obsolete

selinux-policy-3.14.5-35.fc32

FEDORA-2020-2fad1f552d created by zpytela 4 years ago for Fedora 32

This update has been submitted for testing by zpytela.

4 years ago

This update's test gating status has been changed to 'waiting'.

4 years ago

This update's test gating status has been changed to 'ignored'.

4 years ago

zpytela commented & provided feedback 4 years ago

Note these messages pop up:

Re-declaration of type ipa_custodia_t
Failed to create node
Bad type declaration at /var/lib/selinux/targeted/tmp/modules/100/ipa_custodia/cil:1
/usr/sbin/semodule:  Failed!

It is a result of merging 2 modules. Despite the error messages, reported in an early phase before the policy rebuild, the update completes successfully. It can be verified with:

# semodule -lfull|grep ipa
100 ipa               pp        
# seinfo -xt ipa_custodia_t

Types: 1
   type ipa_custodia_t, corenet_unlabeled_type, domain, daemon, pcmcia_typeattr_1;

Will try to address the issue with another future update.

imabug provided feedback 4 years ago

adamwill commented & provided feedback 4 years ago

So, just a note here: the openQA tests for this initially failed, the test of using GNOME Software to update the system failed as Software got stuck during startup. The journal (see /var/log tarball) showed quite a lot of AVCs.

The base disk image the update tests were using yesterday was quite old (nearly two weeks old, the cutoff for an automatic rebuild), so the update was going from selinux-policy -31.fc32 straight to -35.fc32, it wasn't updating from -32 (which is currently in stable). This may have had something to do with it.

I regenerated the base disk image manually and ran the test again and it passed, so now the test shows a pass (well, a soft failure on a known bug not to do with this update). But I thought I'd mention the issue just in case anyone wants to take a look at the logs and see if they can see what happened.

zpytela commented & provided feedback 4 years ago

@adamwill, I checked nothing but the audit.log and there seems to be a problem with flatpak:

type=AVC msg=audit(8.4.2020 19:19:15.334:238) : avc:  denied  { execute } for  pid=1960 comm=(m-helper) name=flatpak-system-helper dev="dm-0" ino=678474 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon="system_u:object_r:flatpak_helper_exec_t:s0

Types defined in the flatpak selinux module did not exist; as a result, the files and processes got the unlabeled_t label. The timestamps in audit were 8.4.2020 19:06:02.185 till 8.4.2020 19:19:15.334 UTC.
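
Added example, not part of the original thread: a small triage script for the pattern described in the comment above, where a denial shows unlabeled_t in tcontext (or scontext) while trawcon (or srawcon) still carries the label the loaded policy could not resolve. The first sample record is the one quoted above; the other two records and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Sample input: the first record is the one quoted in the comment above (its
# closing quote is missing there as well); the other two are constructed.
SAMPLE_LOG = """\
type=AVC msg=audit(8.4.2020 19:19:15.334:238) : avc:  denied  { execute } for  pid=1960 comm=(m-helper) name=flatpak-system-helper dev="dm-0" ino=678474 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon="system_u:object_r:flatpak_helper_exec_t:s0
type=AVC msg=audit(8.4.2020 19:19:16.001:239) : avc:  denied  { read } for  pid=2001 comm=demo name=demo.conf dev="dm-0" ino=1234 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(8.4.2020 19:19:17.002:240) : avc:  denied  { getattr } for  pid=2002 comm=demo path="/usr/libexec/flatpak-system-helper" dev="dm-0" ino=678474 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon="system_u:object_r:flatpak_helper_exec_t:s0"
"""

# key=value pairs; a quoted value may lack its closing quote (truncated record)
FIELD = re.compile(r'(\w+)=("[^"]*"?|\S+)')
PERMS = re.compile(r'\{ ([^}]*) \}')

def context_type(context):
    """Return the type field of a user:role:type:level context, or None."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def unknown_types(log_text):
    """Map each type the loaded policy could not resolve to the denied (tclass, perm) pairs."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        if "avc:" not in line or "denied" not in line:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        perms = PERMS.search(line)
        # srawcon/trawcon hold the original label when the shown context is unlabeled_t
        for shown, raw in (("scontext", "srawcon"), ("tcontext", "trawcon")):
            if raw in fields and context_type(fields.get(shown, "")) == "unlabeled_t":
                raw_type = context_type(fields[raw])
                for perm in (perms.group(1).split() if perms else []):
                    found[raw_type].add((fields.get("tclass"), perm))
    return {t: sorted(p) for t, p in found.items()}

if __name__ == "__main__":
    for raw_type, denied in unknown_types(SAMPLE_LOG).items():
        print(f"{raw_type}: not defined in loaded policy; denied {denied}")
```

Each type it reports can then be checked with seinfo -xt, as in the verification step earlier in the thread.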

This update has been pushed to testing.

4 years ago

adamwill commented & provided feedback 4 years ago

@zpytela yeah, I saw that too, the interesting question is why that happened I guess; I don't do anything particularly odd to these base images, their state should be a fairly "normal" one. Perhaps a missing dependency or ordering issue or something, somewhere?

This update has been obsoleted by selinux-policy-3.14.5-36.fc32.

4 years ago
itrymybest80 commented & provided feedback 4 years ago

Re-declaration of type ipa_custodia_t

Failed to create node

Bad type declaration at /var/lib/selinux/targeted/tmp/modules/100/ipa_custodia/cil:1

/usr/sbin/semodule: Failed!

fel: lsetfilecon: (/usr/bin/crun;5e900b48, system_u:object_r:container_runtime_exec_t:s0) Ogiltigt argument

fel: Plugin selinux: hook fsm_file_prepare failed

churchyard commented & provided feedback 4 years ago

I'm getting hundreds of AVC denial popups during the scriptlet of selinux-policy-targeted-3.14.5-35.fc32. I know this is now obsoleted, but my dnf still picked it up.

sedrubal provided feedback 4 years ago

zpytela commented & provided feedback 4 years ago

@churchyard, please provide the list of avc denials reported, or create a BZ for that. The new policy build just contains more rules to allow/dontaudit.

zpytela commented & provided feedback 4 years ago

@itrymybest80, the first set of messages is expected and harmless, the second one is different, but I cannot reproduce it.

Would you mind opening a bugzilla and including more details, like versions of crun and container-selinux packages?

churchyard commented & provided feedback 4 years ago

I'll follow up on FEDORA-2020-090cee7608



Metadata

Type: bugfix
Severity: medium
Karma: -1
Signed
Content Type: RPM
Test Gating

Settings

Unstable by Karma: -3
Stable by Karma: 3
Stable by Time: 14 days

Dates

submitted: 4 years ago
in testing: 4 years ago

BZ#1808987 SELinux prevents the ninfod service from starting
BZ#1820191 arping location has changed - file context pattern is not applied