When a new SELinux policy is built (or the policy is reloaded), the following failure occurs:
libsemanage.semanage_make_sandbox: Could not copy files to sandbox /etc/selinux/strict/modules/tmp. (Permission denied)
This is due to a change in the policy for semanage between r9 and r10. In r10, the "modules" directory is assumed to be created through a named file transition into "semanage_store_t". On existing systems, however, the directory already exists (still labeled selinux_config_t).
The following simple fix resolves this issue, and it will also be included in r11.
semanage fcontext -a -t semanage_store_t /etc/selinux/strict/modules
restorecon -R /etc/selinux/strict/modules
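As an added example (not part of the original note), the following POSIX shell script checks the current label of the module store first and only runs the two commands above when the directory is still labeled something other than semanage_store_t, so it can be re-run safely after the fix. It assumes the strict policy store path from the note (other policy types such as targeted or mcs have their own directory under /etc/selinux/) and GNU `stat -c %C` to read the context; the function names and the sample contexts are constructed for the example.

```shell
#!/bin/sh
# Added example: relabel the semanage module store only when it still carries
# the pre-r10 label. Not from the original note; assumes GNU stat and the
# strict policy store path mentioned in the note.

# Extract the SELinux type (third colon-separated field) from a context such
# as "system_u:object_r:selinux_config_t:s0".
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# True (exit 0) when the given context is not semanage_store_t, i.e. the
# directory still needs the fcontext + restorecon treatment.
needs_relabel() {
    [ "$(context_type "$1")" != "semanage_store_t" ]
}

# Constructed sample contexts as `stat -c %C` would report them before and
# after the fix on a strict-policy system.
BEFORE="system_u:object_r:selinux_config_t:s0"
AFTER="system_u:object_r:semanage_store_t:s0"

# Apply the fix from the note to the module store at $1 if its label is wrong.
# Returns 0 when nothing had to be done or the relabel succeeded, 2 when the
# directory could not be inspected.
apply_fix() {
    store="$1"                                 # e.g. /etc/selinux/strict/modules
    current=$(stat -c %C "$store") || return 2
    if needs_relabel "$current"; then
        echo "relabeling $store (was $current)"
        semanage fcontext -a -t semanage_store_t "$store" || return 1
        restorecon -R "$store" || return 1
    else
        echo "$store already labeled semanage_store_t, nothing to do"
    fi
}

# Run the check only when a store path is given on the command line, e.g.
#   sh fix-semanage-store.sh /etc/selinux/strict/modules
if [ -n "$1" ]; then
    apply_fix "$1"
fi
```

Run it as root with the module store path as argument; a second run reports that the directory is already labeled correctly, which is the check a practitioner would want after applying the fix.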
In hardened-dev overlay, rev 11
In main tree, ~arched