unconfined_u:unconfined_r:unconfined_t is unable to configure safesetid

[shammancer]

Hello,

I'm playing around with custom kernel and trying out safesetid and I'm unable to configure safesetid LSM when SELinux is in enforcing mode.

Fedora Release

$ cat /etc/redhat-release

Fedora release 39 (Thirty Nine)

Policy packages:

$ dnf list --installed | grep selinux-policy

selinux-policy.noarch 39.5-1.fc39 @updates
selinux-policy-targeted.noarch 39.5-1.fc39 @updates

Reproducer command:

sudo bash -c "echo \"1001:1002\" > /sys/kernel/security/safesetid/uid_allowlist_policy"

Audit Message:

Mar 22 12:28:30 lfd441-fedora39-uefi audit[1201]: AVC avc: denied { mac_admin } for pid=1201 comm="bash" capability=33 context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2 permissive=0