stable

selinux-policy-34.4-1.fc34

FEDORA-2021-8d26207af7 created by zpytela a year ago for Fedora 34

New F34 selinux-policy build

How to install

sudo dnf upgrade --refresh --advisory=FEDORA-2021-8d26207af7

This update has been submitted for testing by zpytela.

a year ago

This update's test gating status has been changed to 'ignored'.

a year ago

This update's test gating status has been changed to 'waiting'.

a year ago

This update's test gating status has been changed to 'ignored'.

a year ago

This update has been pushed to testing.

a year ago
generalprobe commented & provided feedback a year ago

Failed to execute /usr/lib/systemd/system-sleep/tlp: Permission denied CODE_FILE src/shared/exec-util.c CODE_FUNC do_spawn CODE_LINE 74 ERRNO 13 PRIORITY 3 SYSLOG_FACILITY 3 SYSLOG_IDENTIFIER
TID 6462 _BOOT_ID 35e8a3109c8c4550a0fdf5ce8809dbe8 _GID 0 _HOSTNAME t420.localdoman _MACHINE_ID 891946253ca14952a39406988024dc43 _PID 6462 _SELINUX_CONTEXT system_u:system_r:systemd_sleep_t:s0 _SOURCE_REALTIME_TIMESTAMP 1619574000980278 _TRANSPORT journal _UID 0 __CURSOR s=a539bec668ca4ae5a2423aa144b2bc9a;i=353f73;b=35e8a3109c8c4550a0fdf5ce8809dbe8;m=f2553a7;t=5c0fe75044f4e;x=5f09d3da16f8134a __MONOTONIC_TIMESTAMP 254104487 __REALTIME_TIMESTAMP 1619574000996174

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

a year ago
zpytela commented & provided feedback a year ago

@generalprobe, can you show the avc denials?

# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

generalprobe commented & provided feedback a year ago

type=AVC msg=audit(28.04.2021 01:31:31.922:2378) : avc: denied { getattr } for pid=42354 comm=(sd-executor) path=/usr/lib/systemd/system-sleep/tlp dev="dm-1" ino=19049 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:tlp_exec_t:s0 tclass=file permissive=0

type=AVC msg=audit(28.04.2021 02:48:58.151:2686) : avc: denied { getattr } for pid=49052 comm=(sd-executor) path=/usr/lib/systemd/system-sleep/tlp dev="dm-1" ino=19049 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:tlp_exec_t:s0 tclass=file permissive=0

type=AVC msg=audit(28.04.2021 02:56:57.874:2687) : avc: denied { getattr } for pid=49164 comm=(sd-executor) path=/usr/lib/systemd/system-sleep/tlp dev="dm-1" ino=19049 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:tlp_exec_t:s0 tclass=file permissive=0

type=AVC msg=audit(28.04.2021 03:06:28.360:760) : avc: denied { write } for pid=3243 comm=gnome-shell name=dbus-iuuXtAlsQC dev="tmpfs" ino=55 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0

type=AVC msg=audit(28.04.2021 03:06:30.843:778) : avc: denied { write } for pid=3453 comm=gsd-keyboard name=dbus-iuuXtAlsQC dev="tmpfs" ino=55 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0

type=AVC msg=audit(28.04.2021 03:06:30.847:779) : avc: denied { write } for pid=3474 comm=gsd-power name=dbus-iuuXtAlsQC dev="tmpfs" ino=55 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0

type=AVC msg=audit(28.04.2021 03:06:30.849:780) : avc: denied { write } for pid=3448 comm=gsd-color name=dbus-iuuXtAlsQC dev="tmpfs" ino=55 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0

type=AVC msg=audit(28.04.2021 03:06:30.852:781) : avc: denied { write } for pid=3445 comm=gsd-wacom name=dbus-iuuXtAlsQC dev="tmpfs" ino=55 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0

type=AVC msg=audit(28.04.2021 03:06:30.857:782) : avc: denied { write } for pid=3464 comm=gsd-media-keys name=dbus-iuuXtAlsQC dev="tmpfs" ino=55 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0

type=AVC msg=audit(28.04.2021 03:06:31.587:784) : avc: denied { write } for pid=3683 comm=ibus-x11 name=dbus-iuuXtAlsQC dev="tmpfs" ino=55 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0

type=AVC msg=audit(28.04.2021 03:06:31.698:785) : avc: denied { read write } for pid=3243 comm=gnome-shell path=/memfd:wayland-cursor (deleted) dev="tmpfs" ino=3085 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0

type=AVC msg=audit(28.04.2021 03:10:07.587:919) : avc: denied { execute } for pid=6357 comm=(direxec) name=bash dev="dm-1" ino=2910128 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0

type=AVC msg=audit(28.04.2021 03:40:00.978:920) : avc: denied { execute } for pid=6462 comm=(direxec) name=bash dev="dm-1" ino=2910128 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0

type=AVC msg=audit(28.04.2021 04:12:34.007:1015) : avc: denied { execute } for pid=8544 comm=(direxec) name=bash dev="dm-1" ino=2910128 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0

type=AVC msg=audit(28.04.2021 09:01:36.835:1016) : avc: denied { execute } for pid=8630 comm=(direxec) name=bash dev="dm-1" ino=2910128 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0

type=AVC msg=audit(28.04.2021 09:06:37.704:1061) : avc: denied { execute } for pid=9353 comm=(direxec) name=bash dev="dm-1" ino=2910128 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0

type=AVC msg=audit(28.04.2021 09:17:46.877:1062) : avc: denied { execute } for pid=9458 comm=(direxec) name=bash dev="dm-1" ino=2910128 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0

generalprobe commented & provided feedback a year ago

I think you can ignore the first about TLP because I installed the new selinux-policy afterwards.

Also, I created a new bug report about a newly occurring incident: https://bugzilla.redhat.com/show_bug.cgi?id=1954358

Maybe they are connected?

generalprobe commented & provided feedback a year ago

I updated selinux-policy according to dnf history at 2:59 local time so please ignore the pre 3pm warnings

1430 | install https://kojipkgs.fedoraproject.org//packages/selinux-policy/34.4/1.fc34/noarch/selinux-policy-34.4-1.fc34.noarch.rpm h | 2021-04-28 02:59 | Upgrade | 2

generalprobe commented & provided feedback a year ago

am not pm sorry
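
Triage of the denials posted above, as an added example (not part of the Bodhi page or of any commenter's post): it parses the `ausearch -i` lines, drops those logged before the 02:59 policy upgrade given in the dnf history line, and groups the rest by source type, target type, class and permission. The `DD.MM.YYYY` timestamp layout is assumed from the thread's output and varies with locale; `triage` and the constant names are chosen here.

```python
import re
from collections import defaultdict
from datetime import datetime

# Locale-dependent timestamp layout of `ausearch -i` as it appears in this thread (assumption).
TS_FORMAT = "%d.%m.%Y %H:%M:%S"
# Time of the selinux-policy upgrade, taken from the dnf history line in the thread.
POLICY_UPGRADED = datetime(2021, 4, 28, 2, 59)

AVC_RE = re.compile(
    r"audit\((?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2})\.\d+:\d+\) : avc:\s+denied\s+"
    r"\{ (?P<perms>[^}]+?) \} for .*?comm=(?P<comm>\S+) .*?"
    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)"
)

# Six of the denials posted in the thread, copied from the comment above.
SAMPLE = """\
type=AVC msg=audit(28.04.2021 01:31:31.922:2378) : avc: denied { getattr } for pid=42354 comm=(sd-executor) path=/usr/lib/systemd/system-sleep/tlp dev="dm-1" ino=19049 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:tlp_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(28.04.2021 02:56:57.874:2687) : avc: denied { getattr } for pid=49164 comm=(sd-executor) path=/usr/lib/systemd/system-sleep/tlp dev="dm-1" ino=19049 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:tlp_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(28.04.2021 03:06:28.360:760) : avc: denied { write } for pid=3243 comm=gnome-shell name=dbus-iuuXtAlsQC dev="tmpfs" ino=55 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(28.04.2021 03:06:30.843:778) : avc: denied { write } for pid=3453 comm=gsd-keyboard name=dbus-iuuXtAlsQC dev="tmpfs" ino=55 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(28.04.2021 03:10:07.587:919) : avc: denied { execute } for pid=6357 comm=(direxec) name=bash dev="dm-1" ino=2910128 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(28.04.2021 03:40:00.978:920) : avc: denied { execute } for pid=6462 comm=(direxec) name=bash dev="dm-1" ino=2910128 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
"""

def triage(lines, since):
    """Group denials logged at or after `since` by (source type, target type, class, perms)."""
    groups = defaultdict(lambda: {"count": 0, "comms": set()})
    for line in lines:
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an interpreted AVC denial line
        if datetime.strptime(m["ts"], TS_FORMAT) < since:
            continue  # logged while the previous policy build was still loaded
        # The type is the third field of user:role:type:level.
        key = (m["scon"].split(":")[2], m["tcon"].split(":")[2], m["tclass"], m["perms"])
        groups[key]["count"] += 1
        groups[key]["comms"].add(m["comm"])
    return dict(groups)

if __name__ == "__main__":
    result = triage(SAMPLE.splitlines(), POLICY_UPGRADED)
    for (src, tgt, cls, perms), info in sorted(result.items()):
        print(f"{src} -> {tgt}:{cls} {{ {perms} }} x{info['count']} comm={sorted(info['comms'])}")
```
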

bojan commented & provided feedback a year ago

Still some gnome-shell related denials, but no worse than before.

zpytela commented & provided feedback a year ago

@bojan: I am aware there are still some outstanding bugs related to gnome and ibus. @generalprobe: it is an accidental result of fixes for sleep and tlp, will be resolved in the bz you created.

generalprobe commented & provided feedback a year ago

@zpytela thank you for the info, then I will change to thumbs up

This update can be pushed to stable now if the maintainer wishes

a year ago
ersen provided feedback a year ago
oturpe provided feedback a year ago
BZ#1952163 SELinux is preventing systemd-coredum from 'getattr' accesses on the file file.
mharpau provided feedback a year ago
renault commented & provided feedback a year ago

No regressions found

pwalter commented & provided feedback a year ago

Works

lruzicka commented & provided feedback a year ago

No problems experienced so far.

zpytela commented & provided feedback a year ago

Pushing to stable based on prevailing positive feedback, thanks everybody for testing.

This update has been submitted for stable by zpytela.

a year ago

This update has been pushed to stable.

a year ago


Metadata
Type: bugfix
Severity: medium
Karma: 9
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -3
Stable by Karma: disabled
Stable by Time: disabled
Dates
submitted: a year ago
in testing: a year ago
in stable: a year ago
BZ#1767745 Confined users trigger AVC denial when screen accesses wtmp
0
0
BZ#1948222 SELinux is preventing /opt/google/chrome-unstable/chrome from 'watch' accesses on the directory /proc/<pid>.
0
0
BZ#1949315 SELinux is preventing systemd-timesyn from watch access on the directory /.
0
0
BZ#1949785 SELinux is preventing dbus-daemon from 'read' accesses on the lnk_file /var/lib/flatpak/exports/share/dbus-1/services/org.gnome.GTG.service.
0
0
BZ#1952163 SELinux is preventing systemd-coredum from 'getattr' accesses on the file file.
0
1