FEDORA-2020-d0986e01cd — bugfix update for pam

stable

pam-1.3.1-24.fc32

FEDORA-2020-d0986e01cd created by ipedrosa 5 years ago for Fedora 32

pam_selinux: check unknown object classes or permissions in current policy

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2020-d0986e01cd

This update has been submitted for testing by ipedrosa.

5 years ago

This update's test gating status has been changed to 'waiting'.

5 years ago

This update's test gating status has been changed to 'ignored'.

5 years ago

adamwill commented & provided feedback 5 years ago

karma

This seems to break Cockpit. The Cockpit login screen just shows "Internal error in login process". System journal shows several AVCs, these seem most likely related:

Mar 11 13:45:41 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1044]: AVC avc:  denied  { setsched } for  pid=1044 comm="cockpit-ws" scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:system_r:cockpit_ws_t:s0 tclass=process permissive=0
Mar 11 13:46:23 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1170]: AVC avc:  denied  { create } for  pid=1170 comm="cockpit-session" scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=netlink_selinux_socket permissive=0
Mar 11 13:46:23 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com cockpit-ws[1170]: avc:  can't open netlink socket: 13 (Permission denied)
Mar 11 13:46:23 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com cockpit-ws[1170]: cockpit-session: avc.c:74: avc_context_to_sid_raw: Assertion `avc_running' failed.

plautrba commented 5 years ago

I don't think it's related to this update. Is it the only package you updated when this problem appeared? There were issues related to { setsched } based on some glib2 update, and creating a socket seems to be completely unrelated.

plautrba commented 5 years ago

@adamwill setsched issue should be covered by https://bugzilla.redhat.com/show_bug.cgi?id=1795524#c75 - FEDORA-2020-fe9ad43e72

The second AVC needs to reported on selinux-policy

ipedrosa commented 5 years ago

I already filled a bug for selinux-policy: https://bugzilla.redhat.com/show_bug.cgi?id=1812901

This update has been pushed to testing.

5 years ago

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

5 years ago

tmraz edited this update.

New build(s):

selinux-policy-3.14.5-30.fc32

Karma has been reset.

5 years ago

This update has been submitted for testing by tmraz.

5 years ago

tmraz edited this update.

5 years ago

This update has been pushed to testing.

5 years ago

This update has obsoleted selinux-policy-3.14.5-29.fc32, and has inherited its bugs and notes.

5 years ago

adamwill commented & provided feedback 5 years ago

@plautrba for the record, yes, it is definitely this update. The openQA tests isolate the packages from a specific update, they do not test all of updates-testing. And the same test is passing on other 32 updates, it only failed on this update. Those facts combined mean this update definitely causes the failure.