Comments

41 Comments

What happened:

  • publicfile module defined selinux file context for /usr/bin/httpd which is different from the standard policy type for /usr/sbin/httpd
  • as part of sbin merge feature, selinux-policy started to ship /usr/sbin = /usr/bin equivalency -> /usr/sbin/httpd is translated to /usr/bin/httpd and after that selinux context is resolved to publicfile..._t
  • selinux-policy dropped publicfile module so that ^^ should not happen
  • BUT during update, selinux-policy rebuild was done in %post phase when publicfile module from the old policy is still installed

After these steps, current built and loaded policy would resolve /usr/sbin/httpd to publicfile..._t even though selinux policy store was already updated to the new version so any subsequent run of semodule -B fixed it.

It means that this bug was temporary and would be fixed with update from 41.8-1 (if it wasn't untagged) to anything new, or with semodule -B after update.

I don't know. I expected it would go to stable after I've added libselinux-3.4-2 and waived all tests. 3 days ago I noticed that nothing happened but there was no "push to stable" button - https://pagure.io/releng/issue/10832 . 2 days ago @adamwill pushed it using cli so it's "testing -> stable" now.

Ok, I've found it. @adamwill Thanks for the report! I'm going to fix it in the next update.

Great, thanks. All files in the image without selinux label. How's the image created? Are the logs available somewhere?

@adamwill is the image available anywhere? I didn't find it.

@adamwill could you please point me to the right place where to find more? I only found:

[2022-05-19T16:25:32.921403Z] [debug] Current version is 4.6^20220201gitab6013d [interface v24]
fatal: unsafe repository ('/var/lib/openqa/share/tests/fedora' is owned by someone else)
To add an exception for this directory, call:

    git config --global --add safe.directory /var/lib/openqa/share/tests/fedora

BZ#1680961 pam_selinux - check whether undefined object classes or permissions are allowed or denied in the current policy
BZ#1813023 selinux-policy-3.14.6-7 with pam-1.3.1-24 blocks SSH logins

@adamwill setsched issue should be covered by https://bugzilla.redhat.com/show_bug.cgi?id=1795524#c75 - FEDORA-2020-fe9ad43e72

The second AVC needs to be reported on selinux-policy.

I don't think it's related to this update. Is it the only package you updated when this problem appeared? There were issues related to { setsched } based on some glib2 update, and creating a socket seems to be completely unrelated.

The missing dependency was added. Thanks for the report!

I'd like to push the update with notifications. Since https://bugzilla.redhat.com/show_bug.cgi?id=1523406 hadn't been fixed by this, I didn't list this bug in errata.

It wasn't supposed to fix the not-yet-reported problem with dbus-broker. Please file a bug.

/usr/share/setroubleshoot/gui/style.css file is missing in setroubleshoot-3.3.12-2.fc26 and so Setroubleshoot button in sealert browser doesn't work.

/usr/share/setroubleshoot/gui/style.css file is missing in this update and so Setroubleshoot button in sealert browser doesn't work.

This update has been unpushed.

Thanks! I accidentally skipped the patch reverting it. I'll push an update asap.

karma

Looks good.

BZ#1441879 usbguard-0.7.0 is available