As suggested in another topic, I’m opening up this one about the SELinux alert spam.
So, yes I can just turn off the alerts, but I expect they are showing for a reason, and best not to ignore them.
As one example, I have 138 errors of gnome-shell attempting to write to dbus-XodxlWoUr5 (not sure if that’s an i or an l though). The last time this happened was about an hour ago.
It says if I believe it should have access then I should file it as a bug, and set up a new policy to allow access for now… but that’s kind of the whole problem with SELinux alerts.
I don’t know what gnome-shell is doing, or what this dbus sock_file is, so I don’t know if I want it to be doing that or not.
I guess I could ask the application developers, but in my experience they (not specifically GNOME developers, just in general) don’t respond so well to such requests.
A confined service like gnome-shell working in the SELinux domain xdm_t will probably never match something that is in the target domain unconfined_service_t.
Looking up what matches the source xdm_t, object unix_stream_socket and permission connectto on my Fedora 32 I came up with this:
Should that mess things up so that you can’t use the system, it will be relabeled on a hard reboot. On the other hand, if it solves the problem you can make it persistent with
semanage fcontext -a -t xdm_t /tmp/dbus-UpA49W7ZOx
(You could also start with checking if the file should have some other label than unconfined_service_t with the command “matchpathcon -V /tmp/dbus-UpA49W7Z0x”)
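As an added illustration (not part of the thread), the script below turns raw audit lines like the ones behind those alerts into the source type / target type / object class / permission tuples the reply above looks up, with a count per tuple, so a pile of repeated alerts collapses into the few distinct denials worth investigating. It assumes only POSIX sh and awk; the audit lines, socket names and PIDs are constructed samples, not the poster’s files.

```shell
#!/bin/sh
# Added example, not from the thread: collapse a stream of SELinux AVC denials
# into distinct (command, source type, target type, class, permission, object)
# tuples with a count, so "138 errors" become the handful of rules that matter.
# Real use on a Fedora box: ausearch -m avc -ts today --raw | avc_summary
# All file names and PIDs below are constructed sample values.

avc_summary() {
  awk '
    /avc: +denied/ {
      perm = $0                                   # "{ connectto }" -> connectto
      sub(/.*denied +[{] */, "", perm); sub(/ *[}].*/, "", perm)
      comm = "-"; src = "-"; tgt = "-"; cls = "-"; obj = "-"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^comm=/)        { comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm) }
        if ($i ~ /^(path|name)=/) { obj = $i; sub(/^[a-z]+="?/, "", obj); sub(/"$/, "", obj) }
        if ($i ~ /^scontext=/)    { split($i, a, ":"); src = a[3] }   # user:role:TYPE:level
        if ($i ~ /^tcontext=/)    { split($i, a, ":"); tgt = a[3] }
        if ($i ~ /^tclass=/)      { cls = substr($i, 8) }
      }
      count[comm "\t" src "\t" tgt "\t" cls "\t" perm "\t" obj]++
    }
    END { for (k in count) printf "%d\t%s\n", count[k], k }
  ' | sort -rn
}

# Constructed audit.log excerpt: two connectto denials against a socket whose
# peer runs as unconfined_service_t, one write denial on the sock_file itself,
# and a non-AVC SYSCALL record that must be ignored.
SAMPLE_AVC='type=AVC msg=audit(1590000000.101:401): avc:  denied  { connectto } for  pid=2345 comm="gnome-shell" path="/tmp/dbus-EXAMPLE0" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1590000000.102:402): avc:  denied  { connectto } for  pid=2345 comm="gnome-shell" path="/tmp/dbus-EXAMPLE0" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1590000000.103:403): avc:  denied  { write } for  pid=2345 comm="gnome-shell" name="dbus-EXAMPLE0" dev="tmpfs" ino=77 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1590000000.103:403): arch=c000003e syscall=42 success=no exit=-13'

# Columns: count, comm, source type, target type, class, permission, object
printf '%s\n' "$SAMPLE_AVC" | avc_summary
```

The object column is what you would hand to matchpathcon -V to see whether the file carries the label policy expects, while the source/target/class/permission columns are what the policy lookup is keyed on.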
I think there are few people who really understand SELinux and it is a management nightmare. In addition there are these inconsistencies with Silverblue and at the end of the day you may want to ask yourself: what’s the point?
SELinux has been around for some time, and it is a good security tool. I really appreciate that Fedora still embraces this kind of security management, instead of letting software developers run wild and do whatever they want.
I think it would be helpful for everyone if it was easier to understand and use though. It’s certainly gotten better over the years, but still has potential for improvement.
Today’s boot is looking much better, only a handful of “ignore” messages are showing. I’ll continue to monitor the situation and post where appropriate.