FEDORA-2020-9896f80cf0 created by zpytela a year ago for Fedora 32
stable

How to install

sudo dnf upgrade --advisory=FEDORA-2020-9896f80cf0

This update has been submitted for testing by zpytela.

a year ago

This update's test gating status has been changed to 'ignored'.

a year ago

This update's test gating status has been changed to 'waiting'.

a year ago

This update's test gating status has been changed to 'ignored'.

a year ago
imabug provided feedback a year ago

This update has been pushed to testing.

a year ago
bojan provided feedback a year ago

This update can be pushed to stable now if the maintainer wishes

a year ago
device commented & provided feedback a year ago

I get some errors after this update that do not occur in selinux-policy-3.14.5-43:

Oct 03 13:30:21 HOSTNAME setroubleshoot[767]: SELinux is preventing php-fpm from using the execmem access on a process. For complete SELinux messages run: sealert -l b63a1fe7-d9ef-481e-be52-3a9892cc77c7
Oct 03 13:30:22 HOSTNAME setroubleshoot[767]: SELinux is preventing php-fpm from using the execmem access on a process. For complete SELinux messages run: sealert -l b63a1fe7-d9ef-481e-be52-3a9892cc77c7

If you look at the sealert message, it says this:

type=AVC msg=audit(1601724605.267:147): avc: denied { execmem } for pid=576 comm="php-fpm" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

a year ago
ersen provided feedback a year ago
filiperosset commented & provided feedback a year ago

no regressions noted

cserpentis commented & provided feedback a year ago

works for me

zpytela commented & provided feedback a year ago

@device, there was no change in the policy which would lead to an error like yours.

The execmem permission is required for mapping a memory region as executable, which is not common and is possibly insecure, so it is disabled by default. It can be turned on using the httpd_execmem boolean.

semanage boolean -l | grep httpd_execmem

httpd_execmem (off , off) Allow httpd scripts and modules execmem/execstack

However, before doing that, you should look for documentation of the PHP modules used or check with the script's vendor, as this permission should not be required. Having said that, it could have been done by design as well as a result of a bug in the code.
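
The denial discussed above (a domain mapping its own memory as executable, which the httpd_execmem boolean would allow for httpd_t) can be picked out of audit records mechanically before anyone decides whether to change the boolean. The following Python is an added example, not part of the thread or of selinux-policy; the function names are hypothetical and every sample record except the first is constructed.

```python
import re
from collections import Counter

# Constructed sample: record 1 is the denial quoted in the thread; the rest are
# made up (a repeat, an unrelated denial, a non-AVC record).
SAMPLE = """\
type=AVC msg=audit(1601724605.267:147): avc: denied { execmem } for pid=576 comm="php-fpm" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
type=AVC msg=audit(1601724606.301:152): avc: denied { execmem } for pid=581 comm="php-fpm" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
type=AVC msg=audit(1601724700.010:160): avc: denied { write } for pid=590 comm="php-fpm" name="example.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=SERVICE_START msg=audit(1601724701.000:161): pid=1 uid=0 msg='unit=example'
"""

AVC_RE = re.compile(r"type=AVC msg=audit\([\d.]+:\d+\): avc:\s+denied\s+"
                    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Only mapping stated in the thread: httpd_t execmem is gated by httpd_execmem.
EXECMEM_BOOLEANS = {"httpd_t": "httpd_execmem"}

def parse_avc(line):
    """Return a dict for one AVC denial record, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    # An SELinux context is user:role:type:level; keep only the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def triage(log_text):
    """Group denials and mark self-execmem ones that a boolean would silence."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        for perm in rec["perms"]:
            counts[(rec["comm"], perm, rec["stype"], rec["ttype"], rec["tclass"])] += 1
    findings = []
    for (comm, perm, stype, ttype, tclass), n in sorted(counts.items()):
        self_execmem = perm == "execmem" and tclass == "process" and stype == ttype
        findings.append({
            "comm": comm, "perm": perm, "domain": stype, "target": ttype,
            "count": n, "self_execmem": self_execmem,
            # Boolean to review (not to flip blindly), if the thread names one.
            "boolean": EXECMEM_BOOLEANS.get(stype) if self_execmem else None,
        })
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

A finding with `self_execmem` set points at the process named in `comm`, which is where to start looking at loaded modules before touching the boolean.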

This update has been submitted for stable by zpytela.

a year ago

This update has been pushed to stable.

a year ago


Metadata
Type: bugfix
Severity: medium
Karma: 4
Signed
Content Type: RPM
Test Gating

Settings
Unstable by Karma: -3
Stable by Karma: disabled
Stable by Time: disabled

Dates
submitted: a year ago
in testing: a year ago
in stable: a year ago

BZ#1767721 Confined users cannot query systemd journal when logged on console
BZ#1809000 the rkt-metadata service triggers SELinux denials
BZ#1874338 kernel 5.8.x breaks autofs
BZ#1874836 SELinux is preventing (-localed) from remount access on the filesystem while exfat drive is mounted
BZ#1875138 php-fpm can't write into redis' socket (Fedora)