After upgrading to Fedora 28, I got the following message in the system log:

Unable to fix SELinux security context of /sys/fs/bpf: Permission denied

I ran touch ./autorelabel and rebooted, and now get this message every time I boot up:

SELinux: Class bpf not defined in policy.

I suspect some kind of SELinux policy update is needed to fix this.
Correction: that should be touch /.autorelabel.
Hi, Could you remount bpf? It should be fixed then. Thanks.
I have tried to remount /sys/fs/bpf, but this error message appeared again later. I adhere to Neil Kownacki's opinion that some kind of SELinux policy update is needed to fix this. Please reopen this bug ID.
The "SELinux: Class bpf not defined in policy." message is relatively harmless on default Fedora systems as object classes which are undefined in the loaded SELinux policy are not restricted by SELinux. In other words, any applications using eBPF should not be blocked by SELinux for their use of eBPF. We should consider defining the bpf object class in the Fedora SELinux policy to see what policy changes are needed, but that should happen in Rawhide and not in any of the stable Fedora releases as the chance for disruption is too high.
Is that "relatively harmless" as similarly defined by Douglas Adams? Meanwhile how can this really be fixed now in FC28? Repeat... Please reopen this bug ID.
(In reply to John Dodson from comment #5)
> Is that "relatively harmless" as similarly defined by Douglas Adams?

It is as I defined in my comment above:

> "... as object classes which are undefined in the loaded SELinux
> policy are not restricted by SELinux. In other words, any
> applications using eBPF should not be blocked by SELinux for
> their use of eBPF."

If you are worried about SELinux blocking access to eBPF on Fedora due to the missing object class, that isn't going to happen due to how the default Fedora SELinux policy is configured (accesses to unknown object classes are allowed).

If you are worried that SELinux is not blocking access to eBPF on Fedora due to the missing object class, you are right to be worried (see above).
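
A way to check which of the two cases discussed in this thread applies on a given host, as an added example that is not part of the bug report: it reads selinuxfs to see whether the loaded policy defines an object class and, if it does not, whether unknown classes are allowed or denied. The function names and the constructed sample trees are assumptions for illustration; the selinuxfs entries class/<name> and deny_unknown are the kernel's own.

```shell
#!/bin/sh
# Added example, not from the bug report. The selinuxfs root is a parameter
# so the same logic runs against a real mount or a constructed sample tree.

# class_status ROOT CLASS -> prints one word:
#   defined          class exists in the loaded policy, so its rules apply
#   undefined-allow  class missing and unknown classes are allowed (unrestricted)
#   undefined-deny   class missing and unknown classes are denied
#   unknown          ROOT does not look like a mounted selinuxfs
class_status() {
    root=$1 class=$2
    [ -d "$root/class" ] || { echo unknown; return 0; }
    if [ -d "$root/class/$class" ]; then
        echo defined
        return 0
    fi
    # deny_unknown holds 1 when the policy was built to deny unknown classes
    deny=$(cat "$root/deny_unknown" 2>/dev/null || echo 0)
    if [ "$deny" = "1" ]; then
        echo undefined-deny
    else
        echo undefined-allow
    fi
}

# make_sample_tree DIR DENY CLASS...: builds constructed sample data that
# mimics the selinuxfs layout (hypothetical helper for offline runs).
make_sample_tree() {
    dir=$1 deny=$2; shift 2
    mkdir -p "$dir/class"
    printf '%s' "$deny" > "$dir/deny_unknown"
    for c in "$@"; do mkdir -p "$dir/class/$c/perms"; done
}

# Constructed demo: one policy without a bpf class, one with it.
tmp=$(mktemp -d)
make_sample_tree "$tmp/no_bpf" 0 file process
make_sample_tree "$tmp/with_bpf" 0 file process bpf
echo "sample without bpf class: $(class_status "$tmp/no_bpf" bpf)"
echo "sample with bpf class:    $(class_status "$tmp/with_bpf" bpf)"
rm -rf "$tmp"

# On a host with SELinux enabled, report the live state as well.
if [ -d /sys/fs/selinux/class ]; then
    echo "this host: bpf is $(class_status /sys/fs/selinux bpf)"
fi
```

A result of undefined-allow corresponds to the situation described in the comments above: the boot message appears, and SELinux places no restriction on the class.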