FEDORA-2019-8169f4e6b7 created by lvrabec 7 months ago for Fedora 31
obsolete

This update has been submitted for testing by lvrabec.

7 months ago

This update's test gating status has been changed to 'waiting'.

7 months ago

This update has obsoleted selinux-policy-3.14.4-32.fc31, and has inherited its bugs and notes.

7 months ago

This update's test gating status has been changed to 'ignored'.

7 months ago
adamwill commented & provided feedback 7 months ago

This update seems to be breaking FreeIPA replica deployment:

https://openqa.fedoraproject.org/tests/452181

I am not sure why yet, but it definitely seems to be failing on this update repeatedly, but passing for other updates. I'll look into it more tomorrow (need logs from the master end which aren't currently saved, I think).

@ab

This update has been pushed to testing.

7 months ago

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

7 months ago
lslebodn commented & provided feedback 7 months ago

It is caused by the following change mentioned in the changelog.

- Remove rule allowing all processes to stream connect to unconfined domains

time->Tue Sep 17 04:27:23 2019
type=AVC msg=audit(1568708843.291:460): avc:  denied  { connectto } for  pid=29591 comm="httpd" path="/run/httpd/ipa-custodia.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0

There was an attempt to write a custom selinux-policy for custodia, but it seems nobody cares about enhancing security in FreeIPA because my MR has been open upstream for 1.5 years. https://github.com/latchset/ipa-custodia-selinux/pulls

@lvrabec how do you want to handle that?
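
As an added illustration (not part of the comment above, nor code from selinux-policy or FreeIPA), the sketch below parses the AVC record quoted in that comment and derives the type-enforcement rule the denial corresponds to, flagging that the socket's owner runs in an unconfined type. The function names and the `unconfined` prefix check are assumptions of this example.

```python
import re

# AVC record copied from the comment on this page (not constructed).
AVC = ('type=AVC msg=audit(1568708843.291:460): avc:  denied  { connectto } for  '
       'pid=29591 comm="httpd" path="/run/httpd/ipa-custodia.sock" '
       'scontext=system_u:system_r:httpd_t:s0 '
       'tcontext=system_u:system_r:unconfined_service_t:s0 '
       'tclass=unix_stream_socket permissive=0')

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['result'] = m.group('result')
    rec['perms'] = m.group('perms').split()
    # An SELinux context is user:role:type[:mls-range]; the type is field 3.
    for side in ('scontext', 'tcontext'):
        parts = rec.get(side, '').split(':')
        if len(parts) < 3:
            return None
        rec[side[0] + 'type'] = parts[2]  # -> 'stype' / 'ttype'
    return rec


def summarize(rec):
    """Rule matching the denial, plus a flag for an unconfined peer type."""
    perms = rec['perms']
    perm_txt = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    rule = f"allow {rec['stype']} {rec['ttype']}:{rec['tclass']} {perm_txt};"
    # Assumption of this example: a target type whose name starts with
    # "unconfined" means the peer service has no dedicated policy module.
    return rule, rec['ttype'].startswith('unconfined')


if __name__ == '__main__':
    record = parse_avc(AVC)
    rule, unconfined_peer = summarize(record)
    print(f"{record['comm']} -> {record['path']}")
    print(rule)
    print('peer runs in an unconfined type:', unconfined_peer)
```
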

This update has been obsoleted.

7 months ago
adamwill commented & provided feedback 7 months ago

I'll ping more FreeIPA folks on this, but also - don't we usually have a policy that no changes that make the SELinux policy more restrictive are introduced after Beta freeze?

lvrabec commented & provided feedback 7 months ago

@adamwill, We have fixes ready in F31. Going to create new builds for Fedora 31.



Metadata
Type: bugfix
Severity: medium
Karma: -2
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -2
Dates
submitted: 7 months ago
in testing: 7 months ago
BZ#1647493 bind: denied { map } for named
BZ#1683820 SELinux denied create sock for zabbix_server
BZ#1737190 SELinux is preventing timedatex from 'read' accesses on the file /etc/adjtime.
BZ#1737191 SELinux is preventing timedatex from 'open' accesses on the file /etc/adjtime.
BZ#1737192 SELinux is preventing timedatex from 'getattr' accesses on the file /etc/adjtime.
BZ#1737198 SELinux is preventing timedatex from 'ioctl' accesses on the chr_file /dev/rtc0.
BZ#1737199 SELinux is preventing timedatex from 'open' accesses on the chr_file /dev/rtc0.
BZ#1737200 SELinux is preventing timedatex from 'read' accesses on the chr_file rtc0.
BZ#1737239 SELinux is preventing timedatex from 'write' accesses on the sock_file system_bus_socket.
