Bug 2069718

Summary: RFE: Add support for "self" keyword in type transitions
Product: Red Hat Enterprise Linux 9
Reporter: Ondrej Mosnacek <omosnace>
Component: libsepol
Assignee: Petr Lautrbach <plautrba>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact: Jan Fiala <jafiala>
Priority: high
Version: 9.0
CC: jafiala, lvrabec, mmalik, omosnace, plautrba, vmojzis
Target Milestone: rc
Keywords: AutoVerified, FutureFeature, Reopened, Triaged
Target Release: 9.1
Hardware: All
OS: Linux
Fixed In Version: libsepol-3.4-1.1.el9
Doc Type: Enhancement
Doc Text:
.SELinux supports the `self` keyword in type transitions
SELinux tooling now supports type transition rules with the `self` keyword in the policy sources. Support for type transitions with the `self` keyword prepares the SELinux policy for labeling of anonymous inodes.
Story Points: ---
Last Closed: 2022-11-15 11:19:08 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---

Description Ondrej Mosnacek 2022-03-29 14:29:14 UTC
The newly added anon_inode class relies on type transitions of the form <domain> <domain>:<typeA> <typeB>. However, SELinux userspace currently doesn't support using the "self" keyword, which makes writing policy for this class tricky. Thus, it is necessary to implement this support so that anon_inode/userfaultfd/io_uring rules can be reasonably implemented in selinux-policy.

I'll be working on the upstream implementation, then I'll switch this to plautrba/vmojzis to handle the backport.
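As an added example (not from the bug report or from selinux-policy), the rule shape the description refers to, written in kernel policy (.te) syntax with made-up type and attribute names:

```selinux
# Added illustration, not taken from the bug report or from selinux-policy.
# Type and attribute names (app_domain, myapp_t, other_t, app_uffd_t) are
# made up. The anon_inode class and the "[userfaultfd]" object name come
# from the kernel; anon_inode uses the common file permissions.

attribute app_domain;
type myapp_t, app_domain;
type other_t, app_domain;
type app_uffd_t;

# When a process creates a userfaultfd, the kernel labels the anon inode by
# looking up a transition with source = target = the creating domain, i.e.
# <domain> <domain>:anon_inode with object name "[userfaultfd]". Before the
# self keyword, the target had to be spelled out, one rule per domain:
type_transition myapp_t myapp_t:anon_inode app_uffd_t "[userfaultfd]";
type_transition other_t other_t:anon_inode app_uffd_t "[userfaultfd]";

# Using the attribute on both sides is not equivalent: it expands to the
# full cross product (myapp_t other_t:anon_inode ..., and so on), pairs the
# kernel never consults for anon inodes, and it produces conflicts as soon
# as different domains want different default types.

# With self (SELinux userspace 3.4; libsepol-3.4-1.1.el9 on RHEL 9), one
# rule expands only to the (domain, domain) pairs, so it can live on an
# attribute or inside a shared macro:
type_transition app_domain self:anon_inode app_uffd_t "[userfaultfd]";

# The transition only picks the label; access still needs allow rules.
# The creating domain must be allowed to create the inode under its new
# label, and the descriptor is then checked against that label instead of
# the domain's own type (self:anon_inode).
allow app_domain app_uffd_t:anon_inode { create read write ioctl };
```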

Comment 2 Ondrej Mosnacek 2022-06-09 13:01:11 UTC
The support is included in the 3.4 upstream release, so closing this as duplicate of BZ 2079276.

*** This bug has been marked as a duplicate of bug 2079276 ***

Comment 3 Ondrej Mosnacek 2022-06-09 14:02:56 UTC
Reopening after discussion with plautrba and mmalik.

Comment 18 errata-xmlrpc 2022-11-15 11:19:08 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (libsepol bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8337