On initial creation by sudo, /var/log/sudo-io is created with var_log_t instead of the expected sudo_log_t.

Reproducible: Always

Steps to Reproduce:
1. Enable IO logging with:
   Defaults log_output
   Defaults log_input
2. Run a command with sudo
3. ls -lZRa /var/log/sudo*

Actual Results:
-rw-------. 1 root root unconfined_u:object_r:var_log_t:s0 98402 May 3 14:35 /var/log/sudo_debug
-rw-------. 1 root root unconfined_u:object_r:var_log_t:s0 1468819 May 3 14:35 /var/log/sudoers_debug

/var/log/sudo-io:
total 16
drwx------. 3 root root unconfined_u:object_r:var_log_t:s0 4096 May 3 14:35 ./
drwxr-xr-x. 12 root root system_u:object_r:var_log_t:s0 4096 May 3 14:35 ../
drwx------. 3 root root unconfined_u:object_r:var_log_t:s0 4096 May 3 14:35 00/
-rw-------. 1 root root unconfined_u:object_r:var_log_t:s0 7 May 3 14:35 seq

/var/log/sudo-io/00:
total 12
drwx------. 3 root root unconfined_u:object_r:var_log_t:s0 4096 May 3 14:35 ./
drwx------. 3 root root unconfined_u:object_r:var_log_t:s0 4096 May 3 14:35 ../
drwx------. 3 root root unconfined_u:object_r:var_log_t:s0 4096 May 3 14:35 00/

/var/log/sudo-io/00/00:
total 12
drwx------. 3 root root unconfined_u:object_r:var_log_t:s0 4096 May 3 14:35 ./
drwx------. 3 root root unconfined_u:object_r:var_log_t:s0 4096 May 3 14:35 ../
drwx------. 2 root root unconfined_u:object_r:var_log_t:s0 4096 May 3 14:35 01/

/var/log/sudo-io/00/00/01:
total 44
drwx------. 2 root root unconfined_u:object_r:var_log_t:s0 4096 May 3 14:35 ./
drwx------. 3 root root unconfined_u:object_r:var_log_t:s0 4096 May 3 14:35 ../
-rw-------. 1 root root unconfined_u:object_r:var_log_t:s0 61 May 3 14:35 log
-rw-------. 1 root root unconfined_u:object_r:var_log_t:s0 6677 May 3 14:35 log.json
-rw-------. 1 root root unconfined_u:object_r:var_log_t:s0 25 May 3 14:35 stderr
-rw-------. 1 root root unconfined_u:object_r:var_log_t:s0 25 May 3 14:35 stdin
-rw-------. 1 root root unconfined_u:object_r:var_log_t:s0 25 May 3 14:35 stdout
-r--------. 1 root root unconfined_u:object_r:var_log_t:s0 42 May 3 14:35 timing
-rw-------. 1 root root unconfined_u:object_r:var_log_t:s0 25 May 3 14:35 ttyin
-rw-------. 1 root root unconfined_u:object_r:var_log_t:s0 30 May 3 14:35 ttyout

Expected Results:
Files created with sudo_log_t, per:

# restorecon -r -v /var/log/sudo*
Relabeled /var/log/sudo-io from unconfined_u:object_r:var_log_t:s0 to unconfined_u:object_r:sudo_log_t:s0
Relabeled /var/log/sudo-io/00 from unconfined_u:object_r:var_log_t:s0 to unconfined_u:object_r:sudo_log_t:s0
Relabeled /var/log/sudo-io/00/00 from unconfined_u:object_r:var_log_t:s0 to unconfined_u:object_r:sudo_log_t:s0
Relabeled /var/log/sudo-io/00/00/01 from unconfined_u:object_r:var_log_t:s0 to unconfined_u:object_r:sudo_log_t:s0
Relabeled /var/log/sudo-io/00/00/01/ttyin from unconfined_u:object_r:var_log_t:s0 to unconfined_u:object_r:sudo_log_t:s0
Relabeled /var/log/sudo-io/00/00/01/stdin from unconfined_u:object_r:var_log_t:s0 to unconfined_u:object_r:sudo_log_t:s0
Relabeled /var/log/sudo-io/00/00/01/stderr from unconfined_u:object_r:var_log_t:s0 to unconfined_u:object_r:sudo_log_t:s0
Relabeled /var/log/sudo-io/00/00/01/timing from unconfined_u:object_r:var_log_t:s0 to unconfined_u:object_r:sudo_log_t:s0
Relabeled /var/log/sudo-io/00/00/01/log from unconfined_u:object_r:var_log_t:s0 to unconfined_u:object_r:sudo_log_t:s0
Relabeled /var/log/sudo-io/00/00/01/stdout from unconfined_u:object_r:var_log_t:s0 to unconfined_u:object_r:sudo_log_t:s0
Relabeled /var/log/sudo-io/00/00/01/log.json from unconfined_u:object_r:var_log_t:s0 to unconfined_u:object_r:sudo_log_t:s0
Relabeled /var/log/sudo-io/00/00/01/ttyout from unconfined_u:object_r:var_log_t:s0 to unconfined_u:object_r:sudo_log_t:s0
Relabeled /var/log/sudo-io/seq from unconfined_u:object_r:var_log_t:s0 to unconfined_u:object_r:sudo_log_t:s0

Also, the debug logs are created with var_log_t, but restorecon doesn't change their type. But unsure if they should really have sudo_log_t as well.
This bug appears to have been reported against 'rawhide' during the Fedora Linux 42 development cycle. Changing version to 42.
See a similar ticket resolution: https://github.com/fedora-selinux/selinux-policy/pull/1575
FEDORA-2025-d93e219f23 (selinux-policy-42.4-1.fc42) has been submitted as an update to Fedora 42. https://bodhi.fedoraproject.org/updates/FEDORA-2025-d93e219f23
FEDORA-2025-d93e219f23 has been pushed to the Fedora 42 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-d93e219f23` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-d93e219f23 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2025-d93e219f23 (selinux-policy-42.4-1.fc42) has been pushed to the Fedora 42 stable repository. If problem still persists, please make note of it in this bug report.
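
To confirm whether the problem persists after updating, the `ls -lZRa` listing from the report can be checked mechanically. The following is an added example, not part of the bug thread or of selinux-policy; `find_mislabeled` and `sample_listing` are hypothetical names, and the sample is constructed from the report's listing with `seq` altered to show a correctly labeled entry.

```shell
#!/bin/sh
# Added example (not from the bug report). find_mislabeled and sample_listing
# are hypothetical names. Assumes file names contain no whitespace.

# Read `ls -lZRa` output on stdin; print "path type" for every entry whose
# SELinux type is not $1. Each path is reported once.
find_mislabeled() {
    awk -v want="$1" '
        /^\/.*:$/ { dir = substr($0, 1, length($0) - 1); next }  # "dir:" header from -R
        NF == 0 || /^total / { next }
        {
            ctx = ""
            for (i = 1; i <= NF; i++)            # locate user:role:type:level
                if ($i ~ /^[^:]+:[^:]+:[^:]+:[^:]+/) { ctx = $i; break }
            if (ctx == "") next
            name = $NF
            sub(/\/$/, "", name)                 # drop the "/" that ls -F appends
            if (name == "..") next               # parent is outside the tree
            if (name == ".") path = dir          # the directory itself
            else if (name ~ /^\// || dir == "") path = name
            else path = dir "/" name
            split(ctx, part, ":")
            if (part[3] != want && !seen[path]++) print path, part[3]
        }'
}

# Constructed sample: abbreviated from the listing in the report, with "seq"
# changed to sudo_log_t so both outcomes appear.
sample_listing() {
    cat <<'EOF'
/var/log/sudo-io:
total 16
drwx------. 3 root root unconfined_u:object_r:var_log_t:s0 4096 May 3 14:35 ./
drwxr-xr-x. 12 root root system_u:object_r:var_log_t:s0 4096 May 3 14:35 ../
drwx------. 3 root root unconfined_u:object_r:var_log_t:s0 4096 May 3 14:35 00/
-rw-------. 1 root root unconfined_u:object_r:sudo_log_t:s0 7 May 3 14:35 seq

/var/log/sudo-io/00:
total 12
drwx------. 3 root root unconfined_u:object_r:var_log_t:s0 4096 May 3 14:35 ./
drwx------. 3 root root unconfined_u:object_r:var_log_t:s0 4096 May 3 14:35 ../
-rw-------. 1 root root unconfined_u:object_r:var_log_t:s0 61 May 3 14:35 log
EOF
}

sample_listing | find_mislabeled sudo_log_t
```

On a live system, pipe `ls -lZRa /var/log/sudo-io` into `find_mislabeled sudo_log_t`; empty output means every entry carries the expected type. `restorecon -n -r -v /var/log/sudo-io` gives an equivalent dry-run against the loaded policy without changing any labels.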