FEDORA-2016-cbdde50ec4 created by lvrabec 3 years ago for Fedora 25
stable

More info: http://koji.fedoraproject.org/koji/buildinfo?buildID=794433


Build fixes starting VM in enforcing mode and using confined users in F25

How to install

sudo dnf upgrade --advisory=FEDORA-2016-cbdde50ec4

This update has been submitted for testing by lvrabec.

3 years ago

This update has obsoleted selinux-policy-3.13.1-210.fc25, and has inherited its bugs and notes.

3 years ago

This update has been pushed to testing.

3 years ago
frieben commented & provided feedback 3 years ago

This update does not fix bug 1367280.

lslebodn commented & provided feedback 3 years ago

Is it expected to see such messages in upgrade?

Upgrading : selinux-policy-targeted-3.13.1-211.fc25.noarch 5/24

/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /var/lib/kubelet(/.*)? (system_u:object_r:svirt_sandbox_file_t:s0 and system_u:object_r:docker_var_lib_t:s0).

/etc/selinux/targeted/contexts/files/file_contexts: Invalid argument

libsemanage.semanage_install_final_tmp: setfiles returned error code 1. (No such file or directory).

/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /var/lib/kubelet(/.*)? (system_u:object_r:svirt_sandbox_file_t:s0 and system_u:object_r:docker_var_lib_t:s0).

/etc/selinux/targeted/contexts/files/file_contexts: Invalid argument

libsemanage.semanage_install_final_tmp: setfiles returned error code 1. (No such file or directory).

/usr/sbin/semodule: Failed!

Upgrading : docker-selinux-2:1.12.1-7.git49151a1.fc25.x86_64 6/24

/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /var/lib/kubelet(/.*)? (system_u:object_r:svirt_sandbox_file_t:s0 and system_u:object_r:docker_var_lib_t:s0).

/etc/selinux/targeted/contexts/files/file_contexts: Invalid argument

libsemanage.semanage_install_final_tmp: setfiles returned error code 1. (No such file or directory).

/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /var/lib/kubelet(/.*)? (system_u:object_r:svirt_sandbox_file_t:s0 and system_u:object_r:docker_var_lib_t:s0).

/etc/selinux/targeted/contexts/files/file_contexts: Invalid argument

libsemanage.semanage_install_final_tmp: setfiles returned error code 1. (No such file or directory).

/usr/sbin/semodule: Failed!
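
The `Multiple different specifications` error in the comment above means one path regex carries two different contexts in `file_contexts`. The following is an added example, not part of the original thread and not libselinux's own logic: a simplified offline check that groups entries by identical regex and file-type flag. The function names and every sample line except the `/var/lib/kubelet(/.*)?` pair are constructed.

```python
from collections import defaultdict

# Constructed sample in file_contexts format: path regex, optional file-type
# flag (-s, --, -d, ...), then the context. Only the kubelet pair is from the page.
SAMPLE = """\
# constructed sample
/var/lib/docker(/.*)?	system_u:object_r:docker_var_lib_t:s0
/var/lib/kubelet(/.*)?	system_u:object_r:svirt_sandbox_file_t:s0
/var/lib/kubelet(/.*)?	system_u:object_r:docker_var_lib_t:s0
/var/run/docker\\.sock	-s	system_u:object_r:docker_var_run_t:s0
/var/run/docker\\.sock	--	system_u:object_r:docker_var_run_t:s0
"""


def parse_specs(text):
    """Yield (lineno, regex, ftype, context) for each specification line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 2:
            regex, ftype, context = fields[0], "", fields[1]
        elif len(fields) == 3:
            regex, ftype, context = fields
        else:
            raise ValueError(f"line {lineno}: unexpected field count: {raw!r}")
        yield lineno, regex, ftype, context


def find_conflicts(text):
    """Return {(regex, ftype): sorted contexts} for specs mapped to more than one context."""
    seen = defaultdict(set)
    for _, regex, ftype, context in parse_specs(text):
        seen[(regex, ftype)].add(context)
    return {key: sorted(ctxs) for key, ctxs in seen.items() if len(ctxs) > 1}


if __name__ == "__main__":
    for (regex, ftype), contexts in find_conflicts(SAMPLE).items():
        print(f"conflict: {regex} {ftype or '(any type)'} -> {' and '.join(contexts)}")
```

Pointing `find_conflicts` at the text of `/etc/selinux/targeted/contexts/files/file_contexts` shows which entries collide; which package contributed each one still has to be traced separately.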

heikoada commented & provided feedback 3 years ago

LGTM

viorel commented & provided feedback 3 years ago

[root@omiday selinux]# last -n1 reboot
reboot system boot 4.8.0-0.rc4.git0 Sat Sep 3 23:09 still running

wtmp begins Mon Jul 25 17:00:39 2016
[root@omiday selinux]# ausearch -m avc -ts 23:09 | grep "{ getattr }"
type=AVC msg=audit(1472965784.408:145): avc: denied { getattr } for pid=1 comm="systemd" path="/run/systemd/inaccessible/blk" dev="tmpfs" ino=11093 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=0

(Possible) Related boot logs:

Sep 03 23:09:42 omiday.can.local kernel: SELinux: 32768 avtab hash slots, 105642 rules.
Sep 03 23:09:42 omiday.can.local kernel: SELinux: 32768 avtab hash slots, 105642 rules.
Sep 03 23:09:42 omiday.can.local kernel: SELinux: 8 users, 14 roles, 5046 types, 305 bools, 1 sens, 1024 cats
Sep 03 23:09:42 omiday.can.local kernel: SELinux: 94 classes, 105642 rules
Sep 03 23:09:42 omiday.can.local kernel: SELinux: Permission validate_trans in class security not defined in policy.
Sep 03 23:09:42 omiday.can.local kernel: SELinux: Permission module_load in class system not defined in policy.
Sep 03 23:09:42 omiday.can.local kernel: SELinux: the above unknown classes and permissions will be allowed
Sep 03 23:09:42 omiday.can.local kernel: SELinux: Completing initialization.
Sep 03 23:09:42 omiday.can.local kernel: SELinux: Setting up existing superblocks.
Sep 03 23:09:42 omiday.can.local systemd[1]: Successfully loaded SELinux policy in 90.371ms.
Sep 03 23:09:42 omiday.can.local systemd[1]: Unable to fix SELinux security context of /run/systemd/inaccessible/fifo: Permission denied
Sep 03 23:09:42 omiday.can.local systemd[1]: Unable to fix SELinux security context of /run/systemd/inaccessible/blk: Permission denied
Sep 03 23:09:42 omiday.can.local systemd[1]: Unable to fix SELinux security context of /run/systemd/inaccessible/chr: Permission denied
Sep 03 23:09:42 omiday.can.local systemd[1]: Relabelled /dev and /run in 20.204ms.
Sep 03 23:09:42 omiday.can.local systemd-journald[1080]: Journal started
Sep 03 23:09:41 omiday.can.local audit: MAC_STATUS enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
Sep 03 23:09:42 omiday.can.local audit: MAC_POLICY_LOAD policy loaded auid=4294967295 ses=4294967295
Sep 03 23:09:42 omiday.can.local audit[1]: AVC avc: denied { relabelto } for pid=1 comm="systemd" name="fifo" dev="tmpfs" ino=11094 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=fifo_file permissive=0
Sep 03 23:09:42 omiday.can.local audit[1]: AVC avc: denied { getattr } for pid=1 comm="systemd" path="/run/systemd/inaccessible/blk" dev="tmpfs" ino=11093 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=0
Sep 03 23:09:42 omiday.can.local audit[1]: AVC avc: denied { getattr } for pid=1 comm="systemd" path="/run/systemd/inaccessible/blk" dev="tmpfs" ino=11093 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=0
Sep 03 23:09:42 omiday.can.local audit[1]: AVC avc: denied { relabelfrom } for pid=1 comm="systemd" name="chr" dev="tmpfs" ino=11092 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file permissive=0

viorel provided feedback 3 years ago
viorel provided feedback 3 years ago
viorel provided feedback 3 years ago
viorel commented & provided feedback 3 years ago

Sorry about the previous messed up report and empty submissions, here's a formatted one:

[root@omiday ~]# last -n1 reboot
reboot   system boot  4.8.0-0.rc4.git0 Sat Sep  3 23:48   still running

wtmp begins Mon Jul 25 17:00:39 2016
[root@omiday ~]# ausearch -m avc -ts 23:48 | grep "{ getattr }"
type=AVC msg=audit(1472968121.957:143): avc:  denied  { getattr } for  pid=1 comm="systemd" path="/run/systemd/inaccessible/blk" dev="tmpfs" ino=1172 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=0

Related boot logs:

Sep 03 23:48:39 omiday.can.local kernel: SELinux: 32768 avtab hash slots, 105642 rules.
Sep 03 23:48:39 omiday.can.local kernel: SELinux: 32768 avtab hash slots, 105642 rules.
Sep 03 23:48:39 omiday.can.local kernel: SELinux:  8 users, 14 roles, 5046 types, 305 bools, 1 sens, 1024 cats
Sep 03 23:48:39 omiday.can.local kernel: SELinux:  94 classes, 105642 rules
Sep 03 23:48:39 omiday.can.local kernel: SELinux:  Permission validate_trans in class security not defined in policy.
Sep 03 23:48:39 omiday.can.local kernel: SELinux:  Permission module_load in class system not defined in policy.
Sep 03 23:48:39 omiday.can.local kernel: SELinux: the above unknown classes and permissions will be allowed
Sep 03 23:48:39 omiday.can.local kernel: SELinux:  Completing initialization.
Sep 03 23:48:39 omiday.can.local kernel: SELinux:  Setting up existing superblocks.
Sep 03 23:48:39 omiday.can.local systemd[1]: Successfully loaded SELinux policy in 76.855ms.
Sep 03 23:48:39 omiday.can.local systemd[1]: Unable to fix SELinux security context of /run/systemd/inaccessible/fifo: Permission denied
Sep 03 23:48:39 omiday.can.local systemd[1]: Unable to fix SELinux security context of /run/systemd/inaccessible/blk: Permission denied
Sep 03 23:48:39 omiday.can.local systemd[1]: Unable to fix SELinux security context of /run/systemd/inaccessible/chr: Permission denied
Sep 03 23:48:39 omiday.can.local systemd[1]: Relabelled /dev and /run in 20.613ms.
Sep 03 23:48:39 omiday.can.local systemd-journald[1093]: Journal started
Sep 03 23:48:39 omiday.can.local audit: MAC_STATUS enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
Sep 03 23:48:39 omiday.can.local audit: MAC_POLICY_LOAD policy loaded auid=4294967295 ses=4294967295
Sep 03 23:48:39 omiday.can.local audit[1]: AVC avc:  denied  { relabelto } for  pid=1 comm="systemd" name="fifo" dev="tmpfs" ino=1173 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=fifo_file permissive=0
Sep 03 23:48:39 omiday.can.local audit[1]: AVC avc:  denied  { getattr } for  pid=1 comm="systemd" path="/run/systemd/inaccessible/blk" dev="tmpfs" ino=1172 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=0
Sep 03 23:48:39 omiday.can.local audit[1]: AVC avc:  denied  { getattr } for  pid=1 comm="systemd" path="/run/systemd/inaccessible/blk" dev="tmpfs" ino=1172 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=0
Sep 03 23:48:39 omiday.can.local audit[1]: AVC avc:  denied  { relabelfrom } for  pid=1 comm="systemd" name="chr" dev="tmpfs" ino=1171 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file permissive=0
viorel commented & provided feedback 3 years ago

WFM:

[root@omiday ~]# last -n1 reboot
reboot   system boot  4.8.0-0.rc4.git0 Sat Sep  3 23:48   still running

wtmp begins Mon Jul 25 17:00:39 2016

[root@omiday ~]# ausearch -m avc -ts 23:48 | grep "firewalld" 
<no matches>
viorel provided feedback 3 years ago
viorel commented & provided feedback 3 years ago

In reply to https://bodhi.fedoraproject.org/updates/selinux-policy-3.13.1-211.fc25#comment-481907:

I've just reviewed my prior feedback and realized that I should have submitted the comments in Bugzilla. It's done, and please don't hate me, I'll make sure to review the docs next time...

This update has reached 14 days in testing and can be pushed to stable now if the maintainer wishes

3 years ago
renault commented & provided feedback 3 years ago

No trouble here

cairo provided feedback 3 years ago

This update has been submitted for stable by bodhi.

3 years ago
em3rson commented & provided feedback 3 years ago

works for me

This update has been pushed to stable.

3 years ago

Metadata
Type: bugfix
Karma: 6
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -3
Stable by Karma: 6
Dates
submitted: 3 years ago
in testing: 3 years ago
in stable: 3 years ago