stable

selinux-policy-3.14.5-38.fc32

FEDORA-2020-a6cd8de2ed created by zpytela 4 years ago for Fedora 32

New F32 selinux-policy build: https://koji.fedoraproject.org/koji/taskinfo?taskID=44115649

This update should address problems with the previous build that occasionally appeared on systems with custom selinux policy modules.

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2020-a6cd8de2ed

This update has been submitted for testing by zpytela.

4 years ago

This update's test gating status has been changed to 'waiting'.

4 years ago

This update's test gating status has been changed to 'ignored'.

4 years ago
egreshko commented & provided feedback 4 years ago
karma

I've only encountered BZ#1811407 and this is resolved with the update

BZ#1811407 SELinux is preventing accounts-daemon from 'sys_nice' accesses
alexpl commented & provided feedback 4 years ago
karma

Same as egreshko

BZ#1811407 SELinux is preventing accounts-daemon from 'sys_nice' accesses
imabug provided feedback 4 years ago
karma
BZ#1811407 SELinux is preventing accounts-daemon from 'sys_nice' accesses

This update has been submitted for stable by bodhi.

4 years ago

This update has been pushed to stable.

4 years ago
bojan commented & provided feedback 4 years ago
karma

All is well. No denials on two machines and relabelling worked on both too.

zpytela commented & provided feedback 4 years ago

Please note the selinux policy needs to be rebuilt as a part of the update process so this selinux-policy package update can take a few minutes to complete the rpm scriptlets.

dirkk commented & provided feedback 4 years ago
karma

Works for me. Confirmed by two reboots. Scriptlet with restorecon was running 7 minutes!

amessina commented & provided feedback 4 years ago

This update does not resolve #1824196 for me. Also, you can see #1827466 in there as well.

~]# ausearch -m avc -ts boot
----
time->Wed May  6 17:57:42 2020
type=AVC msg=audit(1588805862.874:118): avc:  denied  { read } for  pid=815 comm="sssd" name="systemd" dev="tmpfs" ino=256 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=1
----
time->Wed May  6 17:57:44 2020
type=AVC msg=audit(1588805864.772:163): avc:  denied  { read } for  pid=925 comm="systemd-resolve" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=239 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
----
time->Wed May  6 17:57:44 2020
type=AVC msg=audit(1588805864.772:164): avc:  denied  { open } for  pid=925 comm="systemd-resolve" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=239 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
----
time->Wed May  6 17:57:44 2020
type=AVC msg=audit(1588805864.772:165): avc:  denied  { getattr } for  pid=925 comm="systemd-resolve" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=239 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1

I've tried relabeling then rebooting -- no dice.

BZ#1824196 SELinux is preventing /usr/lib/systemd/systemd-resolved from 'read' accesses on the file /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
zpytela commented & provided feedback 4 years ago

@amessina, you are right: the first one missed the build, the second one has not been addressed yet.

amessina commented & provided feedback 4 years ago

@zpytela, thank you. My comment above was a reference that I am still seeing #1824196 even after the update to selinux-policy-3.14.5-38.fc32. It seems like after a reboot, the files are not relabeled in time. After I can log in, I run a restorecon -RFv on /sys/firmware/ and I see the files get relabeled, but that's too late as these errors are generated.

After initrd, I see

systemd[1]: Successfully loaded SELinux policy in 410.073ms.
systemd[1]: Relabelled /dev, /dev/shm, /run, /sys/fs/cgroup in 20.904ms.

Should /sys/firmware/efi be listed there as well?

nicosss commented & provided feedback 4 years ago
karma

Works fine since 3.14.5-37.fc32. No AVC after reboot.

BZ#1811407 SELinux is preventing accounts-daemon from 'sys_nice' accesses
zpytela commented & provided feedback 4 years ago

@amessina, #1824196 dropped out of the latest build, will be a part of the next one.

zpytela commented & provided feedback 4 years ago

Please note an update to this package version can lead to relabeling the complete filesystem.

The reason is that this update brings a file context specification for "/s?bin/arping". Unfortunately, a quantifier so early in the path is replaced with the '' wildcard, i.e. in this case "/" is to be relabeled.



Metadata
Type: bugfix
Severity: medium
Karma: 6
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -3
Stable by Karma: 3
Stable by Time: 14 days
Dates
submitted: 4 years ago
in stable: 4 years ago

Bugs
BZ#1811407 SELinux is preventing accounts-daemon from 'sys_nice' accesses (0 / 4)
BZ#1824087 SELinux is preventing (sd-worker) from 'sendto' accesses on the unix_dgram_socket /run/systemd/journal/socket. (0 / 0)
BZ#1824196 SELinux is preventing /usr/lib/systemd/systemd-resolved from 'read' accesses on the file /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c. (0 / 0)
