1575275 – Fedora 28 - SELinux: Class bpf not defined in policy.

Bug 1575275 - Fedora 28 - SELinux: Class bpf not defined in policy.

Summary: Fedora 28 - SELinux: Class bpf not defined in policy.

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	28
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Lukas Vrabec
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-05-05 15:42 UTC by Neil Kownacki
Modified:	2018-08-07 15:42 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-05-21 15:51:34 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Neil Kownacki 2018-05-05 15:42:42 UTC

After upgrading to Fedora 28, I got the following message in the system log:

Unable to fix SELinux security context of /sys/fs/bpf: Permission denied


I ran touch ./autorelabel and rebooted, and now get this message every time I boot up:

SELinux:  Class bpf not defined in policy.


I suspect some kind of SELinux policy update is needed to fix this.

Comment 1 Neil Kownacki 2018-05-05 15:45:53 UTC

Correction: that should be touch /.autorelabel.

Comment 2 Lukas Vrabec 2018-05-21 15:51:34 UTC

Hi,

Could you remount bpf? It should be fixed then. 

Thanks.

Comment 3 Claude Frantz 2018-07-16 12:16:52 UTC

I have tried to remount /sys/fs/bpf but this error message appeared later again. I adhere to  Neil Kownacki's opinion, that some kind of SELinux policy update is needed to fix this. Please reopen this bug ID.

Comment 4 Paul Moore 2018-07-16 15:53:16 UTC

The "SELinux:  Class bpf not defined in policy." message is relatively harmless on default Fedora systems as object classes which are undefined in the loaded SELinux policy are not restricted by SELinux.  In other words, any applications using eBPF should not be blocked by SELinux for their use of eBPF.

We should consider defining the bpf object class in the Fedora SELinux policy to see what policy changes are needed, but that should happen in Rawhide and not in any of the stable Fedora releases as the chance for disruption is too high.

Comment 5 John Dodson 2018-08-07 04:47:55 UTC

Is that "relatively harmless" as similarly defined by Douglas Adams?

Meanwhile how can this really be fixed now in FC28?

Repeat... Please reopen this bug ID.

Comment 6 Paul Moore 2018-08-07 15:42:20 UTC

(In reply to John Dodson from comment #5)
> Is that "relatively harmless" as similarly defined by Douglas Adams?

It is as I defined in my comment above:

> "... as object classes which are undefined in the loaded SELinux
>  policy are not restricted by SELinux.  In other words, any
>  applications using eBPF should not be blocked by SELinux for
>  their use of eBPF."

If you are worried about SELinux blocking access to eBPF on Fedora due to the missing object class, that isn't going to happen due to how the default Fedora SELinux policy is configured (accesses to unknown object classes are allowed).

If you are worried that SELinux is not blocking access to eBPF on Fedora due to the missing object class, you are right to be worried (see above).

Note You need to log in before you can comment on or make changes to this bug.