I use Fedora Kinoite 42
One is systemd-homed: Systemd-homed major issues
Another is hibernation: Setup hibernation on Fedora Atomic Desktops - #2 by aaravchen
But there are many more smaller issues which aren't fixed OOTB…
If anyone else finds such issues, kindly post them in this forum thread…
To add any of the following policies on your system, run:
sudo checkmodule -M -m -o ${POLICYNAME}.mod ${POLICYNAME}.te   (Compile)
sudo semodule_package -o ${POLICYNAME}.pp -m ${POLICYNAME}.mod   (Package)
sudo semodule -i ${POLICYNAME}.pp   (Add to your system)
- Reboot and confirm that it is applied (that denial doesn't reappear).
- Delete the ${POLICYNAME}.{te,mod,pp} files.
- NO, don't change the booleans mentioned there… They will be applied when you apply the fixes, just where required. Manually changing the booleans will cause system-wide changes, and enough of those can open up the strong security of SELinux.
The file name and the policy name in the file should be the same.
A suffix like _errorfixes is added in order to avoid conflicting with policies of the same name which already exist, which could cause further issues…
Catching the issues:
If you are fixing such issues, please make sure that each policy is in a separate policy file… you can ask for help right in this thread.
When there is only one policy denial, kindly make a policy immediately with sudo audit2allow -b -M ${whatever_it_is}_errorfixes and share the ${whatever_it_is}_errorfixes.te file in this thread.
The audit2allow command will create the ${whatever_it_is}_errorfixes.pp file for you; apply it with sudo semodule -i ${whatever_it_is}_errorfixes.pp and reboot.
This will make sure that any other such error is not mixed with this one.
The issues I found:
Just after boot, the first denial reported by audit2allow -b is of bootupd.
To fix it, create bootupd_errorfixes.te with:
module bootupd_errorfixes 1.0;
require {
type install_exec_t;
type var_run_t;
type root_t;
type bootupd_t;
type fs_t;
class file { execute execute_no_trans getattr map open read };
class dir write;
class filesystem remount;
}
#============= bootupd_t ==============
allow bootupd_t fs_t:filesystem remount;
allow bootupd_t install_exec_t:file { execute execute_no_trans open read };
#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow bootupd_t install_exec_t:file map;
#!!!! This avc can be allowed using the boolean 'daemons_dump_core'
allow bootupd_t root_t:dir write;
allow bootupd_t var_run_t:file getattr;
Then run the three commands above to apply it on your system.
The next one I found is of logrotate. logrotate_errorfixes.te:
module logrotate_errorfixes 1.0;
require {
type logrotate_t;
type var_t;
class file { getattr };
}
#============= logrotate_t ==============
allow logrotate_t var_t:file getattr;
Compile and apply it.
When running systemctl daemon-reload, another issue crops up, fixed by systemd_generic_generator_errorfixes.te:
module systemd_generic_generator_errorfixes 1.0;
require {
type shell_exec_t;
type install_exec_t;
type passwd_file_t;
type var_run_t;
type systemd_generic_generator_t;
class file { execute execute_no_trans getattr map open read };
}
#============= systemd_generic_generator_t ==============
allow systemd_generic_generator_t install_exec_t:file { execute execute_no_trans getattr open read };
#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow systemd_generic_generator_t install_exec_t:file map;
allow systemd_generic_generator_t passwd_file_t:file { getattr open read };
#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow systemd_generic_generator_t shell_exec_t:file map;
allow systemd_generic_generator_t shell_exec_t:file execute;
allow systemd_generic_generator_t var_run_t:file getattr;
Apply it just as before.
AND kindly do the same for all other errors you find, and post them in this thread.
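As an added example (not part of the post above, and not a Fedora or SELinux project script), here is a small POSIX shell helper that enforces the two rules the post asks for before running the compile, package and install steps: the module name declared in the .te file must match the file name, and each file should contain rules for a single source domain so that one denial does not get mixed with another. It also counts the audit2allow "can be allowed using the boolean" hints so you can see which rules you are keeping targeted instead of flipping a boolean. The function names are my own; it assumes checkmodule, semodule_package, semodule and sudo are available on the host only when you actually call it with a .te path.

```shell
#!/bin/sh
# Added example: helper for the one-denial-per-module workflow from the post.
# Function names are mine (not part of the post); assumes checkmodule,
# semodule_package and semodule (policycoreutils) exist when install_policy runs.
set -eu

# Print the module name declared on the "module NAME VERSION;" line.
te_module_name() {
    sed -n 's/^[[:space:]]*module[[:space:]][[:space:]]*\([A-Za-z0-9_][A-Za-z0-9_]*\)[[:space:]].*/\1/p' "$1" | head -n 1
}

# Rule from the post: file name and policy name must be the same
# (foo_errorfixes.te must declare "module foo_errorfixes ...").
check_te_name() {
    name=$(te_module_name "$1")
    base=$(basename "$1" .te)
    [ -n "$name" ] && [ "$name" = "$base" ]
}

# Number of distinct source domains in the allow rules; the post wants
# one denial (one domain) per file so fixes are not mixed together.
te_source_domains() {
    sed -n 's/^[[:space:]]*allow[[:space:]][[:space:]]*\([A-Za-z0-9_][A-Za-z0-9_]*\)[[:space:]].*/\1/p' "$1" | sort -u | wc -l | tr -d ' '
}

# How many rules audit2allow said could also be granted by a boolean.
# The post keeps the targeted allow rule instead of changing the boolean.
te_boolean_hints() {
    grep -c "can be allowed using the boolean" "$1" || true
}

# Compile -> package -> install, the three commands from the post, then
# confirm the module is loaded and clean up the build artefacts.
install_policy() {
    te=$1
    name=$(basename "$te" .te)
    check_te_name "$te" || { echo "module name in $te must be $name" >&2; return 1; }
    [ "$(te_source_domains "$te")" -eq 1 ] || { echo "$te mixes several domains; split it" >&2; return 1; }
    checkmodule -M -m -o "$name.mod" "$te"
    semodule_package -o "$name.pp" -m "$name.mod"
    sudo semodule -i "$name.pp"
    semodule -l | grep -qw "^$name" && rm -f "$name.mod" "$name.pp"
}

if [ $# -eq 0 ]; then
    echo "usage: $0 policy_errorfixes.te" >&2
else
    install_policy "$1"
fi
```

Run it as `sh selinux-fix.sh logrotate_errorfixes.te` (any file name you like); a .te whose module line does not match its file name, or that mixes rules for several domains, is refused before anything is compiled or loaded. The final `semodule -l` check is the same "confirm that it is applied" step the post asks for, just done before rebooting.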