No need to log out or reboot.
Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:
sudo dnf upgrade --refresh --advisory=FEDORA-2019-1fb1547321
Please login to add feedback.
0 | 1 | Test Case Services start |
0 | 0 | Test Case base service manipulation |
0 | 0 | Test Case base services start |
0 | 0 | Test Case base shutdown/reboot |
0 | 0 | Test Case User:Tablepc/Draft testcase reboot |
This update has been submitted for testing by zbyszek.
SELinux is preventing /usr/lib/systemd/systemd-journald from using the signull access on a process labeled iptables_t
...as well as systemd_machined_t, abrt_dump_oops_t...
I upgraded to this update from koji. The next time I booted I saw many denials of systemd-journald sending signull on processes with 14 different labels which I described at https://bugzilla.redhat.com/show_bug.cgi?id=1673847 The system seems to be running normally otherwise.
Dear Maintainer, could you please explain to us, why this Update is tagged 'security'. The major bug resolved reads as if it doesn't need to / could be triggered by an attacker. Thanks in advance. lauter
openQA saw the same thing as @mattf - new SELinux denials introduced by this update. They can be seen in this test log for instance. @lvrabec
zbyszek edited this update.
New build(s):
Removed build(s):
Karma has been reset.
Yikes. I reverted the one patch that I think was causing the selinux issues. Journald will use more memory, but not as much as before. What the patch did was to periodically drop the entries for all dead processes from the cache. This now is disabled, so the cache will always stay at the maximum.
What is slightly surprising, is that patch is present in rawhide for a few days, and nobody reported the issue. So maybe nobody has selinux enabled ;)
@zbyszek
It may be so everyone has already drived their nuts with this unendly repeating process :)
I have deleted previously created semodule & everything seems to be O.K with _239-__11___ now. For at least, setroubleshoot shows no more warnings :)
I haven't seen any systemd-journald signull denials during a few boots using 239-11. Thanks for the update and explanation.
This update has been pushed to testing.
Works here.
This update has been submitted for batched by bodhi.
Works great! LGTM! =)
This update has been submitted for stable by bodhi.
This update has been pushed to stable.
Against all expectations, here is one more problem with SELinux floated up:
@bluepencil: please open a normal bug (https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=selinux-policy-targeted) with all the details. It doesn't look like something related to this update.
... and please put me in cc.
@zbyszek
O.K, I will try to create an account after their server goes through maintenance. ... On occasion I've run
ClipGrab
and it turned out that SELinux alerts repeat every time you start the program.