Description of problem:

`fixfiles check` or `fixfiles -v restore` generates very noisy messages, because it thinks `/sys/kernel/debug` needs to be relabelled, and it does not know what label to apply.

# fixfiles -v restore
...
/sbin/setfiles: Warning no default label for /sys/kernel/debug/mei_wdt
...

$ man fixfiles
...
By default it will relabel all mounted ext2, ext3, xfs and jfs file systems as long as they do not have a security context mount option.

Version-Release number of selected component (if applicable):
policycoreutils-2.5-19.fc25.x86_64

How reproducible: always

Steps to Reproduce:
1. Run `fixfiles check` with full privileges e.g. using `sudo`.

Actual results:

Warning: Skipping the following R/O filesystems:
/sys/fs/cgroup
Checking / /boot /dev /dev/hugepages /dev/mqueue /dev/pts /dev/shm /home /run /run/user/1000 /run/user/1001 /run/user/42 /sys /sys/fs/pstore /sys/kernel/debug /tmp
...
/sbin/setfiles: Warning no default label for /sys/kernel/debug/mei_wdt
...

Expected results:

1. "Warning no default label" should not be spammed on a clean system.
2. It is expected for debugfs to have new files chucked into it, so SELinux should not be configured to complain about files it doesn't know about. If a default label is required, it can easily default to "access via sudo only". debugfs is for debugging the kernel, it should *not* be used by any system service.
3. fixfiles' behaviour should not outright violate the spirit and letter of `man fixfiles`.
4. If the behaviour is actually intended, `man fixfiles` should explain WTF it wants to touch filesystems like /sys/. Even if they are not intended to generate warnings, this behaviour is highly surprising. The files in virtual filesystems like sysfs are created by the kernel during boot, and I can find no mechanism to tell the _kernel_ what label each individual file should be created with.
My prior assumption was that if there was any label, it would be simply blanket-applied to the whole of sysfs, and any attempt of tools like fixfiles to change labels one file at a time would fail.
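The gap between the man page wording and the "Checking ..." list in the report can be made concrete by applying the quoted rule to a mount table. This is an added example, not part of the original report and not fixfiles' own code: the function names and the sample mount table are constructed, and reading "security context mount option" as `context=`, `fscontext=`, `defcontext=` or `rootcontext=` is an assumption.

```shell
#!/bin/sh
# Added example, not fixfiles' own code: apply the rule quoted from
# `man fixfiles` to mount-table lines. Function names are hypothetical.

# Constructed sample in /proc/mounts format:
# device mountpoint fstype options dump pass
sample_mounts() {
cat <<'EOF'
/dev/sda2 / ext3 rw,relatime 0 0
/dev/sda1 /boot ext2 rw,relatime 0 0
/dev/sdb1 /home xfs rw,relatime 0 0
/dev/sdc1 /srv/www jfs rw,context=system_u:object_r:httpd_sys_content_t:s0 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
debugfs /sys/kernel/debug debugfs rw,relatime 0 0
tmpfs /sys/fs/cgroup tmpfs ro,nosuid,nodev,noexec,mode=755 0 0
mqueue /dev/mqueue mqueue rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
EOF
}

# Read mount-table lines on stdin and print "<verdict> <mountpoint>".
# Man page rule: relabel ext2, ext3, xfs and jfs mounts unless they carry
# a security context mount option.
# Assumption: that option is one of context=, fscontext=, defcontext=,
# rootcontext=.
classify_mounts() {
    awk '
    {
        verdict = "skip:fstype"
        if ($3 ~ /^(ext2|ext3|xfs|jfs)$/) {
            verdict = "relabel"
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] ~ /^(context|fscontext|defcontext|rootcontext)=/)
                    verdict = "skip:context-option"
        }
        print verdict, $2
    }'
}

# Only the mount points the man page wording says are relabelled.
manpage_relabel_targets() {
    classify_mounts | awk '$1 == "relabel" { print $2 }'
}

# Stand-alone run over the constructed sample.
sample_mounts | classify_mounts
```

On a live system, feed `/proc/mounts` to `manpage_relabel_targets` and compare the result with the "Checking ..." line that `fixfiles check` prints.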
Current behaviour has been explained in this thread: https://www.spinics.net/lists/selinux/msg21225.html
The warning is a bug/regression. Will take it up on the mailing list.
Actually, the warning isn't a regression, although I think it is unhelpful and should be removed.
This message is a reminder that Fedora 25 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 25. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '25'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 25 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Coincidentally, the just-released Fedora 27 is the first to include the version with the fix: https://github.com/SELinuxProject/selinux/commit/1cd972fc81757d6157afa192da99473243dfce8b

It still triggers on the file /dev/mqueue/, but that's it. (I expect it could be avoided by copying the way the two rules for /dev/hugepages/ work). Much easier to ignore than the previous spam.
Fedora 25 changed to end-of-life (EOL) status on 2017-12-12. Fedora 25 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.