stable

FEDORA-2022-148223ef3b created by zpytela 3 months ago for Fedora 36

New F36 selinux-policy build

How to install

sudo dnf upgrade --refresh --advisory=FEDORA-2022-148223ef3b

This update has been submitted for testing by zpytela.

3 months ago

This update's test gating status has been changed to 'waiting'.

3 months ago

This update's test gating status has been changed to 'passed'.

3 months ago

This update has been pushed to testing.

3 months ago
roshanshariff commented & provided feedback 3 months ago

Works for me and fixes problem with systemd-run.

BZ#1980241 systemd-run --shell denied by selinux
nixuser commented & provided feedback 3 months ago

Seems to be working and it has fixed BZ#2063483 that happened on every login to cinnamon.

BZ#2063483 SELinux is preventing blueman-mechani from 'write' accesses on the file /memfd:libffi (deleted).

This update can be pushed to stable now if the maintainer wishes

3 months ago
gtwilliams commented & provided feedback 3 months ago

SELinux is preventing systemctl from read access on the file labeled init_t. at boot time after upgrade. Journal has dozens of AVCs on systemctl.

type=AVC msg=audit(1653078042.660:584): avc: denied { read } for pid=2859 comm="systemctl" scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

3 months ago
mhayden commented & provided feedback 3 months ago

Working fine.

filiperosset commented & provided feedback 3 months ago

no regressions noted

zpytela commented & provided feedback 3 months ago

@gtwilliams do you know which plugin triggers this denial?

I assume only the AVCs are audited and there is no functional problem, since there is "permissive=1", which does not prevent any action from continuing.

zpytela commented & provided feedback 3 months ago

This update makes the custom nm-dispatcher plugins run in a permissive domain, which means denials are logged, but allowed. I believe there is no regression in the plugins' functionality.

gtwilliams commented & provided feedback 3 months ago

I don't know what plugin is causing the AVCs, but I see the same ones that Kamil reported. I never saw the AVCs reported before the F36 update, so I would agree there is a regression.

bojan commented & provided feedback 3 months ago

Works.

zpytela commented & provided feedback 3 months ago

This update has improvements for known nm-dispatcher plugins and it makes custom plugins run in a permissive domain, i.e. all actions are allowed, but at the same time audited. I can't see any regression here, at least in functionality. I agree the audited denials and sealert messages may be annoying, but it helps to catch the required permissions which will be fixed in the next build.

zpytela commented & provided feedback 3 months ago

Pushing to stable due to prevailing positive feedback.

This update has been submitted for stable by zpytela.

3 months ago

This update has been pushed to stable.

3 months ago
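
The distinction drawn in the thread above, that denials from a permissive domain are audited but not enforced, can be read from the `permissive=` field of each AVC record. The following is an added example, not part of the original page or of selinux-policy; the second sample record and its `example_t` domain are constructed, and treating a missing `permissive=` field as blocked is an assumption.

```python
import re
from collections import Counter

# First record is the one quoted in the thread; the second is constructed
# (hypothetical domain example_t, permissive=0) for contrast.
SAMPLE = '''\
type=AVC msg=audit(1653078042.660:584): avc: denied { read } for pid=2859 comm="systemctl" scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
type=AVC msg=audit(1653078050.100:601): avc: denied { read write } for pid=3001 comm="example" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('rest')))
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    return {
        'perms': tuple(m.group('perms').split()),
        'comm': fields.get('comm', '').strip('"'),
        # Contexts are user:role:type:level; index 2 is the type (domain).
        'source': fields['scontext'].split(':')[2],
        'target': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        # permissive=1: logged but allowed. Absent field is counted as
        # blocked here (conservative assumption).
        'blocked': fields.get('permissive', '0') != '1',
    }

def triage(text):
    """Split denials into (logged_only, blocked) counters keyed by rule."""
    logged_only, blocked = Counter(), Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec['source'], rec['target'], rec['tclass'], rec['perms'])
        (blocked if rec['blocked'] else logged_only)[key] += 1
    return logged_only, blocked

if __name__ == '__main__':
    logged_only, blocked = triage(SAMPLE)
    for label, counts in (('logged only', logged_only), ('blocked', blocked)):
        for (src, tgt, cls, perms), n in counts.items():
            print(f'{label}: {src} -> {tgt}:{cls} {{ {" ".join(perms)} }} x{n}')
```

Records in the "logged only" group show which permissions a domain still lacks in policy, while only the "blocked" group points to access that was actually refused.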


Metadata
Type: bugfix
Severity: medium
Karma: 5
Signed
Content Type: RPM
Test Gating

Settings
Unstable by Karma: -2
Stable by Karma: disabled
Stable by Time: disabled

Dates
submitted: 3 months ago
in testing: 3 months ago
in stable: 3 months ago

BZ#1980241 systemd-run --shell denied by selinux
0
1
BZ#2063483 SELinux is preventing blueman-mechani from 'write' accesses on the file /memfd:libffi (deleted).
0
1
BZ#2082547 selinux-policy-targeted post install script fails when NetworkManager is not installed
0
0
