FEDORA-2019-3f20be4d52

bugfix update in Fedora 30 for selinux-policy

Status: obsolete

Comments 11

This update has been submitted for testing by lvrabec.

This update test gating status has been changed to 'waiting'.

This update test gating status has been changed to 'ignored'.

karma: +1 critpath: +1

This update has been pushed to testing.

Works here.

karma: +1 critpath: +1

There are no regressions in this version as far as I can tell.

It does, however, not solve #1711799. It silences the alerts that were previously generated, but sa-update.cron still does not work; it fetches no new updates.

karma: +1 critpath: +1 #1711799: -1

I tried to install this on Silverblue, using the following command:

rpm-ostree override replace selinux-policy-3.14.3-38.fc30.noarch.rpm selinux-policy-targeted-3.14.3-38.fc30.noarch.rpm

and got the following error:

error: Checkout selinux-policy-targeted-3.14.3-38.fc30.noarch: Hardlinking a5/8b8b3f84fa2d588c41ae5fa6615dfe387b262737198f5b2a9c5f24b0b23045.file to commit_num: File exists

I'm not sure if this is a problem with rpm-ostree or with this package, so I won't give it a -1, but just thought it worth mentioning!

With this version, we now see regressions with mdadm and pcp:

audit: type=1400 audit(1560408406.661:341): avc:  denied  { read } for  pid=7637 comm="mdadm" path="/var/lib/pcp/pmdas/linux/help.dir" dev="dm-0" ino=27031698 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=file permissive=0
audit: type=1400 audit(1560408406.661:341): avc:  denied  { read } for  pid=7637 comm="mdadm" path="/var/lib/pcp/pmdas/linux/help.pag" dev="dm-0" ino=27031699 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=file permissive=0
audit: type=1400 audit(1560408406.702:342): avc:  denied  { read } for  pid=7639 comm="mdadm" path="/var/lib/pcp/pmdas/linux/help.dir" dev="dm-0" ino=27031698 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=file permissive=0

Aside from this SELinux policy update, the only other package from updates-testing which sounds relevant is

 audit                       x86_64 3.0-0.9.20190507gitf58ec40.fc30
                                                          updates-testing 229 k
 audit-libs                  x86_64 3.0-0.9.20190507gitf58ec40.fc30
                                                          updates-testing 106 k

mdadm and pcp didn't get an update recently, and with selinux-policy from current stable (3.14.3-37.fc30) we don't see these.

So -1 due to this regression.

karma: -1

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

This update has been obsoleted by selinux-policy-3.14.3-39.fc30.


Content Type: RPM
Status: obsolete
Test Gating:
Submitted by:
Update Type: bugfix
Update Severity: medium
Karma: +2 (stable threshold: 4, unstable threshold: -2)
Autopush (karma): Disabled
Autopush (time): Disabled
Dates: submitted 3 months ago; in testing 2 months ago

Related Bugs 6

00 #1711682 Allow systemd unit file flag ReadWritePaths=/var/lib/boinc
-10 #1711799 SELinux is preventing pgrep from 'getattr' accesses on various /proc/<pid> directories
00 #1713885 SELinux is preventing pgrep from 'getattr' accesses on the directory /proc/<pid>.
00 #1714406 SELinux is preventing pgrep from 'search' accesses on the directory 4571.
00 #1714800 SELinux is preventing pmdalinux from 'read' accesses on the file mdadm.
00 #1714823 cron job run daily that calls sa-update throws 100's of AVCs on pgrep
