SELinux configuration for kmscon

Hi,

I’m trying to revive the kmscon package in copr:
https://copr.fedorainfracloud.org/coprs/jfalempe/kmscon/

I updated to the latest upstream branch and fixed a few bugs, and now it’s compiling and installing fine. I still have one problem with SELinux: when you log in with kmscon, SELinux prevents login from starting /usr/bin/bash.

Here is the error:
type=AVC msg=audit(1734616353.638:2269): avc: denied { transition } for pid=1778908 comm="login" path="/usr/bin/bash" dev="dm-1" ino=2236030 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0

What is the recommended way to solve this kind of issue?
I don’t know much about SELinux, and my current workaround is “sudo setenforce 0”, which is not great.

It would be nice to fix it in the package, so that users who want to install it won’t have to run some SELinux command to make it work.

Thanks,


If you need a persistent workaround, create a permissive policy module:

If you want to fix the issue, follow the packaging guidelines:

Here’s an example of a properly packaged SELinux module:

Thanks for the quick response.

So, I’ve run audit2allow, and it has generated a kmscon.te (and .pp).
Now I can add this file in the package, and run “semodule -i kmscon.pp” in the %post part of the installation?
Or should that be a separate step in the installation process (I mean not a part of “dnf install kmscon”)?

SELinux Policy Modules Packaging Draft - Fedora Project Wiki

This document is outdated. Please use SELinux/IndependentPolicy - Fedora Project Wiki instead.

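On the question of where `semodule -i` belongs: the sketch below is an added example, not taken from the thread or from the kmscon package. It shows a `-selinux` subpackage built with the `%selinux_*` RPM macros from Fedora's SELinux policy packaging, so the module is loaded as part of `dnf install kmscon`. The `selinux/kmscon.te` source path, the subpackage name and the `targeted` policy type are assumptions.

```spec
# Added sketch: only the SELinux-related additions to kmscon.spec are shown.
%global selinuxtype targeted
%global modulename  kmscon

# Main package: pull in the policy only where the targeted policy is installed
Requires:       (%{name}-selinux if selinux-policy-%{selinuxtype})

%package selinux
Summary:        SELinux policy module for kmscon
BuildArch:      noarch
BuildRequires:  selinux-policy-devel
Requires:       selinux-policy-%{selinuxtype}
Requires(post): selinux-policy-%{selinuxtype}
%{?selinux_requires}

%description selinux
SELinux policy module for kmscon.

%build
# Compile the reviewed kmscon.te (assumed path: selinux/kmscon.te) at build
# time instead of shipping a locally generated .pp
make -C selinux -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp
bzip2 -9 selinux/%{modulename}.pp

%install
install -D -m 0644 selinux/%{modulename}.pp.bz2 \
    %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2

%pre selinux
%selinux_relabel_pre -s %{selinuxtype}

%post selinux
# Replaces a hand-written "semodule -i" call in the scriptlet
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2

%postun selinux
# Unload the module on erase only, not on upgrade
if [ $1 -eq 0 ]; then
    %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
fi

%posttrans selinux
%selinux_relabel_post -s %{selinuxtype}

%files selinux
%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
```

Review the audit2allow output before shipping it: an allow rule whose source type is `unconfined_service_t` (the scontext in the denial above) applies to every service running in that domain, not only to kmscon.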