Comments

331 Comments

OK, so mock -r fedora-rawhide-x86_64 init && mock -r fedora-rawhide-x86_64 remove '*rpm-macros' fails with:

  Running scriptlet: binutils-2.32-23.fc31.x86_64                                                                                                                                                                          22/53 
error: failed to exec scriptlet interpreter /bin/sh: Permission denied
error: %preun(binutils-2.32-23.fc31.x86_64) scriptlet failed, exit status 127

Error in PREUN scriptlet in rpm package binutils
  Erasing          : libssh-config-0.9.0-6.fc31.noarch                                                                                                                                                                     23/53 
error: binutils-2.32-23.fc31.x86_64: erase failed
*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that dnf should be allowed entrypoint access on the bash file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'dnf' --raw | audit2allow -M my-dnf
# semodule -X 300 -i my-dnf.pp


Additional Information:
Source Context                unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1
                              023
Target Context                unconfined_u:object_r:mock_var_lib_t:s0
Target Objects                /usr/bin/bash [ file ]
Source                        dnf
Source Path                   dnf
Port                          <Unknown>
Host                          carbon
Source RPM Packages           
Target RPM Packages           bash-5.0.7-1.fc30.x86_64
Policy RPM                    selinux-policy-3.14.3-41.fc30.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     carbon
Platform                      Linux carbon 5.1.19-300.fc30.x86_64 #1 SMP Mon Jul
                              22 16:32:45 UTC 2019 x86_64 x86_64
Alert Count                   17
First Seen                    2019-08-10 15:51:55 CEST
Last Seen                     2019-08-11 11:15:31 CEST
Local ID                      7e4896a3-a0f7-41a8-b8a5-ac7622bf68c5

Raw Audit Messages
type=AVC msg=audit(1565514931.596:907): avc:  denied  { entrypoint } for  pid=2114 comm="dnf" path="/usr/bin/bash" dev="dm-1" ino=1727060 scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mock_var_lib_t:s0 tclass=file permissive=0


Hash: dnf,rpm_script_t,mock_var_lib_t,file,entrypoint

With selinux enabled and this mock version. Works fine with previous mock version (from stable).

It seems that mock otherwise works. Not sure if the denials are important or not.

$ mock -r fedora-rawhide-x86_64 --enablerepo=local init
...

(AVC denial notification when installing packages)

$ sealert -l '*'
...
SELinux is preventing dnf from entrypoint access on the file /usr/bin/bash.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label. 
/usr/bin/bash default label should be shell_exec_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /usr/bin/bash

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that dnf should be allowed entrypoint access on the bash file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'dnf' --raw | audit2allow -M my-dnf
# semodule -X 300 -i my-dnf.pp


Additional Information:
Source Context                unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1
                              023
Target Context                unconfined_u:object_r:mock_var_lib_t:s0
Target Objects                /usr/bin/bash [ file ]
Source                        dnf
Source Path                   dnf
Port                          <Unknown>
Host                          carbon
Source RPM Packages           
Target RPM Packages           bash-5.0.7-1.fc30.x86_64
Policy RPM                    selinux-policy-3.14.3-41.fc30.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     carbon
Platform                      Linux carbon 5.1.19-300.fc30.x86_64 #1 SMP Mon Jul
                              22 16:32:45 UTC 2019 x86_64 x86_64
Alert Count                   4
First Seen                    2019-08-10 15:51:55 CEST
Last Seen                     2019-08-10 15:52:09 CEST
Local ID                      7e4896a3-a0f7-41a8-b8a5-ac7622bf68c5

Raw Audit Messages
type=AVC msg=audit(1565445129.101:549): avc:  denied  { entrypoint } for  pid=30796 comm="dnf" path="/usr/bin/bash" dev="dm-1" ino=1728912 scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mock_var_lib_t:s0 tclass=file permissive=0


Hash: dnf,rpm_script_t,mock_var_lib_t,file,entrypoint

SELinux is preventing groupadd from read access on the lnk_file run.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that groupadd should be allowed read access on the run lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'groupadd' --raw | audit2allow -M my-groupadd
# semodule -X 300 -i my-groupadd.pp


Additional Information:
Source Context                unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c102
                              3
Target Context                unconfined_u:object_r:mock_var_lib_t:s0
Target Objects                run [ lnk_file ]
Source                        groupadd
Source Path                   groupadd
Port                          <Unknown>
Host                          carbon
Source RPM Packages           
Target RPM Packages           filesystem-3.10-1.fc30.x86_64
Policy RPM                    selinux-policy-3.14.3-41.fc30.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     carbon
Platform                      Linux carbon 5.1.19-300.fc30.x86_64 #1 SMP Mon Jul
                              22 16:32:45 UTC 2019 x86_64 x86_64
Alert Count                   12
First Seen                    2019-08-10 15:46:58 CEST
Last Seen                     2019-08-10 15:57:42 CEST
Local ID                      c73a2255-ca38-4478-90f1-89e6386c8b9d

Raw Audit Messages
type=AVC msg=audit(1565445462.986:646): avc:  denied  { read } for  pid=2278 comm="groupadd" name="run" dev="dm-1" ino=1710665 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mock_var_lib_t:s0 tclass=lnk_file permissive=0


Hash: groupadd,groupadd_t,mock_var_lib_t,lnk_file,read

I can uninstall tracker and keep GNOME Boxes. Thanks.

I've removed the link to #1665490.

karma

This is needed to make FEDORA-2019-64c013e73f installable. qgis starts, I am unfortunately not able to test anything further.

karma

no regressions noted.

oh, python3-rpy-2.9.5-3.fc29 is part of this update, but the buildroot override is only for R itself. carry on.

nothing provides R-core = 3.5.3 needed by python3-rpy-2.9.5-2.fc29.x86_64

$ wifi-radar 
  File "/usr/sbin/wifi-radar", line 179
    except OSError, exception:
                  ^
SyntaxError: invalid syntax
karma

Seems to work fine so far.

Seems the desktop still desktops.

So far so good.

So far so good.

Getting some crash reports by ABRT that it doesn't allow to report. Nothing that I would notice without ABRT.

So far so good.

So far so good.

You cannot drop python2-more-itertools from stable releases. Also I consider update from 4.1.0 to 7.0.0 a bit dangerous as well.

You cannot drop python2-more-itertools from stable releases. Also I consider update from 4.1.0 to 7.0.0 a bit dangerous as well.

What does this do (you can N it, when it asks Is this ok [y/N])?

$ sudo dnf --releasever=30 --setopt=module_platform_id=platform:f30 --enablerepo=updates-testing distro-sync