obsolete

FEDORA-2022-320775eb9a created by zpytela 3 months ago for Fedora 36

New F36 selinux-policy build


This update has been submitted for testing by zpytela.

3 months ago

This update's test gating status has been changed to 'waiting'.

3 months ago

This update has obsoleted selinux-policy-36.11-1.fc36, and has inherited its bugs and notes.

3 months ago

This update's test gating status has been changed to 'failed'.

3 months ago

This update's test gating status has been changed to 'passed'.

3 months ago

This update has been pushed to testing.

3 months ago
bojan commented & provided feedback 3 months ago

Works.

andilinux commented & provided feedback 3 months ago

works

This update can be pushed to stable now if the maintainer wishes

3 months ago

drepetto commented & provided feedback 3 months ago

Works for me.

drepetto provided feedback 3 months ago

martinpitt commented & provided feedback 3 months ago

See here: https://github.com/cockpit-project/bots/pull/3627 Lots of tests fail with:

audit: type=1400 audit(2114380829.764:191): avc:  denied  { search } for  pid=813 comm="mv" name="contexts" dev="vda5" ino=16829 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=dir permissive=0
audit: type=1400 audit(2114380829.770:192): avc:  denied  { sys_admin } for  pid=813 comm="mv" capability=21  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0
audit: type=1400 audit(2114380829.770:193): avc:  denied  { sys_admin } for  pid=813 comm="mv" capability=21  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0

NetworkManager did not change in this image, just

  • selinux-policy (36.11-1.fc36 -> 36.12-1.fc36)
  • kernel-core (5.18.10-200.fc36 -> 5.18.11-200.fc36)

and some others which sound less relevant.

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

3 months ago
geraldosimiao commented & provided feedback 3 months ago

no problems here

dustymabe commented & provided feedback 3 months ago

This does appear to fix BZ#2080043. I do see some other denials, though (as @martinpitt mentioned):

$ sudo journalctl | grep -i avc 
Jul 19 19:28:40 cosa-devsh audit[1556]: AVC avc:  denied  { sys_admin } for  pid=1556 comm="mv" capability=21  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0
Jul 19 19:28:40 cosa-devsh audit[1556]: AVC avc:  denied  { sys_admin } for  pid=1556 comm="mv" capability=21  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0

They don't seem to be harming my system.

BZ#2080043 NetworkManager dispatcher script unable to write /etc issue due to SELinux
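As an added example (not part of the update, the policy package or any commenter's post), a small Python parser for the AVC records quoted in this thread: it accepts the kernel `audit: type=1400` form, the journalctl `AVC avc:` form and the systemd userspace `selinux: avc:` form, and counts enforced denials (permissive=0) by source domain type, object class and permission. The sample log is constructed from the lines quoted above.

```python
import re
from collections import Counter

# Constructed sample: the AVC records quoted in the comments above,
# in the three textual forms they appear in (kernel, journalctl, systemd).
SAMPLE_LOG = """\
audit: type=1400 audit(2114380829.764:191): avc:  denied  { search } for  pid=813 comm="mv" name="contexts" dev="vda5" ino=16829 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=dir permissive=0
audit: type=1400 audit(2114380829.770:192): avc:  denied  { sys_admin } for  pid=813 comm="mv" capability=21  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0
Jul 19 19:28:40 cosa-devsh audit[1556]: AVC avc:  denied  { sys_admin } for  pid=1556 comm="mv" capability=21  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0
systemd[1655]: selinux: avc:  denied  { status } for auid=1000 uid=1000 gid=1000 path="/proc/self/mountinfo" cmdline="/usr/bin/gnome-shell" function="mac_selinux_filter" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=service permissive=0
"""

# "avc:  denied  { perm1 perm2 } for  key=value ..." (result, permission set, rest)
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
# key=value tokens; quoted values may contain spaces, unquoted ones may not
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict describing one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # A context is user:role:type:range; the type (third field) is what a
    # policy author or incident responder usually keys on.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec

def summarize(log):
    """Count denials that were actually enforced (permissive=0),
    keyed by (source domain type, object class, permission)."""
    counts = Counter()
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied" and rec.get("permissive") == "0":
            for perm in rec["perms"]:
                counts[(rec["scontext_type"], rec["tclass"], perm)] += 1
    return counts

if __name__ == "__main__":
    for (stype, tclass, perm), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}  {stype}  {tclass}:{perm}")
```

Run against a real `journalctl -k` or `ausearch -m avc` dump, the same summary shows which domains are still hitting enforced denials after a policy update.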
kparal commented & provided feedback 3 months ago

I see:

systemd[1655]: selinux: avc:  denied  { status } for auid=1000 uid=1000 gid=1000 path="/proc/self/mountinfo" cmdline="/usr/bin/gnome-shell" function="mac_selinux_filter" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=service permissive=0

repeated in journal over and over again. Quite interestingly, it's not shown in "selinux alert browser".

rakuco commented & provided feedback 3 months ago

BZ#2092808 seems to have been fixed. The first connection to the VPN causes winbind to go offline for some reason, but I don't think it's related to SELinux.

BZ#2092808 selinux-policy prevents 30-winbind from invoking smbcontrol and testparam

no issues

filiperosset commented & provided feedback 3 months ago

no regressions noted

mhayden commented & provided feedback 3 months ago

No issues noted here on server/desktop

zpytela commented & provided feedback 3 months ago

@dustymabe I think https://github.com/coreos/console-login-helper-messages/pull/110 needs to be backported to F36; will it be? @martinpitt did you notice any actual failure apart from the AVCs? @kparal do you happen to know how this denial is triggered? This one definitely is new, but likely a result of updating other packages. I don't think this build brings any regression.

martinpitt commented & provided feedback 3 months ago

@zpytela: No, the tests themselves were okay. Just the many avcs.

kparal commented & provided feedback 3 months ago

This update has been obsoleted by selinux-policy-36.13-3.fc36.

2 months ago

Metadata
Type: bugfix
Severity: medium
Karma: 6
Signed
Content Type: RPM
Test Gating

Settings
Unstable by Karma: -2
Stable by Karma: disabled
Stable by Time: disabled

Dates
submitted: 3 months ago
in testing: 3 months ago

BZ#2080043 NetworkManager dispatcher script unable to write /etc issue due to SELinux
0
1
BZ#2082547 selinux-policy-targeted post install script fails when NetworkManager is not installed
0
0
BZ#2083511 samba-dcerpcd and samba rpcd programs need selinux-policy permissions
0
0
BZ#2091417 SELinux is preventing ksmctl from 'add_name' accesses on the cartella run.
0
0
BZ#2092808 selinux-policy prevents 30-winbind from invoking smbcontrol and testparam
0
1
BZ#2093155 SELinux is preventing logger from 'create' accesses on the unix_dgram_socket labeled NetworkManager_dispatcher_custom_t.
0
0
BZ#2093285 SELinux is preventing /usr/bin/bash from 'getattr' accesses on the file /run/ddclient/ddclient.pid.
0
0
BZ#2101062 firewalld was denied reading /sys/devices/system/cpu/possible when booting or restarting firewalld
0
0
BZ#2106006 selinux-policy AVC during ipa trust-add
0
0
