stable

selinux-policy-3.14.5-41.fc32

FEDORA-2020-5c374f680a created by zpytela 4 years ago for Fedora 32

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2020-5c374f680a

This update has been submitted for testing by zpytela.

4 years ago

This update's test gating status has been changed to 'ignored'.

4 years ago

This update's test gating status has been changed to 'waiting'.

4 years ago

This update's test gating status has been changed to 'ignored'.

4 years ago
klaas commented & provided feedback 4 years ago

Additional Information:
Source Context                system_u:system_r:vpnc_t:s0
Target Context                system_u:system_r:vpnc_t:s0
Target Objects                Unknown [ process ]
Source                        nm-vpnc-service
Source Path                   nm-vpnc-service
Port                          <Unknown>
Host                          notebook
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.5-41.fc32.noarch
Local Policy RPM              selinux-policy-targeted-3.14.5-41.fc32.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     notebook
Platform                      Linux notebook 5.6.19-300.fc32.x86_64 #1 SMP Wed Jun 17 16:10:48 UTC 2020 x86_64 x86_64
Alert Count                   10
First Seen                    2020-05-25 17:28:41 CEST
Last Seen                     2020-06-24 19:46:32 CEST
Local ID                      027f28f6-4e8d-4486-aa34-8d946eb37349

Raw Audit Messages
type=AVC msg=audit(1593020792.685:292): avc: denied { setsched } for pid=2907 comm="nm-vpnc-service" scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:system_r:vpnc_t:s0 tclass=process permissive=0

BZ#1817528 SELinux is preventing nm-vpnc-service from using the 'setsched' accesses on a process.

This update has been pushed to testing.

4 years ago
jch commented & provided feedback 4 years ago

SELinux is preventing nm-openconnect- from using the setsched access on a process.

* Plugin catchall (100. confidence) suggests ******

If you believe that nm-openconnect- should be allowed setsched access on processes labeled vpnc_t by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing:

ausearch -c 'nm-openconnect-' --raw | audit2allow -M my-nmopenconnect

semodule -X 300 -i my-nmopenconnect.pp

Additional Information:
Source Context                system_u:system_r:vpnc_t:s0
Target Context                system_u:system_r:vpnc_t:s0
Target Objects                Unknown [ process ]
Source                        nm-openconnect-
Source Path                   nm-openconnect-
Port                          <Unknown>
Host                          control-surface.example.com
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.5-41.fc32.noarch
Local Policy RPM              selinux-policy-targeted-3.14.5-41.fc32.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     control-surface.example.com
Platform                      Linux control-surface.example.com 5.6.19-300.fc32.x86_64 #1 SMP Wed Jun 17 16:10:48 UTC 2020 x86_64 x86_64
Alert Count                   1
First Seen                    2020-06-25 09:53:15 BST
Last Seen                     2020-06-25 09:53:15 BST
Local ID                      c9915144-22af-471b-b6ce-0b384239d503

Raw Audit Messages
type=AVC msg=audit(1593075195.292:234): avc: denied { setsched } for pid=2372 comm="nm-openconnect-" scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:system_r:vpnc_t:s0 tclass=process permissive=0

Hash: nm-openconnect-,vpnc_t,vpnc_t,process,setsched
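
Both reports above show the same denial (vpnc_t on its own process class, setsched) under different command names. The following added example, which is not part of any comment and is not selinux-policy or setroubleshoot code, parses the two quoted AVC lines, rebuilds the Hash key, and renders the single allow rule a local module would need, so the rule can be reviewed before anything is loaded with semodule. The function names and the rule rendering are this example's own.

```python
import re
from collections import defaultdict

# Constructed input: the two "Raw Audit Messages" lines quoted in the comments above.
SAMPLE_AUDIT = (
    'type=AVC msg=audit(1593020792.685:292): avc: denied { setsched } for pid=2907 '
    'comm="nm-vpnc-service" scontext=system_u:system_r:vpnc_t:s0 '
    'tcontext=system_u:system_r:vpnc_t:s0 tclass=process permissive=0\n'
    'type=AVC msg=audit(1593075195.292:234): avc: denied { setsched } for pid=2372 '
    'comm="nm-openconnect-" scontext=system_u:system_r:vpnc_t:s0 '
    'tcontext=system_u:system_r:vpnc_t:s0 tclass=process permissive=0\n'
)
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    try:
        # A context is user:role:type[:level]; the type is the third field.
        stype, ttype = (f[k].split(':')[2] for k in ('scontext', 'tcontext'))
        return {'perms': m.group(1).split(), 'comm': f['comm'],
                'stype': stype, 'ttype': ttype, 'tclass': f['tclass']}
    except (KeyError, IndexError):
        return None  # truncated or malformed record

def alert_hash(d):
    """Key in the layout of the 'Hash:' line in the report above."""
    return ','.join([d['comm'], d['stype'], d['ttype'], d['tclass'], *d['perms']])

def allow_rules(audit_text):
    """Group denials by (source type, target type, class); one allow rule per group."""
    perms, comms = defaultdict(set), defaultdict(set)
    for d in filter(None, map(parse_avc, audit_text.splitlines())):
        key = (d['stype'], d['ttype'], d['tclass'])
        perms[key].update(d['perms'])
        comms[key].add(d['comm'])
    out = []
    for (s, t, c), p in sorted(perms.items()):
        target = 'self' if s == t else t  # same source and target type
        plist = ' '.join(sorted(p)) if len(p) == 1 else '{ ' + ' '.join(sorted(p)) + ' }'
        out.append((f'allow {s} {target}:{c} {plist};', sorted(comms[(s, t, c)])))
    return out

if __name__ == '__main__':
    print(allow_rules(SAMPLE_AUDIT))
```
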

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

4 years ago
zpytela commented & provided feedback 4 years ago

The vpnc fix has unintentionally been skipped in backporting to F32. It will be a part of the next package update.

bojan commented & provided feedback 4 years ago

Works.

mandree commented & provided feedback 4 years ago

Looks good to me WRT the tlp "execute_no_trans" issue, which is gone after this upgrade (with my local my-tlp.pp removed first, confirming the bug is back, and then updating, confirming the bug is gone).

BZ#1844755 SELinux is preventing tlp from 'execute_no_trans' accesses on the Datei /usr/sbin/tlp.

This update can be pushed to stable now if the maintainer wishes

4 years ago
renault commented & provided feedback 4 years ago

No regressions found

This update has been submitted for stable by zpytela.

4 years ago
zpytela commented & provided feedback 4 years ago

Pushing to stable for prevailing positive karma.

This update has been pushed to stable.

4 years ago


Metadata
Type: bugfix
Severity: medium
Karma: 3
Signed
Content Type: RPM
Test Gating

Settings
Unstable by Karma: -3
Stable by Karma: disabled
Stable by Time: disabled

Dates
submitted: 4 years ago
in testing: 4 years ago
in stable: 4 years ago

BZ#1817528 SELinux is preventing nm-vpnc-service from using the 'setsched' accesses on a process.
-1
0
BZ#1830255 SELinux is preventing systemd-tty-ask from 'read' accesses on the file SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
0
0
BZ#1838018 sshd cannot write into reply cache (/var/tmp/krb5_0.rcache2) due to security context
0
0
BZ#1844755 SELinux is preventing tlp from 'execute_no_trans' accesses on the Datei /usr/sbin/tlp.
0
1
