1. Please describe the problem:
the following is logged to dmesg:

[ 18.039730] SELinux: Permission watch in class filesystem not defined in policy.
[ 18.039739] SELinux: Permission watch in class file not defined in policy.
[ 18.039739] SELinux: Permission watch_mount in class file not defined in policy.
[ 18.039740] SELinux: Permission watch_sb in class file not defined in policy.
[ 18.039741] SELinux: Permission watch_with_perm in class file not defined in policy.
[ 18.039742] SELinux: Permission watch_reads in class file not defined in policy.
[ 18.039747] SELinux: Permission watch in class dir not defined in policy.
[ 18.039748] SELinux: Permission watch_mount in class dir not defined in policy.
[ 18.039749] SELinux: Permission watch_sb in class dir not defined in policy.
[ 18.039750] SELinux: Permission watch_with_perm in class dir not defined in policy.
[ 18.039750] SELinux: Permission watch_reads in class dir not defined in policy.
[ 18.039757] SELinux: Permission watch in class lnk_file not defined in policy.
[ 18.039758] SELinux: Permission watch_mount in class lnk_file not defined in policy.
[ 18.039759] SELinux: Permission watch_sb in class lnk_file not defined in policy.
[ 18.039759] SELinux: Permission watch_with_perm in class lnk_file not defined in policy.
[ 18.039760] SELinux: Permission watch_reads in class lnk_file not defined in policy.
[ 18.039764] SELinux: Permission watch in class chr_file not defined in policy.
[ 18.039765] SELinux: Permission watch_mount in class chr_file not defined in policy.
[ 18.039766] SELinux: Permission watch_sb in class chr_file not defined in policy.
[ 18.039766] SELinux: Permission watch_with_perm in class chr_file not defined in policy.
[ 18.039767] SELinux: Permission watch_reads in class chr_file not defined in policy.
[ 18.039771] SELinux: Permission watch in class blk_file not defined in policy.
[ 18.039771] SELinux: Permission watch_mount in class blk_file not defined in policy.
[ 18.039772] SELinux: Permission watch_sb in class blk_file not defined in policy.
[ 18.039773] SELinux: Permission watch_with_perm in class blk_file not defined in policy.
[ 18.039773] SELinux: Permission watch_reads in class blk_file not defined in policy.
[ 18.039778] SELinux: Permission watch in class sock_file not defined in policy.
[ 18.039779] SELinux: Permission watch_mount in class sock_file not defined in policy.
[ 18.039779] SELinux: Permission watch_sb in class sock_file not defined in policy.
[ 18.039780] SELinux: Permission watch_with_perm in class sock_file not defined in policy.
[ 18.039781] SELinux: Permission watch_reads in class sock_file not defined in policy.
[ 18.039785] SELinux: Permission watch in class fifo_file not defined in policy.
[ 18.039785] SELinux: Permission watch_mount in class fifo_file not defined in policy.
[ 18.039786] SELinux: Permission watch_sb in class fifo_file not defined in policy.
[ 18.039787] SELinux: Permission watch_with_perm in class fifo_file not defined in policy.
[ 18.039788] SELinux: Permission watch_reads in class fifo_file not defined in policy.
[ 18.039991] SELinux: the above unknown classes and permissions will be allowed
[ 18.039997] SELinux: policy capability network_peer_controls=1
[ 18.039998] SELinux: policy capability open_perms=1
[ 18.039999] SELinux: policy capability extended_socket_class=1
[ 18.039999] SELinux: policy capability always_check_network=0
[ 18.040000] SELinux: policy capability cgroup_seclabel=1
[ 18.040001] SELinux: policy capability nnp_nosuid_transition=1

2. What is the Version-Release number of the kernel:
5.4.2-300.fc31.x86_64

3. Did it work previously in Fedora? If so, what kernel version did the issue *first* appear? Old kernels are available for download at https://koji.fedoraproject.org/koji/packageinfo?packageID=8 :
This issue is new

4. Can you reproduce this issue? If so, please provide the steps to reproduce the issue below:
Install kernel-5.4.2-300.fc31.x86_64 as per test day instructions

5. Does this problem occur with the latest Rawhide kernel? To install the Rawhide kernel, run ``sudo dnf install fedora-repos-rawhide`` followed by ``sudo dnf update --enablerepo=rawhide kernel``:
This is the rawhide/testing kernel

6. Are you running any modules that are not shipped directly with Fedora's kernel?:
no

7. Please attach the kernel logs. You can get the complete kernel log for a boot with ``journalctl --no-hostname -k > dmesg.txt``. If the issue occurred on a previous boot, use the journalctl ``-b`` flag.
see above
note that this also occurs for kernel-5.4.5-300.fc31.x86_64
I believe this is actually an SELinux policy issue, I'm going to adjust the component I logged this bug against. Basically the policy doesn't cover these items and so just allows them.
version of selinux-policy-targeted is 3.14.4-43.fc31
still happening with 5.4.10-200.fc31.x86_64 and selinux-policy 3.14.4-44
2020.02.02 - same issue for selinux-policy-targeted.noarch version 3.14.4-45.fc31

[root@desk mythcat]# uname -a
Linux desk 5.4.14-200.fc31.x86_64 #1 SMP Thu Jan 23 13:06:12 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
[root@desk mythcat]# dnf search selinux-policy-targeted
Last metadata expiration check: 2:14:53 ago on Sun 02 Feb 2020 01:28:54 PM EET.
=========================================== Name Exactly Matched: selinux-policy-targeted ============================================
selinux-policy-targeted.noarch : SELinux targeted base policy
[root@desk mythcat]# dnf list selinux-policy-targeted.noarch
Last metadata expiration check: 2:18:07 ago on Sun 02 Feb 2020 01:28:54 PM EET.
Installed Packages
selinux-policy-targeted.noarch 3.14.4-45.fc31 @updates
Still happens on 5.4.17-200.fc31.x86_64, BUT NOT on a system built originally with fc30. So perhaps it's related to something leftover from older installs. I'll look further when I have some time.
Can be reproduced on a fresh F31 install with selinux-policy-targeted 3.14.4-49 on kernel 5.5.8-200.
This is still happening on 5.5.9-200
still happening on 5.6.6-200.fc31.x86_64
still occurring in 5.6.14-300.fc32.x86_64
still happening 5.6.15-300.fc32.x86_64 and selinux-policy 3.14.5-39.fc32
I can confirm this bug also exists in rawhide
The only place I can find all the "keywords" in these errors mentioned is the file, /etc/selinux/targeted/policy/policy.31 on an FC31 machine. & I assume that will be the case for FC32/rawhide etc. I'm reminded of it at every reboot of a number of machines that all have different policy.31 files.
Folks, The reason is that kernel already supports watch permission, but they haven't been included in the policy yet.
Wow! Thanks - at last an admission that what we are seeing is not really a problem but an artefact of a change we don't & are probably not expected to understand! (yet) It would have been nice to have had this information 6 months ago when the problem was originally reported, everyone would have been a lot more relaxed about it! Maybe there should be a "kernel development suppression list of errors" on mainline kernels, that are really only relevant to rawhide? Or if it's defined in the policy the error should be "not implemented in kernel - yet"?
Seems to me they are in the /etc/selinux/targeted/policy/policy.31 file
Ryan, you've changed the component but not the assignee. Currently, it's still assigned to the Kernel Maintainer List. Since it's a selinux policy issue perhaps there is a more appropriate assignee for it, as well?
(In reply to Georg Sauthoff from comment #17)
> Ryan, you've changed the component but not the assignee.
>
> Currently, it's still assigned to the Kernel Maintainer List.
>
> Since it's a selinux policy issue perhaps there is a more appropriate
> assignee for it, as well?

I agree, however I have no access to modify the assignee...perhaps someone on the Kernel Maintainer List can re-assign it appropriately? Also this issue is still present in the current version of selinux and the 5.7 series kernel.
Still happening in 5.9.2-300.x86_64.fc33 and selinux-policy-targeted 3.14.6-29.fc33.
The permissions should be added to the policy soon.
Resolved in Fedora 34 since selinux-policy-3.14.7-20.fc34.
ok...but this is not resolved in F33 yet. F34 isn't due for release until approx April and we don't have selinux-policy-3.14.7 in F33. Further the bug was lodged against F33, so when are we going to get the policy update in the current active version of Fedora [33]?
correction, the bug was lodged against F31...but it's currently flagged against 33
You are right the new permissions were introduced into kernel way earlier than to selinux-policy. The changes in selinux-policy though were quite big so we do not plan to backport them to older releases in order not to break any existing setup - once the permission is defined in the policy, it is evaluated, so it is possible some services would stop working and we don't want to make it happen in the middle of the release cycle.
Changing the status to more appropriate value. Summary of the changes: https://fedoraproject.org/wiki/Changes/Make_selinux_policy_uptodate_with_current_kernel
(In reply to Zdenek Pytela from comment #25)
> Changing the status to more appropriate value.
> Summary of the changes:
> https://fedoraproject.org/wiki/Changes/Make_selinux_policy_uptodate_with_current_kernel

My target is to use Linux Kernel 5.4 with SELinux enabled in enforcing mode, and the default handling of unknown classes is to deny. The "watch" will then be denied. If I have to solve this problem, which one do you recommend?
1. To allow all unknown classes.
2. To upgrade to the latest selinux-policy
I'm unfamiliar with the development strategy of selinux-policy, is it safe/useful to use the latest policy on an older kernel?
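The messages in the original report and the handle-unknown question in the last comment come down to the same check: which kernel permissions the loaded policy lacks, and whether the policy tells the kernel to allow or deny them. The script below is an added example written for this thread, not code from the kernel, Fedora or the selinux-policy project. It parses the "Permission X in class Y not defined in policy" lines the kernel logs, groups them by object class, and maps the value of /sys/fs/selinux/deny_unknown (0 = allow, 1 = deny; the same flag sestatus reports as "Policy deny_unknown status") to what it means for those accesses. The sample input is a constructed subset of the dmesg lines quoted in the report, so the script runs offline; the live read of selinuxfs is only attempted when it is run as a program.

```python
"""
Triage helper for "SELinux: Permission X in class Y not defined in policy."
kernel messages. Added example for this bug report; not code from the kernel,
Fedora or selinux-policy. It parses the kernel's messages, groups the missing
permissions by object class and, on a live system, reads the loaded policy's
deny_unknown flag from selinuxfs.
"""
import re
from collections import defaultdict
from pathlib import Path

# Message formats the kernel emits when the loaded policy lacks a class or
# permission the kernel knows about, plus the summary line that states how
# those accesses will be handled (as seen in the report's dmesg output).
PERM_RE = re.compile(r"SELinux:\s+Permission (\S+) in class (\S+) not defined in policy\.")
CLASS_RE = re.compile(r"SELinux:\s+Class (\S+) not defined in policy\.")
DISPOSITION_RE = re.compile(
    r"SELinux: the above unknown classes and permissions will be (allowed|denied)"
)

# selinuxfs node exposing the policy's handle-unknown setting: "0" means
# unknown classes/permissions are allowed, "1" means they are denied.
DENY_UNKNOWN_PATH = Path("/sys/fs/selinux/deny_unknown")


def parse_dmesg(lines):
    """Return (missing_perms, missing_classes, disposition).

    missing_perms maps class name -> sorted list of undefined permissions,
    missing_classes is a sorted list of classes the policy lacks entirely,
    disposition is "allowed", "denied" or None if no summary line was seen.
    """
    perms = defaultdict(set)
    classes = set()
    disposition = None
    for line in lines:
        m = PERM_RE.search(line)
        if m:
            perms[m.group(2)].add(m.group(1))
            continue
        m = CLASS_RE.search(line)
        if m:
            classes.add(m.group(1))
            continue
        m = DISPOSITION_RE.search(line)
        if m:
            disposition = m.group(1)
    return ({c: sorted(p) for c, p in perms.items()}, sorted(classes), disposition)


def interpret_deny_unknown(value):
    """Map the selinuxfs deny_unknown value to the kernel's behaviour."""
    return {"0": "allowed", "1": "denied"}.get(value.strip(), "unknown")


def read_deny_unknown(path=DENY_UNKNOWN_PATH):
    """Read the live flag; None when selinuxfs is not mounted (e.g. in a container)."""
    try:
        return interpret_deny_unknown(path.read_text())
    except OSError:
        return None


def report(missing_perms, missing_classes, disposition):
    """Render a short summary suitable for a bug comment or a monitoring alert."""
    out = []
    for cls, plist in sorted(missing_perms.items()):
        out.append(f"class {cls}: {len(plist)} undefined permission(s): {', '.join(plist)}")
    for cls in missing_classes:
        out.append(f"class {cls}: not defined at all")
    if disposition == "denied":
        out.append("policy handle-unknown is deny: these accesses fail until the policy defines them")
    elif disposition == "allowed":
        out.append("policy handle-unknown is allow: these accesses are permitted unchecked")
    return "\n".join(out)


# Constructed sample: a subset of the dmesg lines quoted in this report.
SAMPLE_DMESG = """\
[   18.039730] SELinux: Permission watch in class filesystem not defined in policy.
[   18.039739] SELinux: Permission watch in class file not defined in policy.
[   18.039739] SELinux: Permission watch_mount in class file not defined in policy.
[   18.039740] SELinux: Permission watch_sb in class file not defined in policy.
[   18.039741] SELinux: Permission watch_with_perm in class file not defined in policy.
[   18.039742] SELinux: Permission watch_reads in class file not defined in policy.
[   18.039747] SELinux: Permission watch in class dir not defined in policy.
[   18.039991] SELinux: the above unknown classes and permissions will be allowed
[   18.039997] SELinux: policy capability network_peer_controls=1
""".splitlines()

if __name__ == "__main__":
    perms, classes, disp = parse_dmesg(SAMPLE_DMESG)
    print(report(perms, classes, disp))
    live = read_deny_unknown()
    print("live deny_unknown:", live if live else "selinuxfs not available")
```

To run it against a real boot, feed it the output of ``journalctl -k`` instead of SAMPLE_DMESG. The useful signal is the combination: missing permissions with "allowed" is what this report shows (noise, but unchecked access); missing permissions with "denied" is the situation the last comment describes, where the affected operations fail in enforcing mode until the policy defines them.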