FEDORA-2017-31d4ea5eb1

bugfix update in Fedora 25 for selinux-policy

Status: stable 2 years ago

Comments 33

This update has been submitted for testing by lvrabec.

WFM

karma: +1 critpath: +1

jwrdegoede edited this update.

MariaDB Cracklib plugin works well with this update.

karma: +1 critpath: +1

NVIDIA proprietary driver's kernel module blocking:

SELinux is preventing modprobe from module_load access on the system /usr/lib/modules/4.10.0/kernel/drivers/video/nvidia.ko

Source Context                system_u:system_r:insmod_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:modules_object_t:s0
Target Objects                /usr/lib/modules/4.10.0/kernel/drivers/vid
                          eo/nvidia.ko [ system ]
Policy RPM                    selinux-policy-3.13.1-225.9.fc25.noarch
Policy Type                   targeted
Enforcing Mode                Enforcing
Platform                      Linux  4.10.0 #1 SMP Mon
                          Feb 20 23:37:16 EET 2017 x86_64 x86_64
Alert Count                   22
First Seen                    2017-02-21 07:54:29 EET
Last Seen                     2017-02-21 07:55:48 EET

Raw Audit Messages
type=AVC msg=audit(1487656548.807:163): avc:  denied  { module_load } for  pid=1013 comm="modprobe" path="/usr/lib/modules/4.10.0/kernel/drivers/video/nvidia.ko" dev="sda2" ino=2894558 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:modules_object_t:s0 tclass=system permissive=0


Hash: modprobe,insmod_t,modules_object_t,system,module_load

An alert message during relabeling filesystem shows:

filespec_add: conflicting specifications for /usr/sbin/sln and /usr/sbin/ldconfig, using system_u:object_r:ldconfig_exec_t:s0

And then a sequence of similar messages referring to files from Qt -debug packages.

NVIDIA not working

karma: -1

SELinux is preventing abrt-action-not from write access on the directory /usr/lib64/python3.5/site-packages/problem/__pycache__.

SELinux is preventing abrt-action-not from write access on the directory /usr/lib64/python3.5/site-packages/report/__pycache__.

SELinux is preventing abrt-action-not from write access on the directory /usr/lib64/python3.5/site-packages/reportclient/__pycache__.

SELinux is preventing abrt-action-not from write access on the directory /usr/lib64/python3.5/site-packages/report/io/__pycache__.

WFM

karma: +1 critpath: +1

Seems, it somehow begins to resemble a vote of choosing between WFM and NWFM ((:))

+1 it also fixes BZ1411437

karma: +1 critpath: +1

Pity, that it cannot fix yet Munich's city council ((:))

No regressions noted. (The python cache error noted by an anonymous reporter may be an issue with a python update, if he/she has the 3.5.3 version that was in testing earlier this month, and then was un-pushed. I was seeing the same errors due to it.)

karma: +1 critpath: +1

@dhgutteridge

Thank you for the clue about Python. Yes, it's indeed as you wrote.

But all Nvidia proprietary driver users should be very upset after receiving this update.

lvrabec edited this update.

New build(s):

  • selinux-policy-3.13.1-225.10.fc25

Removed build(s):

  • selinux-policy-3.13.1-225.9.fc25

@dhgutteridge

I've caught the ball before the bound somehow about Python. Even with 3.5.2-4, it turned out that it's not indeed as you wrote, except that with 225.10 modprobe will still load Nvidia only after creating own policy... 🎪

This update has been pushed to testing.

Works for me

karma: +1 critpath: +1 #1419944: +1

No regressions noted.

karma: +1 critpath: +1

This fixes #1419944 for me, +1

karma: +1 critpath: +1 #1419944: +1

WFM

karma: +1 critpath: +1

😏 Policy RPM selinux-policy-3.13.1-225.10.fc25.noarch

Last Seen 2017-02-23 05:06:47 EET:

SELinux is preventing abrt-action-not from write access on the directory /usr/lib64/python3.5/site-packages/dbus/__pycache__.

Last Seen 2017-02-23 06:49:47 EET:

SELinux is preventing ksmtuned from write access on the directory ksm.

Last Seen 2017-02-23 23:10:27 EET:

SELinux is preventing accounts-daemon from read access on the lnk_file .cache.

Last Seen 2017-02-23 23:10:33 EET:

SELinux is preventing sddm-greeter from read access on the file core_pattern.

Last Seen 2017-02-23 23:10:33 EET:

SELinux is preventing kdm_greet from read access on the lnk_file default.png.

Last Seen 2017-02-23 23:10:43 EET:

SELinux is preventing sddm-helper from create access on the file xsession-errors.

& my-modprobe for Nvidia ))

Looks OK here on x86_64.

karma: +1

works for me so far, no regressions noted

karma: +1

no new alerts noticed. seems to work for me.

karma: +1

This update has been submitted for stable by bodhi.

This update has been pushed to stable.

I do not know whether there was any reason to implement in policy Nvidia proprietary drivers blockings when other errors peacefully wander there from update to upgrade.

But if there were something like codenames, this issue could be called:

'We're so up to speed on f***ing!'

So, do you know why I'm here?

Let me inform you: AFTER the last update my screen looks like a 950x600 on a fullhd monitor.

1) I thought about an nvidia driver issue, then tried to launch the previous kernel 4.10 (instead of the last one, 4.11)

2) same results. Then in the terminal I tried "glxinfo -B" and discovered that instead of the nvidia driver I was on Gallium

3) Then I googled for a solution and found this: https://devtalk.nvidia.com/default/topic/996408/quadro-k620-on-fedora-25-unable-to-load-the-nvidia-drm-/?offset=10 At some point someone posted that a workaround is to put selinux in permissive mode

4) I tried and it works

5) From the same post I jump here just to discover that the issue with the nvidia driver was WELL KNOWN and beautifully ignored.

What was the purpose? Do you want so much a giant middle finger in your face?

"This update has been pushed to stable".... yes, from a bunch of idiots.

@valeriodean, I tell you a secret. I know it's too late but you should report a bug to fedora with SELinux Troubleshooter or even better contribute a fix to fedora selinux-policy https://github.com/fedora-selinux/selinux-policy.git

And the most important that nobody gave negative karma because anonymous voices do not count.

You hear that @kuosmanen? You're an anonymous voice who doesn't count.

I missed @kuosmanen in history. Disclaimer: I am not selinux-policy maintainer


Content Type: RPM
Status: stable
Test Gating
Submitted by
Update Type: bugfix
Update Severity: medium
Karma: +7 (stable threshold: 7, unstable threshold: -3)
Autopush (karma): Enabled
Autopush (time): Disabled
Dates: submitted 2 years ago; in testing 2 years ago; in stable 2 years ago; modified 2 years ago

Related Bugs 9

00 #1010884
00 #1102119
00 #1250312
00 #1261989
00 #1309429
00 #1361683
00 #1361732
00 #1363657
0+2 #1419944 SELinux issues with libGLdispatch.so.0.0.0 with move to libglvnd
