FEDORA-2020-a6cd8de2ed created by zpytela 5 months ago for Fedora 32
Status: stable

New F32 selinux-policy build: https://koji.fedoraproject.org/koji/taskinfo?taskID=44115649

This update should address problems with the previous build that occasionally appeared on systems with custom SELinux policy modules.

How to install

sudo dnf upgrade --advisory=FEDORA-2020-a6cd8de2ed

This update has been submitted for testing by zpytela.

5 months ago

This update's test gating status has been changed to 'waiting'.

5 months ago

This update's test gating status has been changed to 'ignored'.

5 months ago
egreshko commented & provided feedback 5 months ago

I've only encountered BZ#1811407 and this is resolved with the update

BZ#1811407 SELinux is preventing accounts-daemon from 'sys_nice' accesses
alexpl commented & provided feedback 5 months ago

Same as egreshko

BZ#1811407 SELinux is preventing accounts-daemon from 'sys_nice' accesses
imabug provided feedback 5 months ago
BZ#1811407 SELinux is preventing accounts-daemon from 'sys_nice' accesses

This update has been submitted for stable by bodhi.

5 months ago

This update has been pushed to stable.

5 months ago
bojan commented & provided feedback 5 months ago

All is well. No denials on two machines and relabelling worked on both too.

zpytela commented & provided feedback 5 months ago

Please note the selinux policy needs to be rebuilt as a part of the update process so this selinux-policy package update can take a few minutes to complete the rpm scriptlets.

dirkk commented & provided feedback 5 months ago

Works for me. Confirmed by two reboots. Scriptlet with restorecon was running 7 minutes!

amessina commented & provided feedback 5 months ago

This update does not resolve #1824196 for me. Also, you can see #1827466 in there as well.

~]# ausearch -m avc -ts boot
----
time->Wed May  6 17:57:42 2020
type=AVC msg=audit(1588805862.874:118): avc:  denied  { read } for  pid=815 comm="sssd" name="systemd" dev="tmpfs" ino=256 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=1
----
time->Wed May  6 17:57:44 2020
type=AVC msg=audit(1588805864.772:163): avc:  denied  { read } for  pid=925 comm="systemd-resolve" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=239 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
----
time->Wed May  6 17:57:44 2020
type=AVC msg=audit(1588805864.772:164): avc:  denied  { open } for  pid=925 comm="systemd-resolve" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=239 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
----
time->Wed May  6 17:57:44 2020
type=AVC msg=audit(1588805864.772:165): avc:  denied  { getattr } for  pid=925 comm="systemd-resolve" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=239 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1

I've tried relabeling then rebooting -- no dice.

BZ#1824196 SELinux is preventing /usr/lib/systemd/systemd-resolved from 'read' accesses on the file /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
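The AVC records above are the raw material for a bug report like #1824196. The following is an added triage helper written for this thread (it is not part of the update, policycoreutils or libselinux): it parses the records amessina posted, unions the denied permissions per (source type, target type, class) pair, renders them in the allow-rule form audit2allow prints, and counts how many of the denials were actually enforced. Note that every record above carries permissive=1, which means the access was logged but not blocked, because the domain (or the whole system) was running permissive.

```python
"""Reduce raw `ausearch -m avc` output to a per-type-pair permission summary.

Added example for this thread, not code from the update or from
policycoreutils.  Sample input below is the set of records posted in
the comment above.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# The records amessina pasted above, reused here as sample input.
SAMPLE_AUDIT = """\
----
time->Wed May  6 17:57:42 2020
type=AVC msg=audit(1588805862.874:118): avc:  denied  { read } for  pid=815 comm="sssd" name="systemd" dev="tmpfs" ino=256 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=1
----
time->Wed May  6 17:57:44 2020
type=AVC msg=audit(1588805864.772:163): avc:  denied  { read } for  pid=925 comm="systemd-resolve" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=239 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
----
time->Wed May  6 17:57:44 2020
type=AVC msg=audit(1588805864.772:164): avc:  denied  { open } for  pid=925 comm="systemd-resolve" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=239 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
----
time->Wed May  6 17:57:44 2020
type=AVC msg=audit(1588805864.772:165): avc:  denied  { getattr } for  pid=925 comm="systemd-resolve" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=239 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
"""

# "avc:  denied  { read open } for  pid=... comm=... scontext=... tclass=..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
# key=value pairs; values are either quoted strings or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context: str) -> str:
    """user:role:type:level -> type (the third field)."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_avc(line: str) -> Optional[dict]:
    """Parse one type=AVC line; return None for separators and time-> lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm", ""),
        "stype": selinux_type(fields.get("scontext", "")),
        "ttype": selinux_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", ""),
        # file denials carry path= or name= depending on the hook
        "target": fields.get("path") or fields.get("name", ""),
        "permissive": fields.get("permissive") == "1",
    }


def summarize(audit_text: str) -> Dict[Tuple[str, str, str], Set[str]]:
    """Union the denied permissions per (source type, target type, class)."""
    summary: Dict[Tuple[str, str, str], Set[str]] = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            summary[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(summary)


def render_rules(summary: Dict[Tuple[str, str, str], Set[str]]) -> List[str]:
    """Render the summary in the allow-rule form audit2allow prints."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};"
        for (s, t, c), perms in sorted(summary.items())
    ]


def enforced_denials(audit_text: str) -> int:
    """Count records where the access was really blocked (permissive=0)."""
    return sum(
        1 for line in audit_text.splitlines()
        if (rec := parse_avc(line)) and not rec["permissive"]
    )


if __name__ == "__main__":
    for rule in render_rules(summarize(SAMPLE_AUDIT)):
        print(rule)
    print("enforced denials:", enforced_denials(SAMPLE_AUDIT))
```

Feed it real output with `ausearch -m avc -ts boot | python3 avc_summary.py` after replacing SAMPLE_AUDIT with sys.stdin.read(); the summary lines are what to paste into the bug, and a non-zero enforced count is what distinguishes "noise while permissive" from a service that is actually broken.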
zpytela commented & provided feedback 5 months ago

@amessina, you are right: the first one missed the build, the second one has not been addressed yet.

amessina commented & provided feedback 5 months ago

@zpytela, thank you. My comment above was a reference that I am still seeing #1824196 even after the update to selinux-policy-3.14.5-38.fc32. It seems like after a reboot, the files are not relabeled in time. After I can login, I run a restorecon -RFv on /sys/firmware/ and I see the files get relabeled, but that's too late as these errors are generated.

After initrd, I see

systemd[1]: Successfully loaded SELinux policy in 410.073ms.
systemd[1]: Relabelled /dev, /dev/shm, /run, /sys/fs/cgroup in 20.904ms.

Should /sys/firmware/efi be listed there as well?

nicosss commented & provided feedback 5 months ago

Works fine since 3.14.5-37.fc32. No AVC after reboot.

BZ#1811407 SELinux is preventing accounts-daemon from 'sys_nice' accesses
zpytela commented & provided feedback 5 months ago

@amessina, #1824196 dropped out of the latest build, will be a part of the next one.

zpytela commented & provided feedback 5 months ago

Please note update to this package version can lead to relabeling the complete filesystem.

The reason is that this update brings file context specification for "/s?bin/arping". Unfortunately, a quantifier so early in the path is replaced with the '' wildcard, i.e. in this case "/" is to be relabeled.
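The mechanism behind the full relabel zpytela describes is that a file_contexts entry is a regex, and a change-driven relabel can only walk the part of the path that matches literally. A quantifier binds to the character before it, so in "/s?bin/arping" only "/" is guaranteed, and the walk starts at the filesystem root. The following is an added illustration for this thread (not code from selinux-policy, policycoreutils or libselinux, and a simplified model rather than their exact stem computation): it reduces each spec to the directory a relabel would have to start from and applies that to a constructed before/after pair of file_contexts excerpts in which the new arping spec is the only change.

```python
"""Why one new file_contexts spec can relabel the whole filesystem.

Added example for this thread.  The prefix rule below is a simplified
model of how a regex spec is reduced to the path that must be walked;
it is not the code used by fixfiles or libselinux.
"""
from typing import Dict, List, Tuple

META = set("?*+()[]{}|.^$\\")   # characters that end the literal prefix
QUANTIFIERS = set("?*+{")       # these bind to the preceding character


def split_literal_prefix(regex: str) -> Tuple[str, str]:
    """Split a spec into (literal prefix, remaining pattern).

    The character before a quantifier is optional or repeated, so it is
    not part of the prefix: "/s?bin/arping" -> ("/", "s?bin/arping").
    """
    out: List[str] = []
    i = 0
    while i < len(regex):
        c = regex[i]
        if c == "\\" and i + 1 < len(regex):
            # "\." is a literal dot, unless the escaped char is itself quantified
            if i + 2 < len(regex) and regex[i + 2] in QUANTIFIERS:
                break
            out.append(regex[i + 1])
            i += 2
            continue
        if c in META:
            break
        if i + 1 < len(regex) and regex[i + 1] in QUANTIFIERS:
            break
        out.append(c)
        i += 1
    return "".join(out), regex[i:]


def relabel_root(regex: str) -> str:
    """Path a relabel has to start from so that every match of the spec is visited."""
    prefix, rest = split_literal_prefix(regex)
    if rest == "" or rest.startswith("/") or rest.startswith("(/"):
        return prefix or "/"            # prefix ends on a whole path component
    # prefix was cut mid-component ("/s" of "/s?bin"): back up to its directory
    return prefix[: prefix.rfind("/") + 1] or "/"


def parse_specs(file_contexts: str) -> List[str]:
    """Return the regex column of each non-comment file_contexts line."""
    specs = []
    for line in file_contexts.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            specs.append(line.split()[0])
    return specs


def relabel_scope(old_fc: str, new_fc: str) -> Dict[str, str]:
    """Map each spec added or removed between two file_contexts texts to its relabel root."""
    old, new = set(parse_specs(old_fc)), set(parse_specs(new_fc))
    return {spec: relabel_root(spec) for spec in sorted(old ^ new)}


# Constructed excerpts standing in for the old and new
# /etc/selinux/targeted/contexts/files/file_contexts (not the real files).
OLD_FC = """\
/usr/bin/arping\t--\tsystem_u:object_r:ping_exec_t:s0
/var/lib/sss(/.*)?\tsystem_u:object_r:sssd_var_lib_t:s0
"""
NEW_FC = OLD_FC + "/s?bin/arping\t--\tsystem_u:object_r:ping_exec_t:s0\n"

if __name__ == "__main__":
    for spec, root in relabel_scope(OLD_FC, NEW_FC).items():
        print(f"{spec:30} -> relabel from {root}")
```

The same rule shows why "/usr/bin/arping" or "/var/lib/sss(/.*)?" stay cheap: their literal prefix ends on a complete component, so only that file or subtree is walked. Before applying a selinux-policy update on a large filesystem, diffing the packaged file_contexts against the installed one and running the changed specs through relabel_root tells you whether to expect a minutes-long scriptlet like the one dirkk reported.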


Metadata
Type: bugfix
Severity: medium
Karma: 6
Signed
Content Type: RPM
Test Gating

Settings
Unstable by Karma: -3
Stable by Karma: 3
Stable by Time: 14 days

Dates
submitted: 5 months ago
in stable: 5 months ago

Bugs (feedback: negative / positive)
BZ#1811407 SELinux is preventing accounts-daemon from 'sys_nice' accesses: 0 / 4
BZ#1824087 SELinux is preventing (sd-worker) from 'sendto' accesses on the unix_dgram_socket /run/systemd/journal/socket.: 0 / 0
BZ#1824196 SELinux is preventing /usr/lib/systemd/systemd-resolved from 'read' accesses on the file /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.: 0 / 0