# [SELinux] kernel 5.4.x: No support for "watch"

## deagol

After updating my kernel from 5.3 to 5.4 I had suspicious messages in my log. (I tried it last week with sys-kernel/gentoo-sources-5.4.0 and backed out due to the issue. Today I tried it again with sys-kernel/gentoo-sources-5.4.2):

It's primarily this one here on the system I used for testing:

```
Dec  8 14:49:01 web kernel: audit: type=1400 audit(1575812941.870:2069): avc:  denied  { watch } for  pid=2826 comm="crond" path="/var/spool/cron/crontabs" dev="sda3" ino=2539899 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:cron_spool_t tclass=dir permissive=0
```

It became quickly clear that linux 5.4 added some new capabilities for selinux to also control file system notifications (fanotify, inotify, dnotify) and that my policy does not know about that.

I did not test it, but it looks like cron won't notice if someone updates a cron file till it's restarted...

And it looks like this could cause some hard-to-spot problems for other programs, too. So I tried to find a way to either update the security policies to a compatible version or find some way to allow all of the new "watch" violations till a new security policy is available.

I first tried audit2allow to get the desired policy updates. But that failed:

```
web ~ # grep watch /var/log/avc.log | head -1 | audit2allow 
libsepol.sepol_string_to_av_perm: could not convert watch to av bit
web ~ # 
```

I then first updated all policies to "2.20190201-r1" and, after that did not help, to "9999". (Normally the system is using stable, with only the kernel ~amd64.) In the end I used this in /etc/portage/package.keywords:

```
sys-apps/checkpolicy **
sys-libs/libsemanage **
sys-libs/libsepol **
sys-libs/libselinux **
sec-policy/selinux-apache **
sec-policy/selinux-apm **
sec-policy/selinux-base **
sec-policy/selinux-base-policy **
sec-policy/selinux-dirmngr **
sec-policy/selinux-git **
sec-policy/selinux-gpg **
sec-policy/selinux-kerberos **
sec-policy/selinux-logrotate **
sec-policy/selinux-mandb **
sec-policy/selinux-mysql **
sec-policy/selinux-ntp **
sec-policy/selinux-openrc **
sec-policy/selinux-phpfpm **
sec-policy/selinux-rngd **
sec-policy/selinux-rpc **
sec-policy/selinux-samba **
sec-policy/selinux-screen **
sec-policy/selinux-shutdown **
sec-policy/selinux-sudo **
sys-apps/selinux-python **
```

But this did not change anything... I still had the denials for watch in the log and audit2allow was still unable to handle it. I nevertheless tried to add it to selocal:

```
web ~ # selocal -a "allow crond_t cron_spool_t:dir watch;" -c "Kernel 5.4 Fix #1"
web ~ # selocal -b
~/.selocal ~
## Building selocal.pp (in ~/.selocal):
# make -f /usr/share/selinux/strict/include/Makefile selocal.pp
Compiling strict selocal module
selocal.te:138:ERROR 'permission watch is not defined for class dir' at token ';' on line 1517:
allow crond_t cron_spool_t:dir watch; # Kernel 5.4 Fix #1
allow phpfpm_t pop_port_t:tcp_socket name_connect; # FPM Fix #17
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [/usr/share/selinux/strict/include/Makefile:166: tmp/selocal.mod] Error 1
~
web ~ #
```

Now the funny thing is, checkpolicy told me on install it can handle up to policy 32:

```
 * This checkpolicy can compile version 32 policy.
```

But my kernel still claims to be only policy version 31 - the same as kernel 5.3:

```
web ~ # sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             strict
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              disabled
Policy deny_unknown status:     denied
Memory protection checking:     actual (secure)
Max kernel policy version:      31
```

I'm probably just missing something simple, my selinux skills are a bit rusty... But it kind of looks like the policy version should have been bumped and the user space tools are not ready to handle "watch" yet...

As "last resort" solution I've now just undone commit ac5656d8a4cd ("fanotify, inotify, dnotify, security: add security hook for fs notifications") from the kernel, which seems to finally have the desired effect.

But what is the "correct" solution for that?

----------

## deagol

I've now asked upstream for help and got the pointer I was missing: link

The problem is only Gentoo's default policy to deny any unknown policy requests. We can simply change the setting till the policies and the user space have caught up.

Assuming Gentoo default settings the following should do the trick:

```
echo "handle-unknown = allow" >> /etc/selinux/semanage.conf; semodule -B
```

sestatus can be used to confirm it did work:

```
# sestatus | grep deny_unknown
Policy deny_unknown status:     allowed
```

All users of selinux in enforcing mode running a kernel >= 5.4.0 will need that setting for the foreseeable future, I believe.
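An added example (not code from the thread, from audit2allow or from the Gentoo policy) that does the two things these two posts work through by hand: it parses AVC denial lines like the ones quoted above into the `allow` rules one would feed to selocal, and it flags permissions that the loaded policy's class definitions do not contain, which is the case where no allow rule can be compiled and the policy's deny_unknown setting decides the outcome. The sample log lines and the pre-5.4 per-class permission sets are constructed.

```python
"""Turn SELinux AVC denials into candidate allow rules, and flag
permissions the loaded policy does not define for their class.

Constructed example: the regex, class table and log lines are written
for this illustration and are not taken from audit2allow or checkpolicy.
"""
import re
from collections import defaultdict

# Constructed sample log lines, modelled on the ones quoted in the thread
# (syslog-wrapped kernel audit line and raw audit.log lines).
SAMPLE_LOG = """\
Dec  8 14:49:01 web kernel: audit: type=1400 audit(1575812941.870:2069): avc:  denied  { watch } for  pid=2826 comm="crond" path="/var/spool/cron/crontabs" dev="sda3" ino=2539899 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:cron_spool_t tclass=dir permissive=0
type=AVC msg=audit(1583748767.566:7056): avc:  denied  { watch } for  pid=5922 comm="gmain" path="/usr" dev="dm-1" ino=261 scontext=staff_u:staff_r:mozilla_t tcontext=system_u:object_r:usr_t tclass=dir permissive=0
type=AVC msg=audit(1583748767.600:7057): avc:  denied  { read watch } for  pid=5922 comm="gmain" path="/usr/share" dev="dm-1" ino=262 scontext=staff_u:staff_r:mozilla_t tcontext=system_u:object_r:usr_t tclass=dir permissive=0
type=AVC msg=audit(1583748767.700:7058): avc:  denied  { name_connect } for  pid=3001 comm="php-fpm" scontext=system_u:system_r:phpfpm_t tcontext=system_u:object_r:pop_port_t tclass=tcp_socket permissive=0
"""

# Constructed, deliberately small subset of the permissions a policy
# built before kernel 5.4 defines per class.  It stands in for the class
# definitions compiled into the loaded policy, which is what checkpolicy
# consults when it says "permission watch is not defined for class dir".
OLD_POLICY_CLASSES = {
    "dir": {"add_name", "create", "getattr", "open", "read", "remove_name",
            "search", "setattr", "write"},
    "tcp_socket": {"name_connect", "name_bind"},
}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_denials(text):
    """Return (source_type, target_type, tclass, perm) tuples, one per
    denied permission, from any lines that carry an AVC denial."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        # user:role:type[:range] -> the type is the third field
        stype = m.group("scontext").split(":")[2]
        ttype = m.group("tcontext").split(":")[2]
        for perm in m.group("perms").split():
            out.append((stype, ttype, m.group("tclass"), perm))
    return out


def allow_rules(denials):
    """Merge denials into 'allow S T:C perms;' lines, like audit2allow does."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perm in denials:
        merged[(stype, ttype, tclass)].add(perm)
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        plist = sorted(perms)
        body = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {body};")
    return rules


def unknown_permissions(denials, policy_classes):
    """(tclass, perm) pairs the given policy does not define.

    An allow rule for these will not compile against that policy; until the
    policy is updated, the kernel applies the policy's deny_unknown setting
    (handle-unknown in semanage.conf) to such requests instead.
    """
    return sorted({(tclass, perm) for _, _, tclass, perm in denials
                   if perm not in policy_classes.get(tclass, set())})


if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    print("\n".join(allow_rules(found)))
    print("not defined in loaded policy:",
          unknown_permissions(found, OLD_POLICY_CLASSES))
```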

----------

## papas

On my system, after upgrading selinux-base and selinux-base-policy to -9999, it seems to recognize the "watch" permission. I used audit2allow to create a policy, and I think it is working.

```
master@gentoo ~ $ cat  personalPolicy.te | grep watch
        class file { append create execmod execute execute_no_trans getattr ioctl link lock map open read relabelfrom relabelto rename setattr unlink watch watch_reads write };
        class dir { add_name create getattr map mounton open read relabelfrom relabelto remove_name rename reparent rmdir search setattr watch write };
        class lnk_file { create getattr read relabelto rename setattr unlink watch };
        class blk_file { getattr ioctl lock open read watch };
allow chromium_t etc_t:dir watch;
allow chromium_t locale_t:dir watch;
allow chromium_t root_t:dir watch;
allow crond_t cron_spool_t:dir watch;
allow crond_t system_cron_spool_t:dir watch;
allow crond_t system_cron_spool_t:file watch;
allow devicekit_disk_t etc_t:dir watch;
allow devicekit_disk_t mount_runtime_t:dir watch;
allow devicekit_disk_t mount_runtime_t:file { unlink watch watch_reads };
allow dirmngr_t user_tmp_t:dir watch;
allow getty_t getty_runtime_t:file watch;
allow gpg_agent_t portage_tmp_t:dir { add_name create getattr read search setattr watch write };
#       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
allow gpg_agent_t user_tmp_t:dir watch;
#       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
#       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
#       constrain file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
allow java_t lib_t:dir { add_name remove_name watch write };
#       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
allow java_t user_home_dir_t:dir { create rmdir setattr watch };
allow java_t user_home_t:dir watch;
allow java_t usr_t:dir { add_name remove_name setattr watch write };
allow java_t xdg_cache_t:dir watch;
#       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
#       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
#       constrain file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
#       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
#       constrain file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
allow mozilla_t device_t:dir watch;
allow mozilla_t etc_t:dir watch;
allow mozilla_t gnome_xdg_config_t:dir watch;
allow mozilla_t locale_t:dir watch;
allow mozilla_t mozilla_tmp_t:file watch;
allow mozilla_t root_t:dir watch;
allow mozilla_t user_home_dir_t:dir watch;
allow mozilla_t user_home_t:dir watch;
allow mozilla_t usr_t:dir watch;
allow mozilla_t xdg_config_t:dir watch;
allow mozilla_t xdg_data_t:dir watch;
allow policykit_t consolekit_var_run_t:dir watch;
allow policykit_t etc_t:dir watch;
allow policykit_t init_runtime_t:dir { read watch };
allow policykit_t usr_t:dir watch;
allow portage_fetch_t portage_tmp_t:dir watch;
allow portage_fetch_t user_runtime_t:dir { add_name create getattr read remove_name search watch write };
allow pulseaudio_t device_t:dir watch;
allow pulseaudio_t init_runtime_t:dir { read watch };
#       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
allow staff_dbusd_t accountsd_var_lib_t:file watch;
allow staff_dbusd_t dbusd_etc_t:dir watch;
allow staff_dbusd_t etc_t:file watch;
#       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
allow staff_dbusd_t usr_t:dir watch;
allow staff_dbusd_t usr_t:file watch;
allow staff_dbusd_t xdg_config_t:dir { open watch };
allow staff_dbusd_t xdg_config_t:file watch;
#       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
allow staff_dbusd_t xdg_data_t:dir watch;
#       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
#       constrain file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
#       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
allow staff_t accountsd_var_lib_t:file watch;
allow staff_t bin_t:dir watch;
allow staff_t dosfs_t:dir watch;
allow staff_t etc_t:dir watch;
allow staff_t etc_t:file { link relabelfrom watch };
allow staff_t etc_t:lnk_file watch;
allow staff_t exports_t:file watch;
allow staff_t fonts_t:dir { map setattr watch };
#       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
#       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
#       constrain file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
#       constrain file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
allow staff_t home_root_t:dir watch;
allow staff_t lib_t:dir watch;
allow staff_t locale_t:dir { setattr watch };
allow staff_t locale_t:file watch;
allow staff_t portage_tmp_t:dir { map watch };
allow staff_t root_t:dir watch;
allow staff_t self:file watch;
allow staff_t selinux_config_t:file { relabelto watch };
#       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
#       constrain file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
allow staff_t user_home_dir_t:dir watch;
#       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
allow staff_t user_home_t:dir watch;
#       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
allow staff_t user_home_t:file watch;
#       constrain file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
allow staff_t usr_t:dir watch;
allow staff_t usr_t:file { append watch };
allow staff_t xdg_cache_t:dir watch;
#       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
allow staff_t xdg_cache_t:file watch;
#       constrain file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
allow staff_t xdg_config_t:dir watch;
#       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
allow staff_t xdg_config_t:file watch;
#       constrain file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
allow staff_t xdg_data_t:dir watch;
#       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
allow staff_t xdg_data_t:file watch;
allow staff_t xdg_downloads_t:dir watch;
allow staff_t xdg_downloads_t:file watch;
allow staff_t xdg_pictures_t:dir watch;
allow sysadm_t device_t:dir watch;
allow system_dbusd_t dbusd_etc_t:dir watch;
allow system_dbusd_t usr_t:dir { add_name create remove_name watch write };
allow udev_t fixed_disk_device_t:blk_file watch;
#       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
#       constrain file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
allow xdm_t dbusd_etc_t:dir watch;
allow xdm_t etc_t:file watch;
allow xdm_t usr_t:dir watch;
allow xdm_t usr_t:file watch;
allow xdm_t xkb_var_lib_t:dir watch;
```

As for the

```
Max kernel policy version:      31
```

I think the kernel guys haven't "merged" it yet.

My security.h (5.4.6) against the live source:

```
master@gentoo ~ $ diff -y security.h /usr/src/linux/security/selinux/include/security.h 
/* SPDX-License-Identifier: GPL-2.0 */                          /* SPDX-License-Identifier: GPL-2.0 */
/*                                                              /*
 * Security server interface.                                    * Security server interface.
 *                                                               *
 * Author : Stephen Smalley, <sds@tycho.nsa.gov>                 * Author : Stephen Smalley, <sds@tycho.nsa.gov>
 *                                                               *
 */                                                              */
#ifndef _SELINUX_SECURITY_H_                                    #ifndef _SELINUX_SECURITY_H_
#define _SELINUX_SECURITY_H_                                    #define _SELINUX_SECURITY_H_
#include <linux/compiler.h>                                     #include <linux/compiler.h>
#include <linux/dcache.h>                                       #include <linux/dcache.h>
#include <linux/magic.h>                                        #include <linux/magic.h>
#include <linux/types.h>                                        #include <linux/types.h>
#include <linux/refcount.h>                                     #include <linux/refcount.h>
#include <linux/workqueue.h>                                    #include <linux/workqueue.h>
#include "flask.h"                                              #include "flask.h"
#define SECSID_NULL                     0x00000000 /* unspeci   #define SECSID_NULL                     0x00000000 /* unspeci
#define SECSID_WILD                     0xffffffff /* wildcar   #define SECSID_WILD                     0xffffffff /* wildcar
#define SECCLASS_NULL                   0x0000 /* no class */   #define SECCLASS_NULL                   0x0000 /* no class */
/* Identify specific policy version changes */                  /* Identify specific policy version changes */
#define POLICYDB_VERSION_BASE           15                      #define POLICYDB_VERSION_BASE           15
#define POLICYDB_VERSION_BOOL           16                      #define POLICYDB_VERSION_BOOL           16
#define POLICYDB_VERSION_IPV6           17                      #define POLICYDB_VERSION_IPV6           17
#define POLICYDB_VERSION_NLCLASS        18                      #define POLICYDB_VERSION_NLCLASS        18
#define POLICYDB_VERSION_VALIDATETRANS  19                      #define POLICYDB_VERSION_VALIDATETRANS  19
#define POLICYDB_VERSION_MLS            19                      #define POLICYDB_VERSION_MLS            19
#define POLICYDB_VERSION_AVTAB          20                      #define POLICYDB_VERSION_AVTAB          20
#define POLICYDB_VERSION_RANGETRANS     21                      #define POLICYDB_VERSION_RANGETRANS     21
#define POLICYDB_VERSION_POLCAP         22                      #define POLICYDB_VERSION_POLCAP         22
#define POLICYDB_VERSION_PERMISSIVE     23                      #define POLICYDB_VERSION_PERMISSIVE     23
#define POLICYDB_VERSION_BOUNDARY       24                      #define POLICYDB_VERSION_BOUNDARY       24
#define POLICYDB_VERSION_FILENAME_TRANS 25                      #define POLICYDB_VERSION_FILENAME_TRANS 25
#define POLICYDB_VERSION_ROLETRANS      26                      #define POLICYDB_VERSION_ROLETRANS      26
#define POLICYDB_VERSION_NEW_OBJECT_DEFAULTS    27              #define POLICYDB_VERSION_NEW_OBJECT_DEFAULTS    27
#define POLICYDB_VERSION_DEFAULT_TYPE   28                      #define POLICYDB_VERSION_DEFAULT_TYPE   28
#define POLICYDB_VERSION_CONSTRAINT_NAMES       29              #define POLICYDB_VERSION_CONSTRAINT_NAMES       29
#define POLICYDB_VERSION_XPERMS_IOCTL   30                      #define POLICYDB_VERSION_XPERMS_IOCTL   30
#define POLICYDB_VERSION_INFINIBAND             31              #define POLICYDB_VERSION_INFINIBAND             31
#define POLICYDB_VERSION_GLBLUB         32                    <
/* Range of policy versions we understand*/                     /* Range of policy versions we understand*/
#define POLICYDB_VERSION_MIN   POLICYDB_VERSION_BASE            #define POLICYDB_VERSION_MIN   POLICYDB_VERSION_BASE
#define POLICYDB_VERSION_MAX   POLICYDB_VERSION_GLBLUB        | #define POLICYDB_VERSION_MAX   POLICYDB_VERSION_INFINIBAND
```

https://github.com/torvalds/linux/blob/master/security/selinux/include/security.h

----------

## y351

Hi,

I ran into some trouble with watch messages that I found suspect...

Kernel : 5.5.7-gentoo

From the logs /var/log/audit/audit.log :

*Quote:*

> type=AVC msg=audit(1583748767.566:7056): avc:  denied  { watch } for  pid=5922 comm="gmain" path="/usr" dev="dm-1" ino=261 scontext=staff_u:staff_r:mozilla_t tcontext=system_u:object_r:usr_t tclass=dir permissive=0
> type=AVC msg=audit(1583748755.566:7031): avc:  denied  { watch } for  pid=5922 comm="gmain" path="/usr/local/share/applications" dev="dm-1" ino=259225 scontext=staff_u:staff_r:mozilla_t tcontext=system_u:object_r:usr_t tclass=dir permissive=0
> ...

*Quote:*

> SELinux status:                 enabled
> SELinuxfs mount:                /sys/fs/selinux
> ...

Here is the policy that I should apply to avoid these "denied" messages, although I don't know why...

*Quote:*

> require {
>         type user_home_dir_t;
> ...

----------

