obsolete

FEDORA-2019-8169f4e6b7 created by lvrabec 3 years ago for Fedora 31

This update has been submitted for testing by lvrabec.

3 years ago

This update's test gating status has been changed to 'waiting'.

3 years ago

This update has obsoleted selinux-policy-3.14.4-32.fc31, and has inherited its bugs and notes.

3 years ago

This update's test gating status has been changed to 'ignored'.

3 years ago
adamwill commented & provided feedback 3 years ago
karma

This update seems to be breaking FreeIPA replica deployment:

https://openqa.fedoraproject.org/tests/452181

I am not sure why yet, but it definitely seems to be failing on this update repeatedly, but passing for other updates. I'll look into it more tomorrow (need logs from the master end which aren't currently saved, I think).

@ab

This update has been pushed to testing.

3 years ago

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

3 years ago
lslebodn commented & provided feedback 3 years ago
karma

It is caused by the following change mentioned in the changelog.

- Remove rule allowing all processes to stream connect to unconfined domains
time->Tue Sep 17 04:27:23 2019
type=AVC msg=audit(1568708843.291:460): avc:  denied  { connectto } for  pid=29591 comm="httpd" path="/run/httpd/ipa-custodia.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0

There was an attempt to write a custom selinux-policy for custodia, but it seems nobody cares about enhancing security in FreeIPA because my MR has been open upstream for 1.5 years. https://github.com/latchset/ipa-custodia-selinux/pulls

@lvrabec how do you want to handle that?

This update has been obsoleted.

3 years ago
adamwill commented & provided feedback 3 years ago

I'll ping more FreeIPA folks on this, but also - don't we usually have a policy that no changes that make the SELinux policy more restrictive are introduced after Beta freeze?

lvrabec commented & provided feedback 3 years ago

@adamwill, We have fixes ready in F31. Going to create new builds for Fedora 31.


Metadata
Type: bugfix
Severity: medium
Karma: -2
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -2
Stable by Karma: disabled
Stable by Time: disabled
Dates
submitted: 3 years ago
in testing: 3 years ago
BZ#1647493 bind: denied { map } for named
BZ#1683820 SELinux denied create sock for zabbix_server
BZ#1737190 SELinux is preventing timedatex from 'read' accesses on the file /etc/adjtime.
BZ#1737191 SELinux is preventing timedatex from 'open' accesses on the file /etc/adjtime.
BZ#1737192 SELinux is preventing timedatex from 'getattr' accesses on the file /etc/adjtime.
BZ#1737198 SELinux is preventing timedatex from 'ioctl' accesses on the chr_file /dev/rtc0.
BZ#1737199 SELinux is preventing timedatex from 'open' accesses on the chr_file /dev/rtc0.
BZ#1737200 SELinux is preventing timedatex from 'read' accesses on the chr_file rtc0.
BZ#1737239 SELinux is preventing timedatex from 'write' accesses on the sock_file system_bus_socket.