FEDORA-2018-46564d0139 created by lvrabec 2 years ago for Fedora 28
stable

How to install

sudo dnf upgrade --advisory=FEDORA-2018-46564d0139

This update has been submitted for testing by lvrabec.

2 years ago

This update has obsoleted selinux-policy-3.14.1-39.fc28, and has inherited its bugs and notes.

2 years ago

Getting a lot of pmdalinux denials after installing 3.14.1-40 version.

If you believe that pmdalinux should be allowed unix_read access on the Unknown shm by default.

Source Context system_u:system_r:pcp_pmcd_t:s0 Target Context system_u:system_r:unconfined_service_t:s0 Target Objects Unknown [ shm ] Source pmdalinux Source Path pmdalinux Port <Unknown> Raw Audit Messages type=AVC msg=audit(1533927306.312:377): avc: denied { unix_read } for pid=1758 comm="pmdalinux" key=0 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=shm permissive=0

If you believe that pmdalinux should be allowed getattr associate access on the Unknown shm by default.

Source Context system_u:system_r:pcp_pmcd_t:s0 Target Context system_u:system_r:unconfined_service_t:s0 Target Objects Unknown [ shm ] Source pmdalinux Source Path pmdalinux Port <Unknown> Raw Audit Messages type=AVC msg=audit(1533927606.311:554): avc: denied { getattr associate } for pid=1758 comm="pmdalinux" key=0 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=shm permissive=0

hmm, that didn't format the way I thought it would...

proski commented & provided feedback 2 years ago

1614333 appears to be fixed.

I haven't seen other issues mentioned here before or after the update. But #1594585 is back, it looks like a regression. (SELinux is preventing (upowerd) from 'mounton' accesses on the directory /var/lib/upower)

bluepencil commented & provided feedback 2 years ago

No regressions and preventing mounting /var/lib/upower noticed

Although I have a module my-upowerd dated June 20th with the following content:

module my-upowerd 1.0;

require {
    type usb_device_t;
    type devicekit_var_lib_t;
    type init_t;
    type devicekit_power_t;
    class dir mounton;
    class process2 nnp_transition;
    class chr_file read;
}

#============= init_t ==============

#!!!! This avc is allowed in the current policy
allow init_t devicekit_power_t:process2 nnp_transition;

#!!!! This avc is allowed in the current policy
allow init_t devicekit_var_lib_t:dir mounton;
allow init_t usb_device_t:chr_file read;

@proski: do you have upower-0.99.8-1 installed from updates-testing?

@dhgutteridge: Yes, I have upower-0.99.8-1 installed. I'm up to date with updates-testing. Yet I'm getting the issue referenced in #1594585 on every reboot.

@proski: If you revert upower to the version before what you'd pulled from updates-testing (in other words, what's in the updates repository: 0.99.7-3), that should fix your problem. There are unresolved interaction issues between the newest version of upower and selinux-policy. E.g. another issue filed is #1598649, where someone's noted a related upstream bug report for upower from a month ago which seems to have had no traction to date. (My workaround was to revert upower on F27 and F28, and block upower-0.99.8-1 with the dnf versionlock plugin, so I wouldn't keep getting it included in every updates-testing pull for F27.)

(Of course, if you revert upower on F28, you probably won't be able to move back to 0.99.8-1 if you want to re-test later, since it's been obsoleted by negative karma in Bodhi, and subsequently deleted from Koji.)

proski commented & provided feedback 2 years ago

@dhgutteridge: The issue is gone with the downgrade of upower. Thank you! I'm going to give positive karma to this update, I hope that will cancel the negative karma I left before.

This update has been pushed to testing.

2 years ago
bojan commented & provided feedback 2 years ago

Works here.

cserpentis commented & provided feedback 2 years ago

no regression noted

mhayden commented & provided feedback 2 years ago

Working fine.

This update has been submitted for batched by bodhi.

2 years ago

I'm still getting the denials of send_msg between boltd, polkit, and gdm on dbus and of acquire_svc between boltd and dbus shortly after gdm and boltd start. I described those denials in more detail on the page for 3.14.1-39. My system is functioning normally otherwise.

karma: +1

dhgutteridge commented & provided feedback 2 years ago

No regressions noted.

This update has been submitted for stable by bodhi.

2 years ago

This update has been pushed to stable.

2 years ago


Metadata
Type: bugfix
Severity: high
Karma: 6
Signed
Content Type: RPM
Test Gating

Settings
Unstable by Karma: -3
Stable by Karma: 5
Stable by Time: disabled

Dates
submitted: 2 years ago
in testing: 2 years ago
in stable: 2 years ago

BZ#1613969 SELinux is preventing colord from 'map' accesses on the file /home/myuser/.local/share/icc/edid-e6a5375115240064bcc0d7209d55eed8.icc.
BZ#1614333 SELinux is preventing boltd from 'write' accesses on the sock_file socket.
BZ#1614763 please fix /var/lib/pgsql/data/log label to postgresql_log_t
