stable

selinux-policy-3.13.1-283.17.fc27

FEDORA-2017-d05b1a2ab9 created by lvrabec 6 years ago for Fedora 27

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2017-d05b1a2ab9

This update has been submitted for testing by lvrabec.

6 years ago
czanik commented & provided feedback 6 years ago
karma

Tested the syslog-ng part and it works now fine.

BZ#1513403 start of syslog-ng is blocked by SELinux
mstevens commented & provided feedback 6 years ago
karma

works fine

BZ#1514451 clamav-milter doesn't start
pblaho commented & provided feedback 6 years ago
karma

Tested with memcached part - works for me.

BZ#1514867 selinux prevents memcached from starting
g6avk commented & provided feedback 6 years ago
karma

Works for me, fixes the alerts when I use DNF updates including bug #1514677

BZ#1514903 SELinux is preventing mandb from 'read' accesses on the Datei /etc/passwd.
anonymous commented & provided feedback 6 years ago

What about this:

[    6.312960] SELinux:  Permission getrlimit in class process not defined in policy.
[    6.314149] SELinux:  Class sctp_socket not defined in policy.
[    6.315204] SELinux:  Class icmp_socket not defined in policy.
[    6.316258] SELinux:  Class ax25_socket not defined in policy.
[    6.317300] SELinux:  Class ipx_socket not defined in policy.
[    6.318333] SELinux:  Class netrom_socket not defined in policy.
[    6.319362] SELinux:  Class atmpvc_socket not defined in policy.
[    6.320370] SELinux:  Class x25_socket not defined in policy.
[    6.321362] SELinux:  Class rose_socket not defined in policy.
[    6.322358] SELinux:  Class decnet_socket not defined in policy.
[    6.323366] SELinux:  Class atmsvc_socket not defined in policy.
[    6.324344] SELinux:  Class rds_socket not defined in policy.
[    6.325305] SELinux:  Class irda_socket not defined in policy.
[    6.326250] SELinux:  Class pppox_socket not defined in policy.
[    6.327185] SELinux:  Class llc_socket not defined in policy.
[    6.328113] SELinux:  Class can_socket not defined in policy.
[    6.329026] SELinux:  Class tipc_socket not defined in policy.
[    6.329942] SELinux:  Class bluetooth_socket not defined in policy.
[    6.330853] SELinux:  Class iucv_socket not defined in policy.
[    6.331765] SELinux:  Class rxrpc_socket not defined in policy.
[    6.332673] SELinux:  Class isdn_socket not defined in policy.
[    6.333573] SELinux:  Class phonet_socket not defined in policy.
[    6.334474] SELinux:  Class ieee802154_socket not defined in policy.
[    6.335384] SELinux:  Class caif_socket not defined in policy.
[    6.336290] SELinux:  Class alg_socket not defined in policy.
[    6.337189] SELinux:  Class nfc_socket not defined in policy.
[    6.338077] SELinux:  Class vsock_socket not defined in policy.
[    6.338961] SELinux:  Class kcm_socket not defined in policy.
[    6.339845] SELinux:  Class qipcrtr_socket not defined in policy.
[    6.340734] SELinux:  Class smc_socket not defined in policy.
[    6.341630] SELinux: the above unknown classes and permissions will be allowed

This update has been pushed to testing.

6 years ago
mooninite commented & provided feedback 6 years ago

Does not fix BZ 1460244

sshambar commented & provided feedback 6 years ago
karma

Fixed a few bugs, but didn't fully fix the dovecot bug (BZ1513153)

BZ#1514868 selinux prevents newaliases from accessing postfix_etc_t directories
BZ#1513153 dovecot not allowed to use mmap
BZ#1514867 selinux prevents memcached from starting
BZ#1514866 selinux prevents php-fpm from mapping php files
besser82 commented & provided feedback 6 years ago
karma

Works great! LGTM! =)

This update has been submitted for batched by bodhi.

6 years ago
imabug provided feedback 6 years ago
karma
BZ#1514093 SELinux is preventing mandb from 'map' accesses on the archivo /var/cache/man/2883.
BZ#1514903 SELinux is preventing mandb from 'read' accesses on the Datei /etc/passwd.
bluepencil commented & provided feedback 6 years ago

SELinux is preventing setroubleshootd from read access on the file /var/lib/rpm/Packages.

Source Context                system_u:system_r:setroubleshootd_t:s0
Target Context                unconfined_u:object_r:var_lib_t:s0
Target Objects                /var/lib/rpm/Packages [ file ]
Source                        setroubleshootd
Source Path                   setroubleshootd
Target RPM Packages           rpm-4.14.0-2.fc27.x86_64
Policy RPM                    selinux-policy-3.13.1-283.17.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Platform                      Linux  4.14.2 #1 SMP Fri
                              Nov 24 16:50:57 EET 2017 x86_64 x86_64
Alert Count                   12
First Seen                    2017-10-21 20:07:47 EEST
Last Seen                     2017-11-17 08:29:09 EET

SELinux is preventing setroubleshootd from 'read, write' accesses on the file /var/lib/rpm/.dbenv.lock

Source Context                system_u:system_r:setroubleshootd_t:s0
Target Context                unconfined_u:object_r:var_lib_t:s0
Target Objects                /var/lib/rpm/.dbenv.lock [ file ]
Source                        setroubleshootd
Source Path                   setroubleshootd
Policy RPM                    selinux-policy-3.13.1-283.17.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Platform                      Linux  4.14.2 #1 SMP Fri
                              Nov 24 16:50:57 EET 2017 x86_64 x86_64
Alert Count                   9
First Seen                    2017-11-13 20:30:40 EET
Last Seen                     2017-11-17 08:29:09 EET

SELinux is preventing mandb from search access on the directory /var/lib/sss

Source Context                system_u:system_r:mandb_t:s0
Target Context                system_u:object_r:sssd_var_lib_t:s0
Target Objects                /var/lib/sss [ dir ]
Source Path                   mandb
Target RPM Packages           sssd-common-1.16.0-4.fc27.x86_64
Policy RPM                    selinux-policy-3.13.1-283.17.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Platform                      Linux  4.14.2 #1 SMP Fri
                              Nov 24 16:50:57 EET 2017 x86_64 x86_64
Alert Count                   66
First Seen                    2017-11-17 03:13:37 EET
Last Seen                     2017-11-22 07:41:30 EET
sjoerd commented & provided feedback 6 years ago

One part of bug 1513153 was fixed, but the other not. There were two missing policies (see comment 2) but only the first was fixed. Still missing is allow dovecot_deliver_t mail_home_rw_t:file map;

BZ#1513153 dovecot not allowed to use mmap

This update has been submitted for stable by bodhi.

6 years ago

This update has been pushed to stable.

6 years ago
bluepencil commented & provided feedback 6 years ago

SELinux is preventing abrt-action-gen from read access on the file libvtkFiltersHybrid-pv5.4.so.1

Source Context                system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:mnt_t:s0
Target Objects                libvtkFiltersHybrid-pv5.4.so.1 [ file ]
Source                        abrt-action-gen
Policy RPM                    selinux-policy-3.13.1-283.17.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Alert Count                   1952
First Seen                    2017-12-08 01:59:11 EET
Last Seen                     2017-12-08 01:59:19 EET
Raw Audit Messages
type=AVC msg=audit(1512691159.49:2601): avc:  denied  { read } for  pid=44648 comm="abrt-action-gen" name="libvtkFiltersHybrid-pv5.4.so.1" dev="sda5" ino=4036077 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mnt_t:s0 tclass=file permissive=0

Metadata
Type: bugfix
Severity: high
Karma: 7
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -3
Stable by Karma: 6
Stable by Time: disabled
Dates
submitted: 6 years ago
in testing: 6 years ago
in stable: 6 years ago

Bug | Negative feedback | Positive feedback
BZ#1448877 iscsid is prevented by SELinux from loading modules | 0 | 0
BZ#1460244 Some processes are denied send_msg to dbus by selinux | 0 | 0
BZ#1483169 'map' denial for comm 'unix_chkpwd' path '/etc/ld.so.cache' | 0 | 0
BZ#1498809 Squid fails to start: denied map on /dev/shm/squid-cf__metadata.shm | 0 | 0
BZ#1502009 file_contexts.bin: line 1 error due to: Non-ASCII characters found | 0 | 0
BZ#1513153 dovecot not allowed to use mmap | -2 | 0
BZ#1513403 start of syslog-ng is blocked by SELinux | 0 | 1
BZ#1514093 SELinux is preventing mandb from 'map' accesses on the archivo /var/cache/man/2883. | 0 | 1
BZ#1514251 selinux - strongswan fails to start | 0 | 0
BZ#1514320 SELinux is preventing php-fpm from 'map' accesses on the file /etc/nextcloud/config.php. | 0 | 0
BZ#1514372 SELinux is preventing gsf-office-thum from 'map' accesses on the file /tmp/gnome-desktop-file-to-thumbnail.xlsx. | 0 | 0
BZ#1514451 clamav-milter doesn't start | 0 | 1
BZ#1514592 php-fpm denied map for medawiki files | 0 | 0
BZ#1514866 selinux prevents php-fpm from mapping php files | 0 | 1
BZ#1514867 selinux prevents memcached from starting | 0 | 2
BZ#1514868 selinux prevents newaliases from accessing postfix_etc_t directories | 0 | 1
BZ#1514880 selinux preventing systemd-mount creating directory in /run/media/system/ folder | 0 | 0
BZ#1514903 SELinux is preventing mandb from 'read' accesses on the Datei /etc/passwd. | 0 | 2
BZ#1514975 SELinux is preventing journalctl from 'map' accesses on the file /run/log/journal/43f6f51c1f464cf8b7c74d48e50ecf74/system.journal. | 0 | 0
BZ#1515169 SELinux is preventing abrt-action-gen from 'map' accesses on the fájl /tmp/.mount_StremiuMcFQM/lib/libQt5WebEngine.so.5. | 0 | 0
BZ#1515304 Permission error mapping temporary file | 0 | 0
BZ#1515373 SELinux prevents computer from rebooting or shutdown | 0 | 0