No need to log out or reboot.
sudo dnf upgrade --advisory=FEDORA-2019-1fb1547321
This update has been submitted for testing by zbyszek.
SELinux is preventing /usr/lib/systemd/systemd-journald from using the signull access on a process labeled iptables_t
...as well as systemd_machined_t, abrt_dump_oops_t...
I upgraded to this update from koji. The next time I booted I saw many denials of systemd-journald sending signull on processes with 14 different labels, which I described at https://bugzilla.redhat.com/show_bug.cgi?id=1673847. The system seems to be running normally otherwise.
Dear Maintainer, could you please explain to us why this update is tagged 'security'? The major bug resolved reads as if it doesn't need to / could be triggered by an attacker. Thanks in advance. lauter
openQA saw the same thing as @mattf - new SELinux denials introduced by this update. They can be seen in this test log for instance. @lvrabec
zbyszek edited this update.
Karma has been reset.
Yikes. I reverted the one patch that I think was causing the SELinux issues. Journald will use more memory, but not as much as before. What the patch did was to periodically drop the entries for all dead processes from the cache. This is now disabled, so the cache will always stay at the maximum.
What is slightly surprising is that the patch has been present in rawhide for a few days, and nobody reported the issue. So maybe nobody has SELinux enabled ;)
It may be that everyone has already been driven nuts by this endlessly repeating process :)
I have deleted the previously created semodule and everything seems to be O.K. with 239-11 now. At least, setroubleshoot shows no more warnings :)
I haven't seen any systemd-journald signull denials during a few boots using 239-11. Thanks for the update and explanation.
This update has been pushed to testing.
This update has been submitted for batched by bodhi.
Works great! LGTM! =)
This update has been submitted for stable by bodhi.
This update has been pushed to stable.
Against all expectations, one more problem with SELinux has floated up:
SELinux is preventing /usr/lib/systemd/systemd-journald from map access on the file D656D66643A73......................................................................
@bluepencil: please open a normal bug (https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=selinux-policy-targeted) with all the details. It doesn't look like something related to this update.
... and please put me in cc.
O.K, I will try to create an account after their server goes through maintenance. ... On occasion I've run ClipGrab and it turned out that SELinux alerts repeat every time you start the program.