stable

FEDORA-2020-d0986e01cd created by ipedrosa 2 years ago for Fedora 32

pam_selinux: check unknown object classes or permissions in current policy

How to install

sudo dnf upgrade --refresh --advisory=FEDORA-2020-d0986e01cd

This update has been submitted for testing by ipedrosa.

2 years ago

This update's test gating status has been changed to 'waiting'.

2 years ago

This update's test gating status has been changed to 'ignored'.

2 years ago
adamwill commented & provided feedback 2 years ago

This seems to break Cockpit. The Cockpit login screen just shows "Internal error in login process". System journal shows several AVCs, these seem most likely related:

Mar 11 13:45:41 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1044]: AVC avc:  denied  { setsched } for  pid=1044 comm="cockpit-ws" scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:system_r:cockpit_ws_t:s0 tclass=process permissive=0
Mar 11 13:46:23 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1170]: AVC avc:  denied  { create } for  pid=1170 comm="cockpit-session" scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=netlink_selinux_socket permissive=0
Mar 11 13:46:23 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com cockpit-ws[1170]: avc:  can't open netlink socket: 13 (Permission denied)
Mar 11 13:46:23 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com cockpit-ws[1170]: cockpit-session: avc.c:74: avc_context_to_sid_raw: Assertion `avc_running' failed.

I don't think it's related to this update. Is it the only package you updated when this problem appeared? There were issues related to { setsched } based on some glib2 update, and creating a socket seems to be completely unrelated.

@adamwill setsched issue should be covered by https://bugzilla.redhat.com/show_bug.cgi?id=1795524#c75 - FEDORA-2020-fe9ad43e72

The second AVC needs to be reported on selinux-policy

I already filed a bug for selinux-policy: https://bugzilla.redhat.com/show_bug.cgi?id=1812901

This update has been pushed to testing.

2 years ago

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

2 years ago

tmraz edited this update.

New build(s):

  • selinux-policy-3.14.5-30.fc32

Karma has been reset.

2 years ago

This update has been submitted for testing by tmraz.

2 years ago

tmraz edited this update.

2 years ago

This update has been pushed to testing.

2 years ago

This update has obsoleted selinux-policy-3.14.5-29.fc32, and has inherited its bugs and notes.

2 years ago
adamwill commented & provided feedback 2 years ago

@plautrba for the record, yes, it is definitely this update. The openQA tests isolate the packages from a specific update, they do not test all of updates-testing. And the same test is passing on other 32 updates, it only failed on this update. Those facts combined mean this update definitely causes the failure.

adamwill commented & provided feedback 2 years ago

BTW, the tests when the update was edited because of this bodhi bug :(. I will re-trigger manually.

adamwill commented & provided feedback 2 years ago

openQA tests look good now.

This update can be pushed to stable now if the maintainer wishes

2 years ago
kparal commented & provided feedback 2 years ago
BZ#1795524 SELinux denials for 'setsched' force glib down a fallback path with performance implications
frantisekz commented & provided feedback 2 years ago

All seems good

pwalter commented & provided feedback 2 years ago

Works

cairo provided feedback 2 years ago
smithp commented & provided feedback 2 years ago

+1

pwalter edited this update.

Removed build(s):

  • selinux-policy-3.14.5-30.fc32

Karma has been reset.

2 years ago

This update has been submitted for testing by pwalter.

2 years ago
pwalter commented & provided feedback 2 years ago

I've edited the update to remove selinux-policy as a newer selinux-policy build already got pushed to stable.

tmraz provided feedback 2 years ago
BZ#1680961 pam_selinux - check whether undefined object classes or permissions are allowed or denied in the current policy
BZ#1813023 selinux-policy-3.14.6-7 with pam-1.3.1-24 blocks SSH logins
plautrba provided feedback 2 years ago
BZ#1680961 pam_selinux - check whether undefined object classes or permissions are allowed or denied in the current policy
BZ#1813023 selinux-policy-3.14.6-7 with pam-1.3.1-24 blocks SSH logins

This update has been submitted for stable by bodhi.

2 years ago

This update has been pushed to stable.

2 years ago


Metadata
Type: bugfix
Severity: low
Karma: 3
Signed
Content Type: RPM
Test Gating

Settings
Unstable by Karma: -3
Stable by Karma: 3
Stable by Time: 14 days

Dates
submitted: 2 years ago
in testing: 2 years ago
in stable: 2 years ago
modified: 2 years ago

BZ#1680961 pam_selinux - check whether undefined object classes or permissions are allowed or denied in the current policy
0
2
BZ#1813023 selinux-policy-3.14.6-7 with pam-1.3.1-24 blocks SSH logins
0
2
