Currently, /var/lib/selinux (and all files and directories in it) are labelled as semanage_var_lib_t. However, as active policy stores will be hosted in it, files will need to be labelled as selinux_config_t, semanage_store_t, etc. See also the /etc/selinux definitions:

/etc/selinux(/.*)?                                          all files      system_u:object_r:selinux_config_t:s0
/etc/selinux/([^/]*/)?contexts(/.*)?                        all files      system_u:object_r:default_context_t:s0
/etc/selinux/([^/]*/)?contexts/files(/.*)?                  all files      system_u:object_r:file_context_t:s0
/etc/selinux/([^/]*/)?modules(/.*)?                         all files      system_u:object_r:semanage_store_t:s0
/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK          regular file   system_u:object_r:semanage_read_lock_t:s0
/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK         regular file   system_u:object_r:semanage_trans_lock_t:s0
/etc/selinux/([^/]*/)?policy(/.*)?                          all files      system_u:object_r:policy_config_t:s0
/etc/selinux/([^/]*/)?setrans\.conf                         regular file   system_u:object_r:selinux_config_t:s0
/etc/selinux/([^/]*/)?seusers                               regular file   system_u:object_r:selinux_config_t:s0
/etc/selinux/([^/]*/)?users(/.*)?                           regular file   system_u:object_r:selinux_config_t:s0

The solution could be as simple as introducing an equivalence, although the "active/" part in /var/lib/selinux/mcs/active makes me believe that it is better to set the contexts correct immediately.

Reproducible: Always
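To see why an equivalence alone falls short, here is an added example (not code from the bug or from the policy) that applies file_contexts-style matching to the /etc/selinux entries above and to a hypothetical explicit rule set for the new store; the /var/lib/selinux rules and the sample path under mcs/active/ are assumptions, not the actual fix.

```python
import re

# Constructed subset of the /etc/selinux entries quoted in the bug:
# (regex, file type or None for "all files", SELinux type).
ETC_SELINUX_FC = [
    (r"/etc/selinux(/.*)?", None, "selinux_config_t"),
    (r"/etc/selinux/([^/]*/)?contexts(/.*)?", None, "default_context_t"),
    (r"/etc/selinux/([^/]*/)?contexts/files(/.*)?", None, "file_context_t"),
    (r"/etc/selinux/([^/]*/)?modules(/.*)?", None, "semanage_store_t"),
    (r"/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK", "--", "semanage_read_lock_t"),
    (r"/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK", "--", "semanage_trans_lock_t"),
    (r"/etc/selinux/([^/]*/)?policy(/.*)?", None, "policy_config_t"),
]

# Hypothetical explicit rules for the new store layout (an assumption, not the
# page's fix): the store name and the "active/" component are both matched.
VAR_LIB_SELINUX_FC = [
    (r"/var/lib/selinux(/.*)?", None, "selinux_config_t"),
    (r"/var/lib/selinux/[^/]*/active/modules(/.*)?", None, "semanage_store_t"),
    (r"/var/lib/selinux/[^/]*/active/modules/semanage\.read\.LOCK", "--", "semanage_read_lock_t"),
    (r"/var/lib/selinux/[^/]*/active/modules/semanage\.trans\.LOCK", "--", "semanage_trans_lock_t"),
]

def matchpath(path, ftype, specs):
    """Type of the last spec matching path (libselinux takes the last match;
    file_contexts are ordered least- to most-specific). ftype is '--' for a
    regular file, '-d' for a directory."""
    label = None
    for regex, spec_type, selinux_type in specs:
        if spec_type is not None and spec_type != ftype:
            continue
        if re.fullmatch(regex, path):
            label = selinux_type
    return label

def matchpath_equiv(path, ftype, specs, alias, target):
    """Lookup under a filesystem equivalence 'alias = target': the alias prefix
    is rewritten to target before the spec table is consulted."""
    if path == alias or path.startswith(alias + "/"):
        path = target + path[len(alias):]
    return matchpath(path, ftype, specs)

if __name__ == "__main__":
    p = "/var/lib/selinux/mcs/active/modules/foo"  # constructed store path
    # With only an equivalence, "mcs/active/" is two components, so the
    # modules rule never matches and the file falls back to selinux_config_t.
    print(matchpath_equiv(p, "--", ETC_SELINUX_FC, "/var/lib/selinux", "/etc/selinux"))
    print(matchpath(p, "--", VAR_LIB_SELINUX_FC))  # explicit rules: semanage_store_t
```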
commit 4270746b108fd90b377127c6f20998af640a4869 in master:
Update policy for selinux userspace moving the policy store to /var/lib/selinux
r1 is now stable