[DSE-Dev] Bug#1105022: policycoreutils-python-utils: neovim package is unconfined by default, leading to AVC denial on "execmem"

[Debian Admin]

Package: policycoreutils-python-utils
Version: 3.4-1
Severity: important
X-Debbugs-Cc: susadm1n.xyz at gmail.com

Dear Maintainer,

After installing SELinux according to Debian docs ( https://debian-handbook.info/browse/stable/sect.selinux.html & https://wiki.debian.org/SELinux/Setup ), the "nvim" command (part of the "neovim" package) results in an AVC denial on the process when calling "execmem" since the "neovim" package is unconfined by default.

Enabling the "allow_execmem" SELinux Boolean does allow the process to run as intended, but the boolean description (shown in output of "semanage boolean -l" command) specifies that it is dangerous for unconfined processes to use "execmem" and such processes should be reported to "the bugzilla" - I am not sure which Bugzilla to report to, but figured I would start with Debian.

Thanks in advance!

-- System Information:
Debian Release: 12.10
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-34-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages policycoreutils-python-utils depends on:
ii  policycoreutils   3.4-1
ii  python3           3.11.2-1+b1
ii  python3-audit     1:3.0.9-1
ii  python3-selinux   3.4-1+b6
ii  python3-semanage  3.4-1+b5
ii  python3-sepolgen  3.4-1
ii  python3-sepolicy  3.4-1
ii  python3-setools   4.4.1-2
ii  selinux-utils     3.4-1+b6

policycoreutils-python-utils recommends no packages.

policycoreutils-python-utils suggests no packages.

-- no debconf information