obsolete

selinux-policy-3.14.5-36.fc32

FEDORA-2020-090cee7608 created by zpytela 4 years ago for Fedora 32

This update has been submitted for testing by zpytela.

4 years ago

This update's test gating status has been changed to 'waiting'.

4 years ago

This update has obsoleted selinux-policy-3.14.5-35.fc32, and has inherited its bugs and notes.

4 years ago

This update's test gating status has been changed to 'ignored'.

4 years ago
User Icon bluepencil commented & provided feedback 4 years ago

Update is holding over on running scriptlet selinux-policy-targeted-3.14.5-36.fc32.noarch

SELinux is preventing restorecon from using the mac_admin capability.

Additional Information:
Source Context                unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c102
                          3
Target Context                unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c102
                          3
Target Objects                Unknown [ capability2 ]
Source                        restorecon
Source Path                   restorecon
Port                          <Unknown>
Host                          localhost
Local Policy RPM              selinux-policy-targeted-3.14.5-34.fc32.noarch
                          selinux-policy-targeted-3.14.5-36.fc32.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost
Platform                      Linux 5.6.2 #1 SMP Thu
                          Apr 2 23:50:41 EEST 2020 x86_64 x86_64
Alert Count                   1
First Seen                    2020-04-09 23:41:01 EEST
Last Seen                     2020-04-09 23:41:01 EEST

Raw Audit Messages
type=AVC msg=audit(1586464861.926:256): avc:  denied  { mac_admin } for  pid=29605 comm="restorecon" capability=33  scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability2 permissive=0


Hash: restorecon,setfiles_t,setfiles_t,capability2,mac_admin
User Icon churchyard commented & provided feedback 4 years ago
karma

The same.

User Icon sedrubal commented & provided feedback 4 years ago
karma

Can't start any containers anymore.

❯ podman run --rm -it -v`pwd`:/srv/:Z ubuntu sh
Error: relabel failed "/home/user": SELinux relabeling of /home/user is not allowed
❯ podman run --rm -it ubuntu sh
❯ systemctl start docker
A dependency job for docker.service failed. See 'journalctl -xe' for details.
❯ journalctl -u docker.service -b
Dependency failed for Docker Application Container Engine.
docker.service: Job docker.service/start failed with result 'dependency'.

Downgrading to selinux-policy-3.14.5-32.fc32.noarch and relabelling the file system seems to solve the problem.

User Icon atim commented & provided feedback 4 years ago
karma

I tried downgrade to selinux-policy-3.14.5-32.fc32 but still. I can't install/update any Flatpak for almost two days. Not sure this, crun update or something else causing this, but please take a look into this.

This update has been obsoleted.

4 years ago
User Icon atim commented & provided feedback 4 years ago

Finally i workarounded at least this issue with Flatpak. What i did (if some one struggle with this too):

  1. Installed this update FEDORA-2020-1273245c66
  2. Downgraded to selinux-policy-3.14.5-32
  3. Relabled completely
    • sudo touch /.autorelabel
    • sudo systemctl reboot

Thanks @sedrubal for inspiration to try this again. :)

User Icon bluepencil commented & provided feedback 4 years ago
karma

I did something similar too, but without a rollback to the previous version.

It would be worth scriptletting update to execute touch /.autorelabel during the next reboot instead of starting restorecon.

User Icon bluepencil commented & provided feedback 4 years ago

@sedrubal

To avoid downgrading it can work out by executing touch /.autorelabel after manual cleanup undeleted previous versions of packages:)

User Icon zpytela commented & provided feedback 4 years ago

@bluepencil @churchyard @sedrubal

What version of container-selinux package do you have installed? If it is older than container-selinux-2.131.0-1.fc32, could you update it first and then continue with updating other packages?

User Icon churchyard commented & provided feedback 4 years ago

I've had container-selinux-2:2.130.0-1.fc32. Now I have container-selinux-2:2.131.0-1.fc32. I will try this update again.

User Icon churchyard commented & provided feedback 4 years ago

The selinux-policy-targeted scriptlet takes several minutes (at least 3 but no more than 15), but the update succeeds at the end. aureport gives plenty of:

71174. 14.4.2020 01:08:57 restorecon unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 0 capability2 mac_admin unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 denied 1758
User Icon churchyard commented & provided feedback 4 years ago

And podman once again doesn't strat.

71175. 14.4.2020 01:15:12 bash system_u:system_r:container_t:s0:c97,c349 0 chr_file read write system_u:object_r:container_file_t:s0:c97,c349 denied 1777
71176. 14.4.2020 01:15:12 bash system_u:system_r:container_t:s0:c97,c349 0 chr_file read write system_u:object_r:container_file_t:s0:c97,c349 denied 1778
71177. 14.4.2020 01:15:12 bash system_u:system_r:container_t:s0:c97,c349 0 chr_file read write system_u:object_r:container_file_t:s0:c97,c349 denied 1779
71178. 14.4.2020 01:15:12 bash system_u:system_r:container_t:s0:c97,c349 0 chr_file read write system_u:object_r:container_file_t:s0:c97,c349 denied 1780
71179. 14.4.2020 01:15:12 bash system_u:system_r:container_t:s0:c97,c349 0 file map system_u:object_r:fusefs_t:s0 denied 1781

User Icon bluepencil commented & provided feedback 4 years ago

I do not use containers much. Right now I launched HandBrake via bwrap and everything went OK.

As for me, I created semodule on the fly for restorecon, but waited for about an hour for selinux-policy-targeted scriptlet to finish and forcibly interrupted the process. Then I manually cleaned up undeleted versions of upgraded packages and performed touch /.autorelabel. So at the moment I have the latest versions of selinux-policy & container-selinux installed.

User Icon bluepencil commented & provided feedback 4 years ago
rpm -qa | grep container-selinux
container-selinux-2.131.0-1.fc32.noarch


rpm -qa | grep selinux-policy
selinux-policy-3.14.5-36.fc32.noarch
selinux-policy-minimum-3.14.5-36.fc32.noarch
selinux-policy-targeted-3.14.5-36.fc32.noarch
User Icon bluepencil commented & provided feedback 4 years ago
$ podman search fedora
INDEX               NAME                                            DESCRIPTION                                       STARS   OFFICIAL   AUTOMATED
fedoraproject.org   registry.fedoraproject.org/f29/fedora-toolbox                                                     0                  
fedoraproject.org   registry.fedoraproject.org/f30/fedora-toolbox                                                     0                  
fedoraproject.org   registry.fedoraproject.org/f31/fedora-toolbox                                                     0                  
fedoraproject.org   registry.fedoraproject.org/f32/fedora-toolbox                                                     0                  
fedoraproject.org   registry.fedoraproject.org/f33/fedora-toolbox                                                     0                  
fedoraproject.org   registry.fedoraproject.org/fedora                                                                 0                  
fedoraproject.org   registry.fedoraproject.org/fedora-minimal                                                         0                  
docker.io           docker.io/library/fedora                        Official Docker builds of Fedora                  866     [OK]       
docker.io           docker.io/mattsch/fedora-nzbhydra               Fedora NZBHydra                                   5                  [OK]
docker.io           docker.io/smartentry/fedora                     fedora with smartentry                            0                  [OK]
docker.io           docker.io/mattsch/fedora-sonarr                 Fedora Sonarr                                     0                  [OK]
docker.io           docker.io/ovirtguestagent/fedora-atomic         The oVirt Guest Agent for Fedora Atomic Host...   0                  
docker.io           docker.io/darksheer/fedora23                    Hourly updated Fedora 23                          1                  [OK]
docker.io           docker.io/fedora/apache                                                                           36                 [OK]
docker.io           docker.io/darksheer/fedora22                    Base Fedora 22 Image -- Updated hourly            3                  [OK]
docker.io           docker.io/darksheer/fedora                      Hourly update latest Fedora Image                 1                  [OK]
docker.io           docker.io/darksheer/fedora24                    Hourly update Fedora 24                           1                  [OK]
docker.io           docker.io/vbatts/fedora-varnish                 https://github.com/vbatts/laughing-octo/tree...   2                  [OK]
docker.io           docker.io/darksheer/fedora25                    Hourly updated Fedora 24 Docker Hub Image         1                  [OK]
docker.io           docker.io/vergissberlin/fedora-development      Docker fedora image to use for development, ...   2                  [OK]
docker.io           docker.io/mattsch/fedora-nzbhydra2              Fedora NZBHydra2 (Java based)                     0                  [OK]
docker.io           docker.io/amd64/fedora                          Official Docker builds of Fedora                  0                  
docker.io           docker.io/rhub/fedora-gcc-devel                 R-devel on Fedora latest                          0                  
docker.io           docker.io/dokken/fedora-latest                  fedora-latest image for kitchen-dokken            0                  
docker.io           docker.io/arm64v8/fedora                        Official Docker builds of Fedora                  1                  
docker.io           docker.io/ppc64le/fedora                        Official Docker builds of Fedora                  1                  
docker.io           docker.io/rhub/fedora-clang-devel               R-devel on Fedora latest, with clang and gfo...   0                  
docker.io           docker.io/langdon/fedora-mssqlserver            Microsoft SQL Server running on Fedora. You ...   0                  [OK]
docker.io           docker.io/embreedocker/fedora                   Automated build of Fedora Docker images for ...   0                  [OK]
docker.io           docker.io/vcatechnology/fedora                  A Fedora image that is updated daily              0                  [OK]
docker.io           docker.io/arm32v7/fedora                        Official Docker builds of Fedora                  3                  
docker.io           docker.io/fedora/nginx                                                                            20                 [OK]
User Icon bluepencil commented & provided feedback 4 years ago
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      32

Please login to add feedback.

Metadata
Type
bugfix
Severity
medium
Karma
-4
Signed
Content Type
RPM
Test Gating
Settings
Unstable by Karma
-3
Stable by Karma
3
Stable by Time
14 days
Dates
submitted
4 years ago
BZ#1808987 SELinux prevents the ninfod service from starting
0
0
BZ#1820191 arping location has changed - file context pattern is not applied
0
0

Automated Test Results