Hi,
Can I get some comments here? I'm starting
to do some tests with 2021.08 and I find unlabeled
stuff like the following ones:
[ 10.534555] SELinux: Context Default is not valid (left unmapped).
[ 10.562318] audit: type=1400 audit(1632913977.130:4): avc: denied { read } for pid=108 comm="auditd" name="audit" dev="vda" ino=16387 scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon="Default"
[ 10.579085] audit: type=1400 audit(1632913977.146:5): avc: denied { open } for pid=108 comm="auditd" path="/var/log/audit" dev="vda" ino=16387 scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon="Def"
[ 10.594226] audit: type=1400 audit(1632913977.146:6): avc: denied { getattr } for pid=108 comm="auditd" path="/var/log/audit" dev="vda" ino=16387 scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon=""
[ 10.610371] audit: type=1400 audit(1632913977.146:7): avc: denied { search } for pid=108 comm="auditd" name="audit" dev="vda" ino=16387 scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon="Default"
[ 10.629470] audit: type=1400 audit(1632913977.197:8): avc: denied { setattr } for pid=109 comm="auditd" name="audit" dev="vda" ino=16387 scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon="Default"
[ 10.646993] audit: type=1400 audit(1632913977.214:9): avc: denied { write } for pid=109 comm="auditd" name="audit" dev="vda" ino=16387 scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon="Default"
[ 10.662781] audit: type=1400 audit(1632913977.214:10): avc: denied { add_name } for pid=109 comm="auditd" name="audit.log" scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon="Default"
[ 10.677266] audit: type=1400 audit(1632913977.214:11): avc: denied { create } for pid=109 comm="auditd" name="audit.log" scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1
These make me think adding some way to
handle the autorelabel mechanism is still needed.
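A small triage script for output like the above, added here as an example; it is not code from the original thread or from the project under test. It scans dmesg-style text for the kernel's "Context ... is not valid (left unmapped)" message and groups AVC denials whose target type is unlabeled_t by the object they hit (dev:ino where present, otherwise the name), so one can see at a glance which paths still carry an on-disk label the loaded policy cannot map and therefore need relabeling. The sample log is a subset of the lines quoted in the post; all field names come from the AVC records themselves.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the dmesg lines quoted in the post above.
SAMPLE_LOG = """\
[ 10.534555] SELinux: Context Default is not valid (left unmapped).
[ 10.562318] audit: type=1400 audit(1632913977.130:4): avc: denied { read } for pid=108 comm="auditd" name="audit" dev="vda" ino=16387 scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon="Default"
[ 10.579085] audit: type=1400 audit(1632913977.146:5): avc: denied { open } for pid=108 comm="auditd" path="/var/log/audit" dev="vda" ino=16387 scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon="Def"
[ 10.629470] audit: type=1400 audit(1632913977.197:8): avc: denied { setattr } for pid=109 comm="auditd" name="audit" dev="vda" ino=16387 scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon="Default"
[ 10.662781] audit: type=1400 audit(1632913977.214:10): avc: denied { add_name } for pid=109 comm="auditd" name="audit.log" scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon="Default"
[ 10.677266] audit: type=1400 audit(1632913977.214:11): avc: denied { create } for pid=109 comm="auditd" name="audit.log" scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1
"""

# Kernel message emitted when an on-disk label does not exist in the loaded policy.
INVALID_CTX_RE = re.compile(r"SELinux: Context (\S+) is not valid")
# "avc: denied { perm ... } for key=value ..." -- the dmesg "[ t ]" prefix is ignored by search().
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
# Values are either double-quoted (may be empty, as in trawcon="") or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def invalid_contexts(log):
    """Return the contexts the kernel refused to map ("left unmapped")."""
    return INVALID_CTX_RE.findall(log)


def parse_avc(line):
    """Parse one AVC denial into a dict of its fields; None if the line is not a denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": m.group(1).split()}
    for key, value in KV_RE.findall(m.group(2)):
        rec[key] = value.strip('"')
    return rec


def target_key(rec):
    """Identify the object: dev:ino is stable, the name is only a fallback."""
    if "ino" in rec and "dev" in rec:
        return f"{rec['dev']}:{rec['ino']}"
    return f"name={rec.get('name', rec.get('path', '?'))}"


def find_unlabeled(log):
    """Group denials whose target type is unlabeled_t by the object they hit."""
    groups = defaultdict(lambda: {"perms": set(), "tclass": set(), "targets": set(),
                                  "trawcon": set(), "scontext": set()})
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        parts = rec.get("tcontext", "").split(":")   # user:role:type[:level]
        if len(parts) < 3 or parts[2] != "unlabeled_t":
            continue
        g = groups[target_key(rec)]
        g["perms"].update(rec["perms"])
        g["tclass"].add(rec.get("tclass", "?"))
        g["scontext"].add(rec.get("scontext", "?"))
        for field in ("name", "path"):
            if field in rec:
                g["targets"].add(rec[field])
        if "trawcon" in rec:          # the raw on-disk label the policy could not map
            g["trawcon"].add(rec["trawcon"])
    return dict(groups)


def report(log):
    """Human-readable summary: unmapped contexts first, then one line per object."""
    lines = [f"unmapped on-disk context: {ctx!r} (filesystem labels do not match the loaded policy)"
             for ctx in invalid_contexts(log)]
    for key, g in sorted(find_unlabeled(log).items()):
        lines.append(f"{key}: targets={sorted(g['targets'])} classes={sorted(g['tclass'])} "
                     f"denied={sorted(g['perms'])} raw={sorted(g['trawcon'])}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run against a full dmesg or `ausearch -m AVC` dump, the per-object grouping is what tells you whether the problem is a handful of stray files or a whole filesystem that was never labeled for the installed policy; the latter is the case the autorelabel mechanism mentioned above is meant to cover.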