Comments

37 Comments

@adamwill, I worked with @dwalsh on fixes, so from my POV it's good to go, but let's wait for a formal ack from @dwalsh. As @lslebodn proposed on IRC, this should be in a group update selinux-policy + container-selinux package. BUT we need to increase the selinux-policy requirement in the container-selinux package.

@adamwill, would it be possible to run the test suite with scratch builds? (I could provide scratch builds.)

Thanks, Lukas.

Hi All, thank you for the reports.
Both policies mentioned in the report (container-selinux and flatpak) are not shipped by the selinux-policy package, but we're investigating the issue.

Thanks, Lukas.

karma

CVE fixed on my workstation with this version of sudo.

BZ#1761584 CVE-2019-14287 sudo: Privilege escalation via 'Runas' specification with 'ALL' keyword [fedora-all]

@adamwill, We have fixes ready in F31. Going to create new builds for Fedora 31.

karma

Build fixes bz1713291

BZ#1623371 selinux-policy build failing because of broken sepolicy manpage

sunwire, I added a comment, please reply; I'll try to fix it ASAP.

Fixed issue #155974 on my Fedora 27 workstation.

@zdenek, #1554776 looks like it's caused by the new version of systemd.

@stevestorey,

tcp port 1234 is defined as monopd_port_t, and the commit for this has been in the repo since 2005-09-13, so you cannot use -a in semanage because it's already defined.

lvrabec@lvrabec-workstation ~ » rpm -q selinux-policy
selinux-policy-3.13.1-283.24.fc27.noarch
lvrabec@lvrabec-workstation ~ » sudo semanage port -m -t ssh_port_t -p tcp 1234
1 ↵
lvrabec@lvrabec-workstation ~ » sudo semanage port -l | grep 1234
monopd_port_t                  tcp      1234
ssh_port_t                     tcp      1234, 22

After update...

lvrabec@lvrabec-workstation ~ » rpm -q selinux-policy
selinux-policy-3.13.1-283.26.fc27.noarch
lvrabec@lvrabec-workstation ~ » sudo semanage port -m -t ssh_port_t -p tcp 1234
lvrabec@lvrabec-workstation ~ » sudo semanage port -l | grep 1234
monopd_port_t                  tcp      1234
ssh_port_t                     tcp      1234, 22

It looks like you have some custom modifications on your system (e.g. systemdmodules-syscapability) and you are stopped by a neverallow rule.

This is not an issue in the selinux-policy update but on your system.

Lukas.
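The comment above shows why `semanage port -a` fails for tcp 1234: the port is already owned by monopd_port_t, so only `-m` can relabel it. The script below is an added example (not from this thread or the selinux-policy project) of the idempotent check an admin would want before relabeling a port: it parses `semanage port -l` style output and picks `-a` or `-m` accordingly. The listing embedded in it is constructed to mirror the thread's grep output; on a live system you would pipe the real `semanage port -l` into the same functions.

```shell
#!/bin/sh
# Added example: choose between `semanage port -a` and `semanage port -m`
# by checking whether an SELinux type already owns the port.

# Constructed sample of `semanage port -l` output (types, protocol, port list).
# Only for offline demonstration; replace with the live command on a real host.
SAMPLE_PORT_LIST='http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
monopd_port_t                  tcp      1234
ssh_port_t                     tcp      22
ephemeral_port_t               tcp      32768-60999'

# port_owners PORT PROTO
# Reads a `semanage port -l` listing on stdin and prints every type whose
# port list (single ports or ranges) covers PORT/PROTO, one type per line.
port_owners() {
    port="$1"; proto="$2"
    awk -v port="$port" -v proto="$proto" '
        $2 == proto {
            # fields 3..NF are a comma-separated list of ports and ranges
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                if (p == port) { print $1; next }
                if (p ~ /^[0-9]+-[0-9]+$/) {
                    split(p, r, "-")
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) { print $1; next }
                }
            }
        }'
}

# semanage_port_flag PORT PROTO
# Prints "-m" when some type already owns the port (so -a would be rejected
# as "already defined") and "-a" when the port is still unlabeled.
semanage_port_flag() {
    port="$1"; proto="$2"
    if [ -n "$(port_owners "$port" "$proto")" ]; then
        printf '%s\n' "-m"
    else
        printf '%s\n' "-a"
    fi
}

# Demonstration against the constructed listing. On a live system:
#   flag=$(semanage port -l | semanage_port_flag 1234 tcp)
flag=$(printf '%s\n' "$SAMPLE_PORT_LIST" | semanage_port_flag 1234 tcp)
printf 'semanage port %s -t ssh_port_t -p tcp 1234\n' "$flag"
```

Note that port_owners also resolves ranges, so it reports the owning type for a port that sits inside a range such as ephemeral_port_t, which a plain `grep 1234` would miss.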

I fixed some bugs related to selinux-policy from this thread and added a couple of new ones from Bugzilla.