Recently I noticed selinux denial alerts popping up from time to time. (I don’t know the exact cause, but I should remark that I recently installed qemu and virt-manager, and around the same time also the selinux-policy-0 and selinux-policy-targeted-0 had updates.) I thought maybe an autorelabel would solve the issues, but during the relabel genhomedircon fails and setfiles complains about conflicting contexts for several files. Since I attempted to relabel, my system only boots in PERMISSIVE mode, with hundreds of AVC violations logged by ausearch.
I suppose the root cause might be the following error thrown when I execute semodule -B:
$ sudo semodule -B -v
Committing changes:
Found conflicting filecon rules
at /var/lib/selinux/targeted/tmp/modules/400/extra_binsbin/cil:8
at /var/lib/selinux/targeted/tmp/modules/100/ktls/cil:44
Found conflicting filecon rules
at /var/lib/selinux/targeted/tmp/modules/400/extra_binsbin/cil:26
at /var/lib/selinux/targeted/tmp/modules/100/pcm/cil:67
Problems processing filecon rules
Failed post db handling
Post process failed
semodule: Failed!
Any idea how to solve these issues?
$ uname -r
6.12.11-200.fc41.x86_64
$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
(I didn’t customize my selinux setup. Fedora 41 KDE Plasma)
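Added example, not part of the original post: a small parser for the `semodule -B -v` output quoted above that groups each "Found conflicting filecon rules" block and reports which module (and priority directory) appears in every conflict. The function names are hypothetical, and the path layout `.../modules/<priority>/<module>/cil:<line>` is assumed from the quoted output.

```python
import re
from collections import Counter

# Sample input: the `semodule -B -v` output copied from the post above.
SAMPLE = """\
Committing changes:
Found conflicting filecon rules
at /var/lib/selinux/targeted/tmp/modules/400/extra_binsbin/cil:8
at /var/lib/selinux/targeted/tmp/modules/100/ktls/cil:44
Found conflicting filecon rules
at /var/lib/selinux/targeted/tmp/modules/400/extra_binsbin/cil:26
at /var/lib/selinux/targeted/tmp/modules/100/pcm/cil:67
Problems processing filecon rules
Failed post db handling
Post process failed
semodule: Failed!
"""

# Assumed path layout (from the output above): .../modules/<priority>/<module>/cil:<line>
AT_LINE = re.compile(
    r"^\s*at\s+\S*/modules/(?P<priority>\d+)/(?P<module>[^/]+)/cil:(?P<line>\d+)\s*$"
)

def parse_conflicts(text):
    """Return one list of (priority, module, line) per conflict block."""
    conflicts, current = [], None
    for raw in text.splitlines():
        if raw.strip() == "Found conflicting filecon rules":
            current = []
            conflicts.append(current)
            continue
        m = AT_LINE.match(raw)
        if m is None:
            current = None  # any other line closes the open block
        elif current is not None:
            current.append((int(m["priority"]), m["module"], int(m["line"])))
    return conflicts

def modules_in_every_conflict(conflicts):
    """(priority, module) pairs present in all conflicts: inspect these first."""
    seen = Counter(pm for c in conflicts for pm in {(p, mod) for p, mod, _ in c})
    return sorted(pm for pm, n in seen.items() if n == len(conflicts))

if __name__ == "__main__":
    for c in parse_conflicts(SAMPLE):
        print(c)
    print("common to all:", modules_in_every_conflict(parse_conflicts(SAMPLE)))
```

`semodule --list-modules=full` lists each installed module with its priority, which helps confirm where the module reported here came from.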