FEDORA-2020-2fad1f552d created by zpytela 9 months ago for Fedora 32
Status: obsolete

This update has been submitted for testing by zpytela. (9 months ago)

This update's test gating status has been changed to 'waiting'. (9 months ago)

This update's test gating status has been changed to 'ignored'. (9 months ago)
zpytela commented & provided feedback 9 months ago

Note these messages pop up:

Re-declaration of type ipa_custodia_t
Failed to create node
Bad type declaration at /var/lib/selinux/targeted/tmp/modules/100/ipa_custodia/cil:1
/usr/sbin/semodule:  Failed!

It is a result of merging 2 modules. Despite the error messages, which are reported in an early phase before the policy rebuild, the update completes successfully. It can be verified with:

# semodule -lfull|grep ipa
100 ipa               pp
# seinfo -xt ipa_custodia_t

Types: 1
   type ipa_custodia_t, corenet_unlabeled_type, domain, daemon, pcmcia_typeattr_1;

Will try to address the issue with another future update.

imabug provided feedback 9 months ago

adamwill commented & provided feedback 9 months ago

So, just a note here: the openQA tests for this initially failed, the test of using GNOME Software to update the system failed as Software got stuck during startup. The journal (see /var/log tarball) showed quite a lot of AVCs.

The base disk image the update tests were using yesterday was quite old (nearly two weeks old, the cutoff for an automatic rebuild), so the update was going from selinux-policy -31.fc32 straight to -35.fc32 , it wasn't updating from -32 (which is currently in stable). This may have had something to do with it.

I regenerated the base disk image manually and ran the test again and it passed, so now the test shows a pass (well, a soft failure on a known bug not to do with this update). But I thought I'd mention the issue just in case anyone wants to take a look at the logs and see if they can see what happened.

zpytela commented & provided feedback 9 months ago

@adamwill, I checked nothing but the audit.log and there seems to be a problem with flatpak:

type=AVC msg=audit(8.4.2020 19:19:15.334:238) : avc:  denied  { execute } for  pid=1960 comm=(m-helper) name=flatpak-system-helper dev="dm-0" ino=678474 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon="system_u:object_r:flatpak_helper_exec_t:s0

Types defined in the flatpak selinux module did not exist; as a result, the files and processes got the unlabeled_t label. The timestamps in audit were 8.4.2020 19:06:02.185 till 8.4.2020 19:19:15.334 UTC.
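The denial quoted above carries a trawcon field: the kernel could not map the on-disk label to a type in the loaded policy, so the object was reported as unlabeled_t. The following is an added example (not code from the update or from the commenters) that scans ausearch-style AVC records for exactly that symptom, using constructed sample lines modelled on the one in this thread:

```python
import re
from typing import Dict, List, Optional

# Constructed sample records (ausearch -i style). The first mirrors the flatpak
# case from the comment above, the second is an ordinary denial with a valid
# label, the third is not an AVC record at all.
SAMPLE_LOG = [
    'type=AVC msg=audit(8.4.2020 19:19:15.334:238) : avc:  denied  { execute } for  pid=1960 '
    'comm=(m-helper) name=flatpak-system-helper dev="dm-0" ino=678474 '
    'scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 '
    'tclass=file permissive=0 trawcon="system_u:object_r:flatpak_helper_exec_t:s0"',
    'type=AVC msg=audit(8.4.2020 19:06:02.185:101) : avc:  denied  { read } for  pid=1234 '
    'comm=example name=example.conf dev="dm-0" ino=1 '
    'scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_t:s0 '
    'tclass=file permissive=0',
    'type=SYSCALL msg=audit(8.4.2020 19:06:02.185:101) : arch=x86_64 syscall=openat success=no',
]

# key=value pairs: values are either "quoted" (closing quote optional, because the
# record quoted in the comment is truncated) or bare tokens.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"?|(\S+))')


def parse_avc(line: str) -> Optional[Dict[str, str]]:
    """Return the key/value fields of one AVC denial record, or None for other records."""
    if "avc:" not in line or "denied" not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def context_type(ctx: str) -> str:
    """Type component of a user:role:type[:level] SELinux context."""
    return ctx.split(":")[2]


def missing_type_denials(lines: List[str]) -> List[Dict[str, str]]:
    """Denials where the target was mapped to unlabeled_t although its raw on-disk
    label (trawcon) names a type: that type is absent from the loaded policy, which
    is what happens when a module's types are not defined at the time of access."""
    hits = []
    for line in lines:
        f = parse_avc(line)
        if not f or "tcontext" not in f or "trawcon" not in f:
            continue
        if context_type(f["tcontext"]) != "unlabeled_t":
            continue
        hits.append({"pid": f.get("pid", "?"), "comm": f.get("comm", "?"),
                     "name": f.get("name", "?"), "tclass": f.get("tclass", "?"),
                     "missing_type": context_type(f["trawcon"])})
    return hits
```

Feed it the output of `ausearch -m avc -i` to list which types the policy was missing while the denials were logged.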

This update has been pushed to testing. (9 months ago)

adamwill commented & provided feedback 9 months ago

@zpytela yeah, I saw that too, the interesting question is why that happened I guess; I don't do anything particularly odd to these base images, their state should be a fairly "normal" one. Perhaps a missing dependency or ordering issue or something, somewhere?

This update has been obsoleted by selinux-policy-3.14.5-36.fc32. (9 months ago)

itrymybest80 commented & provided feedback 9 months ago

Re-declaration of type ipa_custodia_t
Failed to create node
Bad type declaration at /var/lib/selinux/targeted/tmp/modules/100/ipa_custodia/cil:1
/usr/sbin/semodule: Failed!

fel: lsetfilecon: (/usr/bin/crun;5e900b48, system_u:object_r:container_runtime_exec_t:s0) Ogiltigt argument
fel: Plugin selinux: hook fsm_file_prepare failed

churchyard commented & provided feedback 9 months ago

I'm getting hundreds of AVC denial popups during the scriptlet of selinux-policy-targeted-3.14.5-35.fc32. I know this is now obsoleted, but my dnf still picked it up.

sedrubal provided feedback 9 months ago

zpytela commented & provided feedback 9 months ago

@churchyard, please provide the list of avc denials reported, or create a BZ for that. The new policy build just contains more rules to allow/dontaudit.

zpytela commented & provided feedback 9 months ago

@itrymybest80, the first set of messages is expected and harmless, the second one is different, but I cannot reproduce it.

Would you mind opening a bugzilla and including more details, like versions of crun and container-selinux packages?

churchyard commented & provided feedback 9 months ago

I'll follow up on FEDORA-2020-090cee7608

Metadata
Type: bugfix
Severity: medium
Karma: -1
Content Type: RPM

Test Gating Settings
Unstable by Karma: -3
Stable by Karma: 3
Stable by Time: 14 days

Dates
submitted: 9 months ago
in testing: 9 months ago

Bugs
BZ#1808987 SELinux prevents the ninfod service from starting
BZ#1820191 arping location has changed - file context pattern is not applied