New selinux-policy package F30 build

How to install

sudo dnf upgrade --advisory=FEDORA-2019-e9d8868185

This update has been submitted for testing by zpytela.

9 months ago

This update's test gating status has been changed to 'waiting'.

9 months ago

This update's test gating status has been changed to 'ignored'.

9 months ago
adamwill commented & provided feedback 9 months ago

1748997 fix confirmed in openQA testing.

BZ#1748997 UPower does not start due to inability to create /var/lib/upower
adamwill commented & provided feedback 9 months ago

Sorry, changing my feedback: this fixes 1748997, but introduces a new bug. It breaks GNOME Software by causing various denials for flatpak:

Dec 04 00:25:19 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[32060]: AVC avc:  denied  { mac_admin } for  pid=32060 comm="restorecon" capability=33  scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
Dec 04 00:25:19 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[32060]: AVC avc:  denied  { mac_admin } for  pid=32060 comm="restorecon" capability=33  scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
Dec 04 00:25:19 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[32060]: AVC avc:  denied  { mac_admin } for  pid=32060 comm="restorecon" capability=33  scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
Dec 04 00:25:19 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[32060]: AVC avc:  denied  { mac_admin } for  pid=32060 comm="restorecon" capability=33  scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
Dec 04 00:25:19 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[32060]: AVC avc:  denied  { mac_admin } for  pid=32060 comm="restorecon" capability=33  scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
Dec 04 00:25:19 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[32060]: AVC avc:  denied  { mac_admin } for  pid=32060 comm="restorecon" capability=33  scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
Dec 04 00:25:19 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)
Dec 04 00:25:19 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[731]: USER_AVC pid=731 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=2)
Dec 04 00:25:19 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { signull } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Dec 04 00:26:16 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { signull } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Dec 04 00:26:26 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { signal } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Dec 04 00:26:26 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { sigkill } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Dec 04 00:26:26 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { sigkill } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Dec 04 00:26:26 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { sigkill } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Dec 04 00:26:26 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { sigkill } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Dec 04 00:26:26 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { signal } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Dec 04 00:26:26 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { sigkill } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Dec 04 00:26:26 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { sigkill } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Dec 04 00:26:26 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { sigkill } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Dec 04 00:26:26 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { sigkill } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Dec 04 00:26:27 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[731]: USER_AVC pid=731 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:flatpak_helper_t:s0 tclass=dbus permissive=0
Dec 04 00:26:27 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[731]: USER_AVC pid=731 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:flatpak_helper_t:s0 tclass=dbus permissive=0
Dec 04 00:26:27 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[2515]: AVC avc:  denied  { read } for  pid=2515 comm="gdbus" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=unix_stream_socket permissive=0 srawcon="system_u:system_r:flatpak_helper_t:s0" trawcon="system_u:system_r:flatpak_helper_t:s0"
Dec 04 00:26:27 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[2515]: AVC avc:  denied  { search } for  pid=2515 comm="gdbus" name="/" dev="dm-0" ino=2 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0 srawcon="system_u:system_r:flatpak_helper_t:s0"
Dec 04 00:26:27 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[731]: USER_AVC pid=731 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:flatpak_helper_t:s0 tclass=dbus permissive=0
Dec 04 00:26:27 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[731]: USER_AVC pid=731 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:flatpak_helper_t:s0 tclass=dbus permissive=0
Dec 04 00:26:27 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[731]: USER_AVC pid=731 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:flatpak_helper_t:s0 tclass=dbus permissive=0
Dec 04 00:26:27 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[731]: USER_AVC pid=731 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:flatpak_helper_t:s0 tclass=dbus permissive=0
Dec 04 00:30:07 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[2361]: AVC avc:  denied  { execute } for  pid=2361 comm="(m-helper)" name="flatpak-system-helper" dev="dm-0" ino=424676 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon="system_u:object_r:flatpak_helper_exec_t:s0"
adamwill commented & provided feedback 9 months ago

Ah, seems to be the same issue we ran into earlier with F31 - FEDORA-2019-fefda9dd5e. Apparently a newer container-selinux is needed. @dwalsh
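
The denials quoted above that target unlabeled_t carry the original label in srawcon/trawcon, which the kernel logs when a context is not valid under the loaded policy; that is the detail that points at a policy module mismatch rather than a missing allow rule. The Python sketch below is an added example, not part of this thread or of any Fedora tool: parse_avc, selinux_type and invalid_types are hypothetical helper names, and the sample lines are constructed from the log above with the hostname shortened.

```python
import re
from collections import Counter

# Constructed sample: three denials modelled on the ones quoted above,
# with the hostname shortened to "host".
SAMPLE = [
    'Dec 04 00:26:26 host audit[1]: AVC avc:  denied  { sigkill } for  pid=1 comm="systemd" '
    'scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 '
    'tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"',
    'Dec 04 00:26:27 host audit[2515]: AVC avc:  denied  { read } for  pid=2515 comm="gdbus" '
    'scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 '
    'tclass=unix_stream_socket permissive=0 srawcon="system_u:system_r:flatpak_helper_t:s0" '
    'trawcon="system_u:system_r:flatpak_helper_t:s0"',
    'Dec 04 00:25:19 host audit[32060]: AVC avc:  denied  { mac_admin } for  pid=32060 '
    'comm="restorecon" capability=33  scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability2 permissive=0',
]

PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of the denial's fields, or None if the line is not a denial."""
    m = PERMS.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
    rec['perms'] = m.group(1).split()
    return rec

def selinux_type(context):
    """Third field of user:role:type:level."""
    return context.split(':')[2]

def invalid_types(lines):
    """Count types that appear in srawcon/trawcon, i.e. labels the loaded
    policy could not validate and therefore treated as unlabeled_t."""
    seen = Counter()
    for rec in filter(None, map(parse_avc, lines)):
        for key in ('srawcon', 'trawcon'):
            if key in rec:
                seen[selinux_type(rec[key])] += 1
    return seen

if __name__ == '__main__':
    for t, n in invalid_types(SAMPLE).most_common():
        print(f'{t}: {n} raw context(s) not valid under the loaded policy')
```

A type that shows up here is a candidate for a policy module that was dropped or is out of step with the base policy, which matches the container-selinux diagnosis in the comment above.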

nicosss commented & provided feedback 9 months ago

Introduction of a regression.

BZ#1779824 selinux-policy-3.14.3-53.fc30 introduces regressions

BZ#1398907 postfix chroot-update has incorrect SELinux label
BZ#1774092 SELinux is preventing sa-update.cron from 'getattr' accesses on the file /usr/lib/systemd/system/amavisd.service.
nicosss commented & provided feedback 9 months ago

Introduction of a regression.

BZ#1779824 selinux-policy-3.14.3-53.fc30 introduces regressions

Something wrong with Bodhi!!!

BZ#1774092 SELinux is preventing sa-update.cron from 'getattr' accesses on the file /usr/lib/systemd/system/amavisd.service.

This update has been pushed to testing.

9 months ago

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

9 months ago
zpytela commented & provided feedback 9 months ago

As Adam said, a newer container-selinux package is required and we are connecting with its maintainer to create the update together. Until the update is ready, using the latest selinux-policy package version available in the updates repo is recommended. Uninstalling container-selinux would also help, but the module then needs to be removed manually.

adamwill edited this update.

New build(s):

  • container-selinux-2.123.0-2.fc30

Karma has been reset.

9 months ago

This update has been submitted for testing by adamwill.

9 months ago
adamwill commented & provided feedback 9 months ago

Update now contains a newer container-selinux, and should work.

adamwill commented & provided feedback 9 months ago

openQA updates all pass, indicating the upower bug is fixed and the gnome-software / flatpak thing is gone too.

BZ#1748997 UPower does not start due to inability to create /var/lib/upower

This update has been pushed to testing.

9 months ago
nicosss commented & provided feedback 9 months ago

Seems to be fine now with it.

BZ#1774092 SELinux is preventing sa-update.cron from 'getattr' accesses on the file /usr/lib/systemd/system/amavisd.service.

This update can be pushed to stable now if the maintainer wishes

9 months ago

This update has been submitted for stable by adamwill.

9 months ago

This update has been pushed to stable.

9 months ago


Metadata
Type: bugfix
Severity: medium
Karma: 2
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -3
Stable by Karma: disabled
Stable by Time: disabled
Dates
submitted: 9 months ago
in testing: 9 months ago
in stable: 9 months ago
modified: 9 months ago

BZ#1398907 postfix chroot-update has incorrect SELinux label | 0 | 0
BZ#1701703 SELinux is preventing systemctl from using the 'setrlimit' accesses on a process. | 0 | 0
BZ#1713898 SELinux is preventing snmpd from 'sys_ptrace' accesses on the cap_userns Desconhecido. | 0 | 0
BZ#1714316 SELinux is preventing mktemp from 'create' accesses on the dossier eGfQuRTi. | 0 | 0
BZ#1717149 SELinux is preventing lsmd from 'getattr' accesses on the lnk_file /usr/bin/debuginfo-install. | 0 | 0
BZ#1725509 SELinux is preventing pool-gsd-xsetti from 'map' accesses on the directory /var/lib/gdm/.cache/fontconfig. | 0 | 0
BZ#1732185 SELinux is preventing nsupdate from 'getattr' accesses on the file /proc/sys/net/ipv4/ip_local_port_range. | 0 | 0
BZ#1739357 SELinux is preventing mongod from 'open' accesses on the file /sys/fs/cgroup/memory/memory.limit_in_bytes. | 0 | 0
BZ#1742895 dnsmasq fails to start when using IP sets due to SELinux | 0 | 0
BZ#1748997 UPower does not start due to inability to create /var/lib/upower | 0 | 1
BZ#1761072 SELinux is preventing sendmail from using the 'dac_override' capabilities. | 0 | 0
BZ#1766148 Confined users get the timezone | 0 | 0
BZ#1766799 SELinux prevents kexec from running during reboot | 0 | 0
BZ#1773381 SELinux is preventing swanctl from 'search' accesses on the directory strongswan. | 0 | 0
BZ#1774092 SELinux is preventing sa-update.cron from 'getattr' accesses on the file /usr/lib/systemd/system/amavisd.service. | 0 | 1