When working with a SELinux-enabled system, you will notice that some policies are far from perfect. That is to be expected, since there are a lot more policies and SELinux policy modules than we can thoroughly test. That is why bug reports are very important for us as they give us much-needed feedback on the state of the policies. Also, since we follow the reference policy closely, patches are also sent upstream so that other distributions can benefit from the updates.
However, debugging and fixing SELinux policies also means that we need to identify a proper policy failure, find the root cause of this failure and have an optimal solution. Since we are talking about
That is one of the reasons why we created this bugreport as it helps you, as the feedback-providing user, to both properly figure out why a failure occurs and how to fix it, but also why we are quite strict in the acceptance of patches.
When reporting SELinux policy fixes based on AVC denials,
In this section, we'll go into the details of creating a helpful bug report for SELinux policies in case you have an AVC denial (which means SELinux is prohibiting a certain privilege request) that results in the failure of the application.
When you get one or more AVC denials, try to structure them into logically coherent sets. We cannot easily deal with several dozen denials at once. Most of the time, you either get multiple denials with the same cause, or the denials are not truly related to each other.
When we need to fix the SELinux policy, nine out of ten times we focus on one or a few related denials and come up with a proper fix. When there is an abundance of AVC denials, we need to skim through them (usually one at a time), which puts a lot of stress on you (the reporter), as we will ask you a hundred-and-one questions and requests for testing.
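As an added illustration of the grouping advised above (this script is not part of the original page or of the Gentoo SELinux project), here is a small Python helper that parses AVC denials from an audit log and merges them by source type, target type and object class, so that denials sharing one cause show up as one entry. The sample log lines are constructed, and the nginx/httpd_t labels are assumed values for illustration only:

```python
import re
from collections import defaultdict

# Constructed sample audit log lines (not from any real bug report):
# four denials for one process, three of which share a single root cause.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1234 comm="nginx" name="nginx.conf" dev="sda1" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { open } for  pid=1234 comm="nginx" path="/etc/nginx/nginx.conf" dev="sda1" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { name_bind } for  pid=1234 comm="nginx" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.104:204): avc:  denied  { read } for  pid=1234 comm="nginx" name="nginx.conf" dev="sda1" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}'   # requested permissions
    r'.*?comm="(?P<comm>[^"]*)"'                     # process name
    r'.*?scontext=(?P<scontext>\S+)'                 # source (subject) context
    r'\s+tcontext=(?P<tcontext>\S+)'                 # target (object) context
    r'\s+tclass=(?P<tclass>\S+)'                     # object class
    r'(?:\s+permissive=(?P<permissive>[01]))?'       # present on newer kernels
)

def selinux_type(context):
    """Return the type field of a user:role:type[:range] context."""
    return context.split(":")[2]

def group_denials(log_text):
    """Group AVC denials by (source type, target type, class); each group
    merges the requested permissions, counts raw denials, records the
    commands involved and flags whether any was logged in permissive mode."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0,
                                  "comm": set(), "permissive": False})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial, or a line this parser does not understand
        key = (selinux_type(m["scontext"]), selinux_type(m["tcontext"]), m["tclass"])
        g = groups[key]
        g["perms"].update(m["perms"].split())
        g["count"] += 1
        g["comm"].add(m["comm"])
        g["permissive"] |= (m["permissive"] == "1")
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls), g in group_denials(SAMPLE_AUDIT_LOG).items():
        print(f"{src} -> {tgt} ({cls}): {sorted(g['perms'])} x{g['count']}"
              f" comm={sorted(g['comm'])} permissive={g['permissive']}")
```

Feeding it the real `audit.log` (or the output of `dmesg` on systems without auditd) gives you the handful of coherent sets a bug report should be built around, and the `permissive` flag shows when a denial was only observed in permissive mode.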
When you report a SELinux policy related bug, make sure you are ready to test the fixes that we want to put in. We cannot test out all applications ourselves. Sometimes, a failure is even only reproducible on a specific setup.
More than once, we get bug reports on SELinux policy denials where the user is still running in permissive mode. They report the denials because they are afraid that they will not be able to run the application in enforcing mode without the denials being fixed.
However, denials can be
For this reason, we urge you to give us not only the AVC denial information, but also the application failure log output when running in enforcing mode.
The