New F32 selinux-policy build: https://koji.fedoraproject.org/koji/taskinfo?taskID=46084202
Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:
sudo dnf upgrade --refresh --advisory=FEDORA-2020-5c374f680a
This update has been submitted for testing by zpytela.
This update's test gating status has been changed to 'ignored'.
This update's test gating status has been changed to 'waiting'.
This update's test gating status has been changed to 'ignored'.
Additional Information:
Source Context                system_u:system_r:vpnc_t:s0
Target Context                system_u:system_r:vpnc_t:s0
Target Objects                Unknown [ process ]
Source                        nm-vpnc-service
Source Path                   nm-vpnc-service
Port                          <Unknown>
Host                          notebook
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.5-41.fc32.noarch
Local Policy RPM              selinux-policy-targeted-3.14.5-41.fc32.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     notebook
Platform                      Linux notebook 5.6.19-300.fc32.x86_64 #1 SMP Wed Jun 17 16:10:48 UTC 2020 x86_64 x86_64
Alert Count                   10
First Seen                    2020-05-25 17:28:41 CEST
Last Seen                     2020-06-24 19:46:32 CEST
Local ID                      027f28f6-4e8d-4486-aa34-8d946eb37349

Raw Audit Messages
type=AVC msg=audit(1593020792.685:292): avc: denied { setsched } for pid=2907 comm="nm-vpnc-service" scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:system_r:vpnc_t:s0 tclass=process permissive=0
This update has been pushed to testing.
SELinux is preventing nm-openconnect- from using the setsched access on a process.
* Plugin catchall (100. confidence) suggests ******
If you believe that nm-openconnect- should be allowed setsched access on processes labeled vpnc_t by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing:
ausearch -c 'nm-openconnect-' --raw | audit2allow -M my-nmopenconnect
semodule -X 300 -i my-nmopenconnect.pp
Additional Information:
Source Context                system_u:system_r:vpnc_t:s0
Target Context                system_u:system_r:vpnc_t:s0
Target Objects                Unknown [ process ]
Source                        nm-openconnect-
Source Path                   nm-openconnect-
Port                          <Unknown>
Host                          control-surface.example.com
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.5-41.fc32.noarch
Local Policy RPM              selinux-policy-targeted-3.14.5-41.fc32.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     control-surface.example.com
Platform                      Linux control-surface.example.com 5.6.19-300.fc32.x86_64 #1 SMP Wed Jun 17 16:10:48 UTC 2020 x86_64 x86_64
Alert Count                   1
First Seen                    2020-06-25 09:53:15 BST
Last Seen                     2020-06-25 09:53:15 BST
Local ID                      c9915144-22af-471b-b6ce-0b384239d503

Raw Audit Messages
type=AVC msg=audit(1593075195.292:234): avc: denied { setsched } for pid=2372 comm="nm-openconnect-" scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:system_r:vpnc_t:s0 tclass=process permissive=0
Hash: nm-openconnect-,vpnc_t,vpnc_t,process,setsched
Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.
The vpnc fix has unintentionally been skipped in backporting to F32. It will be a part of the next package update.
Works.
Looks good to me WRT the tlp "execute_no_trans" issue, which is gone after this upgrade (with my local my-tlp.pp removed first, confirming the bug is back, and then updating, confirming the bug is gone).
This update can be pushed to stable now if the maintainer wishes
No regressions found
This update has been submitted for stable by zpytela.
Pushing to stable for prevailing positive karma.
This update has been pushed to stable.