New F32 selinux-policy build: https://koji.fedoraproject.org/koji/taskinfo?taskID=44115649
This update should address problems with the previous build that occasionally appeared on systems with custom selinux policy modules.
Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:
sudo dnf upgrade --refresh --advisory=FEDORA-2020-a6cd8de2ed
Please login to add feedback.
This update has been submitted for testing by zpytela.
This update's test gating status has been changed to 'waiting'.
This update's test gating status has been changed to 'ignored'.
I've only encountered BZ#1811407 and this is resolved with the update
Same as egreshko
This update has been submitted for stable by bodhi.
This update has been pushed to stable.
All is well. No denials on two machines and relabelling worked on both too.
Please note the selinux policy needs to be rebuilt as a part of the update process so this selinux-policy package update can take a few minutes to complete the rpm scriptlets.
Works for me. Confirmed by two reboots. Scriptlet with restorecon was running 7 minutes!
This update does not resolve #1824196 for me. Also, you can see #1827466 in there as well.
I've tried relabeling then rebooting -- no dice.
@amessina, you are right: the first one missed the build, the second one has not been addressed yet.
@zpytela, thank you. My comment above was a reference that I am still seeing #1824196 even after the update to selinux-policy-3.14.5-38.fc32. It seems like after a reboot, the files are not relabeled in time. After I can login, I run a resstorecon -RFv on /sys/firmware/ and I see the files get relabeled, but that's too late as these errors are generated.
After initrd, I see
systemd[1]: Successfully loaded SELinux policy in 410.073ms. systemd[1]: Relabelled /dev, /dev/shm, /run, /sys/fs/cgroup in 20.904ms.
Should /sys/firmware/efi be listed there as well?
Works fine since 3.14.5-37.fc32. No AVC after reboot.
@amessina, #1824196 dropped out of the latest build, will be a part of the next one.
Please note update to this package version can lead to relabeling the complete filesystem.
The reason is that this update brings file context specification for "/s?bin/arping". Unfortunately, a quantifier so early in the path is replaced with the '' wildcard, i. e. in this case "/" is to be relabeled.