
33 Comments

Additional Information:
Source Context                system_u:system_r:vpnc_t:s0
Target Context                system_u:system_r:vpnc_t:s0
Target Objects                Unknown [ process ]
Source                        nm-vpnc-service
Source Path                   nm-vpnc-service
Port                          <Unknown>
Host                          notebook
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.5-41.fc32.noarch
Local Policy RPM              selinux-policy-targeted-3.14.5-41.fc32.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     notebook
Platform                      Linux notebook 5.6.19-300.fc32.x86_64 #1 SMP Wed Jun 17 16:10:48 UTC 2020 x86_64 x86_64
Alert Count                   10
First Seen                    2020-05-25 17:28:41 CEST
Last Seen                     2020-06-24 19:46:32 CEST
Local ID                      027f28f6-4e8d-4486-aa34-8d946eb37349

Raw Audit Messages
type=AVC msg=audit(1593020792.685:292): avc: denied { setsched } for pid=2907 comm="nm-vpnc-service" scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:system_r:vpnc_t:s0 tclass=process permissive=0

BZ#1817528 SELinux is preventing nm-vpnc-service from using the 'setsched' accesses on a process.

Update working as expected on 06-8e-09 -- new microcode is applied at boot after running dracut

Is there a reason the microcode_ctl update doesn't automatically run dracut?

BZ#1795348 CVE-2020-0548 microcode_ctl: hw: Vector Register Data Sampling [fedora-all]
BZ#1795349 CVE-2020-0549 microcode_ctl: hw: L1D Cache Eviction Sampling [fedora-all]
BZ#1845630 CVE-2020-0543 microcode_ctl: hw: Special Register Buffer Data Sampling (SRBDS) [fedora-all]
Test Case microcode update
BZ#1839185 thunderbird-68.9.0 is available
BZ#1817330 Firefox cannot open mailto links
BZ#1831670 thunderbird-68.8.0 is available

Red Hat sees this update as a critical security update: https://access.redhat.com/errata/RHSA-2020:2046

BZ#1831670 thunderbird-68.8.0 is available

Sorry forgot to put it into a code block... there is still a reference to /sbin/sln in the scriptlets

$ yum reinstall glibc
Last metadata expiration check: 0:12:05 ago on Mo 03 Sep 2018 13:41:26 CEST.
Dependencies resolved.
================================================================================
 Package        Arch            Version                  Repository        Size
================================================================================
Reinstalling:
 glibc          x86_64          2.27-32.fc28             updates          3.6 M

Transaction Summary
================================================================================

Total download size: 3.6 M
Is this ok [y/N]: y
Downloading Packages:
glibc-2.27-32.fc28.x86_64.rpm                   2.8 MB/s | 3.6 MB     00:01
--------------------------------------------------------------------------------
Total                                           1.5 MB/s | 3.6 MB     00:02
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Running scriptlet: glibc-2.27-32.fc28.x86_64                              1/2
  Reinstalling     : glibc-2.27-32.fc28.x86_64                              1/2
  Running scriptlet: glibc-2.27-32.fc28.x86_64                              1/2
  Erasing          : glibc-2.27-32.fc28.x86_64                              2/2
  Running scriptlet: glibc-2.27-32.fc28.x86_64                              2/2
/var/tmp/rpm-tmp.FQWpDI: line 5: /sbin/sln: No such file or directory
  Verifying        : glibc-2.27-32.fc28.x86_64                              1/2
  Verifying        : glibc-2.27-32.fc28.x86_64                              2/2

Reinstalled:
  glibc.x86_64 2.27-32.fc28

Complete!

Somewhere in the scriptlets a reference to sln was not removed:

Last metadata expiration check: 0:12:05 ago on Mo 03 Sep 2018 13:41:26 CEST.
Dependencies resolved.
================================================================================
 Package        Arch            Version                  Repository        Size
================================================================================
Reinstalling:
 glibc          x86_64          2.27-32.fc28             updates          3.6 M

Transaction Summary

Total download size: 3.6 M
Is this ok [y/N]: y
Downloading Packages:
glibc-2.27-32.fc28.x86_64.rpm                   2.8 MB/s | 3.6 MB     00:01
Total                                           1.5 MB/s | 3.6 MB     00:02
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Running scriptlet: glibc-2.27-32.fc28.x86_64                              1/2
  Reinstalling     : glibc-2.27-32.fc28.x86_64                              1/2
  Running scriptlet: glibc-2.27-32.fc28.x86_64                              1/2
  Erasing          : glibc-2.27-32.fc28.x86_64                              2/2
  Running scriptlet: glibc-2.27-32.fc28.x86_64                              2/2
/var/tmp/rpm-tmp.FQWpDI: line 5: /sbin/sln: No such file or directory
  Verifying        : glibc-2.27-32.fc28.x86_64                              1/2
  Verifying        : glibc-2.27-32.fc28.x86_64                              2/2

Reinstalled:
  glibc.x86_64 2.27-32.fc28

Greetings Klaas

flush_l1d shows up in cpu flags, /sys/devices/system/cpu/vulnerabilities/l1tf works -- lgtm

Shouldn't the mitigations include this:

uname -a

Linux notebook 4.17.14-201.fc28.x86_64 #1 SMP Tue Aug 14 18:31:07 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

ls /sys/devices/system/cpu/vulnerabilities/l1tf

ls: cannot access '/sys/devices/system/cpu/vulnerabilities/l1tf': No such file or directory
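
The check the two comments above perform by hand (the flush_l1d CPU flag and the l1tf sysfs file), as an added example that is not part of the original comments. The function name l1tf_status and its return codes are assumptions made for illustration; both paths can be overridden so it can be run against saved copies of the files.

```shell
#!/bin/sh
# Added example: report L1TF status from the two places the comments look at.
# Usage: l1tf_status [VULN_DIR] [CPUINFO_FILE]
#   VULN_DIR     defaults to /sys/devices/system/cpu/vulnerabilities
#   CPUINFO_FILE defaults to /proc/cpuinfo
# Return codes (hypothetical convention for this example):
#   0  kernel reports "Not affected" or an active mitigation
#   1  kernel reports the CPU as vulnerable
#   2  the l1tf file is missing, i.e. the running kernel does not report L1TF
#      (the situation in the 4.17.14 output above)
l1tf_status() {
    vuln_dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    cpuinfo=${2:-/proc/cpuinfo}
    l1tf_file="$vuln_dir/l1tf"

    # flush_l1d in the flags line means the CPU advertises the L1D flush command.
    if grep -m1 '^flags' "$cpuinfo" 2>/dev/null | grep -qw 'flush_l1d'; then
        flush=yes
    else
        flush=no
    fi

    if [ ! -r "$l1tf_file" ]; then
        echo "unknown: $l1tf_file missing, kernel does not report L1TF (flush_l1d=$flush)"
        return 2
    fi

    status=$(cat "$l1tf_file")
    case $status in
        "Not affected"*|Mitigation*)
            echo "ok: $status (flush_l1d=$flush)"
            return 0 ;;
        *)
            echo "vulnerable: $status (flush_l1d=$flush)"
            return 1 ;;
    esac
}
```
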

I have an error in scriptlets while installing the package:

[...]
Running scriptlet: kernel-core-4.13.16-300.fc27.x86_64 152/152
cat: write error: Broken pipe
[...]

At first glance I can't find where the cat is going wrong.


Works fine, fixes the false positive kernel update notice issue