selinux-policy-3.14.5-39.fc32
FEDORA-2020-886cc9af08 created by zpytela 2 years ago for Fedora 32
stable

New F32 selinux-policy build: https://koji.fedoraproject.org/koji/taskinfo?taskID=44726349

How to install

sudo dnf upgrade --advisory=FEDORA-2020-886cc9af08

This update has been submitted for testing by zpytela.

2 years ago

This update's test gating status has been changed to 'waiting'.

2 years ago

This update's test gating status has been changed to 'ignored'.

2 years ago
User Icon zpytela commented & provided feedback 2 years ago

Please note updating from the previous package version selinux-policy-3.14.5-38.fc32 will have all filesystems relabeling as a result which cannot be prevented. If relabeling takes a lot of time, consider unmounting some filesystems, updating manually, postponing the update to later.

Updating from older versions of the package should not trigger the relabeling.

User Icon imabug provided feedback 2 years ago
karma

This update has been pushed to testing.

2 years ago
User Icon bojan commented & provided feedback 2 years ago
karma

Works.

This update can be pushed to stable now if the maintainer wishes

2 years ago
User Icon amessina commented & provided feedback 2 years ago

Installed selinux-policy-targeted-3.14.5-39.fc32.noarch, relabeled entire system, rebooted...

time->Thu May 21 19:37:49 2020
type=AVC msg=audit(1590107869.700:161): avc:  denied  { read } for  pid=937 comm="systemd-resolve" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=15758 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
----
time->Thu May 21 19:37:49 2020
type=AVC msg=audit(1590107869.700:162): avc:  denied  { open } for  pid=937 comm="systemd-resolve" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=15758 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
----
time->Thu May 21 19:37:49 2020
type=AVC msg=audit(1590107869.700:163): avc:  denied  { getattr } for  pid=937 comm="systemd-resolve" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=15758 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1

After a full reboot...

~]# ll -Z /sys/firmware/
total 0
drwxr-xr-x.  6 root root system_u:object_r:sysfs_t:s0 0 May 21 19:57 acpi
drwxr-xr-x.  4 root root system_u:object_r:sysfs_t:s0 0 May 21 19:57 dmi
drwxr-xr-x.  5 root root system_u:object_r:sysfs_t:s0 0 May 21 19:57 efi
drwxr-xr-x. 23 root root system_u:object_r:sysfs_t:s0 0 May 21 19:58 memmap

~]# restorecon -RFv /sys/firmware/
Relabeled /sys/firmware/efi from system_u:object_r:sysfs_t:s0 to system_u:object_r:efivarfs_t:s0

grepping the selinux-policy.git source, I don't see that systemd_resolved_t has the fs_read_efivars_files applied.

selinux-policy.git]$ grep fs_read_efivarfs_files policy/modules/system/systemd.te 
fs_read_efivarfs_files(systemd_logind_t)
fs_read_efivarfs_files(systemd_machined_t)
fs_read_efivarfs_files(systemd_networkd_t)
fs_read_efivarfs_files(systemd_localed_t)
fs_read_efivarfs_files(systemd_hostnamed_t)
fs_read_efivarfs_files(systemd_rfkill_t)
fs_read_efivarfs_files(systemd_timedated_t)
fs_read_efivarfs_files(systemd_sysctl_t)
fs_read_efivarfs_files(systemd_hwdb_t)
fs_read_efivarfs_files(systemd_gpt_generator_t)
fs_read_efivarfs_files(systemd_userdbd_t)

Note, on another system the same issue occurs with systemd_modules_load_t

AVC avc:  denied  { read } for  pid=585 comm="systemd-modules" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=2253 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
AVC avc:  denied  { open } for  pid=585 comm="systemd-modules" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=2253 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
AVC avc:  denied  { getattr } for  pid=585 comm="systemd-modules" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=2253 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
BZ#1824196 SELinux is preventing /usr/lib/systemd/systemd-resolved from 'read' accesses on the file /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
User Icon jpbn commented & provided feedback 2 years ago
karma

update hangs

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

2 years ago
User Icon lhirlimann commented & provided feedback 2 years ago
karma

no issues yet

User Icon zpytela commented & provided feedback 2 years ago

@jpbn what do you mean by "hangs"? Note the update can take a long time, see c#1.

User Icon zpytela commented & provided feedback 2 years ago

@amessina, you are right the update addresses most of the issues reported, but not the one in the bz description, sorry for that.

User Icon jpbn commented & provided feedback 2 years ago

@zpytela the script did not end. had to close terminal.

User Icon renault commented & provided feedback 2 years ago
karma

No regressions found

User Icon cairo provided feedback 2 years ago
karma
User Icon danniel commented & provided feedback 2 years ago
karma

Works

User Icon thebiginfinity commented & provided feedback 2 years ago
karma

Works for me.

Two time this AVC is logged, but nothing breaks (note: I disable secure-boot in the UEFI).

AVC avc:  denied  { read } for  pid=1563 comm="systemd-modules" name="SecureBoot-***" dev="efivarfs" ino=397 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0
User Icon pwalter commented & provided feedback 2 years ago
karma

Works

User Icon cserpentis commented & provided feedback 2 years ago
karma

works for me

User Icon zpytela commented & provided feedback 2 years ago

Pushing to stable given the prevailing positive feedback. The remaining bugs (systemd-resolved, systemd-modules) will be resolved in the next build.

This update has been submitted for stable by zpytela.

2 years ago

This update has been pushed to stable.

2 years ago

Please login to add feedback.

Metadata
Type
bugfix
Severity
medium
Karma
8
Signed
Content Type
RPM
Test Gating
Builds
1
selinux-policy-3.14.5-39.fc32
Settings
Unstable by Karma
-3
Stable by Karma
disabled
Stable by Time
disabled
Dates
submitted
2 years ago
in testing
2 years ago
in stable
2 years ago
BZ#1808736 the lttng-sessiond service triggers SELinux denials
0
0
BZ#1824196 SELinux is preventing /usr/lib/systemd/systemd-resolved from 'read' accesses on the file /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
-1
0
BZ#1832790 Upgrade of selinux-polixy takes very long time
0
0

Automated Test Results

Copyright © 2007-2019 Red Hat, Inc. and others.

Running bodhi-5.7.4 on bodhi-web-180-zmnpq.

bodhi is Free Software. Please file issues if you have any problems. Read the documentation.

Composes Legal Privacy policy