FEDORA-2020-886cc9af08 created by zpytela a year ago for Fedora 32
stable

How to install

sudo dnf upgrade --advisory=FEDORA-2020-886cc9af08

This update has been submitted for testing by zpytela.

a year ago

This update's test gating status has been changed to 'waiting'.

a year ago

This update's test gating status has been changed to 'ignored'.

a year ago
zpytela commented & provided feedback a year ago

Please note that updating from the previous package version selinux-policy-3.14.5-38.fc32 will result in a relabeling of all filesystems, which cannot be prevented. If relabeling takes a lot of time, consider unmounting some filesystems, updating manually, or postponing the update until later.

Updating from older versions of the package should not trigger the relabeling.

imabug provided feedback a year ago
karma

This update has been pushed to testing.

a year ago
bojan commented & provided feedback a year ago
karma

Works.

This update can be pushed to stable now if the maintainer wishes

a year ago
amessina commented & provided feedback a year ago

Installed selinux-policy-targeted-3.14.5-39.fc32.noarch, relabeled entire system, rebooted...

time->Thu May 21 19:37:49 2020
type=AVC msg=audit(1590107869.700:161): avc:  denied  { read } for  pid=937 comm="systemd-resolve" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=15758 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
----
time->Thu May 21 19:37:49 2020
type=AVC msg=audit(1590107869.700:162): avc:  denied  { open } for  pid=937 comm="systemd-resolve" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=15758 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
----
time->Thu May 21 19:37:49 2020
type=AVC msg=audit(1590107869.700:163): avc:  denied  { getattr } for  pid=937 comm="systemd-resolve" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=15758 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1

After a full reboot...

~]# ll -Z /sys/firmware/
total 0
drwxr-xr-x.  6 root root system_u:object_r:sysfs_t:s0 0 May 21 19:57 acpi
drwxr-xr-x.  4 root root system_u:object_r:sysfs_t:s0 0 May 21 19:57 dmi
drwxr-xr-x.  5 root root system_u:object_r:sysfs_t:s0 0 May 21 19:57 efi
drwxr-xr-x. 23 root root system_u:object_r:sysfs_t:s0 0 May 21 19:58 memmap
~]# restorecon -RFv /sys/firmware/
Relabeled /sys/firmware/efi from system_u:object_r:sysfs_t:s0 to system_u:object_r:efivarfs_t:s0

grepping the selinux-policy.git source, I don't see that systemd_resolved_t has fs_read_efivarfs_files applied.

selinux-policy.git]$ grep fs_read_efivarfs_files policy/modules/system/systemd.te
fs_read_efivarfs_files(systemd_logind_t)
fs_read_efivarfs_files(systemd_machined_t)
fs_read_efivarfs_files(systemd_networkd_t)
fs_read_efivarfs_files(systemd_localed_t)
fs_read_efivarfs_files(systemd_hostnamed_t)
fs_read_efivarfs_files(systemd_rfkill_t)
fs_read_efivarfs_files(systemd_timedated_t)
fs_read_efivarfs_files(systemd_sysctl_t)
fs_read_efivarfs_files(systemd_hwdb_t)
fs_read_efivarfs_files(systemd_gpt_generator_t)
fs_read_efivarfs_files(systemd_userdbd_t)

Note, on another system the same issue occurs with systemd_modules_load_t

AVC avc:  denied  { read } for  pid=585 comm="systemd-modules" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=2253 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
AVC avc:  denied  { open } for  pid=585 comm="systemd-modules" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=2253 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
AVC avc:  denied  { getattr } for  pid=585 comm="systemd-modules" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=2253 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
BZ#1824196 SELinux is preventing /usr/lib/systemd/systemd-resolved from 'read' accesses on the file /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
jpbn commented & provided feedback a year ago
karma

update hangs

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

a year ago
lhirlimann commented & provided feedback a year ago
karma

no issues yet

zpytela commented & provided feedback a year ago

@jpbn what do you mean by "hangs"? Note the update can take a long time, see c#1.

zpytela commented & provided feedback a year ago

@amessina, you are right the update addresses most of the issues reported, but not the one in the bz description, sorry for that.

jpbn commented & provided feedback a year ago

@zpytela the script did not end; I had to close the terminal.

renault commented & provided feedback a year ago
karma

No regressions found

cairo provided feedback a year ago
karma
danniel commented & provided feedback a year ago
karma

Works

thebiginfinity commented & provided feedback a year ago
karma

Works for me.

This AVC is logged two times, but nothing breaks (note: I disabled Secure Boot in the UEFI).

AVC avc:  denied  { read } for  pid=1563 comm="systemd-modules" name="SecureBoot-***" dev="efivarfs" ino=397 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0
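An added example, not code from this update or from the selinux-policy project: a small Python script that parses the AVC records posted by amessina and thebiginfinity above (copied inline as a constructed sample, with the masked "SecureBoot-***" name kept as posted) and merges them into candidate allow rules the way audit2allow does, while keeping permissive=1 records (denial logged only) apart from permissive=0 records (access actually refused). The function names are this example's own; on a live system, ausearch -m AVC piped into audit2allow is the tool to use, and this script only shows what the quoted denials amount to.

```python
"""Aggregate SELinux AVC denials into candidate allow rules.

Added example, not code from the Bodhi update or the selinux-policy
project. It parses the AVC records quoted in the update's comments
(constructed sample below) and groups them per (source type, target type,
object class) the way audit2allow does. Function names are this example's own.
"""
import re
from collections import defaultdict

# Constructed sample: the AVC records posted in this update's comments.
# The masked target name "SecureBoot-***" is kept exactly as posted.
SAMPLE_AVCS = """\
type=AVC msg=audit(1590107869.700:161): avc:  denied  { read } for  pid=937 comm="systemd-resolve" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=15758 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1590107869.700:162): avc:  denied  { open } for  pid=937 comm="systemd-resolve" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=15758 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1590107869.700:163): avc:  denied  { getattr } for  pid=937 comm="systemd-resolve" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=15758 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
AVC avc:  denied  { read } for  pid=1563 comm="systemd-modules" name="SecureBoot-***" dev="efivarfs" ino=397 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0
"""

# "avc:  denied  { read open } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; a value is either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: (q if q else b) for k, q, b in KV_RE.findall(m.group("fields"))}
    rec["perms"] = set(m.group("perms").split())
    rec["stype"] = context_type(rec["scontext"])
    rec["ttype"] = context_type(rec["tcontext"])
    # permissive=1: denial only logged; permissive=0: the access was refused
    rec["enforced"] = rec.get("permissive") == "0"
    return rec


def parse_log(text):
    """Parse every AVC denial found in a block of audit or journal text."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def allow_rules(records):
    """Merge denials into {(source type, target type, class): permissions}."""
    rules = defaultdict(set)
    for r in records:
        rules[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return rules


def format_rules(records):
    """Render merged denials as policy allow statements, sorted for stable output."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(allow_rules(records).items())
    ]


def enforced_denials(records):
    """Records with permissive=0, i.e. the access was actually refused."""
    return [r for r in records if r["enforced"]]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_AVCS)
    for rule in format_rules(recs):
        print(rule)
    for r in enforced_denials(recs):
        target = r.get("path") or r.get("name")
        print(f'enforced: {r["comm"]} ({r["stype"]}) denied {sorted(r["perms"])} on {target}')
```

The merged rule for systemd_resolved_t comes out as read, open and getattr on efivarfs_t files, which is the access that the fs_read_efivarfs_files interface in amessina's grep already provides to the other systemd domains; the systemd_modules_load_t denial from the enforcing system is flagged separately because there the access was refused rather than merely logged. Rules produced this way belong in a local module only as a stopgap until the build the maintainer refers to.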
pwalter commented & provided feedback a year ago
karma

Works

cserpentis commented & provided feedback a year ago
karma

works for me

zpytela commented & provided feedback a year ago

Pushing to stable given the prevailing positive feedback. The remaining bugs (systemd-resolved, systemd-modules) will be resolved in the next build.

This update has been submitted for stable by zpytela.

a year ago

This update has been pushed to stable.

a year ago


Metadata
Type: bugfix
Severity: medium
Karma: 8
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -3
Stable by Karma: disabled
Stable by Time: disabled
Dates
submitted: a year ago
in testing: a year ago
in stable: a year ago
BZ#1808736 the lttng-sessiond service triggers SELinux denials
0
0
BZ#1824196 SELinux is preventing /usr/lib/systemd/systemd-resolved from 'read' accesses on the file /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
-1
0
BZ#1832790 Upgrade of selinux-polixy takes very long time
0
0
