FEDORA-2016-cbdde50ec4

bugfix update in Fedora 25 for selinux-policy

Status: stable 3 years ago

More info: http://koji.fedoraproject.org/koji/buildinfo?buildID=794433


Build fixes starting VM in enforcing mode and using confined users in F25

How to install

sudo dnf upgrade --advisory=FEDORA-2016-cbdde50ec4

Comments 20

This update has been submitted for testing by lvrabec.

This update has obsoleted selinux-policy-3.13.1-210.fc25, and has inherited its bugs and notes.

This update has been pushed to testing.

This update does not fix bug 1367280.

karma: +1 critpath: +1 #1342732: +1 #1367280: -1 #1340611: +1

Is it expected to see such messages on upgrade?

Upgrading : selinux-policy-targeted-3.13.1-211.fc25.noarch 5/24

/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /var/lib/kubelet(/.*)? (system_u:object_r:svirt_sandbox_file_t:s0 and system_u:object_r:docker_var_lib_t:s0).

/etc/selinux/targeted/contexts/files/file_contexts: Invalid argument

libsemanage.semanage_install_final_tmp: setfiles returned error code 1. (No such file or directory).

/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /var/lib/kubelet(/.*)? (system_u:object_r:svirt_sandbox_file_t:s0 and system_u:object_r:docker_var_lib_t:s0).

/etc/selinux/targeted/contexts/files/file_contexts: Invalid argument

libsemanage.semanage_install_final_tmp: setfiles returned error code 1. (No such file or directory).

/usr/sbin/semodule: Failed!

Upgrading : docker-selinux-2:1.12.1-7.git49151a1.fc25.x86_64 6/24

/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /var/lib/kubelet(/.*)? (system_u:object_r:svirt_sandbox_file_t:s0 and system_u:object_r:docker_var_lib_t:s0).

/etc/selinux/targeted/contexts/files/file_contexts: Invalid argument

libsemanage.semanage_install_final_tmp: setfiles returned error code 1. (No such file or directory).

/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /var/lib/kubelet(/.*)? (system_u:object_r:svirt_sandbox_file_t:s0 and system_u:object_r:docker_var_lib_t:s0).

/etc/selinux/targeted/contexts/files/file_contexts: Invalid argument

libsemanage.semanage_install_final_tmp: setfiles returned error code 1. (No such file or directory).

/usr/sbin/semodule: Failed!

[root@omiday selinux]# last -n1 reboot
reboot   system boot  4.8.0-0.rc4.git0 Sat Sep  3 23:09   still running

wtmp begins Mon Jul 25 17:00:39 2016
[root@omiday selinux]# ausearch -m avc -ts 23:09 | grep "{ getattr }"
type=AVC msg=audit(1472965784.408:145): avc:  denied  { getattr } for  pid=1 comm="systemd" path="/run/systemd/inaccessible/blk" dev="tmpfs" ino=11093 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=0

(Possible) Related boot logs:

Sep 03 23:09:42 omiday.can.local kernel: SELinux: 32768 avtab hash slots, 105642 rules.
Sep 03 23:09:42 omiday.can.local kernel: SELinux: 32768 avtab hash slots, 105642 rules.
Sep 03 23:09:42 omiday.can.local kernel: SELinux: 8 users, 14 roles, 5046 types, 305 bools, 1 sens, 1024 cats
Sep 03 23:09:42 omiday.can.local kernel: SELinux: 94 classes, 105642 rules
Sep 03 23:09:42 omiday.can.local kernel: SELinux: Permission validate_trans in class security not defined in policy.
Sep 03 23:09:42 omiday.can.local kernel: SELinux: Permission module_load in class system not defined in policy.
Sep 03 23:09:42 omiday.can.local kernel: SELinux: the above unknown classes and permissions will be allowed
Sep 03 23:09:42 omiday.can.local kernel: SELinux: Completing initialization.
Sep 03 23:09:42 omiday.can.local kernel: SELinux: Setting up existing superblocks.
Sep 03 23:09:42 omiday.can.local systemd[1]: Successfully loaded SELinux policy in 90.371ms.
Sep 03 23:09:42 omiday.can.local systemd[1]: Unable to fix SELinux security context of /run/systemd/inaccessible/fifo: Permission denied
Sep 03 23:09:42 omiday.can.local systemd[1]: Unable to fix SELinux security context of /run/systemd/inaccessible/blk: Permission denied
Sep 03 23:09:42 omiday.can.local systemd[1]: Unable to fix SELinux security context of /run/systemd/inaccessible/chr: Permission denied
Sep 03 23:09:42 omiday.can.local systemd[1]: Relabelled /dev and /run in 20.204ms.
Sep 03 23:09:42 omiday.can.local systemd-journald[1080]: Journal started
Sep 03 23:09:41 omiday.can.local audit: MAC_STATUS enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
Sep 03 23:09:42 omiday.can.local audit: MAC_POLICY_LOAD policy loaded auid=4294967295 ses=4294967295
Sep 03 23:09:42 omiday.can.local audit[1]: AVC avc:  denied  { relabelto } for  pid=1 comm="systemd" name="fifo" dev="tmpfs" ino=11094 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=fifo_file permissive=0
Sep 03 23:09:42 omiday.can.local audit[1]: AVC avc:  denied  { getattr } for  pid=1 comm="systemd" path="/run/systemd/inaccessible/blk" dev="tmpfs" ino=11093 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=0
Sep 03 23:09:42 omiday.can.local audit[1]: AVC avc:  denied  { getattr } for  pid=1 comm="systemd" path="/run/systemd/inaccessible/blk" dev="tmpfs" ino=11093 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=0
Sep 03 23:09:42 omiday.can.local audit[1]: AVC avc:  denied  { relabelfrom } for  pid=1 comm="systemd" name="chr" dev="tmpfs" ino=11092 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file permissive=0

#1367280: -1
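The `semodule: Failed!` messages in the comment above come from setfiles rejecting a file_contexts set in which the same path regex carries two different labels: `/var/lib/kubelet(/.*)?` is labelled `svirt_sandbox_file_t` by one package's policy and `docker_var_lib_t` by another's, and the upgrade of either selinux-policy-targeted or docker-selinux trips over the merged result. The script below is an added example, not part of this update or of the selinux-policy or docker-selinux packages: it runs the same duplicate-specification check over a file_contexts-style file so the conflict can be found before an upgrade, for instance by pointing it at a module's `.fc` file or at `/etc/selinux/targeted/contexts/files/file_contexts`. The sample input is constructed here; only the two kubelet lines reproduce the labels seen in the report.

```python
"""Find conflicting file_contexts specifications before setfiles rejects them.

Added example; the real check lives in libselinux/setfiles, this only mirrors
the rule that makes it exit 1: same regex + same file-type flag, different
context.
"""
from collections import defaultdict

# Constructed sample in the format of
# /etc/selinux/targeted/contexts/files/file_contexts. The two kubelet
# entries reproduce the conflict quoted in the update comment.
SAMPLE_FILE_CONTEXTS = """\
# file_contexts (constructed sample)
/.*                         system_u:object_r:default_t:s0
/etc/passwd            --   system_u:object_r:passwd_file_t:s0
/dev/null              -c   system_u:object_r:null_device_t:s0
/var/lib/docker(/.*)?       system_u:object_r:docker_var_lib_t:s0
/var/lib/kubelet(/.*)?      system_u:object_r:svirt_sandbox_file_t:s0
/var/lib/kubelet(/.*)?      system_u:object_r:docker_var_lib_t:s0
/var/lib/docker(/.*)?       system_u:object_r:docker_var_lib_t:s0
/var/run/secret        -d   <<none>>
"""

# Optional second column: restrict a spec to one inode kind
# (-- regular file, -b block, -c char, -d dir, -p fifo, -l symlink, -s socket).
FILE_TYPE_FLAGS = {"--", "-b", "-c", "-d", "-p", "-l", "-s"}


def parse_file_contexts(text):
    """Yield (lineno, regex, file_type_or_None, context) per specification.

    Blank lines and '#' comments are skipped, as setfiles does. A line that
    is neither `regex context` nor `regex flag context` is malformed.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 2:
            regex, ftype, ctx = fields[0], None, fields[1]
        elif len(fields) == 3 and fields[1] in FILE_TYPE_FLAGS:
            regex, ftype, ctx = fields
        else:
            raise ValueError(f"line {lineno}: malformed specification: {raw!r}")
        yield lineno, regex, ftype, ctx


def find_conflicts(text):
    """Return {(regex, ftype): [distinct contexts]} for every spec that is
    listed more than once with *different* contexts.

    Exact duplicates (same regex, flag and context) only draw a warning from
    setfiles and are not reported; differing contexts are what make it fail.
    """
    seen = defaultdict(set)
    for _, regex, ftype, ctx in parse_file_contexts(text):
        seen[(regex, ftype)].add(ctx)
    return {key: sorted(ctxs) for key, ctxs in seen.items() if len(ctxs) > 1}


def report(text):
    """Render conflicts in the wording setfiles uses for the error."""
    lines = []
    for (regex, ftype), ctxs in sorted(find_conflicts(text).items()):
        spec = regex if ftype is None else f"{regex} {ftype}"
        lines.append(
            f"Multiple different specifications for {spec} ({' and '.join(ctxs)})"
        )
    return lines


if __name__ == "__main__":
    import sys

    # Usage: python3 fc_conflicts.py [path/to/file_contexts]
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FILE_CONTEXTS
    problems = report(source)
    print("\n".join(problems) if problems else "no conflicting specifications")
    sys.exit(1 if problems else 0)
```

The script deliberately ignores identical duplicate lines, since those only produce a "Multiple same specifications" warning; it is the differing labels that make setfiles return 1 and abort the module install. It cannot tell which package should own a path; that is decided by which policy module defines it, and the right fix is in the packages rather than a local `file_contexts.local` entry that hides the clash.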

Sorry about the previous messed up report and empty submissions, here's a formatted one:

[root@omiday ~]# last -n1 reboot
reboot   system boot  4.8.0-0.rc4.git0 Sat Sep  3 23:48   still running

wtmp begins Mon Jul 25 17:00:39 2016
[root@omiday ~]# ausearch -m avc -ts 23:48 | grep "{ getattr }"
type=AVC msg=audit(1472968121.957:143): avc:  denied  { getattr } for  pid=1 comm="systemd" path="/run/systemd/inaccessible/blk" dev="tmpfs" ino=1172 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=0

Related boot logs:

Sep 03 23:48:39 omiday.can.local kernel: SELinux: 32768 avtab hash slots, 105642 rules.
Sep 03 23:48:39 omiday.can.local kernel: SELinux: 32768 avtab hash slots, 105642 rules.
Sep 03 23:48:39 omiday.can.local kernel: SELinux:  8 users, 14 roles, 5046 types, 305 bools, 1 sens, 1024 cats
Sep 03 23:48:39 omiday.can.local kernel: SELinux:  94 classes, 105642 rules
Sep 03 23:48:39 omiday.can.local kernel: SELinux:  Permission validate_trans in class security not defined in policy.
Sep 03 23:48:39 omiday.can.local kernel: SELinux:  Permission module_load in class system not defined in policy.
Sep 03 23:48:39 omiday.can.local kernel: SELinux: the above unknown classes and permissions will be allowed
Sep 03 23:48:39 omiday.can.local kernel: SELinux:  Completing initialization.
Sep 03 23:48:39 omiday.can.local kernel: SELinux:  Setting up existing superblocks.
Sep 03 23:48:39 omiday.can.local systemd[1]: Successfully loaded SELinux policy in 76.855ms.
Sep 03 23:48:39 omiday.can.local systemd[1]: Unable to fix SELinux security context of /run/systemd/inaccessible/fifo: Permission denied
Sep 03 23:48:39 omiday.can.local systemd[1]: Unable to fix SELinux security context of /run/systemd/inaccessible/blk: Permission denied
Sep 03 23:48:39 omiday.can.local systemd[1]: Unable to fix SELinux security context of /run/systemd/inaccessible/chr: Permission denied
Sep 03 23:48:39 omiday.can.local systemd[1]: Relabelled /dev and /run in 20.613ms.
Sep 03 23:48:39 omiday.can.local systemd-journald[1093]: Journal started
Sep 03 23:48:39 omiday.can.local audit: MAC_STATUS enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
Sep 03 23:48:39 omiday.can.local audit: MAC_POLICY_LOAD policy loaded auid=4294967295 ses=4294967295
Sep 03 23:48:39 omiday.can.local audit[1]: AVC avc:  denied  { relabelto } for  pid=1 comm="systemd" name="fifo" dev="tmpfs" ino=1173 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=fifo_file permissive=0
Sep 03 23:48:39 omiday.can.local audit[1]: AVC avc:  denied  { getattr } for  pid=1 comm="systemd" path="/run/systemd/inaccessible/blk" dev="tmpfs" ino=1172 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=0
Sep 03 23:48:39 omiday.can.local audit[1]: AVC avc:  denied  { getattr } for  pid=1 comm="systemd" path="/run/systemd/inaccessible/blk" dev="tmpfs" ino=1172 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=0
Sep 03 23:48:39 omiday.can.local audit[1]: AVC avc:  denied  { relabelfrom } for  pid=1 comm="systemd" name="chr" dev="tmpfs" ino=1171 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file permissive=0

WFM:

[root@omiday ~]# last -n1 reboot
reboot   system boot  4.8.0-0.rc4.git0 Sat Sep  3 23:48   still running

wtmp begins Mon Jul 25 17:00:39 2016

[root@omiday ~]# ausearch -m avc -ts 23:48 | grep "firewalld" 
<no matches>
#1340611: +1
karma: +1 critpath: +1
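The AVC records in the comment above are the raw material audit2allow turns into allow rules. The script below is an added example, not a tool from this update and not a substitute for audit2allow: it parses both the ausearch form (`type=AVC msg=audit(...)`) and the journal form (`audit[1]: AVC avc: ...`) quoted above, groups denials by source type, target type and object class, emits the minimal `allow` rules that would cover them, and counts how many were actually blocked (`permissive=0`). The input is a constructed sample made from the lines in the comment plus one invented `permissive=1` firewalld line, so that permissive-mode denials can be shown being filtered out.

```python
"""Collapse AVC denials into candidate allow rules (audit2allow-style).

Added example. Output is a reading aid for the policy gap, not something to
load with semodule unreviewed.
"""
import re
from collections import defaultdict

# Constructed sample: the ausearch and journal lines quoted in the comment
# above, plus one invented permissive=1 firewalld denial.
SAMPLE_AVC = """\
type=AVC msg=audit(1472968121.957:143): avc:  denied  { getattr } for  pid=1 comm="systemd" path="/run/systemd/inaccessible/blk" dev="tmpfs" ino=1172 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=0
Sep 03 23:48:39 omiday.can.local audit[1]: AVC avc:  denied  { relabelto } for  pid=1 comm="systemd" name="fifo" dev="tmpfs" ino=1173 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=fifo_file permissive=0
Sep 03 23:48:39 omiday.can.local audit[1]: AVC avc:  denied  { getattr } for  pid=1 comm="systemd" path="/run/systemd/inaccessible/blk" dev="tmpfs" ino=1172 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=0
Sep 03 23:48:39 omiday.can.local audit[1]: AVC avc:  denied  { relabelfrom } for  pid=1 comm="systemd" name="chr" dev="tmpfs" ino=1171 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1472968130.001:150): avc:  denied  { read write } for  pid=900 comm="firewalld" path="/dev/null" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:null_device_t:s0 tclass=chr_file permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"  # { perm perm ... }
    r".*?\bscontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)
PID_RE = re.compile(r"\bpid=(\d+)")
COMM_RE = re.compile(r'\bcomm="([^"]*)"')


def context_type(ctx):
    """Type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avcs(text):
    """Yield one record per AVC denial line; other lines are ignored."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        pid = PID_RE.search(line)
        comm = COMM_RE.search(line)
        permissive = m.group("permissive")
        yield {
            "perms": set(m.group("perms").split()),
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            # permissive=0: access was really blocked; =1: logged only.
            "enforced": None if permissive is None else permissive == "0",
            "pid": int(pid.group(1)) if pid else None,
            "comm": comm.group(1) if comm else None,
        }


def suggest_allow_rules(text, enforced_only=False):
    """One `allow src tgt:class { perms };` per (src, tgt, class) triple."""
    grouped = defaultdict(set)
    for rec in parse_avcs(text):
        if enforced_only and not rec["enforced"]:
            continue
        grouped[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ " + plist + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {plist};")
    return rules


def count_enforced(text):
    """Number of denial records that were blocked (permissive=0)."""
    return sum(1 for rec in parse_avcs(text) if rec["enforced"])


if __name__ == "__main__":
    import sys

    # Usage: ausearch -m avc -ts today | python3 avc_rules.py
    data = SAMPLE_AVC if sys.stdin.isatty() else sys.stdin.read()
    print(f"# {count_enforced(data)} enforced denial(s)")
    print("\n".join(suggest_allow_rules(data)))
```

Rules produced this way grant exactly the denied access and nothing narrower: for the records above they would let `init_t` stat and relabel any `tmpfs_t` node, far more than the three `/run/systemd/inaccessible/*` entries involved. Treat the output as a pointer to where the shipped policy or labeling is incomplete, which is what this update is meant to address, rather than as a local module to install.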

In reply to https://bodhi.fedoraproject.org/updates/selinux-policy-3.13.1-211.fc25#comment-481907:

I've just reviewed my prior feedback and realized that I should have submitted the comments in Bugzilla. It's done, and please don't hate me, I'll make sure to review the docs next time...

This update has reached 14 days in testing and can be pushed to stable now if the maintainer wishes

No trouble here

karma: +1

This update has been submitted for stable by bodhi.

works for me

karma: +1

This update has been pushed to stable.


Content Type: RPM
Status: stable
Test Gating:
Submitted by:
Update Type: bugfix
Update Severity: unspecified
Karma: +6 (stable threshold: 6, unstable threshold: -3)
Autopush (karma): Enabled
Autopush (time): Disabled
Dates: submitted 3 years ago; in testing 3 years ago; in stable 3 years ago

Related Bugs 4

00 #1315354
0+1 #1340611
0+1 #1342732
-10 #1367280
