This update has been submitted for testing by zpytela.
This update's test gating status has been changed to 'waiting'.
This update's test gating status has been changed to 'ignored'.
Note these messages pop up:
It is a result of merging 2 modules. Despite the error messages, reported in early phase before the policy rebuild, the update completes successfully. It can be verified with:
Will try to address the issue with another future update.
So, just a note here: the openQA tests for this initially failed, the test of using GNOME Software to update the system failed as Software got stuck during startup. The journal (see /var/log tarball) showed quite a lot of AVCs.
The base disk image the update tests were using yesterday was quite old (nearly two weeks old, the cutoff for an automatic rebuild), so the update was going from selinux-policy -31.fc32 straight to -35.fc32, it wasn't updating from -32 (which is currently in stable). This may have had something to do with it.
I regenerated the base disk image manually and ran the test again and it passed, so now the test shows a pass (well, a soft failure on a known bug not to do with this update). But I thought I'd mention the issue just in case anyone wants to take a look at the logs and see if they can see what happened.
@adamwill, I checked nothing but the audit.log and there seems to be a problem with flatpak:
Types defined in the flatpak selinux module did not exist; as a result, the files and processes got the unlabeled_t label. The timestamps in audit were 8.4.2020 19:06:02.185 till 8.4.2020 19:19:15.334 UTC.
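One way to check an audit log for the condition described in the comment above, as an added example that is not part of the original thread: it counts AVC denials whose source or target context carries the unlabeled_t type. The log lines, PIDs, and the function names are constructed for illustration and are not taken from the openQA logs.

```python
import re
from collections import Counter

# Constructed sample lines in audit.log format (not from the update's logs).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1000000000.001:101): avc:  denied  { read } for  pid=2001 comm="gnome-software" name="repo" dev="dm-0" ino=4001 scontext=system_u:system_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1000000000.002:102): avc:  denied  { getattr } for  pid=2002 comm="gdm" path="/var/lib/example/state" dev="dm-0" ino=4002 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1000000000.003:103): avc:  denied  { write } for  pid=2003 comm="example" name="log" dev="dm-0" ino=4003 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1000000000.003:103): arch=c000003e syscall=257 success=no exit=-13 comm="example"
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{[^}]*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type[:level] SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""


def unlabeled_denials(log_text):
    """Count AVC denials involving unlabeled_t, keyed by (side, tclass).

    side is "scontext" when the process is unlabeled and "tcontext" when
    the target object is unlabeled; one denial can count on both sides.
    """
    counts = Counter()
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # skip SYSCALL, PATH and other record types
        match = AVC_RE.search(line)
        if match is None:
            continue  # AVC record that is not a denial, or is malformed
        for side in ("scontext", "tcontext"):
            if selinux_type(match.group(side)) == "unlabeled_t":
                counts[(side, match.group("tclass"))] += 1
    return counts


if __name__ == "__main__":
    for (side, tclass), n in sorted(unlabeled_denials(SAMPLE_AUDIT_LOG).items()):
        print(f"{n:4d}  {side}=unlabeled_t  tclass={tclass}")
```

A non-zero count on the scontext side means running processes lost their type, which points at types missing from the loaded policy rather than at a plain mislabeled file.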
This update has been pushed to testing.
@zpytela yeah, I saw that too, the interesting question is why that happened I guess; I don't do anything particularly odd to these base images, their state should be a fairly "normal" one. Perhaps a missing dependency or ordering issue or something, somewhere?
This update has been obsoleted by selinux-policy-3.14.5-36.fc32.
Re-declaration of type ipa_custodia_t
Failed to create node
Bad type declaration at /var/lib/selinux/targeted/tmp/modules/100/ipa_custodia/cil:1
/usr/sbin/semodule: Failed!
fel: lsetfilecon: (/usr/bin/crun;5e900b48, system_u:object_r:container_runtime_exec_t:s0) Ogiltigt argument
fel: Plugin selinux: hook fsm_file_prepare failed
I'm getting hundreds of AVC denial popups during the scriptlet of selinux-policy-targeted-3.14.5-35.fc32. I know this is now obsoleted, but my dnf still picked it up.
@churchyard, please provide the list of avc denials reported, or create a BZ for that. The new policy build just contains more rules to allow/dontaudit.
@itrymybest80, the first set of messages is expected and harmless, the second one is different, but I cannot reproduce it.
Would you mind opening a bugzilla and including more details, like versions of crun and container-selinux packages?
I'll follow up on FEDORA-2020-090cee7608