I am not sure why yet, but it definitely seems to be failing on this update repeatedly, but passing for other updates. I'll look into it more tomorrow (need logs from the master end which aren't currently saved, I think).
It is caused by the following change mentioned in the changelog:
- Remove rule allowing all processes to stream connect to unconfined domains
time->Tue Sep 17 04:27:23 2019
type=AVC msg=audit(1568708843.291:460): avc: denied { connectto } for pid=29591 comm="httpd" path="/run/httpd/ipa-custodia.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
There was an attempt to write a custom selinux-policy for custodia.
But it seems nobody cares about enhancing security in FreeIPA, because my MR has been open upstream for 1.5 years.
https://github.com/latchset/ipa-custodia-selinux/pulls
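The denial quoted above is the whole story of the breakage: after the update removed the blanket "any process may stream-connect to unconfined domains" rule, httpd_t can no longer connectto the unix_stream_socket that ipa-custodia exposes while running as unconfined_service_t. The script below is an added example, not code from this thread, from selinux-policy or from FreeIPA: it takes that AVC line (reproduced here as constructed sample input) and renders the type-enforcement rule that audit2allow would derive from it, so the exact scope of a local workaround module can be read and reviewed before anything is loaded with semodule. The module name ipa_custodia_local is an assumption. Note what the generated rule does: it restores, for one domain pair, precisely the broad permission the update was removing, which is why the thread's proper fix is a dedicated confined domain for custodia rather than this kind of local allow.

```shell
#!/bin/sh
# Added example (not from the Bodhi thread, selinux-policy or FreeIPA):
# render the SELinux .te rule implied by one AVC denial, the same rule
# audit2allow would emit, so a local workaround module can be reviewed
# before it is built and loaded. Needs only POSIX sh, sed and cut.

# Constructed sample input: the denial quoted in the thread above.
AVC_LINE='type=AVC msg=audit(1568708843.291:460): avc: denied { connectto } for pid=29591 comm="httpd" path="/run/httpd/ipa-custodia.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0'

# avc_field LINE KEY -> value of " KEY=value" (surrounding quotes stripped),
# empty when the key is absent.
avc_field() {
    printf '%s\n' "$1" |
        sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE -> the permission named between "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" |
        sed -n 's/.*denied { \([^}]*\) }.*/\1/p' |
        sed 's/^ *//;s/ *$//'
}

# ctx_type CONTEXT -> the type component of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_allow LINE -> "allow <src_t> <tgt_t>:<class> <perm>;"
avc_to_allow() {
    line=$1
    src=$(ctx_type "$(avc_field "$line" scontext)")
    tgt=$(ctx_type "$(avc_field "$line" tcontext)")
    cls=$(avc_field "$line" tclass)
    perm=$(avc_perm "$line")
    printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perm"
}

# avc_to_te LINE MODNAME -> a complete, loadable .te module for that one rule.
# MODNAME is the caller's choice (ipa_custodia_local below is an assumption).
avc_to_te() {
    line=$1
    name=$2
    src=$(ctx_type "$(avc_field "$line" scontext)")
    tgt=$(ctx_type "$(avc_field "$line" tcontext)")
    cls=$(avc_field "$line" tclass)
    perm=$(avc_perm "$line")
    printf 'module %s 1.0;\n\n' "$name"
    printf 'require {\n\ttype %s;\n\ttype %s;\n\tclass %s %s;\n}\n\n' \
        "$src" "$tgt" "$cls" "$perm"
    printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perm"
}

# Stand-alone run: show the module text for the quoted denial.
avc_to_te "$AVC_LINE" ipa_custodia_local

# Building and loading the module, if you decide the rule is acceptable
# (requires checkmodule, semodule_package and semodule from policycoreutils):
#   avc_to_te "$AVC_LINE" ipa_custodia_local > ipa_custodia_local.te
#   checkmodule -M -m -o ipa_custodia_local.mod ipa_custodia_local.te
#   semodule_package -o ipa_custodia_local.pp -m ipa_custodia_local.mod
#   semodule -i ipa_custodia_local.pp
# On a live replica the input would come from the audit log instead:
#   ausearch -m AVC -c httpd
```

The generated `allow httpd_t unconfined_service_t:unix_stream_socket connectto;` should be read as a diagnostic, not a fix: it grants httpd_t a connect right to every socket owned by any unconfined service, which is exactly the class of rule this update was tightening. Confining custodia in its own domain (the ipa-custodia-selinux work linked above) lets the rule target that domain instead of unconfined_service_t.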
I'll ping more FreeIPA folks on this, but also - don't we usually have a policy that no changes that make the SELinux policy more restrictive are introduced after Beta freeze?
This update has been submitted for testing by lvrabec.
This update's test gating status has been changed to 'waiting'.
This update has obsoleted selinux-policy-3.14.4-32.fc31, and has inherited its bugs and notes.
This update's test gating status has been changed to 'ignored'.
This update seems to be breaking FreeIPA replica deployment:
https://openqa.fedoraproject.org/tests/452181
@ab
This update has been pushed to testing.
Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.
@lvrabec how do you want to handle that?
This update has been obsoleted.
@adamwill, We have fixes ready in F31. Going to create new builds for Fedora 31.