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 28CC: Claude.Frantz, dwalsh, jwadodson, lvrabec, mgrepl, plautrba, pmoore
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-05-21 15:51:34 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Neil Kownacki 2018-05-05 15:42:42 UTC 
After upgrading to Fedora 28, I got the following message in the system log:

Unable to fix SELinux security context of /sys/fs/bpf: Permission denied


I ran touch ./autorelabel and rebooted, and now get this message every time I boot up:

SELinux:  Class bpf not defined in policy.


I suspect some kind of SELinux policy update is needed to fix this.
Comment 1 Neil Kownacki 2018-05-05 15:45:53 UTC 
Correction: that should be touch /.autorelabel.
Comment 2 Lukas Vrabec 2018-05-21 15:51:34 UTC 
Hi,

Could you remount bpf? It should be fixed then. 

Thanks.
Comment 3 Claude Frantz 2018-07-16 12:16:52 UTC 
I have tried to remount /sys/fs/bpf but this error message appeared later again. I adhere to  Neil Kownacki's opinion, that some kind of SELinux policy update is needed to fix this. Please reopen this bug ID.
Comment 4 Paul Moore 2018-07-16 15:53:16 UTC 
The "SELinux:  Class bpf not defined in policy." message is relatively harmless on default Fedora systems as object classes which are undefined in the loaded SELinux policy are not restricted by SELinux.  In other words, any applications using eBPF should not be blocked by SELinux for their use of eBPF.

We should consider defining the bpf object class in the Fedora SELinux policy to see what policy changes are needed, but that should happen in Rawhide and not in any of the stable Fedora releases as the chance for disruption is too high.
Comment 5 John Dodson 2018-08-07 04:47:55 UTC 
Is that "relatively harmless" as similarly defined by Douglas Adams?

Meanwhile how can this really be fixed now in FC28?

Repeat... Please reopen this bug ID.
Comment 6 Paul Moore 2018-08-07 15:42:20 UTC 
(In reply to John Dodson from comment #5)
> Is that "relatively harmless" as similarly defined by Douglas Adams?

It is as I defined in my comment above:

> "... as object classes which are undefined in the loaded SELinux
>  policy are not restricted by SELinux.  In other words, any
>  applications using eBPF should not be blocked by SELinux for
>  their use of eBPF."

If you are worried about SELinux blocking access to eBPF on Fedora due to the missing object class, that isn't going to happen due to how the default Fedora SELinux policy is configured (accesses to unknown object classes are allowed).

If you are worried that SELinux is not blocking access to eBPF on Fedora due to the missing object class, you are right to be worried (see above).