185 Comments

+1

BZ#1690028 Allow to load libc.so shared library without RTLD_DEEPBIND
BZ#1801869 Invalid data reported by pkg-config

+1 for fixes BZ#1778030

@adamwill @mreynolds could you backport the patch at least to rawhide? This bodhi update is obsoleted and thus cannot create issues in f31 updates-testing. But rawhide is more critical.

The update breaks dogtag in freeIPA

https://bugzilla.redhat.com/show_bug.cgi?id=1783709

@adamwill FYI

@adamwill, Sure this bodhi update caused issues in openQA tests. But it does not mean that the real bug was in selinux-policy. It could just reveal a bug in container-selinux.

I rebuilt the latest container-selinux from rawhide on f31[1] and I cannot reproduce BZ1776248 with selinux-policy-3.14.4-42.fc31.noarch + container-selinux-2:2.123.0-0.1.dev.git661a904.fc31.noarch

[1] https://koji.fedoraproject.org/koji/taskinfo?taskID=39375295

Workaround described here: https://bugzilla.redhat.com/show_bug.cgi?id=1776034#c5

There is also another workaround: downgrade selinux-policy to -41 + reinstall the package container-selinux https://bugzilla.redhat.com/show_bug.cgi?id=1776248#c5

+1

+1

BZ#1772368 Wrong path in pkg-config file

+1

BZ#1772368 Wrong path in pkg-config file

There is still a wrong path in pkg-conf

BZ#1772368 Wrong path in pkg-config file

There is still a wrong path in pkg-conf

BZ#1772368 Wrong path in pkg-config file

@jcline could you either unpush python3-urllib3 from f30 updates testing or do the combined update with python-requests?

 Problem 1: package python2-requests-2.21.0-2.fc30.noarch requires python2.7dist(urllib3) < 1.25, but none of the providers can be installed
  - cannot install both python2-urllib3-1.25.7-1.fc30.noarch and python2-urllib3-1.24.3-2.fc30.noarch
  - cannot install both python2-urllib3-1.24.3-2.fc30.noarch and python2-urllib3-1.25.7-1.fc30.noarch
  - cannot install both python2-urllib3-1.24.1-3.fc30.noarch and python2-urllib3-1.25.7-1.fc30.noarch
  - cannot install the best update candidate for package python2-urllib3-1.24.3-2.fc30.noarch
  - cannot install the best update candidate for package python2-requests-2.21.0-2.fc30.noarch
 Problem 2: package python3-requests-2.21.0-2.fc30.noarch requires python3.7dist(urllib3) < 1.25, but none of the providers can be installed
  - cannot install both python3-urllib3-1.25.7-1.fc30.noarch and python3-urllib3-1.24.3-2.fc30.noarch
  - cannot install both python3-urllib3-1.24.3-2.fc30.noarch and python3-urllib3-1.25.7-1.fc30.noarch
  - cannot install both python3-urllib3-1.24.1-3.fc30.noarch and python3-urllib3-1.25.7-1.fc30.noarch
  - cannot install the best update candidate for package python3-urllib3-1.24.3-2.fc30.noarch
  - cannot install the best update candidate for package python3-requests-2.21.0-2.fc30.noarch
(try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages)

It is caused by the following change mentioned in the changelog.

- Remove rule allowing all processes to stream connect to unconfined domains

time->Tue Sep 17 04:27:23 2019
type=AVC msg=audit(1568708843.291:460): avc:  denied  { connectto } for  pid=29591 comm="httpd" path="/run/httpd/ipa-custodia.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0

There was an attempt to write a custom selinux-policy for custodia. But it seems nobody cares about enhancing security in freeIPA, because my MR has been open upstream for 1.5 years. https://github.com/latchset/ipa-custodia-selinux/pulls

@lvrabec how do you want to handle that?