{"update": {"autokarma": false, "autotime": false, "stable_karma": 5, "stable_days": 14, "unstable_karma": -2, "require_bugs": true, "require_testcases": true, "display_name": "", "notes": "New F36 selinux-policy build\n\n----\n\nNew F36 selinux-policy build", "type": "bugfix", "status": "obsolete", "request": null, "severity": "medium", "suggest": "unspecified", "locked": false, "pushed": false, "critpath": true, "critpath_groups": null, "close_bugs": true, "date_submitted": "2022-07-15 14:42:06", "date_modified": null, "date_approved": null, "date_testing": "2022-07-16 01:11:53", "date_stable": null, "alias": "FEDORA-2022-320775eb9a", "test_gating_status": "passed", "from_tag": null, "date_pushed": "2022-07-16 01:11:53", "meets_testing_requirements": true, "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2022-320775eb9a", "title": "selinux-policy-36.12-1.fc36", "version_hash": "90eb395ba0269ee3fc257f1f9d56903f26fd1209", "release": {"name": "F36", "long_name": "Fedora 36", "version": "36", "id_prefix": "FEDORA", "branch": "f36", "dist_tag": "f36", "stable_tag": "f36-updates", "testing_tag": "f36-updates-testing", "candidate_tag": "f36-updates-candidate", "pending_signing_tag": "f36-signing-pending", "pending_testing_tag": "f36-updates-testing-pending", "pending_stable_tag": "f36-updates-pending", "override_tag": "f36-override", "mail_template": "fedora_errata_template", "state": "archived", "composed_by_bodhi": true, "create_automatic_updates": false, "package_manager": "dnf", "testing_repository": "updates-testing", "released_on": null, "eol": "2023-05-16", "critpath_mandatory_days_in_testing": 14, "mandatory_days_in_testing": 7, "critpath_min_karma": 2, "min_karma": 1, "setting_status": null}, "user": {"name": "zpytela", "email": "zpytela@redhat.com", "id": 5290, "avatar": "https://seccdn.libravatar.org/avatar/f5f39686c696f412e8ed564241807306fff38278b276da30a2d3c41583d69f2a?s=24&d=retro", "openid": "zpytela.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}]}, "comments": [{"karma": 0, "karma_critpath": 0, "text": "This update has been submitted for testing by zpytela. ", "timestamp": "2022-07-15 14:42:07", "update_id": 426909, "user_id": 91, "id": 2618900, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update's test gating status has been changed to 'waiting'.", "timestamp": "2022-07-15 14:42:08", "update_id": 426909, "user_id": 91, "id": 2618901, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has obsoleted [selinux-policy-36.11-1.fc36](https://bodhi.fedoraproject.org/updates/FEDORA-2022-fd22b79a84), and has inherited its bugs and notes.", "timestamp": "2022-07-15 14:42:10", "update_id": 426909, "user_id": 91, "id": 2618903, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update's test gating status has been changed to 'failed'.", "timestamp": "2022-07-15 16:58:08", "update_id": 426909, "user_id": 91, "id": 2618991, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update's test gating status has been changed to 'passed'.", "timestamp": "2022-07-15 17:59:45", "update_id": 426909, "user_id": 91, "id": 2619033, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been pushed to testing.", "timestamp": "2022-07-16 01:13:10", "update_id": 426909, "user_id": 91, "id": 2619230, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 1, "karma_critpath": 0, "text": "Works.", "timestamp": "2022-07-16 04:12:20", "update_id": 426909, "user_id": 198, "id": 2619442, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bojan", "email": "bojan@rexursive.com", "id": 198, "avatar": "https://seccdn.libravatar.org/avatar/adb4c3f28bd6969871988f992b1bf71e404f03e3570fbfa0fc9bd7d0bf0003f8?s=24&d=retro", "openid": "bojan.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}]}}, {"karma": 1, "karma_critpath": 0, "text": "works", "timestamp": "2022-07-16 09:34:48", "update_id": 426909, "user_id": 4598, "id": 2619716, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "andilinux", "email": "Kartz@gmx.net", "id": 4598, "avatar": "https://seccdn.libravatar.org/avatar/b820090b49856dc08f6ed6f3cd43f9d1920be6ee51f83ebb0b4f9904a7306f1a?s=24&d=retro", "openid": "andilinux.id.fedoraproject.org", "groups": [{"name": "qa"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "fedora-join"}, {"name": "ask-fedora"}]}}, {"karma": 0, "karma_critpath": 0, "text": "This update can be pushed to stable now if the maintainer wishes", "timestamp": "2022-07-16 09:37:03", "update_id": 426909, "user_id": 91, "id": 2619739, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 1, "karma_critpath": 0, "text": "works", "timestamp": "2022-07-16 09:41:59", "update_id": 426909, "user_id": 4598, "id": 2619761, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "andilinux", "email": "Kartz@gmx.net", "id": 4598, "avatar": "https://seccdn.libravatar.org/avatar/b820090b49856dc08f6ed6f3cd43f9d1920be6ee51f83ebb0b4f9904a7306f1a?s=24&d=retro", "openid": "andilinux.id.fedoraproject.org", "groups": [{"name": "qa"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "fedora-join"}, {"name": "ask-fedora"}]}}, {"karma": 1, "karma_critpath": 0, "text": "works", "timestamp": "2022-07-16 09:45:34", "update_id": 426909, "user_id": 4598, "id": 2619786, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "andilinux", "email": "Kartz@gmx.net", "id": 4598, "avatar": "https://seccdn.libravatar.org/avatar/b820090b49856dc08f6ed6f3cd43f9d1920be6ee51f83ebb0b4f9904a7306f1a?s=24&d=retro", "openid": "andilinux.id.fedoraproject.org", "groups": [{"name": "qa"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "fedora-join"}, {"name": "ask-fedora"}]}}, {"karma": 0, "karma_critpath": 0, "text": "Works for me.", "timestamp": "2022-07-17 14:26:20", "update_id": 426909, "user_id": 1582, "id": 2621102, "bug_feedback": [{"karma": 0, "comment_id": 2621102, "bug_id": 2080043, "bug": {"bug_id": 2080043, "title": "NetworkManager dispatcher script unable to write /etc issue due to SELinux", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2621102, "bug_id": 2082547, "bug": {"bug_id": 2082547, "title": "selinux-policy-targeted post install script fails when NetworkManager is not installed", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2621102, "bug_id": 2083511, "bug": {"bug_id": 2083511, "title": "samba-dcerpcd and samba rpcd programs need selinux-policy permissions", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2621102, "bug_id": 2091417, "bug": {"bug_id": 2091417, "title": "SELinux is preventing ksmctl from 'add_name' accesses on the cartella run.", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2621102, "bug_id": 2092808, "bug": {"bug_id": 2092808, "title": "selinux-policy prevents 30-winbind from invoking smbcontrol and testparam", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2621102, "bug_id": 2093155, "bug": {"bug_id": 2093155, "title": "SELinux is preventing logger from 'create' accesses on the unix_dgram_socket labeled NetworkManager_dispatcher_custom_t.", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2621102, "bug_id": 2093285, "bug": {"bug_id": 2093285, "title": "SELinux is preventing /usr/bin/bash from 'getattr' accesses on the file /run/ddclient/ddclient.pid.", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2621102, "bug_id": 2101062, "bug": {"bug_id": 2101062, "title": "firewalld was denied reading /sys/devices/system/cpu/possible when booting or restarting firewalld", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2621102, "bug_id": 2106006, "bug": {"bug_id": 2106006, "title": "selinux-policy AVC during ipa trust-add", "security": false, "parent": false}}], "testcase_feedback": [], "user": {"name": "drepetto", "email": "drepetto@fedoraproject.org", "id": 1582, "avatar": "https://seccdn.libravatar.org/avatar/2684d7c401ddf615a3d154e0ee3662e8611df4825c112a7e264fcddde7b6f93a?s=24&d=retro", "openid": "drepetto.id.fedoraproject.org", "groups": [{"name": "ipausers"}, {"name": "signed_fpca"}]}}, {"karma": 1, "karma_critpath": 0, "text": "", "timestamp": "2022-07-17 14:26:59", "update_id": 426909, "user_id": 1582, "id": 2621103, "bug_feedback": [{"karma": 0, "comment_id": 2621103, "bug_id": 2080043, "bug": {"bug_id": 2080043, "title": "NetworkManager dispatcher script unable to write /etc issue due to SELinux", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2621103, "bug_id": 2082547, "bug": {"bug_id": 2082547, "title": "selinux-policy-targeted post install script fails when NetworkManager is not installed", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2621103, "bug_id": 2083511, "bug": {"bug_id": 2083511, "title": "samba-dcerpcd and samba rpcd programs need selinux-policy permissions", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2621103, "bug_id": 2091417, "bug": {"bug_id": 2091417, "title": "SELinux is preventing ksmctl from 'add_name' accesses on the cartella run.", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2621103, "bug_id": 2092808, "bug": {"bug_id": 2092808, "title": "selinux-policy prevents 30-winbind from invoking smbcontrol and testparam", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2621103, "bug_id": 2093155, "bug": {"bug_id": 2093155, "title": "SELinux is preventing logger from 'create' accesses on the unix_dgram_socket labeled NetworkManager_dispatcher_custom_t.", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2621103, "bug_id": 2093285, "bug": {"bug_id": 2093285, "title": "SELinux is preventing /usr/bin/bash from 'getattr' accesses on the file /run/ddclient/ddclient.pid.", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2621103, "bug_id": 2101062, "bug": {"bug_id": 2101062, "title": "firewalld was denied reading /sys/devices/system/cpu/possible when booting or restarting firewalld", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2621103, "bug_id": 2106006, "bug": {"bug_id": 2106006, "title": "selinux-policy AVC during ipa trust-add", "security": false, "parent": false}}], "testcase_feedback": [], "user": {"name": "drepetto", "email": "drepetto@fedoraproject.org", "id": 1582, "avatar": "https://seccdn.libravatar.org/avatar/2684d7c401ddf615a3d154e0ee3662e8611df4825c112a7e264fcddde7b6f93a?s=24&d=retro", "openid": "drepetto.id.fedoraproject.org", "groups": [{"name": "ipausers"}, {"name": "signed_fpca"}]}}, {"karma": -1, "karma_critpath": 0, "text": "See here: https://github.com/cockpit-project/bots/pull/3627 Lots of tests fail with\n```\naudit: type=1400 audit(2114380829.764:191): avc:  denied  { search } for  pid=813 comm=\"mv\" name=\"contexts\" dev=\"vda5\" ino=16829 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=dir permissive=0\naudit: type=1400 audit(2114380829.770:192): avc:  denied  { sys_admin } for  pid=813 comm=\"mv\" capability=21  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0\naudit: type=1400 audit(2114380829.770:193): avc:  denied  { sys_admin } for  pid=813 comm=\"mv\" capability=21  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0\n```\n\nNetworkManager did *not* change in this image, just\n\n- selinux-policy (36.11-1.fc36 -> 36.12-1.fc36)\n- kernel-core (5.18.10-200.fc36 -> 5.18.11-200.fc36)\n\nand [some others](https://logs.cockpit-project.org/logs/image-refresh-3627-20220716-224141/log) which sound less relevant.\n", "timestamp": "2022-07-17 18:47:16", "update_id": 426909, "user_id": 3506, "id": 2621218, "bug_feedback": [{"karma": 0, "comment_id": 2621218, "bug_id": 2080043, "bug": {"bug_id": 2080043, "title": "NetworkManager dispatcher script unable to write /etc issue due to SELinux", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2621218, "bug_id": 2082547, "bug": {"bug_id": 2082547, "title": "selinux-policy-targeted post install script fails when NetworkManager is not installed", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2621218, "bug_id": 2083511, "bug": {"bug_id": 2083511, "title": "samba-dcerpcd and samba rpcd programs need selinux-policy permissions", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2621218, "bug_id": 2091417, "bug": {"bug_id": 2091417, "title": "SELinux is preventing ksmctl from 'add_name' accesses on the cartella run.", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2621218, "bug_id": 2092808, "bug": {"bug_id": 2092808, "title": "selinux-policy prevents 30-winbind from invoking smbcontrol and testparam", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2621218, "bug_id": 2093155, "bug": {"bug_id": 2093155, "title": "SELinux is preventing logger from 'create' accesses on the unix_dgram_socket labeled NetworkManager_dispatcher_custom_t.", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2621218, "bug_id": 2093285, "bug": {"bug_id": 2093285, "title": "SELinux is preventing /usr/bin/bash from 'getattr' accesses on the file /run/ddclient/ddclient.pid.", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2621218, "bug_id": 2101062, "bug": {"bug_id": 2101062, "title": "firewalld was denied reading /sys/devices/system/cpu/possible when booting or restarting firewalld", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2621218, "bug_id": 2106006, "bug": {"bug_id": 2106006, "title": "selinux-policy AVC during ipa trust-add", "security": false, "parent": false}}], "testcase_feedback": [], "user": {"name": "martinpitt", "email": "mpitt@redhat.com", "id": 3506, "avatar": "https://seccdn.libravatar.org/avatar/a6a00790fadaca10623f4464437e482d4ec110fe331397506ea9fe2664bec740?s=24&d=retro", "openid": "martinpitt.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "cockpitteam"}, {"name": "ocp-cico-cockpit"}]}}, {"karma": 0, "karma_critpath": 0, "text": "Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.", "timestamp": "2022-07-17 18:47:16", "update_id": 426909, "user_id": 91, "id": 2621219, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 1, "karma_critpath": 0, "text": "no problems here", "timestamp": "2022-07-19 05:16:49", "update_id": 426909, "user_id": 5881, "id": 2623810, "bug_feedback": [{"karma": 0, "comment_id": 2623810, "bug_id": 2080043, "bug": {"bug_id": 2080043, "title": "NetworkManager dispatcher script unable to write /etc issue due to SELinux", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2623810, "bug_id": 2082547, "bug": {"bug_id": 2082547, "title": "selinux-policy-targeted post install script fails when NetworkManager is not installed", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2623810, "bug_id": 2083511, "bug": {"bug_id": 2083511, "title": "samba-dcerpcd and samba rpcd programs need selinux-policy permissions", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2623810, "bug_id": 2091417, "bug": {"bug_id": 2091417, "title": "SELinux is preventing ksmctl from 'add_name' accesses on the cartella run.", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2623810, "bug_id": 2092808, "bug": {"bug_id": 2092808, "title": "selinux-policy prevents 30-winbind from invoking smbcontrol and testparam", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2623810, "bug_id": 2093155, "bug": {"bug_id": 2093155, "title": "SELinux is preventing logger from 'create' accesses on the unix_dgram_socket labeled NetworkManager_dispatcher_custom_t.", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2623810, "bug_id": 2093285, "bug": {"bug_id": 2093285, "title": "SELinux is preventing /usr/bin/bash from 'getattr' accesses on the file /run/ddclient/ddclient.pid.", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2623810, "bug_id": 2101062, "bug": {"bug_id": 2101062, "title": "firewalld was denied reading /sys/devices/system/cpu/possible when booting or restarting firewalld", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2623810, "bug_id": 2106006, "bug": {"bug_id": 2106006, "title": "selinux-policy AVC during ipa trust-add", "security": false, "parent": false}}], "testcase_feedback": [], "user": {"name": "geraldosimiao", "email": "geraldo.simiao.kutz@gmail.com", "id": 5881, "avatar": "https://seccdn.libravatar.org/avatar/03fa5b58e8ac78544bf41ad8ecf9ee1920f2ebedb86542c2f4cdf7ef15813168?s=24&d=retro", "openid": "geraldosimiao.id.fedoraproject.org", "groups": [{"name": "qa"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "ambassadors"}, {"name": "fedora-br"}, {"name": "advocates"}, {"name": "respins-sig"}]}}, {"karma": 0, "karma_critpath": 0, "text": "This does appear to fix BZ#2080043. I do see some other denials, though (as @martinpitt mentioned): \n\n```\n$ sudo journalctl | grep -i avc \nJul 19 19:28:40 cosa-devsh audit[1556]: AVC avc:  denied  { sys_admin } for  pid=1556 comm=\"mv\" capability=21  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0\nJul 19 19:28:40 cosa-devsh audit[1556]: AVC avc:  denied  { sys_admin } for  pid=1556 comm=\"mv\" capability=21  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0\n```\n\nThey don't seem to be harming my system. ", "timestamp": "2022-07-19 19:33:30", "update_id": 426909, "user_id": 659, "id": 2625365, "bug_feedback": [{"karma": 1, "comment_id": 2625365, "bug_id": 2080043, "bug": {"bug_id": 2080043, "title": "NetworkManager dispatcher script unable to write /etc issue due to SELinux", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2625365, "bug_id": 2082547, "bug": {"bug_id": 2082547, "title": "selinux-policy-targeted post install script fails when NetworkManager is not installed", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2625365, "bug_id": 2083511, "bug": {"bug_id": 2083511, "title": "samba-dcerpcd and samba rpcd programs need selinux-policy permissions", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2625365, "bug_id": 2091417, "bug": {"bug_id": 2091417, "title": "SELinux is preventing ksmctl from 'add_name' accesses on the cartella run.", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2625365, "bug_id": 2092808, "bug": {"bug_id": 2092808, "title": "selinux-policy prevents 30-winbind from invoking smbcontrol and testparam", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2625365, "bug_id": 2093155, "bug": {"bug_id": 2093155, "title": "SELinux is preventing logger from 'create' accesses on the unix_dgram_socket labeled NetworkManager_dispatcher_custom_t.", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2625365, "bug_id": 2093285, "bug": {"bug_id": 2093285, "title": "SELinux is preventing /usr/bin/bash from 'getattr' accesses on the file /run/ddclient/ddclient.pid.", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2625365, "bug_id": 2101062, "bug": {"bug_id": 2101062, "title": "firewalld was denied reading /sys/devices/system/cpu/possible when booting or restarting firewalld", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2625365, "bug_id": 2106006, "bug": {"bug_id": 2106006, "title": "selinux-policy AVC during ipa trust-add", "security": false, "parent": false}}], "testcase_feedback": [], "user": {"name": "dustymabe", "email": "dusty@dustymabe.com", "id": 659, "avatar": "https://seccdn.libravatar.org/avatar/9ec855a28fe61a7fe3d6788882c87ee4c95b38da423234fbb70673a977552c4c?s=24&d=retro", "openid": "dustymabe.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "sysadmin-badges"}, {"name": "aws"}, {"name": "qa-beaker-user"}, {"name": "gitfedora-web"}, {"name": "centosproject-email-aliases"}, {"name": "fi-apprentice"}, {"name": "sysadmin-veteran"}, {"name": "web"}, {"name": "sig-paas"}, {"name": "atomic-wg"}, {"name": "qa"}, {"name": "fedorabugs"}, {"name": "msftazure"}, {"name": "pungi-devel"}, {"name": "qa-automation-shell"}, {"name": "sysadmin-fedimg"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "coreos"}, {"name": "sysadmin"}, {"name": "communishift"}, {"name": "aws-fcos-mgmt"}, {"name": "sysadmin-bodhi"}, {"name": "sysadmin-releng"}, {"name": "sysadmin-coreos"}, {"name": "ipausers"}, {"name": "ibmcloud"}, {"name": "discussion-mods-project"}, {"name": "discussion-mods-ask"}, {"name": "hetznercloud"}, {"name": "trust admins"}, {"name": "coreos-sig"}]}}, {"karma": 0, "karma_critpath": 0, "text": "I see:\n```\nsystemd[1655]: selinux: avc:  denied  { status } for auid=1000 uid=1000 gid=1000 path=\"/proc/self/mountinfo\" cmdline=\"/usr/bin/gnome-shell\" function=\"mac_selinux_filter\" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=service permissive=0\n```\nrepeated in journal over and over again. Quite interestingly, it's not shown in \"selinux alert browser\".", "timestamp": "2022-07-20 07:30:55", "update_id": 426909, "user_id": 411, "id": 2626048, "bug_feedback": [{"karma": 0, "comment_id": 2626048, "bug_id": 2080043, "bug": {"bug_id": 2080043, "title": "NetworkManager dispatcher script unable to write /etc issue due to SELinux", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2626048, "bug_id": 2082547, "bug": {"bug_id": 2082547, "title": "selinux-policy-targeted post install script fails when NetworkManager is not installed", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2626048, "bug_id": 2083511, "bug": {"bug_id": 2083511, "title": "samba-dcerpcd and samba rpcd programs need selinux-policy permissions", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2626048, "bug_id": 2091417, "bug": {"bug_id": 2091417, "title": "SELinux is preventing ksmctl from 'add_name' accesses on the cartella run.", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2626048, "bug_id": 2092808, "bug": {"bug_id": 2092808, "title": "selinux-policy prevents 30-winbind from invoking smbcontrol and testparam", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2626048, "bug_id": 2093155, "bug": {"bug_id": 2093155, "title": "SELinux is preventing logger from 'create' accesses on the unix_dgram_socket labeled NetworkManager_dispatcher_custom_t.", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2626048, "bug_id": 2093285, "bug": {"bug_id": 2093285, "title": "SELinux is preventing /usr/bin/bash from 'getattr' accesses on the file /run/ddclient/ddclient.pid.", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2626048, "bug_id": 2101062, "bug": {"bug_id": 2101062, "title": "firewalld was denied reading /sys/devices/system/cpu/possible when booting or restarting firewalld", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2626048, "bug_id": 2106006, "bug": {"bug_id": 2106006, "title": "selinux-policy AVC during ipa trust-add", "security": false, "parent": false}}], "testcase_feedback": [], "user": {"name": "kparal", "email": "kparal@redhat.com", "id": 411, "avatar": "https://seccdn.libravatar.org/avatar/5da027c64997c654044c3d0fdefea4cde1b5cea73f8ecfca77af48e2ba5ed772?s=24&d=retro", "openid": "kparal.id.fedoraproject.org", "groups": [{"name": "qa-tools-sig"}, {"name": "proventesters"}, {"name": "qa"}, {"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "qa-admin"}]}}, {"karma": 1, "karma_critpath": 0, "text": "BZ#2092808 seems to have been fixed. The first connection to the VPN causes winbind to go offline for some reason, but I don't think it's related to SELinux.", "timestamp": "2022-07-21 12:58:44", "update_id": 426909, "user_id": 6865, "id": 2627353, "bug_feedback": [{"karma": 0, "comment_id": 2627353, "bug_id": 2080043, "bug": {"bug_id": 2080043, "title": "NetworkManager dispatcher script unable to write /etc issue due to SELinux", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2627353, "bug_id": 2082547, "bug": {"bug_id": 2082547, "title": "selinux-policy-targeted post install script fails when NetworkManager is not installed", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2627353, "bug_id": 2083511, "bug": {"bug_id": 2083511, "title": "samba-dcerpcd and samba rpcd programs need selinux-policy permissions", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2627353, "bug_id": 2091417, "bug": {"bug_id": 2091417, "title": "SELinux is preventing ksmctl from 'add_name' accesses on the cartella run.", "security": false, "parent": false}}, {"karma": 1, "comment_id": 2627353, "bug_id": 2092808, "bug": {"bug_id": 2092808, "title": "selinux-policy prevents 30-winbind from invoking smbcontrol and testparam", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2627353, "bug_id": 2093155, "bug": {"bug_id": 2093155, "title": "SELinux is preventing logger from 'create' accesses on the unix_dgram_socket labeled NetworkManager_dispatcher_custom_t.", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2627353, "bug_id": 2093285, "bug": {"bug_id": 2093285, "title": "SELinux is preventing /usr/bin/bash from 'getattr' accesses on the file /run/ddclient/ddclient.pid.", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2627353, "bug_id": 2101062, "bug": {"bug_id": 2101062, "title": "firewalld was denied reading /sys/devices/system/cpu/possible when booting or restarting firewalld", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2627353, "bug_id": 2106006, "bug": {"bug_id": 2106006, "title": "selinux-policy AVC during ipa trust-add", "security": false, "parent": false}}], "testcase_feedback": [], "user": {"name": "rakuco", "email": "raphael.kubo.da.costa@intel.com", "id": 6865, "avatar": "https://seccdn.libravatar.org/avatar/ef8a1b6db40d4057d6789aac352e9795b3951e5bc5a3aa895b2214cc05dcd579?s=24&d=retro", "openid": "rakuco.id.fedoraproject.org", "groups": [{"name": "ipausers"}]}}, {"karma": 0, "karma_critpath": 0, "text": "no issues", "timestamp": "2022-07-22 17:19:59", "update_id": 426909, "user_id": 3466, "id": 2628678, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "ciupicri", "email": "cristian.ciupitu@yahoo.com", "id": 3466, "avatar": "https://seccdn.libravatar.org/avatar/e758f9b2de796104e0bb56dcbf5ce785401039115f02139475c62f1a17e5cd7f?s=24&d=retro", "openid": "ciupicri.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "trust admins"}]}}, {"karma": 1, "karma_critpath": 0, "text": "no regressions noted", "timestamp": "2022-07-25 00:51:34", "update_id": 426909, "user_id": 124, "id": 2630547, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "filiperosset", "email": "rosset.filipe@gmail.com", "id": 124, "avatar": "https://seccdn.libravatar.org/avatar/f4394b8fb4c9a99c4b534dc724912fe75a5b87fe15048985ece8388c2441d0ca?s=24&d=retro", "openid": "filiperosset.id.fedoraproject.org", "groups": [{"name": "proventesters"}, {"name": "packager"}, {"name": "provenpackager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "ambassadors"}, {"name": "l10n"}, {"name": "cvsl10n"}, {"name": "fedora-br"}, {"name": "trust admins"}]}}, {"karma": 1, "karma_critpath": 0, "text": "No issues noted here on server/desktop", "timestamp": "2022-07-26 13:20:21", "update_id": 426909, "user_id": 536, "id": 2653353, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "mhayden", "email": "mhayden@redhat.com", "id": 536, "avatar": "https://seccdn.libravatar.org/avatar/9f9c7ca41ea68469600931af4193d0dc1dcb47d3cdbd481fa39fbaae417f4f2f?s=24&d=retro", "openid": "mhayden.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "ambassadors"}, {"name": "gitfedora-security-team"}, {"name": "aws-fedora-ci"}, {"name": "cloud-sig"}, {"name": "rhel-lightspeed"}]}}, {"karma": 0, "karma_critpath": 0, "text": "@dustymabe I think it is needed to backport https://github.com/coreos/console-login-helper-messages/pull/110 to F36, will it be?\n@martinpitt did you notice any actual failure apart from the avcs?\n@kparal do you happen to know how this denial is triggered? This one definitely is new, but likely a result of updating other packages.\nI don't think this build brings any regression.", "timestamp": "2022-07-28 09:10:49", "update_id": 426909, "user_id": 5290, "id": 2657330, "bug_feedback": [{"karma": 0, "comment_id": 2657330, "bug_id": 2080043, "bug": {"bug_id": 2080043, "title": "NetworkManager dispatcher script unable to write /etc issue due to SELinux", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2657330, "bug_id": 2082547, "bug": {"bug_id": 2082547, "title": "selinux-policy-targeted post install script fails when NetworkManager is not installed", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2657330, "bug_id": 2083511, "bug": {"bug_id": 2083511, "title": "samba-dcerpcd and samba rpcd programs need selinux-policy permissions", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2657330, "bug_id": 2091417, "bug": {"bug_id": 2091417, "title": "SELinux is preventing ksmctl from 'add_name' accesses on the cartella run.", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2657330, "bug_id": 2092808, "bug": {"bug_id": 2092808, "title": "selinux-policy prevents 30-winbind from invoking smbcontrol and testparam", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2657330, "bug_id": 2093155, "bug": {"bug_id": 2093155, "title": "SELinux is preventing logger from 'create' accesses on the unix_dgram_socket labeled NetworkManager_dispatcher_custom_t.", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2657330, "bug_id": 2093285, "bug": {"bug_id": 2093285, "title": "SELinux is preventing /usr/bin/bash from 'getattr' accesses on the file /run/ddclient/ddclient.pid.", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2657330, "bug_id": 2101062, "bug": {"bug_id": 2101062, "title": "firewalld was denied reading /sys/devices/system/cpu/possible when booting or restarting firewalld", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2657330, "bug_id": 2106006, "bug": {"bug_id": 2106006, "title": "selinux-policy AVC during ipa trust-add", "security": false, "parent": false}}], "testcase_feedback": [], "user": {"name": "zpytela", "email": "zpytela@redhat.com", "id": 5290, "avatar": "https://seccdn.libravatar.org/avatar/f5f39686c696f412e8ed564241807306fff38278b276da30a2d3c41583d69f2a?s=24&d=retro", "openid": "zpytela.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}]}}, {"karma": 0, "karma_critpath": 0, "text": "@zpytela: No, the tests themselves were okay. Just the many avcs.", "timestamp": "2022-07-28 09:21:00", "update_id": 426909, "user_id": 3506, "id": 2657331, "bug_feedback": [{"karma": 0, "comment_id": 2657331, "bug_id": 2080043, "bug": {"bug_id": 2080043, "title": "NetworkManager dispatcher script unable to write /etc issue due to SELinux", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2657331, "bug_id": 2082547, "bug": {"bug_id": 2082547, "title": "selinux-policy-targeted post install script fails when NetworkManager is not installed", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2657331, "bug_id": 2083511, "bug": {"bug_id": 2083511, "title": "samba-dcerpcd and samba rpcd programs need selinux-policy permissions", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2657331, "bug_id": 2091417, "bug": {"bug_id": 2091417, "title": "SELinux is preventing ksmctl from 'add_name' accesses on the cartella run.", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2657331, "bug_id": 2092808, "bug": {"bug_id": 2092808, "title": "selinux-policy prevents 30-winbind from invoking smbcontrol and testparam", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2657331, "bug_id": 2093155, "bug": {"bug_id": 2093155, "title": "SELinux is preventing logger from 'create' accesses on the unix_dgram_socket labeled NetworkManager_dispatcher_custom_t.", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2657331, "bug_id": 2093285, "bug": {"bug_id": 2093285, "title": "SELinux is preventing /usr/bin/bash from 'getattr' accesses on the file /run/ddclient/ddclient.pid.", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2657331, "bug_id": 2101062, "bug": {"bug_id": 2101062, "title": "firewalld was denied reading /sys/devices/system/cpu/possible when booting or restarting firewalld", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2657331, "bug_id": 2106006, "bug": {"bug_id": 2106006, "title": "selinux-policy AVC during ipa trust-add", "security": false, "parent": false}}], "testcase_feedback": [], "user": {"name": "martinpitt", "email": "mpitt@redhat.com", "id": 3506, "avatar": "https://seccdn.libravatar.org/avatar/a6a00790fadaca10623f4464437e482d4ec110fe331397506ea9fe2664bec740?s=24&d=retro", "openid": "martinpitt.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "cockpitteam"}, {"name": "ocp-cico-cockpit"}]}}, {"karma": 0, "karma_critpath": 0, "text": "@zpytela: I created https://bugzilla.redhat.com/show_bug.cgi?id=2111834 so we can discuss there.", "timestamp": "2022-07-28 09:33:05", "update_id": 426909, "user_id": 411, "id": 2657341, "bug_feedback": [{"karma": 0, "comment_id": 2657341, "bug_id": 2080043, "bug": {"bug_id": 2080043, "title": "NetworkManager dispatcher script unable to write /etc issue due to SELinux", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2657341, "bug_id": 2082547, "bug": {"bug_id": 2082547, "title": "selinux-policy-targeted post install script fails when NetworkManager is not installed", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2657341, "bug_id": 2083511, "bug": {"bug_id": 2083511, "title": "samba-dcerpcd and samba rpcd programs need selinux-policy permissions", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2657341, "bug_id": 2091417, "bug": {"bug_id": 2091417, "title": "SELinux is preventing ksmctl from 'add_name' accesses on the cartella run.", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2657341, "bug_id": 2092808, "bug": {"bug_id": 2092808, "title": "selinux-policy prevents 30-winbind from invoking smbcontrol and testparam", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2657341, "bug_id": 2093155, "bug": {"bug_id": 2093155, "title": "SELinux is preventing logger from 'create' accesses on the unix_dgram_socket labeled NetworkManager_dispatcher_custom_t.", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2657341, "bug_id": 2093285, "bug": {"bug_id": 2093285, "title": "SELinux is preventing /usr/bin/bash from 'getattr' accesses on the file /run/ddclient/ddclient.pid.", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2657341, "bug_id": 2101062, "bug": {"bug_id": 2101062, "title": "firewalld was denied reading /sys/devices/system/cpu/possible when booting or restarting firewalld", "security": false, "parent": false}}, {"karma": 0, "comment_id": 2657341, "bug_id": 2106006, "bug": {"bug_id": 2106006, "title": "selinux-policy AVC during ipa trust-add", "security": false, "parent": false}}], "testcase_feedback": [], "user": {"name": "kparal", "email": "kparal@redhat.com", "id": 411, "avatar": "https://seccdn.libravatar.org/avatar/5da027c64997c654044c3d0fdefea4cde1b5cea73f8ecfca77af48e2ba5ed772?s=24&d=retro", "openid": "kparal.id.fedoraproject.org", "groups": [{"name": "qa-tools-sig"}, {"name": "proventesters"}, {"name": "qa"}, {"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "qa-admin"}]}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been obsoleted by [selinux-policy-36.13-3.fc36](https://bodhi.fedoraproject.org/updates/FEDORA-2022-139ec288ca).", "timestamp": "2022-08-03 07:59:52", "update_id": 426909, "user_id": 91, "id": 2665828, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}], "builds": [{"nvr": "selinux-policy-36.12-1.fc36", "signed": true, "release_id": 56, "type": "rpm", "epoch": 0}], "bugs": [{"bug_id": 2080043, "title": "NetworkManager dispatcher script unable to write /etc issue due to SELinux", "security": false, "parent": false, "feedback": [{"karma": 0, "comment_id": 2621102, "bug_id": 2080043, "comment": {"karma": 0, "karma_critpath": 0, "text": "Works for me.", "timestamp": "2022-07-17 14:26:20", "update_id": 426909, "user_id": 1582, "id": 2621102, "testcase_feedback": [], "user": {"name": "drepetto", "email": "drepetto@fedoraproject.org", "id": 1582, "avatar": "https://seccdn.libravatar.org/avatar/2684d7c401ddf615a3d154e0ee3662e8611df4825c112a7e264fcddde7b6f93a?s=24&d=retro", "openid": "drepetto.id.fedoraproject.org", "groups": [{"name": "ipausers"}, {"name": "signed_fpca"}]}}}, {"karma": 0, "comment_id": 2621103, "bug_id": 2080043, "comment": {"karma": 1, "karma_critpath": 0, "text": "", "timestamp": "2022-07-17 14:26:59", "update_id": 426909, "user_id": 1582, "id": 2621103, "testcase_feedback": [], "user": {"name": "drepetto", "email": "drepetto@fedoraproject.org", "id": 1582, "avatar": "https://seccdn.libravatar.org/avatar/2684d7c401ddf615a3d154e0ee3662e8611df4825c112a7e264fcddde7b6f93a?s=24&d=retro", "openid": "drepetto.id.fedoraproject.org", "groups": [{"name": "ipausers"}, {"name": "signed_fpca"}]}}}, {"karma": 0, "comment_id": 2621218, "bug_id": 2080043, "comment": {"karma": -1, "karma_critpath": 0, "text": "See here: https://github.com/cockpit-project/bots/pull/3627 Lots of tests fail with\n```\naudit: type=1400 audit(2114380829.764:191): avc:  denied  { search } for  pid=813 comm=\"mv\" name=\"contexts\" dev=\"vda5\" ino=16829 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=dir permissive=0\naudit: type=1400 audit(2114380829.770:192): avc:  denied  { sys_admin } for  pid=813 comm=\"mv\" capability=21  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0\naudit: type=1400 audit(2114380829.770:193): avc:  denied  { sys_admin } for  pid=813 comm=\"mv\" capability=21  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0\n```\n\nNetworkManager did *not* change in this image, just\n\n- selinux-policy (36.11-1.fc36 -> 36.12-1.fc36)\n- kernel-core (5.18.10-200.fc36 -> 5.18.11-200.fc36)\n\nand [some others](https://logs.cockpit-project.org/logs/image-refresh-3627-20220716-224141/log) which sound less relevant.\n", "timestamp": "2022-07-17 18:47:16", "update_id": 426909, "user_id": 3506, "id": 2621218, "testcase_feedback": [], "user": {"name": "martinpitt", "email": "mpitt@redhat.com", "id": 3506, "avatar": "https://seccdn.libravatar.org/avatar/a6a00790fadaca10623f4464437e482d4ec110fe331397506ea9fe2664bec740?s=24&d=retro", "openid": "martinpitt.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "cockpitteam"}, {"name": "ocp-cico-cockpit"}]}}}, {"karma": 0, "comment_id": 2623810, "bug_id": 2080043, "comment": {"karma": 1, "karma_critpath": 0, "text": "no problems here", "timestamp": "2022-07-19 05:16:49", "update_id": 426909, "user_id": 5881, "id": 2623810, "testcase_feedback": [], "user": {"name": "geraldosimiao", "email": "geraldo.simiao.kutz@gmail.com", "id": 5881, "avatar": "https://seccdn.libravatar.org/avatar/03fa5b58e8ac78544bf41ad8ecf9ee1920f2ebedb86542c2f4cdf7ef15813168?s=24&d=retro", "openid": "geraldosimiao.id.fedoraproject.org", "groups": [{"name": "qa"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "ambassadors"}, {"name": "fedora-br"}, {"name": "advocates"}, {"name": "respins-sig"}]}}}, {"karma": 1, "comment_id": 2625365, "bug_id": 2080043, "comment": {"karma": 0, "karma_critpath": 0, "text": "This does appear to fix BZ#2080043. I do see some other denials, though (as @martinpitt mentioned): \n\n```\n$ sudo journalctl | grep -i avc \nJul 19 19:28:40 cosa-devsh audit[1556]: AVC avc:  denied  { sys_admin } for  pid=1556 comm=\"mv\" capability=21  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0\nJul 19 19:28:40 cosa-devsh audit[1556]: AVC avc:  denied  { sys_admin } for  pid=1556 comm=\"mv\" capability=21  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0\n```\n\nThey don't seem to be harming my system. ", "timestamp": "2022-07-19 19:33:30", "update_id": 426909, "user_id": 659, "id": 2625365, "testcase_feedback": [], "user": {"name": "dustymabe", "email": "dusty@dustymabe.com", "id": 659, "avatar": "https://seccdn.libravatar.org/avatar/9ec855a28fe61a7fe3d6788882c87ee4c95b38da423234fbb70673a977552c4c?s=24&d=retro", "openid": "dustymabe.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "sysadmin-badges"}, {"name": "aws"}, {"name": "qa-beaker-user"}, {"name": "gitfedora-web"}, {"name": "centosproject-email-aliases"}, {"name": "fi-apprentice"}, {"name": "sysadmin-veteran"}, {"name": "web"}, {"name": "sig-paas"}, {"name": "atomic-wg"}, {"name": "qa"}, {"name": "fedorabugs"}, {"name": "msftazure"}, {"name": "pungi-devel"}, {"name": "qa-automation-shell"}, {"name": "sysadmin-fedimg"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "coreos"}, {"name": "sysadmin"}, {"name": "communishift"}, {"name": "aws-fcos-mgmt"}, {"name": "sysadmin-bodhi"}, {"name": "sysadmin-releng"}, {"name": "sysadmin-coreos"}, {"name": "ipausers"}, {"name": "ibmcloud"}, {"name": "discussion-mods-project"}, {"name": "discussion-mods-ask"}, {"name": "hetznercloud"}, {"name": "trust admins"}, {"name": "coreos-sig"}]}}}, {"karma": 0, "comment_id": 2626048, "bug_id": 2080043, "comment": {"karma": 0, "karma_critpath": 0, "text": "I see:\n```\nsystemd[1655]: selinux: avc:  denied  { status } for auid=1000 uid=1000 gid=1000 path=\"/proc/self/mountinfo\" cmdline=\"/usr/bin/gnome-shell\" function=\"mac_selinux_filter\" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=service permissive=0\n```\nrepeated in journal over and over again. Quite interestingly, it's not shown in \"selinux alert browser\".", "timestamp": "2022-07-20 07:30:55", "update_id": 426909, "user_id": 411, "id": 2626048, "testcase_feedback": [], "user": {"name": "kparal", "email": "kparal@redhat.com", "id": 411, "avatar": "https://seccdn.libravatar.org/avatar/5da027c64997c654044c3d0fdefea4cde1b5cea73f8ecfca77af48e2ba5ed772?s=24&d=retro", "openid": "kparal.id.fedoraproject.org", "groups": [{"name": "qa-tools-sig"}, {"name": "proventesters"}, {"name": "qa"}, {"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "qa-admin"}]}}}, {"karma": 0, "comment_id": 2627353, "bug_id": 2080043, "comment": {"karma": 1, "karma_critpath": 0, "text": "BZ#2092808 seems to have been fixed. The first connection to the VPN causes winbind to go offline for some reason, but I don't think it's related to SELinux.", "timestamp": "2022-07-21 12:58:44", "update_id": 426909, "user_id": 6865, "id": 2627353, "testcase_feedback": [], "user": {"name": "rakuco", "email": "raphael.kubo.da.costa@intel.com", "id": 6865, "avatar": "https://seccdn.libravatar.org/avatar/ef8a1b6db40d4057d6789aac352e9795b3951e5bc5a3aa895b2214cc05dcd579?s=24&d=retro", "openid": "rakuco.id.fedoraproject.org", "groups": [{"name": "ipausers"}]}}}, {"karma": 0, "comment_id": 2657330, "bug_id": 2080043, "comment": {"karma": 0, "karma_critpath": 0, "text": "@dustymabe I think it is needed to backport https://github.com/coreos/console-login-helper-messages/pull/110 to F36, will it be?\n@martinpitt did you notice any actual failure apart from the avcs?\n@kparal do you happen to know how this denial is triggered? This one definitely is new, but likely a result of updating other packages.\nI don't think this build brings any regression.", "timestamp": "2022-07-28 09:10:49", "update_id": 426909, "user_id": 5290, "id": 2657330, "testcase_feedback": [], "user": {"name": "zpytela", "email": "zpytela@redhat.com", "id": 5290, "avatar": "https://seccdn.libravatar.org/avatar/f5f39686c696f412e8ed564241807306fff38278b276da30a2d3c41583d69f2a?s=24&d=retro", "openid": "zpytela.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}]}}}, {"karma": 0, "comment_id": 2657331, "bug_id": 2080043, "comment": {"karma": 0, "karma_critpath": 0, "text": "@zpytela: No, the tests themselves were okay. Just the many avcs.", "timestamp": "2022-07-28 09:21:00", "update_id": 426909, "user_id": 3506, "id": 2657331, "testcase_feedback": [], "user": {"name": "martinpitt", "email": "mpitt@redhat.com", "id": 3506, "avatar": "https://seccdn.libravatar.org/avatar/a6a00790fadaca10623f4464437e482d4ec110fe331397506ea9fe2664bec740?s=24&d=retro", "openid": "martinpitt.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "cockpitteam"}, {"name": "ocp-cico-cockpit"}]}}}, {"karma": 0, "comment_id": 2657341, "bug_id": 2080043, "comment": {"karma": 0, "karma_critpath": 0, "text": "@zpytela: I created https://bugzilla.redhat.com/show_bug.cgi?id=2111834 so we can discuss there.", "timestamp": "2022-07-28 09:33:05", "update_id": 426909, "user_id": 411, "id": 2657341, "testcase_feedback": [], "user": {"name": "kparal", "email": "kparal@redhat.com", "id": 411, "avatar": "https://seccdn.libravatar.org/avatar/5da027c64997c654044c3d0fdefea4cde1b5cea73f8ecfca77af48e2ba5ed772?s=24&d=retro", "openid": "kparal.id.fedoraproject.org", "groups": [{"name": "qa-tools-sig"}, {"name": "proventesters"}, {"name": "qa"}, {"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "qa-admin"}]}}}, {"karma": 0, "comment_id": 2667508, "bug_id": 2080043, "comment": {"karma": 1, "karma_critpath": 0, "text": "Works fine, and BZ#2092808 does seem to be fixed.", "timestamp": "2022-08-04 09:35:09", "update_id": 437222, "user_id": 6865, "id": 2667508, "testcase_feedback": [], "user": {"name": "rakuco", "email": "raphael.kubo.da.costa@intel.com", "id": 6865, "avatar": "https://seccdn.libravatar.org/avatar/ef8a1b6db40d4057d6789aac352e9795b3951e5bc5a3aa895b2214cc05dcd579?s=24&d=retro", "openid": "rakuco.id.fedoraproject.org", "groups": [{"name": "ipausers"}]}}}, {"karma": 0, "comment_id": 2668804, "bug_id": 2080043, "comment": {"karma": 1, "karma_critpath": 0, "text": "I tested this new version [with cockpit's tests](https://github.com/cockpit-project/bots/pull/3703). My [previously reported regression](https://bodhi.fedoraproject.org/updates/FEDORA-2022-320775eb9a#comment-2621218) (dispatcher denials for `mv`) does not happen any more. Thanks!", "timestamp": "2022-08-05 09:53:46", "update_id": 437222, "user_id": 3506, "id": 2668804, "testcase_feedback": [], "user": {"name": "martinpitt", "email": "mpitt@redhat.com", "id": 3506, "avatar": "https://seccdn.libravatar.org/avatar/a6a00790fadaca10623f4464437e482d4ec110fe331397506ea9fe2664bec740?s=24&d=retro", "openid": "martinpitt.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "cockpitteam"}, {"name": "ocp-cico-cockpit"}]}}}, {"karma": 0, "comment_id": 2727016, "bug_id": 2080043, "comment": {"karma": 0, "karma_critpath": 0, "text": "", "timestamp": "2022-09-23 10:50:59", "update_id": 447691, "user_id": 5528, "id": 2727016, "testcase_feedback": [], "user": {"name": "amore", "email": "amore@redhat.com", "id": 5528, "avatar": "https://seccdn.libravatar.org/avatar/f24806c28877e8efdcb5b3f53300eaf86e7ea985922fee5f22a9b927ce324bc0?s=24&d=retro", "openid": "amore.id.fedoraproject.org", "groups": [{"name": "ipausers"}, {"name": "signed_fpca"}]}}}]}, {"bug_id": 2082547, "title": "selinux-policy-targeted post install script fails when NetworkManager is not installed", "security": false, "parent": false, "feedback": [{"karma": 0, "comment_id": 2537441, "bug_id": 2082547, "comment": {"karma": 1, "karma_critpath": 0, "text": "Works for me and fixes problem with `systemd-run`.", "timestamp": "2022-05-20 07:51:30", "update_id": 406872, "user_id": 7056, "id": 2537441, "testcase_feedback": [], "user": {"name": "roshanshariff", "email": "roshan.shariff+fedora@gmail.com", "id": 7056, "avatar": "https://seccdn.libravatar.org/avatar/14a41f2b436bead91bebdd296267afc3fa5b5650064285c02f1dc4f1960702ee?s=24&d=retro", "openid": "roshanshariff.id.fedoraproject.org", "groups": [{"name": "ipausers"}]}}}, {"karma": 0, "comment_id": 2537452, "bug_id": 2082547, "comment": {"karma": 1, "karma_critpath": 0, "text": "Seems to be working and it has fixed BZ#2063483 that happened on every login to cinnamon.", "timestamp": "2022-05-20 08:05:51", "update_id": 406872, "user_id": 4756, "id": 2537452, "testcase_feedback": [], "user": {"name": "nixuser", "email": "nixuser@mail.com", "id": 4756, "avatar": "https://seccdn.libravatar.org/avatar/365861a25716b355bf17bd01d55d25c29e1d98a79e197ef46bd8cfafdd93c836?s=24&d=retro", "openid": "nixuser.id.fedoraproject.org", "groups": [{"name": "qa"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}]}}}, {"karma": 0, "comment_id": 2539226, "bug_id": 2082547, "comment": {"karma": 0, "karma_critpath": 0, "text": "@gtwilliams do you know which plugin triggers this denial?\n\nI assume there are only the AVCs audited and no functional problem since there is \"permissive=1\" which does not prevent from any action to continue.", "timestamp": "2022-05-23 08:05:31", "update_id": 406872, "user_id": 5290, "id": 2539226, "testcase_feedback": [], "user": {"name": "zpytela", "email": "zpytela@redhat.com", "id": 5290, "avatar": "https://seccdn.libravatar.org/avatar/f5f39686c696f412e8ed564241807306fff38278b276da30a2d3c41583d69f2a?s=24&d=retro", "openid": "zpytela.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}]}}}, {"karma": 0, "comment_id": 2539287, "bug_id": 2082547, "comment": {"karma": 0, "karma_critpath": 0, "text": "I think this update causes the following regressions:\n\nhttps://bugzilla.redhat.com/show_bug.cgi?id=2089170  \nhttps://bugzilla.redhat.com/show_bug.cgi?id=2089171  \nhttps://bugzilla.redhat.com/show_bug.cgi?id=2089172  \nhttps://bugzilla.redhat.com/show_bug.cgi?id=2089174  \nhttps://bugzilla.redhat.com/show_bug.cgi?id=2089175  \nhttps://bugzilla.redhat.com/show_bug.cgi?id=2089176  \nhttps://bugzilla.redhat.com/show_bug.cgi?id=2089177\n", "timestamp": "2022-05-23 09:27:18", "update_id": 406872, "user_id": 411, "id": 2539287, "testcase_feedback": [], "user": {"name": "kparal", "email": "kparal@redhat.com", "id": 411, "avatar": "https://seccdn.libravatar.org/avatar/5da027c64997c654044c3d0fdefea4cde1b5cea73f8ecfca77af48e2ba5ed772?s=24&d=retro", "openid": "kparal.id.fedoraproject.org", "groups": [{"name": "qa-tools-sig"}, {"name": "proventesters"}, {"name": "qa"}, {"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "qa-admin"}]}}}, {"karma": 0, "comment_id": 2539425, "bug_id": 2082547, "comment": {"karma": 0, "karma_critpath": 0, "text": "This update makes the custom nm-dispatcher plugins run in a permissive domain which means denials are logged, but allowed. I believe there is no regression in the plugins functionality.", "timestamp": "2022-05-23 11:50:07", "update_id": 406872, "user_id": 5290, "id": 2539425, "testcase_feedback": [], "user": {"name": "zpytela", "email": "zpytela@redhat.com", "id": 5290, "avatar": "https://seccdn.libravatar.org/avatar/f5f39686c696f412e8ed564241807306fff38278b276da30a2d3c41583d69f2a?s=24&d=retro", "openid": "zpytela.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}]}}}, {"karma": 0, "comment_id": 2539470, "bug_id": 2082547, "comment": {"karma": 0, "karma_critpath": 0, "text": "I don't know what plugin is causing the AVCs, but I see the same ones that Kamil reported.  I never saw the AVCs reported before the F36 update, so I would agree there is a regression.", "timestamp": "2022-05-23 13:47:41", "update_id": 406872, "user_id": 3146, "id": 2539470, "testcase_feedback": [], "user": {"name": "gtwilliams", "email": "gtwilliams@gmail.com", "id": 3146, "avatar": "https://seccdn.libravatar.org/avatar/df8b0216e18b4d2b90389265af68e4d4bf6a302e7d01e80c03af11d761afe7c9?s=24&d=retro", "openid": "gtwilliams.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}]}}}, {"karma": 0, "comment_id": 2546338, "bug_id": 2082547, "comment": {"karma": 0, "karma_critpath": 0, "text": "This update has improvements for known nm-dispatcher plugins and it makes custom plugins run in permissive domain, i. e. all actions are allowed, but at the same time audited. I can't see any regression here, at least in functionality. I agree the audited denials and sealert messages may be annoying, but it helps to catch the required permissions which will be fixed in the next build.", "timestamp": "2022-05-25 14:29:41", "update_id": 406872, "user_id": 5290, "id": 2546338, "testcase_feedback": [], "user": {"name": "zpytela", "email": "zpytela@redhat.com", "id": 5290, "avatar": "https://seccdn.libravatar.org/avatar/f5f39686c696f412e8ed564241807306fff38278b276da30a2d3c41583d69f2a?s=24&d=retro", "openid": "zpytela.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}]}}}, {"karma": 0, "comment_id": 2548619, "bug_id": 2082547, "comment": {"karma": 0, "karma_critpath": 0, "text": "Pushing to stable due to prevailing positive feedback.", "timestamp": "2022-05-27 16:35:36", "update_id": 406872, "user_id": 5290, "id": 2548619, "testcase_feedback": [], "user": {"name": "zpytela", "email": "zpytela@redhat.com", "id": 5290, "avatar": "https://seccdn.libravatar.org/avatar/f5f39686c696f412e8ed564241807306fff38278b276da30a2d3c41583d69f2a?s=24&d=retro", "openid": "zpytela.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}]}}}, {"karma": 0, "comment_id": 2600845, "bug_id": 2082547, "comment": {"karma": 1, "karma_critpath": 0, "text": "Works for me.\nI'm not 100% sure it fixes BZ#2093285, because that AVC presented itself only occasionally.\n\n", "timestamp": "2022-06-30 21:55:49", "update_id": 422899, "user_id": 1582, "id": 2600845, "testcase_feedback": [], "user": {"name": "drepetto", "email": "drepetto@fedoraproject.org", "id": 1582, "avatar": "https://seccdn.libravatar.org/avatar/2684d7c401ddf615a3d154e0ee3662e8611df4825c112a7e264fcddde7b6f93a?s=24&d=retro", "openid": "drepetto.id.fedoraproject.org", "groups": [{"name": "ipausers"}, {"name": "signed_fpca"}]}}}, {"karma": 0, "comment_id": 2602450, "bug_id": 2082547, "comment": {"karma": 0, "karma_critpath": 0, "text": "This does not fully fix BZ#2092808. Invoking smbcontrol works, but testparm is still returning an empty string.", "timestamp": "2022-07-01 08:03:48", "update_id": 422899, "user_id": 6865, "id": 2602450, "testcase_feedback": [], "user": {"name": "rakuco", "email": "raphael.kubo.da.costa@intel.com", "id": 6865, "avatar": "https://seccdn.libravatar.org/avatar/ef8a1b6db40d4057d6789aac352e9795b3951e5bc5a3aa895b2214cc05dcd579?s=24&d=retro", "openid": "rakuco.id.fedoraproject.org", "groups": [{"name": "ipausers"}]}}}, {"karma": 0, "comment_id": 2618899, "bug_id": 2082547, "comment": {"karma": 0, "karma_critpath": 0, "text": "Thanks everybody for the feedback, I am working on another build to replace this one.", "timestamp": "2022-07-15 14:39:55", "update_id": 422899, "user_id": 5290, "id": 2618899, "testcase_feedback": [], "user": {"name": "zpytela", "email": "zpytela@redhat.com", "id": 5290, "avatar": "https://seccdn.libravatar.org/avatar/f5f39686c696f412e8ed564241807306fff38278b276da30a2d3c41583d69f2a?s=24&d=retro", "openid": "zpytela.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}]}}}, {"karma": 0, "comment_id": 2621102, "bug_id": 2082547, "comment": {"karma": 0, "karma_critpath": 0, "text": "Works for me.", "timestamp": "2022-07-17 14:26:20", "update_id": 426909, "user_id": 1582, "id": 2621102, "testcase_feedback": [], "user": {"name": "drepetto", "email": "drepetto@fedoraproject.org", "id": 1582, "avatar": "https://seccdn.libravatar.org/avatar/2684d7c401ddf615a3d154e0ee3662e8611df4825c112a7e264fcddde7b6f93a?s=24&d=retro", "openid": "drepetto.id.fedoraproject.org", "groups": [{"name": "ipausers"}, {"name": "signed_fpca"}]}}}, {"karma": 0, "comment_id": 2621103, "bug_id": 2082547, "comment": {"karma": 1, "karma_critpath": 0, "text": "", "timestamp": "2022-07-17 14:26:59", "update_id": 426909, "user_id": 1582, "id": 2621103, "testcase_feedback": [], "user": {"name": "drepetto", "email": "drepetto@fedoraproject.org", "id": 1582, "avatar": "https://seccdn.libravatar.org/avatar/2684d7c401ddf615a3d154e0ee3662e8611df4825c112a7e264fcddde7b6f93a?s=24&d=retro", "openid": "drepetto.id.fedoraproject.org", "groups": [{"name": "ipausers"}, {"name": "signed_fpca"}]}}}, {"karma": 0, "comment_id": 2608055, "bug_id": 2082547, "comment": {"karma": 0, "karma_critpath": 0, "text": "@rakuco the denials mentioned in the bz should be addressed. Please open a new bz and add some details and avc denials you see.", "timestamp": "2022-07-07 09:37:28", "update_id": 422899, "user_id": 5290, "id": 2608055, "testcase_feedback": [], "user": {"name": "zpytela", "email": "zpytela@redhat.com", "id": 5290, "avatar": "https://seccdn.libravatar.org/avatar/f5f39686c696f412e8ed564241807306fff38278b276da30a2d3c41583d69f2a?s=24&d=retro", "openid": "zpytela.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}]}}}, {"karma": 0, "comment_id": 2609302, "bug_id": 2082547, "comment": {"karma": 0, "karma_critpath": 0, "text": "I've added more information to bz#2092808 (the bug report already mentions the issue with testparm).", "timestamp": "2022-07-08 09:33:51", "update_id": 422899, "user_id": 6865, "id": 2609302, "testcase_feedback": [], "user": {"name": "rakuco", "email": "raphael.kubo.da.costa@intel.com", "id": 6865, "avatar": "https://seccdn.libravatar.org/avatar/ef8a1b6db40d4057d6789aac352e9795b3951e5bc5a3aa895b2214cc05dcd579?s=24&d=retro", "openid": "rakuco.id.fedoraproject.org", "groups": [{"name": "ipausers"}]}}}, {"karma": 0, "comment_id": 2610615, "bug_id": 2082547, "comment": {"karma": -1, "karma_critpath": 0, "text": "This is causing IPA CI to fail. I'm not completely sure why. The behavior we see is that the current principal is cifs/<fqdn> when we expect it to be something else.\n\nThe AVC we see is:\n\ntype=AVC msg=audit(1657297049.999:3709): avc:  denied  { sendto } for  pid=13209 comm=\"smbcontrol\" path=\"/var/lib/samba/private/msg.sock/13151\" scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=unix_dgram_socket permissive=0", "timestamp": "2022-07-08 16:54:30", "update_id": 422899, "user_id": 1255, "id": 2610615, "testcase_feedback": [], "user": {"name": "rcritten", "email": "rcritten@redhat.com", "id": 1255, "avatar": "https://seccdn.libravatar.org/avatar/170a44090c681a8b42a8cb53b0952228413f629b4696953d22ea19a847fd4b4a?s=24&d=retro", "openid": "rcritten.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "gitfreeipa-docs"}, {"name": "gitfreeipa"}, {"name": "cvsdirsec"}, {"name": "svnpki"}, {"name": "gitipsilon"}, {"name": "gitnsspem"}, {"name": "git389"}, {"name": "svnidmcommon"}, {"name": "fedorabugs"}, {"name": "gitfreeipa-foreman-smartproxy"}, {"name": "signed_fpca"}, {"name": "gitmod_nss"}, {"name": "fedora-contributor"}, {"name": "gitcertmonger"}, {"name": "ipausers"}, {"name": "gitmod_revocator"}, {"name": "trust admins"}]}}}, {"karma": 0, "comment_id": 2613378, "bug_id": 2082547, "comment": {"karma": -1, "karma_critpath": 0, "text": "@zpytela, it looks like smbcontrol_t lacks rights for winbind_rpcd_t, so SELinux policy needs to be extended.", "timestamp": "2022-07-11 10:41:08", "update_id": 422899, "user_id": 1242, "id": 2613378, "testcase_feedback": [], "user": {"name": "abbra", "email": "abokovoy@redhat.com", "id": 1242, "avatar": "https://seccdn.libravatar.org/avatar/3f3c51cb81fb43e685e65ff696d895ac268ff71949128c02b81dec65a4405a0a?s=24&d=retro", "openid": "abbra.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "bind-dyndb-ldap"}, {"name": "gitfreeipa"}, {"name": "gitslapi-nis"}, {"name": "gitfreeipa-docs"}]}}}, {"karma": 0, "comment_id": 2613599, "bug_id": 2082547, "comment": {"karma": 0, "karma_critpath": 0, "text": "BZ https://bugzilla.redhat.com/show_bug.cgi?id=2106006 opened for the issue reported by rcritten", "timestamp": "2022-07-11 14:04:06", "update_id": 422899, "user_id": 3071, "id": 2613599, "testcase_feedback": [], "user": {"name": "frenaud", "email": "frenaud@redhat.com", "id": 3071, "avatar": "https://seccdn.libravatar.org/avatar/1e52aaae9646f0f890f5f6c771cd060c66898d5fdf78e8a6021eb2b75e27ffe2?s=24&d=retro", "openid": "frenaud.id.fedoraproject.org", "groups": [{"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "gitfreeipa"}]}}}, {"karma": 0, "comment_id": 2621218, "bug_id": 2082547, "comment": {"karma": -1, "karma_critpath": 0, "text": "See here: https://github.com/cockpit-project/bots/pull/3627 Lots of tests fail with\n```\naudit: type=1400 audit(2114380829.764:191): avc:  denied  { search } for  pid=813 comm=\"mv\" name=\"contexts\" dev=\"vda5\" ino=16829 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=dir permissive=0\naudit: type=1400 audit(2114380829.770:192): avc:  denied  { sys_admin } for  pid=813 comm=\"mv\" capability=21  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0\naudit: type=1400 audit(2114380829.770:193): avc:  denied  { sys_admin } for  pid=813 comm=\"mv\" capability=21  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0\n```\n\nNetworkManager did *not* change in this image, just\n\n- selinux-policy (36.11-1.fc36 -> 36.12-1.fc36)\n- kernel-core (5.18.10-200.fc36 -> 5.18.11-200.fc36)\n\nand [some others](https://logs.cockpit-project.org/logs/image-refresh-3627-20220716-224141/log) which sound less relevant.\n", "timestamp": "2022-07-17 18:47:16", "update_id": 426909, "user_id": 3506, "id": 2621218, "testcase_feedback": [], "user": {"name": "martinpitt", "email": "mpitt@redhat.com", "id": 3506, "avatar": "https://seccdn.libravatar.org/avatar/a6a00790fadaca10623f4464437e482d4ec110fe331397506ea9fe2664bec740?s=24&d=retro", "openid": "martinpitt.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "cockpitteam"}, {"name": "ocp-cico-cockpit"}]}}}, {"karma": 0, "comment_id": 2623810, "bug_id": 2082547, "comment": {"karma": 1, "karma_critpath": 0, "text": "no problems here", "timestamp": "2022-07-19 05:16:49", "update_id": 426909, "user_id": 5881, "id": 2623810, "testcase_feedback": [], "user": {"name": "geraldosimiao", "email": "geraldo.simiao.kutz@gmail.com", "id": 5881, "avatar": "https://seccdn.libravatar.org/avatar/03fa5b58e8ac78544bf41ad8ecf9ee1920f2ebedb86542c2f4cdf7ef15813168?s=24&d=retro", "openid": "geraldosimiao.id.fedoraproject.org", "groups": [{"name": "qa"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "ambassadors"}, {"name": "fedora-br"}, {"name": "advocates"}, {"name": "respins-sig"}]}}}, {"karma": 0, "comment_id": 2625365, "bug_id": 2082547, "comment": {"karma": 0, "karma_critpath": 0, "text": "This does appear to fix BZ#2080043. I do see some other denials, though (as @martinpitt mentioned): \n\n```\n$ sudo journalctl | grep -i avc \nJul 19 19:28:40 cosa-devsh audit[1556]: AVC avc:  denied  { sys_admin } for  pid=1556 comm=\"mv\" capability=21  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0\nJul 19 19:28:40 cosa-devsh audit[1556]: AVC avc:  denied  { sys_admin } for  pid=1556 comm=\"mv\" capability=21  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0\n```\n\nThey don't seem to be harming my system. ", "timestamp": "2022-07-19 19:33:30", "update_id": 426909, "user_id": 659, "id": 2625365, "testcase_feedback": [], "user": {"name": "dustymabe", "email": "dusty@dustymabe.com", "id": 659, "avatar": "https://seccdn.libravatar.org/avatar/9ec855a28fe61a7fe3d6788882c87ee4c95b38da423234fbb70673a977552c4c?s=24&d=retro", "openid": "dustymabe.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "sysadmin-badges"}, {"name": "aws"}, {"name": "qa-beaker-user"}, {"name": "gitfedora-web"}, {"name": "centosproject-email-aliases"}, {"name": "fi-apprentice"}, {"name": "sysadmin-veteran"}, {"name": "web"}, {"name": "sig-paas"}, {"name": "atomic-wg"}, {"name": "qa"}, {"name": "fedorabugs"}, {"name": "msftazure"}, {"name": "pungi-devel"}, {"name": "qa-automation-shell"}, {"name": "sysadmin-fedimg"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "coreos"}, {"name": "sysadmin"}, {"name": "communishift"}, {"name": "aws-fcos-mgmt"}, {"name": "sysadmin-bodhi"}, {"name": "sysadmin-releng"}, {"name": "sysadmin-coreos"}, {"name": "ipausers"}, {"name": "ibmcloud"}, {"name": "discussion-mods-project"}, {"name": "discussion-mods-ask"}, {"name": "hetznercloud"}, {"name": "trust admins"}, {"name": "coreos-sig"}]}}}, {"karma": 0, "comment_id": 2626048, "bug_id": 2082547, "comment": {"karma": 0, "karma_critpath": 0, "text": "I see:\n```\nsystemd[1655]: selinux: avc:  denied  { status } for auid=1000 uid=1000 gid=1000 path=\"/proc/self/mountinfo\" cmdline=\"/usr/bin/gnome-shell\" function=\"mac_selinux_filter\" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=service permissive=0\n```\nrepeated in journal over and over again. Quite interestingly, it's not shown in \"selinux alert browser\".", "timestamp": "2022-07-20 07:30:55", "update_id": 426909, "user_id": 411, "id": 2626048, "testcase_feedback": [], "user": {"name": "kparal", "email": "kparal@redhat.com", "id": 411, "avatar": "https://seccdn.libravatar.org/avatar/5da027c64997c654044c3d0fdefea4cde1b5cea73f8ecfca77af48e2ba5ed772?s=24&d=retro", "openid": "kparal.id.fedoraproject.org", "groups": [{"name": "qa-tools-sig"}, {"name": "proventesters"}, {"name": "qa"}, {"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "qa-admin"}]}}}, {"karma": 0, "comment_id": 2627353, "bug_id": 2082547, "comment": {"karma": 1, "karma_critpath": 0, "text": "BZ#2092808 seems to have been fixed. The first connection to the VPN causes winbind to go offline for some reason, but I don't think it's related to SELinux.", "timestamp": "2022-07-21 12:58:44", "update_id": 426909, "user_id": 6865, "id": 2627353, "testcase_feedback": [], "user": {"name": "rakuco", "email": "raphael.kubo.da.costa@intel.com", "id": 6865, "avatar": "https://seccdn.libravatar.org/avatar/ef8a1b6db40d4057d6789aac352e9795b3951e5bc5a3aa895b2214cc05dcd579?s=24&d=retro", "openid": "rakuco.id.fedoraproject.org", "groups": [{"name": "ipausers"}]}}}, {"karma": 0, "comment_id": 2657330, "bug_id": 2082547, "comment": {"karma": 0, "karma_critpath": 0, "text": "@dustymabe I think it is needed to backport https://github.com/coreos/console-login-helper-messages/pull/110 to F36, will it be?\n@martinpitt did you notice any actual failure apart from the avcs?\n@kparal do you happen to know how this denial is triggered? This one definitely is new, but likely a result of updating other packages.\nI don't think this build brings any regression.", "timestamp": "2022-07-28 09:10:49", "update_id": 426909, "user_id": 5290, "id": 2657330, "testcase_feedback": [], "user": {"name": "zpytela", "email": "zpytela@redhat.com", "id": 5290, "avatar": "https://seccdn.libravatar.org/avatar/f5f39686c696f412e8ed564241807306fff38278b276da30a2d3c41583d69f2a?s=24&d=retro", "openid": "zpytela.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}]}}}, {"karma": 0, "comment_id": 2657331, "bug_id": 2082547, "comment": {"karma": 0, "karma_critpath": 0, "text": "@zpytela: No, the tests themselves were okay. Just the many avcs.", "timestamp": "2022-07-28 09:21:00", "update_id": 426909, "user_id": 3506, "id": 2657331, "testcase_feedback": [], "user": {"name": "martinpitt", "email": "mpitt@redhat.com", "id": 3506, "avatar": "https://seccdn.libravatar.org/avatar/a6a00790fadaca10623f4464437e482d4ec110fe331397506ea9fe2664bec740?s=24&d=retro", "openid": "martinpitt.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "cockpitteam"}, {"name": "ocp-cico-cockpit"}]}}}, {"karma": 0, "comment_id": 2657341, "bug_id": 2082547, "comment": {"karma": 0, "karma_critpath": 0, "text": "@zpytela: I created https://bugzilla.redhat.com/show_bug.cgi?id=2111834 so we can discuss there.", "timestamp": "2022-07-28 09:33:05", "update_id": 426909, "user_id": 411, "id": 2657341, "testcase_feedback": [], "user": {"name": "kparal", "email": "kparal@redhat.com", "id": 411, "avatar": "https://seccdn.libravatar.org/avatar/5da027c64997c654044c3d0fdefea4cde1b5cea73f8ecfca77af48e2ba5ed772?s=24&d=retro", "openid": "kparal.id.fedoraproject.org", "groups": [{"name": "qa-tools-sig"}, {"name": "proventesters"}, {"name": "qa"}, {"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "qa-admin"}]}}}, {"karma": 0, "comment_id": 2667508, "bug_id": 2082547, "comment": {"karma": 1, "karma_critpath": 0, "text": "Works fine, and BZ#2092808 does seem to be fixed.", "timestamp": "2022-08-04 09:35:09", "update_id": 437222, "user_id": 6865, "id": 2667508, "testcase_feedback": [], "user": {"name": "rakuco", "email": "raphael.kubo.da.costa@intel.com", "id": 6865, "avatar": "https://seccdn.libravatar.org/avatar/ef8a1b6db40d4057d6789aac352e9795b3951e5bc5a3aa895b2214cc05dcd579?s=24&d=retro", "openid": "rakuco.id.fedoraproject.org", "groups": [{"name": "ipausers"}]}}}, {"karma": 0, "comment_id": 2668804, "bug_id": 2082547, "comment": {"karma": 1, "karma_critpath": 0, "text": "I tested this new version [with cockpit's tests](https://github.com/cockpit-project/bots/pull/3703). My [previously reported regression](https://bodhi.fedoraproject.org/updates/FEDORA-2022-320775eb9a#comment-2621218) (dispatcher denials for `mv`) does not happen any more. Thanks!", "timestamp": "2022-08-05 09:53:46", "update_id": 437222, "user_id": 3506, "id": 2668804, "testcase_feedback": [], "user": {"name": "martinpitt", "email": "mpitt@redhat.com", "id": 3506, "avatar": "https://seccdn.libravatar.org/avatar/a6a00790fadaca10623f4464437e482d4ec110fe331397506ea9fe2664bec740?s=24&d=retro", "openid": "martinpitt.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "cockpitteam"}, {"name": "ocp-cico-cockpit"}]}}}]}, {"bug_id": 2083511, "title": "samba-dcerpcd and samba rpcd programs need selinux-policy permissions", "security": false, "parent": false, "feedback": [{"karma": 0, "comment_id": 2600845, "bug_id": 2083511, "comment": {"karma": 1, "karma_critpath": 0, "text": "Works for me.\nI'm not 100% sure it fixes BZ#2093285, because that AVC presented itself only occasionally.\n\n", "timestamp": "2022-06-30 21:55:49", "update_id": 422899, "user_id": 1582, "id": 2600845, "testcase_feedback": [], "user": {"name": "drepetto", "email": "drepetto@fedoraproject.org", "id": 1582, "avatar": "https://seccdn.libravatar.org/avatar/2684d7c401ddf615a3d154e0ee3662e8611df4825c112a7e264fcddde7b6f93a?s=24&d=retro", "openid": "drepetto.id.fedoraproject.org", "groups": [{"name": "ipausers"}, {"name": "signed_fpca"}]}}}, {"karma": 0, "comment_id": 2602450, "bug_id": 2083511, "comment": {"karma": 0, "karma_critpath": 0, "text": "This does not fully fix BZ#2092808. Invoking smbcontrol works, but testparm is still returning an empty string.", "timestamp": "2022-07-01 08:03:48", "update_id": 422899, "user_id": 6865, "id": 2602450, "testcase_feedback": [], "user": {"name": "rakuco", "email": "raphael.kubo.da.costa@intel.com", "id": 6865, "avatar": "https://seccdn.libravatar.org/avatar/ef8a1b6db40d4057d6789aac352e9795b3951e5bc5a3aa895b2214cc05dcd579?s=24&d=retro", "openid": "rakuco.id.fedoraproject.org", "groups": [{"name": "ipausers"}]}}}, {"karma": 0, "comment_id": 2618899, "bug_id": 2083511, "comment": {"karma": 0, "karma_critpath": 0, "text": "Thanks everybody for the feedback, I am working on another build to replace this one.", "timestamp": "2022-07-15 14:39:55", "update_id": 422899, "user_id": 5290, "id": 2618899, "testcase_feedback": [], "user": {"name": "zpytela", "email": "zpytela@redhat.com", "id": 5290, "avatar": "https://seccdn.libravatar.org/avatar/f5f39686c696f412e8ed564241807306fff38278b276da30a2d3c41583d69f2a?s=24&d=retro", "openid": "zpytela.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}]}}}, {"karma": 0, "comment_id": 2621102, "bug_id": 2083511, "comment": {"karma": 0, "karma_critpath": 0, "text": "Works for me.", "timestamp": "2022-07-17 14:26:20", "update_id": 426909, "user_id": 1582, "id": 2621102, "testcase_feedback": [], "user": {"name": "drepetto", "email": "drepetto@fedoraproject.org", "id": 1582, "avatar": "https://seccdn.libravatar.org/avatar/2684d7c401ddf615a3d154e0ee3662e8611df4825c112a7e264fcddde7b6f93a?s=24&d=retro", "openid": "drepetto.id.fedoraproject.org", "groups": [{"name": "ipausers"}, {"name": "signed_fpca"}]}}}, {"karma": 0, "comment_id": 2621103, "bug_id": 2083511, "comment": {"karma": 1, "karma_critpath": 0, "text": "", "timestamp": "2022-07-17 14:26:59", "update_id": 426909, "user_id": 1582, "id": 2621103, "testcase_feedback": [], "user": {"name": "drepetto", "email": "drepetto@fedoraproject.org", "id": 1582, "avatar": "https://seccdn.libravatar.org/avatar/2684d7c401ddf615a3d154e0ee3662e8611df4825c112a7e264fcddde7b6f93a?s=24&d=retro", "openid": "drepetto.id.fedoraproject.org", "groups": [{"name": "ipausers"}, {"name": "signed_fpca"}]}}}, {"karma": 0, "comment_id": 2608055, "bug_id": 2083511, "comment": {"karma": 0, "karma_critpath": 0, "text": "@rakuco the denials mentioned in the bz should be addressed. Please open a new bz and add some details and avc denials you see.", "timestamp": "2022-07-07 09:37:28", "update_id": 422899, "user_id": 5290, "id": 2608055, "testcase_feedback": [], "user": {"name": "zpytela", "email": "zpytela@redhat.com", "id": 5290, "avatar": "https://seccdn.libravatar.org/avatar/f5f39686c696f412e8ed564241807306fff38278b276da30a2d3c41583d69f2a?s=24&d=retro", "openid": "zpytela.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}]}}}, {"karma": 0, "comment_id": 2609302, "bug_id": 2083511, "comment": {"karma": 0, "karma_critpath": 0, "text": "I've added more information to bz#2092808 (the bug report already mentions the issue with testparm).", "timestamp": "2022-07-08 09:33:51", "update_id": 422899, "user_id": 6865, "id": 2609302, "testcase_feedback": [], "user": {"name": "rakuco", "email": "raphael.kubo.da.costa@intel.com", "id": 6865, "avatar": "https://seccdn.libravatar.org/avatar/ef8a1b6db40d4057d6789aac352e9795b3951e5bc5a3aa895b2214cc05dcd579?s=24&d=retro", "openid": "rakuco.id.fedoraproject.org", "groups": [{"name": "ipausers"}]}}}, {"karma": 0, "comment_id": 2610615, "bug_id": 2083511, "comment": {"karma": -1, "karma_critpath": 0, "text": "This is causing IPA CI to fail. I'm not completely sure why. The behavior we see is that the current principal is cifs/<fqdn> when we expect it to be something else.\n\nThe AVC we see is:\n\ntype=AVC msg=audit(1657297049.999:3709): avc:  denied  { sendto } for  pid=13209 comm=\"smbcontrol\" path=\"/var/lib/samba/private/msg.sock/13151\" scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=unix_dgram_socket permissive=0", "timestamp": "2022-07-08 16:54:30", "update_id": 422899, "user_id": 1255, "id": 2610615, "testcase_feedback": [], "user": {"name": "rcritten", "email": "rcritten@redhat.com", "id": 1255, "avatar": "https://seccdn.libravatar.org/avatar/170a44090c681a8b42a8cb53b0952228413f629b4696953d22ea19a847fd4b4a?s=24&d=retro", "openid": "rcritten.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "gitfreeipa-docs"}, {"name": "gitfreeipa"}, {"name": "cvsdirsec"}, {"name": "svnpki"}, {"name": "gitipsilon"}, {"name": "gitnsspem"}, {"name": "git389"}, {"name": "svnidmcommon"}, {"name": "fedorabugs"}, {"name": "gitfreeipa-foreman-smartproxy"}, {"name": "signed_fpca"}, {"name": "gitmod_nss"}, {"name": "fedora-contributor"}, {"name": "gitcertmonger"}, {"name": "ipausers"}, {"name": "gitmod_revocator"}, {"name": "trust admins"}]}}}, {"karma": 0, "comment_id": 2613378, "bug_id": 2083511, "comment": {"karma": -1, "karma_critpath": 0, "text": "@zpytela, it looks like smbcontrol_t lacks rights for winbind_rpcd_t, so SELinux policy needs to be extended.", "timestamp": "2022-07-11 10:41:08", "update_id": 422899, "user_id": 1242, "id": 2613378, "testcase_feedback": [], "user": {"name": "abbra", "email": "abokovoy@redhat.com", "id": 1242, "avatar": "https://seccdn.libravatar.org/avatar/3f3c51cb81fb43e685e65ff696d895ac268ff71949128c02b81dec65a4405a0a?s=24&d=retro", "openid": "abbra.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "bind-dyndb-ldap"}, {"name": "gitfreeipa"}, {"name": "gitslapi-nis"}, {"name": "gitfreeipa-docs"}]}}}, {"karma": 0, "comment_id": 2613599, "bug_id": 2083511, "comment": {"karma": 0, "karma_critpath": 0, "text": "BZ https://bugzilla.redhat.com/show_bug.cgi?id=2106006 opened for the issue reported by rcritten", "timestamp": "2022-07-11 14:04:06", "update_id": 422899, "user_id": 3071, "id": 2613599, "testcase_feedback": [], "user": {"name": "frenaud", "email": "frenaud@redhat.com", "id": 3071, "avatar": "https://seccdn.libravatar.org/avatar/1e52aaae9646f0f890f5f6c771cd060c66898d5fdf78e8a6021eb2b75e27ffe2?s=24&d=retro", "openid": "frenaud.id.fedoraproject.org", "groups": [{"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "gitfreeipa"}]}}}, {"karma": 0, "comment_id": 2621218, "bug_id": 2083511, "comment": {"karma": -1, "karma_critpath": 0, "text": "See here: https://github.com/cockpit-project/bots/pull/3627 Lots of tests fail with\n```\naudit: type=1400 audit(2114380829.764:191): avc:  denied  { search } for  pid=813 comm=\"mv\" name=\"contexts\" dev=\"vda5\" ino=16829 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=dir permissive=0\naudit: type=1400 audit(2114380829.770:192): avc:  denied  { sys_admin } for  pid=813 comm=\"mv\" capability=21  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0\naudit: type=1400 audit(2114380829.770:193): avc:  denied  { sys_admin } for  pid=813 comm=\"mv\" capability=21  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0\n```\n\nNetworkManager did *not* change in this image, just\n\n- selinux-policy (36.11-1.fc36 -> 36.12-1.fc36)\n- kernel-core (5.18.10-200.fc36 -> 5.18.11-200.fc36)\n\nand [some others](https://logs.cockpit-project.org/logs/image-refresh-3627-20220716-224141/log) which sound less relevant.\n", "timestamp": "2022-07-17 18:47:16", "update_id": 426909, "user_id": 3506, "id": 2621218, "testcase_feedback": [], "user": {"name": "martinpitt", "email": "mpitt@redhat.com", "id": 3506, "avatar": "https://seccdn.libravatar.org/avatar/a6a00790fadaca10623f4464437e482d4ec110fe331397506ea9fe2664bec740?s=24&d=retro", "openid": "martinpitt.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "cockpitteam"}, {"name": "ocp-cico-cockpit"}]}}}, {"karma": 0, "comment_id": 2623810, "bug_id": 2083511, "comment": {"karma": 1, "karma_critpath": 0, "text": "no problems here", "timestamp": "2022-07-19 05:16:49", "update_id": 426909, "user_id": 5881, "id": 2623810, "testcase_feedback": [], "user": {"name": "geraldosimiao", "email": "geraldo.simiao.kutz@gmail.com", "id": 5881, "avatar": "https://seccdn.libravatar.org/avatar/03fa5b58e8ac78544bf41ad8ecf9ee1920f2ebedb86542c2f4cdf7ef15813168?s=24&d=retro", "openid": "geraldosimiao.id.fedoraproject.org", "groups": [{"name": "qa"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "ambassadors"}, {"name": "fedora-br"}, {"name": "advocates"}, {"name": "respins-sig"}]}}}, {"karma": 0, "comment_id": 2625365, "bug_id": 2083511, "comment": {"karma": 0, "karma_critpath": 0, "text": "This does appear to fix BZ#2080043. I do see some other denials, though (as @martinpitt mentioned): \n\n```\n$ sudo journalctl | grep -i avc \nJul 19 19:28:40 cosa-devsh audit[1556]: AVC avc:  denied  { sys_admin } for  pid=1556 comm=\"mv\" capability=21  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0\nJul 19 19:28:40 cosa-devsh audit[1556]: AVC avc:  denied  { sys_admin } for  pid=1556 comm=\"mv\" capability=21  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0\n```\n\nThey don't seem to be harming my system. ", "timestamp": "2022-07-19 19:33:30", "update_id": 426909, "user_id": 659, "id": 2625365, "testcase_feedback": [], "user": {"name": "dustymabe", "email": "dusty@dustymabe.com", "id": 659, "avatar": "https://seccdn.libravatar.org/avatar/9ec855a28fe61a7fe3d6788882c87ee4c95b38da423234fbb70673a977552c4c?s=24&d=retro", "openid": "dustymabe.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "sysadmin-badges"}, {"name": "aws"}, {"name": "qa-beaker-user"}, {"name": "gitfedora-web"}, {"name": "centosproject-email-aliases"}, {"name": "fi-apprentice"}, {"name": "sysadmin-veteran"}, {"name": "web"}, {"name": "sig-paas"}, {"name": "atomic-wg"}, {"name": "qa"}, {"name": "fedorabugs"}, {"name": "msftazure"}, {"name": "pungi-devel"}, {"name": "qa-automation-shell"}, {"name": "sysadmin-fedimg"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "coreos"}, {"name": "sysadmin"}, {"name": "communishift"}, {"name": "aws-fcos-mgmt"}, {"name": "sysadmin-bodhi"}, {"name": "sysadmin-releng"}, {"name": "sysadmin-coreos"}, {"name": "ipausers"}, {"name": "ibmcloud"}, {"name": "discussion-mods-project"}, {"name": "discussion-mods-ask"}, {"name": "hetznercloud"}, {"name": "trust admins"}, {"name": "coreos-sig"}]}}}, {"karma": 0, "comment_id": 2626048, "bug_id": 2083511, "comment": {"karma": 0, "karma_critpath": 0, "text": "I see:\n```\nsystemd[1655]: selinux: avc:  denied  { status } for auid=1000 uid=1000 gid=1000 path=\"/proc/self/mountinfo\" cmdline=\"/usr/bin/gnome-shell\" function=\"mac_selinux_filter\" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=service permissive=0\n```\nrepeated in journal over and over again. Quite interestingly, it's not shown in \"selinux alert browser\".", "timestamp": "2022-07-20 07:30:55", "update_id": 426909, "user_id": 411, "id": 2626048, "testcase_feedback": [], "user": {"name": "kparal", "email": "kparal@redhat.com", "id": 411, "avatar": "https://seccdn.libravatar.org/avatar/5da027c64997c654044c3d0fdefea4cde1b5cea73f8ecfca77af48e2ba5ed772?s=24&d=retro", "openid": "kparal.id.fedoraproject.org", "groups": [{"name": "qa-tools-sig"}, {"name": "proventesters"}, {"name": "qa"}, {"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "qa-admin"}]}}}, {"karma": 0, "comment_id": 2627353, "bug_id": 2083511, "comment": {"karma": 1, "karma_critpath": 0, "text": "BZ#2092808 seems to have been fixed. The first connection to the VPN causes winbind to go offline for some reason, but I don't think it's related to SELinux.", "timestamp": "2022-07-21 12:58:44", "update_id": 426909, "user_id": 6865, "id": 2627353, "testcase_feedback": [], "user": {"name": "rakuco", "email": "raphael.kubo.da.costa@intel.com", "id": 6865, "avatar": "https://seccdn.libravatar.org/avatar/ef8a1b6db40d4057d6789aac352e9795b3951e5bc5a3aa895b2214cc05dcd579?s=24&d=retro", "openid": "rakuco.id.fedoraproject.org", "groups": [{"name": "ipausers"}]}}}, {"karma": 0, "comment_id": 2657330, "bug_id": 2083511, "comment": {"karma": 0, "karma_critpath": 0, "text": "@dustymabe I think it is needed to backport https://github.com/coreos/console-login-helper-messages/pull/110 to F36, will it be?\n@martinpitt did you notice any actual failure apart from the avcs?\n@kparal do you happen to know how this denial is triggered? This one definitely is new, but likely a result of updating other packages.\nI don't think this build brings any regression.", "timestamp": "2022-07-28 09:10:49", "update_id": 426909, "user_id": 5290, "id": 2657330, "testcase_feedback": [], "user": {"name": "zpytela", "email": "zpytela@redhat.com", "id": 5290, "avatar": "https://seccdn.libravatar.org/avatar/f5f39686c696f412e8ed564241807306fff38278b276da30a2d3c41583d69f2a?s=24&d=retro", "openid": "zpytela.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}]}}}, {"karma": 0, "comment_id": 2657331, "bug_id": 2083511, "comment": {"karma": 0, "karma_critpath": 0, "text": "@zpytela: No, the tests themselves were okay. Just the many avcs.", "timestamp": "2022-07-28 09:21:00", "update_id": 426909, "user_id": 3506, "id": 2657331, "testcase_feedback": [], "user": {"name": "martinpitt", "email": "mpitt@redhat.com", "id": 3506, "avatar": "https://seccdn.libravatar.org/avatar/a6a00790fadaca10623f4464437e482d4ec110fe331397506ea9fe2664bec740?s=24&d=retro", "openid": "martinpitt.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "cockpitteam"}, {"name": "ocp-cico-cockpit"}]}}}, {"karma": 0, "comment_id": 2657341, "bug_id": 2083511, "comment": {"karma": 0, "karma_critpath": 0, "text": "@zpytela: I created https://bugzilla.redhat.com/show_bug.cgi?id=2111834 so we can discuss there.", "timestamp": "2022-07-28 09:33:05", "update_id": 426909, "user_id": 411, "id": 2657341, "testcase_feedback": [], "user": {"name": "kparal", "email": "kparal@redhat.com", "id": 411, "avatar": "https://seccdn.libravatar.org/avatar/5da027c64997c654044c3d0fdefea4cde1b5cea73f8ecfca77af48e2ba5ed772?s=24&d=retro", "openid": "kparal.id.fedoraproject.org", "groups": [{"name": "qa-tools-sig"}, {"name": "proventesters"}, {"name": "qa"}, {"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "qa-admin"}]}}}, {"karma": 0, "comment_id": 2667508, "bug_id": 2083511, "comment": {"karma": 1, "karma_critpath": 0, "text": "Works fine, and BZ#2092808 does seem to be fixed.", "timestamp": "2022-08-04 09:35:09", "update_id": 437222, "user_id": 6865, "id": 2667508, "testcase_feedback": [], "user": {"name": "rakuco", "email": "raphael.kubo.da.costa@intel.com", "id": 6865, "avatar": "https://seccdn.libravatar.org/avatar/ef8a1b6db40d4057d6789aac352e9795b3951e5bc5a3aa895b2214cc05dcd579?s=24&d=retro", "openid": "rakuco.id.fedoraproject.org", "groups": [{"name": "ipausers"}]}}}, {"karma": 0, "comment_id": 2668804, "bug_id": 2083511, "comment": {"karma": 1, "karma_critpath": 0, "text": "I tested this new version [with cockpit's tests](https://github.com/cockpit-project/bots/pull/3703). My [previously reported regression](https://bodhi.fedoraproject.org/updates/FEDORA-2022-320775eb9a#comment-2621218) (dispatcher denials for `mv`) does not happen any more. Thanks!", "timestamp": "2022-08-05 09:53:46", "update_id": 437222, "user_id": 3506, "id": 2668804, "testcase_feedback": [], "user": {"name": "martinpitt", "email": "mpitt@redhat.com", "id": 3506, "avatar": "https://seccdn.libravatar.org/avatar/a6a00790fadaca10623f4464437e482d4ec110fe331397506ea9fe2664bec740?s=24&d=retro", "openid": "martinpitt.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "cockpitteam"}, {"name": "ocp-cico-cockpit"}]}}}]}, {"bug_id": 2091417, "title": "SELinux is preventing ksmctl from 'add_name' accesses on the cartella run.", "security": false, "parent": false, "feedback": [{"karma": 1, "comment_id": 2600845, "bug_id": 2091417, "comment": {"karma": 1, "karma_critpath": 0, "text": "Works for me.\nI'm not 100% sure it fixes BZ#2093285, because that AVC presented itself only occasionally.\n\n", "timestamp": "2022-06-30 21:55:49", "update_id": 422899, "user_id": 1582, "id": 2600845, "testcase_feedback": [], "user": {"name": "drepetto", "email": "drepetto@fedoraproject.org", "id": 1582, "avatar": "https://seccdn.libravatar.org/avatar/2684d7c401ddf615a3d154e0ee3662e8611df4825c112a7e264fcddde7b6f93a?s=24&d=retro", "openid": "drepetto.id.fedoraproject.org", "groups": [{"name": "ipausers"}, {"name": "signed_fpca"}]}}}, {"karma": 0, "comment_id": 2602450, "bug_id": 2091417, "comment": {"karma": 0, "karma_critpath": 0, "text": "This does not fully fix BZ#2092808. Invoking smbcontrol works, but testparm is still returning an empty string.", "timestamp": "2022-07-01 08:03:48", "update_id": 422899, "user_id": 6865, "id": 2602450, "testcase_feedback": [], "user": {"name": "rakuco", "email": "raphael.kubo.da.costa@intel.com", "id": 6865, "avatar": "https://seccdn.libravatar.org/avatar/ef8a1b6db40d4057d6789aac352e9795b3951e5bc5a3aa895b2214cc05dcd579?s=24&d=retro", "openid": "rakuco.id.fedoraproject.org", "groups": [{"name": "ipausers"}]}}}, {"karma": 0, "comment_id": 2618899, "bug_id": 2091417, "comment": {"karma": 0, "karma_critpath": 0, "text": "Thanks everybody for the feedback, I am working on another build to replace this one.", "timestamp": "2022-07-15 14:39:55", "update_id": 422899, "user_id": 5290, "id": 2618899, "testcase_feedback": [], "user": {"name": "zpytela", "email": "zpytela@redhat.com", "id": 5290, "avatar": "https://seccdn.libravatar.org/avatar/f5f39686c696f412e8ed564241807306fff38278b276da30a2d3c41583d69f2a?s=24&d=retro", "openid": "zpytela.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}]}}}, {"karma": 0, "comment_id": 2621102, "bug_id": 2091417, "comment": {"karma": 0, "karma_critpath": 0, "text": "Works for me.", "timestamp": "2022-07-17 14:26:20", "update_id": 426909, "user_id": 1582, "id": 2621102, "testcase_feedback": [], "user": {"name": "drepetto", "email": "drepetto@fedoraproject.org", "id": 1582, "avatar": "https://seccdn.libravatar.org/avatar/2684d7c401ddf615a3d154e0ee3662e8611df4825c112a7e264fcddde7b6f93a?s=24&d=retro", "openid": "drepetto.id.fedoraproject.org", "groups": [{"name": "ipausers"}, {"name": "signed_fpca"}]}}}, {"karma": 0, "comment_id": 2621103, "bug_id": 2091417, "comment": {"karma": 1, "karma_critpath": 0, "text": "", "timestamp": "2022-07-17 14:26:59", "update_id": 426909, "user_id": 1582, "id": 2621103, "testcase_feedback": [], "user": {"name": "drepetto", "email": "drepetto@fedoraproject.org", "id": 1582, "avatar": "https://seccdn.libravatar.org/avatar/2684d7c401ddf615a3d154e0ee3662e8611df4825c112a7e264fcddde7b6f93a?s=24&d=retro", "openid": "drepetto.id.fedoraproject.org", "groups": [{"name": "ipausers"}, {"name": "signed_fpca"}]}}}, {"karma": 0, "comment_id": 2608055, "bug_id": 2091417, "comment": {"karma": 0, "karma_critpath": 0, "text": "@rakuco the denials mentioned in the bz should be addressed. Please open a new bz and add some details and avc denials you see.", "timestamp": "2022-07-07 09:37:28", "update_id": 422899, "user_id": 5290, "id": 2608055, "testcase_feedback": [], "user": {"name": "zpytela", "email": "zpytela@redhat.com", "id": 5290, "avatar": "https://seccdn.libravatar.org/avatar/f5f39686c696f412e8ed564241807306fff38278b276da30a2d3c41583d69f2a?s=24&d=retro", "openid": "zpytela.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}]}}}, {"karma": 0, "comment_id": 2609302, "bug_id": 2091417, "comment": {"karma": 0, "karma_critpath": 0, "text": "I've added more information to bz#2092808 (the bug report already mentions the issue with testparm).", "timestamp": "2022-07-08 09:33:51", "update_id": 422899, "user_id": 6865, "id": 2609302, "testcase_feedback": [], "user": {"name": "rakuco", "email": "raphael.kubo.da.costa@intel.com", "id": 6865, "avatar": "https://seccdn.libravatar.org/avatar/ef8a1b6db40d4057d6789aac352e9795b3951e5bc5a3aa895b2214cc05dcd579?s=24&d=retro", "openid": "rakuco.id.fedoraproject.org", "groups": [{"name": "ipausers"}]}}}, {"karma": 0, "comment_id": 2610615, "bug_id": 2091417, "comment": {"karma": -1, "karma_critpath": 0, "text": "This is causing IPA CI to fail. I'm not completely sure why. The behavior we see is that the current principal is cifs/<fqdn> when we expect it to be something else.\n\nThe AVC we see is:\n\ntype=AVC msg=audit(1657297049.999:3709): avc:  denied  { sendto } for  pid=13209 comm=\"smbcontrol\" path=\"/var/lib/samba/private/msg.sock/13151\" scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=unix_dgram_socket permissive=0", "timestamp": "2022-07-08 16:54:30", "update_id": 422899, "user_id": 1255, "id": 2610615, "testcase_feedback": [], "user": {"name": "rcritten", "email": "rcritten@redhat.com", "id": 1255, "avatar": "https://seccdn.libravatar.org/avatar/170a44090c681a8b42a8cb53b0952228413f629b4696953d22ea19a847fd4b4a?s=24&d=retro", "openid": "rcritten.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "gitfreeipa-docs"}, {"name": "gitfreeipa"}, {"name": "cvsdirsec"}, {"name": "svnpki"}, {"name": "gitipsilon"}, {"name": "gitnsspem"}, {"name": "git389"}, {"name": "svnidmcommon"}, {"name": "fedorabugs"}, {"name": "gitfreeipa-foreman-smartproxy"}, {"name": "signed_fpca"}, {"name": "gitmod_nss"}, {"name": "fedora-contributor"}, {"name": "gitcertmonger"}, {"name": "ipausers"}, {"name": "gitmod_revocator"}, {"name": "trust admins"}]}}}, {"karma": 0, "comment_id": 2613378, "bug_id": 2091417, "comment": {"karma": -1, "karma_critpath": 0, "text": "@zpytela, it looks like smbcontrol_t lacks rights for winbind_rpcd_t, so SELinux policy needs to be extended.", "timestamp": "2022-07-11 10:41:08", "update_id": 422899, "user_id": 1242, "id": 2613378, "testcase_feedback": [], "user": {"name": "abbra", "email": "abokovoy@redhat.com", "id": 1242, "avatar": "https://seccdn.libravatar.org/avatar/3f3c51cb81fb43e685e65ff696d895ac268ff71949128c02b81dec65a4405a0a?s=24&d=retro", "openid": "abbra.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "bind-dyndb-ldap"}, {"name": "gitfreeipa"}, {"name": "gitslapi-nis"}, {"name": "gitfreeipa-docs"}]}}}, {"karma": 0, "comment_id": 2613599, "bug_id": 2091417, "comment": {"karma": 0, "karma_critpath": 0, "text": "BZ https://bugzilla.redhat.com/show_bug.cgi?id=2106006 opened for the issue reported by rcritten", "timestamp": "2022-07-11 14:04:06", "update_id": 422899, "user_id": 3071, "id": 2613599, "testcase_feedback": [], "user": {"name": "frenaud", "email": "frenaud@redhat.com", "id": 3071, "avatar": "https://seccdn.libravatar.org/avatar/1e52aaae9646f0f890f5f6c771cd060c66898d5fdf78e8a6021eb2b75e27ffe2?s=24&d=retro", "openid": "frenaud.id.fedoraproject.org", "groups": [{"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "gitfreeipa"}]}}}, {"karma": 0, "comment_id": 2621218, "bug_id": 2091417, "comment": {"karma": -1, "karma_critpath": 0, "text": "See here: https://github.com/cockpit-project/bots/pull/3627 Lots of tests fail with\n```\naudit: type=1400 audit(2114380829.764:191): avc:  denied  { search } for  pid=813 comm=\"mv\" name=\"contexts\" dev=\"vda5\" ino=16829 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=dir permissive=0\naudit: type=1400 audit(2114380829.770:192): avc:  denied  { sys_admin } for  pid=813 comm=\"mv\" capability=21  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0\naudit: type=1400 audit(2114380829.770:193): avc:  denied  { sys_admin } for  pid=813 comm=\"mv\" capability=21  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0\n```\n\nNetworkManager did *not* change in this image, just\n\n- selinux-policy (36.11-1.fc36 -> 36.12-1.fc36)\n- kernel-core (5.18.10-200.fc36 -> 5.18.11-200.fc36)\n\nand [some others](https://logs.cockpit-project.org/logs/image-refresh-3627-20220716-224141/log) which sound less relevant.\n", "timestamp": "2022-07-17 18:47:16", "update_id": 426909, "user_id": 3506, "id": 2621218, "testcase_feedback": [], "user": {"name": "martinpitt", "email": "mpitt@redhat.com", "id": 3506, "avatar": "https://seccdn.libravatar.org/avatar/a6a00790fadaca10623f4464437e482d4ec110fe331397506ea9fe2664bec740?s=24&d=retro", "openid": "martinpitt.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "cockpitteam"}, {"name": "ocp-cico-cockpit"}]}}}, {"karma": 0, "comment_id": 2623810, "bug_id": 2091417, "comment": {"karma": 1, "karma_critpath": 0, "text": "no problems here", "timestamp": "2022-07-19 05:16:49", "update_id": 426909, "user_id": 5881, "id": 2623810, "testcase_feedback": [], "user": {"name": "geraldosimiao", "email": "geraldo.simiao.kutz@gmail.com", "id": 5881, "avatar": "https://seccdn.libravatar.org/avatar/03fa5b58e8ac78544bf41ad8ecf9ee1920f2ebedb86542c2f4cdf7ef15813168?s=24&d=retro", "openid": "geraldosimiao.id.fedoraproject.org", "groups": [{"name": "qa"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "ambassadors"}, {"name": "fedora-br"}, {"name": "advocates"}, {"name": "respins-sig"}]}}}, {"karma": 0, "comment_id": 2625365, "bug_id": 2091417, "comment": {"karma": 0, "karma_critpath": 0, "text": "This does appear to fix BZ#2080043. I do see some other denials, though (as @martinpitt mentioned): \n\n```\n$ sudo journalctl | grep -i avc \nJul 19 19:28:40 cosa-devsh audit[1556]: AVC avc:  denied  { sys_admin } for  pid=1556 comm=\"mv\" capability=21  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0\nJul 19 19:28:40 cosa-devsh audit[1556]: AVC avc:  denied  { sys_admin } for  pid=1556 comm=\"mv\" capability=21  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0\n```\n\nThey don't seem to be harming my system. ", "timestamp": "2022-07-19 19:33:30", "update_id": 426909, "user_id": 659, "id": 2625365, "testcase_feedback": [], "user": {"name": "dustymabe", "email": "dusty@dustymabe.com", "id": 659, "avatar": "https://seccdn.libravatar.org/avatar/9ec855a28fe61a7fe3d6788882c87ee4c95b38da423234fbb70673a977552c4c?s=24&d=retro", "openid": "dustymabe.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "sysadmin-badges"}, {"name": "aws"}, {"name": "qa-beaker-user"}, {"name": "gitfedora-web"}, {"name": "centosproject-email-aliases"}, {"name": "fi-apprentice"}, {"name": "sysadmin-veteran"}, {"name": "web"}, {"name": "sig-paas"}, {"name": "atomic-wg"}, {"name": "qa"}, {"name": "fedorabugs"}, {"name": "msftazure"}, {"name": "pungi-devel"}, {"name": "qa-automation-shell"}, {"name": "sysadmin-fedimg"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "coreos"}, {"name": "sysadmin"}, {"name": "communishift"}, {"name": "aws-fcos-mgmt"}, {"name": "sysadmin-bodhi"}, {"name": "sysadmin-releng"}, {"name": "sysadmin-coreos"}, {"name": "ipausers"}, {"name": "ibmcloud"}, {"name": "discussion-mods-project"}, {"name": "discussion-mods-ask"}, {"name": "hetznercloud"}, {"name": "trust admins"}, {"name": "coreos-sig"}]}}}, {"karma": 0, "comment_id": 2626048, "bug_id": 2091417, "comment": {"karma": 0, "karma_critpath": 0, "text": "I see:\n```\nsystemd[1655]: selinux: avc:  denied  { status } for auid=1000 uid=1000 gid=1000 path=\"/proc/self/mountinfo\" cmdline=\"/usr/bin/gnome-shell\" function=\"mac_selinux_filter\" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=service permissive=0\n```\nrepeated in journal over and over again. Quite interestingly, it's not shown in \"selinux alert browser\".", "timestamp": "2022-07-20 07:30:55", "update_id": 426909, "user_id": 411, "id": 2626048, "testcase_feedback": [], "user": {"name": "kparal", "email": "kparal@redhat.com", "id": 411, "avatar": "https://seccdn.libravatar.org/avatar/5da027c64997c654044c3d0fdefea4cde1b5cea73f8ecfca77af48e2ba5ed772?s=24&d=retro", "openid": "kparal.id.fedoraproject.org", "groups": [{"name": "qa-tools-sig"}, {"name": "proventesters"}, {"name": "qa"}, {"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "qa-admin"}]}}}, {"karma": 0, "comment_id": 2627353, "bug_id": 2091417, "comment": {"karma": 1, "karma_critpath": 0, "text": "BZ#2092808 seems to have been fixed. The first connection to the VPN causes winbind to go offline for some reason, but I don't think it's related to SELinux.", "timestamp": "2022-07-21 12:58:44", "update_id": 426909, "user_id": 6865, "id": 2627353, "testcase_feedback": [], "user": {"name": "rakuco", "email": "raphael.kubo.da.costa@intel.com", "id": 6865, "avatar": "https://seccdn.libravatar.org/avatar/ef8a1b6db40d4057d6789aac352e9795b3951e5bc5a3aa895b2214cc05dcd579?s=24&d=retro", "openid": "rakuco.id.fedoraproject.org", "groups": [{"name": "ipausers"}]}}}, {"karma": 0, "comment_id": 2657330, "bug_id": 2091417, "comment": {"karma": 0, "karma_critpath": 0, "text": "@dustymabe I think it is needed to backport https://github.com/coreos/console-login-helper-messages/pull/110 to F36, will it be?\n@martinpitt did you notice any actual failure apart from the avcs?\n@kparal do you happen to know how this denial is triggered? This one definitely is new, but likely a result of updating other packages.\nI don't think this build brings any regression.", "timestamp": "2022-07-28 09:10:49", "update_id": 426909, "user_id": 5290, "id": 2657330, "testcase_feedback": [], "user": {"name": "zpytela", "email": "zpytela@redhat.com", "id": 5290, "avatar": "https://seccdn.libravatar.org/avatar/f5f39686c696f412e8ed564241807306fff38278b276da30a2d3c41583d69f2a?s=24&d=retro", "openid": "zpytela.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}]}}}, {"karma": 0, "comment_id": 2657331, "bug_id": 2091417, "comment": {"karma": 0, "karma_critpath": 0, "text": "@zpytela: No, the tests themselves were okay. Just the many avcs.", "timestamp": "2022-07-28 09:21:00", "update_id": 426909, "user_id": 3506, "id": 2657331, "testcase_feedback": [], "user": {"name": "martinpitt", "email": "mpitt@redhat.com", "id": 3506, "avatar": "https://seccdn.libravatar.org/avatar/a6a00790fadaca10623f4464437e482d4ec110fe331397506ea9fe2664bec740?s=24&d=retro", "openid": "martinpitt.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "cockpitteam"}, {"name": "ocp-cico-cockpit"}]}}}, {"karma": 0, "comment_id": 2657341, "bug_id": 2091417, "comment": {"karma": 0, "karma_critpath": 0, "text": "@zpytela: I created https://bugzilla.redhat.com/show_bug.cgi?id=2111834 so we can discuss there.", "timestamp": "2022-07-28 09:33:05", "update_id": 426909, "user_id": 411, "id": 2657341, "testcase_feedback": [], "user": {"name": "kparal", "email": "kparal@redhat.com", "id": 411, "avatar": "https://seccdn.libravatar.org/avatar/5da027c64997c654044c3d0fdefea4cde1b5cea73f8ecfca77af48e2ba5ed772?s=24&d=retro", "openid": "kparal.id.fedoraproject.org", "groups": [{"name": "qa-tools-sig"}, {"name": "proventesters"}, {"name": "qa"}, {"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "qa-admin"}]}}}, {"karma": 0, "comment_id": 2667508, "bug_id": 2091417, "comment": {"karma": 1, "karma_critpath": 0, "text": "Works fine, and BZ#2092808 does seem to be fixed.", "timestamp": "2022-08-04 09:35:09", "update_id": 437222, "user_id": 6865, "id": 2667508, "testcase_feedback": [], "user": {"name": "rakuco", "email": "raphael.kubo.da.costa@intel.com", "id": 6865, "avatar": "https://seccdn.libravatar.org/avatar/ef8a1b6db40d4057d6789aac352e9795b3951e5bc5a3aa895b2214cc05dcd579?s=24&d=retro", "openid": "rakuco.id.fedoraproject.org", "groups": [{"name": "ipausers"}]}}}, {"karma": 0, "comment_id": 2668804, "bug_id": 2091417, "comment": {"karma": 1, "karma_critpath": 0, "text": "I tested this new version [with cockpit's tests](https://github.com/cockpit-project/bots/pull/3703). My [previously reported regression](https://bodhi.fedoraproject.org/updates/FEDORA-2022-320775eb9a#comment-2621218) (dispatcher denials for `mv`) does not happen any more. Thanks!", "timestamp": "2022-08-05 09:53:46", "update_id": 437222, "user_id": 3506, "id": 2668804, "testcase_feedback": [], "user": {"name": "martinpitt", "email": "mpitt@redhat.com", "id": 3506, "avatar": "https://seccdn.libravatar.org/avatar/a6a00790fadaca10623f4464437e482d4ec110fe331397506ea9fe2664bec740?s=24&d=retro", "openid": "martinpitt.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "cockpitteam"}, {"name": "ocp-cico-cockpit"}]}}}]}, {"bug_id": 2092808, "title": "selinux-policy prevents 30-winbind from invoking smbcontrol and testparam", "security": false, "parent": false, "feedback": [{"karma": 0, "comment_id": 2600845, "bug_id": 2092808, "comment": {"karma": 1, "karma_critpath": 0, "text": "Works for me.\nI'm not 100% sure it fixes BZ#2093285, because that AVC presented itself only occasionally.\n\n", "timestamp": "2022-06-30 21:55:49", "update_id": 422899, "user_id": 1582, "id": 2600845, "testcase_feedback": [], "user": {"name": "drepetto", "email": "drepetto@fedoraproject.org", "id": 1582, "avatar": "https://seccdn.libravatar.org/avatar/2684d7c401ddf615a3d154e0ee3662e8611df4825c112a7e264fcddde7b6f93a?s=24&d=retro", "openid": "drepetto.id.fedoraproject.org", "groups": [{"name": "ipausers"}, {"name": "signed_fpca"}]}}}, {"karma": -1, "comment_id": 2602450, "bug_id": 2092808, "comment": {"karma": 0, "karma_critpath": 0, "text": "This does not fully fix BZ#2092808. Invoking smbcontrol works, but testparm is still returning an empty string.", "timestamp": "2022-07-01 08:03:48", "update_id": 422899, "user_id": 6865, "id": 2602450, "testcase_feedback": [], "user": {"name": "rakuco", "email": "raphael.kubo.da.costa@intel.com", "id": 6865, "avatar": "https://seccdn.libravatar.org/avatar/ef8a1b6db40d4057d6789aac352e9795b3951e5bc5a3aa895b2214cc05dcd579?s=24&d=retro", "openid": "rakuco.id.fedoraproject.org", "groups": [{"name": "ipausers"}]}}}, {"karma": 0, "comment_id": 2618899, "bug_id": 2092808, "comment": {"karma": 0, "karma_critpath": 0, "text": "Thanks everybody for the feedback, I am working on another build to replace this one.", "timestamp": "2022-07-15 14:39:55", "update_id": 422899, "user_id": 5290, "id": 2618899, "testcase_feedback": [], "user": {"name": "zpytela", "email": "zpytela@redhat.com", "id": 5290, "avatar": "https://seccdn.libravatar.org/avatar/f5f39686c696f412e8ed564241807306fff38278b276da30a2d3c41583d69f2a?s=24&d=retro", "openid": "zpytela.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}]}}}, {"karma": 0, "comment_id": 2621102, "bug_id": 2092808, "comment": {"karma": 0, "karma_critpath": 0, "text": "Works for me.", "timestamp": "2022-07-17 14:26:20", "update_id": 426909, "user_id": 1582, "id": 2621102, "testcase_feedback": [], "user": {"name": "drepetto", "email": "drepetto@fedoraproject.org", "id": 1582, "avatar": "https://seccdn.libravatar.org/avatar/2684d7c401ddf615a3d154e0ee3662e8611df4825c112a7e264fcddde7b6f93a?s=24&d=retro", "openid": "drepetto.id.fedoraproject.org", "groups": [{"name": "ipausers"}, {"name": "signed_fpca"}]}}}, {"karma": 0, "comment_id": 2621103, "bug_id": 2092808, "comment": {"karma": 1, "karma_critpath": 0, "text": "", "timestamp": "2022-07-17 14:26:59", "update_id": 426909, "user_id": 1582, "id": 2621103, "testcase_feedback": [], "user": {"name": "drepetto", "email": "drepetto@fedoraproject.org", "id": 1582, "avatar": "https://seccdn.libravatar.org/avatar/2684d7c401ddf615a3d154e0ee3662e8611df4825c112a7e264fcddde7b6f93a?s=24&d=retro", "openid": "drepetto.id.fedoraproject.org", "groups": [{"name": "ipausers"}, {"name": "signed_fpca"}]}}}, {"karma": 0, "comment_id": 2608055, "bug_id": 2092808, "comment": {"karma": 0, "karma_critpath": 0, "text": "@rakuco the denials mentioned in the bz should be addressed. Please open a new bz and add some details and avc denials you see.", "timestamp": "2022-07-07 09:37:28", "update_id": 422899, "user_id": 5290, "id": 2608055, "testcase_feedback": [], "user": {"name": "zpytela", "email": "zpytela@redhat.com", "id": 5290, "avatar": "https://seccdn.libravatar.org/avatar/f5f39686c696f412e8ed564241807306fff38278b276da30a2d3c41583d69f2a?s=24&d=retro", "openid": "zpytela.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}]}}}, {"karma": 0, "comment_id": 2609302, "bug_id": 2092808, "comment": {"karma": 0, "karma_critpath": 0, "text": "I've added more information to bz#2092808 (the bug report already mentions the issue with testparm).", "timestamp": "2022-07-08 09:33:51", "update_id": 422899, "user_id": 6865, "id": 2609302, "testcase_feedback": [], "user": {"name": "rakuco", "email": "raphael.kubo.da.costa@intel.com", "id": 6865, "avatar": "https://seccdn.libravatar.org/avatar/ef8a1b6db40d4057d6789aac352e9795b3951e5bc5a3aa895b2214cc05dcd579?s=24&d=retro", "openid": "rakuco.id.fedoraproject.org", "groups": [{"name": "ipausers"}]}}}, {"karma": 0, "comment_id": 2610615, "bug_id": 2092808, "comment": {"karma": -1, "karma_critpath": 0, "text": "This is causing IPA CI to fail. I'm not completely sure why. The behavior we see is that the current principal is cifs/<fqdn> when we expect it to be something else.\n\nThe AVC we see is:\n\ntype=AVC msg=audit(1657297049.999:3709): avc:  denied  { sendto } for  pid=13209 comm=\"smbcontrol\" path=\"/var/lib/samba/private/msg.sock/13151\" scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=unix_dgram_socket permissive=0", "timestamp": "2022-07-08 16:54:30", "update_id": 422899, "user_id": 1255, "id": 2610615, "testcase_feedback": [], "user": {"name": "rcritten", "email": "rcritten@redhat.com", "id": 1255, "avatar": "https://seccdn.libravatar.org/avatar/170a44090c681a8b42a8cb53b0952228413f629b4696953d22ea19a847fd4b4a?s=24&d=retro", "openid": "rcritten.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "gitfreeipa-docs"}, {"name": "gitfreeipa"}, {"name": "cvsdirsec"}, {"name": "svnpki"}, {"name": "gitipsilon"}, {"name": "gitnsspem"}, {"name": "git389"}, {"name": "svnidmcommon"}, {"name": "fedorabugs"}, {"name": "gitfreeipa-foreman-smartproxy"}, {"name": "signed_fpca"}, {"name": "gitmod_nss"}, {"name": "fedora-contributor"}, {"name": "gitcertmonger"}, {"name": "ipausers"}, {"name": "gitmod_revocator"}, {"name": "trust admins"}]}}}, {"karma": 0, "comment_id": 2613378, "bug_id": 2092808, "comment": {"karma": -1, "karma_critpath": 0, "text": "@zpytela, it looks like smbcontrol_t lacks rights for winbind_rpcd_t, so SELinux policy needs to be extended.", "timestamp": "2022-07-11 10:41:08", "update_id": 422899, "user_id": 1242, "id": 2613378, "testcase_feedback": [], "user": {"name": "abbra", "email": "abokovoy@redhat.com", "id": 1242, "avatar": "https://seccdn.libravatar.org/avatar/3f3c51cb81fb43e685e65ff696d895ac268ff71949128c02b81dec65a4405a0a?s=24&d=retro", "openid": "abbra.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "bind-dyndb-ldap"}, {"name": "gitfreeipa"}, {"name": "gitslapi-nis"}, {"name": "gitfreeipa-docs"}]}}}, {"karma": 0, "comment_id": 2613599, "bug_id": 2092808, "comment": {"karma": 0, "karma_critpath": 0, "text": "BZ https://bugzilla.redhat.com/show_bug.cgi?id=2106006 opened for the issue reported by rcritten", "timestamp": "2022-07-11 14:04:06", "update_id": 422899, "user_id": 3071, "id": 2613599, "testcase_feedback": [], "user": {"name": "frenaud", "email": "frenaud@redhat.com", "id": 3071, "avatar": "https://seccdn.libravatar.org/avatar/1e52aaae9646f0f890f5f6c771cd060c66898d5fdf78e8a6021eb2b75e27ffe2?s=24&d=retro", "openid": "frenaud.id.fedoraproject.org", "groups": [{"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "gitfreeipa"}]}}}, {"karma": 0, "comment_id": 2621218, "bug_id": 2092808, "comment": {"karma": -1, "karma_critpath": 0, "text": "See here: https://github.com/cockpit-project/bots/pull/3627 Lots of tests fail with\n```\naudit: type=1400 audit(2114380829.764:191): avc:  denied  { search } for  pid=813 comm=\"mv\" name=\"contexts\" dev=\"vda5\" ino=16829 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=dir permissive=0\naudit: type=1400 audit(2114380829.770:192): avc:  denied  { sys_admin } for  pid=813 comm=\"mv\" capability=21  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0\naudit: type=1400 audit(2114380829.770:193): avc:  denied  { sys_admin } for  pid=813 comm=\"mv\" capability=21  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0\n```\n\nNetworkManager did *not* change in this image, just\n\n- selinux-policy (36.11-1.fc36 -> 36.12-1.fc36)\n- kernel-core (5.18.10-200.fc36 -> 5.18.11-200.fc36)\n\nand [some others](https://logs.cockpit-project.org/logs/image-refresh-3627-20220716-224141/log) which sound less relevant.\n", "timestamp": "2022-07-17 18:47:16", "update_id": 426909, "user_id": 3506, "id": 2621218, "testcase_feedback": [], "user": {"name": "martinpitt", "email": "mpitt@redhat.com", "id": 3506, "avatar": "https://seccdn.libravatar.org/avatar/a6a00790fadaca10623f4464437e482d4ec110fe331397506ea9fe2664bec740?s=24&d=retro", "openid": "martinpitt.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "cockpitteam"}, {"name": "ocp-cico-cockpit"}]}}}, {"karma": 0, "comment_id": 2623810, "bug_id": 2092808, "comment": {"karma": 1, "karma_critpath": 0, "text": "no problems here", "timestamp": "2022-07-19 05:16:49", "update_id": 426909, "user_id": 5881, "id": 2623810, "testcase_feedback": [], "user": {"name": "geraldosimiao", "email": "geraldo.simiao.kutz@gmail.com", "id": 5881, "avatar": "https://seccdn.libravatar.org/avatar/03fa5b58e8ac78544bf41ad8ecf9ee1920f2ebedb86542c2f4cdf7ef15813168?s=24&d=retro", "openid": "geraldosimiao.id.fedoraproject.org", "groups": [{"name": "qa"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "ambassadors"}, {"name": "fedora-br"}, {"name": "advocates"}, {"name": "respins-sig"}]}}}, {"karma": 0, "comment_id": 2625365, "bug_id": 2092808, "comment": {"karma": 0, "karma_critpath": 0, "text": "This does appear to fix BZ#2080043. I do see some other denials, though (as @martinpitt mentioned): \n\n```\n$ sudo journalctl | grep -i avc \nJul 19 19:28:40 cosa-devsh audit[1556]: AVC avc:  denied  { sys_admin } for  pid=1556 comm=\"mv\" capability=21  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0\nJul 19 19:28:40 cosa-devsh audit[1556]: AVC avc:  denied  { sys_admin } for  pid=1556 comm=\"mv\" capability=21  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0\n```\n\nThey don't seem to be harming my system. ", "timestamp": "2022-07-19 19:33:30", "update_id": 426909, "user_id": 659, "id": 2625365, "testcase_feedback": [], "user": {"name": "dustymabe", "email": "dusty@dustymabe.com", "id": 659, "avatar": "https://seccdn.libravatar.org/avatar/9ec855a28fe61a7fe3d6788882c87ee4c95b38da423234fbb70673a977552c4c?s=24&d=retro", "openid": "dustymabe.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "sysadmin-badges"}, {"name": "aws"}, {"name": "qa-beaker-user"}, {"name": "gitfedora-web"}, {"name": "centosproject-email-aliases"}, {"name": "fi-apprentice"}, {"name": "sysadmin-veteran"}, {"name": "web"}, {"name": "sig-paas"}, {"name": "atomic-wg"}, {"name": "qa"}, {"name": "fedorabugs"}, {"name": "msftazure"}, {"name": "pungi-devel"}, {"name": "qa-automation-shell"}, {"name": "sysadmin-fedimg"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "coreos"}, {"name": "sysadmin"}, {"name": "communishift"}, {"name": "aws-fcos-mgmt"}, {"name": "sysadmin-bodhi"}, {"name": "sysadmin-releng"}, {"name": "sysadmin-coreos"}, {"name": "ipausers"}, {"name": "ibmcloud"}, {"name": "discussion-mods-project"}, {"name": "discussion-mods-ask"}, {"name": "hetznercloud"}, {"name": "trust admins"}, {"name": "coreos-sig"}]}}}, {"karma": 0, "comment_id": 2626048, "bug_id": 2092808, "comment": {"karma": 0, "karma_critpath": 0, "text": "I see:\n```\nsystemd[1655]: selinux: avc:  denied  { status } for auid=1000 uid=1000 gid=1000 path=\"/proc/self/mountinfo\" cmdline=\"/usr/bin/gnome-shell\" function=\"mac_selinux_filter\" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=service permissive=0\n```\nrepeated in journal over and over again. Quite interestingly, it's not shown in \"selinux alert browser\".", "timestamp": "2022-07-20 07:30:55", "update_id": 426909, "user_id": 411, "id": 2626048, "testcase_feedback": [], "user": {"name": "kparal", "email": "kparal@redhat.com", "id": 411, "avatar": "https://seccdn.libravatar.org/avatar/5da027c64997c654044c3d0fdefea4cde1b5cea73f8ecfca77af48e2ba5ed772?s=24&d=retro", "openid": "kparal.id.fedoraproject.org", "groups": [{"name": "qa-tools-sig"}, {"name": "proventesters"}, {"name": "qa"}, {"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "qa-admin"}]}}}, {"karma": 1, "comment_id": 2627353, "bug_id": 2092808, "comment": {"karma": 1, "karma_critpath": 0, "text": "BZ#2092808 seems to have been fixed. The first connection to the VPN causes winbind to go offline for some reason, but I don't think it's related to SELinux.", "timestamp": "2022-07-21 12:58:44", "update_id": 426909, "user_id": 6865, "id": 2627353, "testcase_feedback": [], "user": {"name": "rakuco", "email": "raphael.kubo.da.costa@intel.com", "id": 6865, "avatar": "https://seccdn.libravatar.org/avatar/ef8a1b6db40d4057d6789aac352e9795b3951e5bc5a3aa895b2214cc05dcd579?s=24&d=retro", "openid": "rakuco.id.fedoraproject.org", "groups": [{"name": "ipausers"}]}}}, {"karma": 0, "comment_id": 2657330, "bug_id": 2092808, "comment": {"karma": 0, "karma_critpath": 0, "text": "@dustymabe I think it is needed to backport https://github.com/coreos/console-login-helper-messages/pull/110 to F36, will it be?\n@martinpitt did you notice any actual failure apart from the avcs?\n@kparal do you happen to know how this denial is triggered? This one definitely is new, but likely a result of updating other packages.\nI don't think this build brings any regression.", "timestamp": "2022-07-28 09:10:49", "update_id": 426909, "user_id": 5290, "id": 2657330, "testcase_feedback": [], "user": {"name": "zpytela", "email": "zpytela@redhat.com", "id": 5290, "avatar": "https://seccdn.libravatar.org/avatar/f5f39686c696f412e8ed564241807306fff38278b276da30a2d3c41583d69f2a?s=24&d=retro", "openid": "zpytela.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}]}}}, {"karma": 0, "comment_id": 2657331, "bug_id": 2092808, "comment": {"karma": 0, "karma_critpath": 0, "text": "@zpytela: No, the tests themselves were okay. Just the many avcs.", "timestamp": "2022-07-28 09:21:00", "update_id": 426909, "user_id": 3506, "id": 2657331, "testcase_feedback": [], "user": {"name": "martinpitt", "email": "mpitt@redhat.com", "id": 3506, "avatar": "https://seccdn.libravatar.org/avatar/a6a00790fadaca10623f4464437e482d4ec110fe331397506ea9fe2664bec740?s=24&d=retro", "openid": "martinpitt.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "cockpitteam"}, {"name": "ocp-cico-cockpit"}]}}}, {"karma": 0, "comment_id": 2657341, "bug_id": 2092808, "comment": {"karma": 0, "karma_critpath": 0, "text": "@zpytela: I created https://bugzilla.redhat.com/show_bug.cgi?id=2111834 so we can discuss there.", "timestamp": "2022-07-28 09:33:05", "update_id": 426909, "user_id": 411, "id": 2657341, "testcase_feedback": [], "user": {"name": "kparal", "email": "kparal@redhat.com", "id": 411, "avatar": "https://seccdn.libravatar.org/avatar/5da027c64997c654044c3d0fdefea4cde1b5cea73f8ecfca77af48e2ba5ed772?s=24&d=retro", "openid": "kparal.id.fedoraproject.org", "groups": [{"name": "qa-tools-sig"}, {"name": "proventesters"}, {"name": "qa"}, {"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "qa-admin"}]}}}, {"karma": 1, "comment_id": 2667508, "bug_id": 2092808, "comment": {"karma": 1, "karma_critpath": 0, "text": "Works fine, and BZ#2092808 does seem to be fixed.", "timestamp": "2022-08-04 09:35:09", "update_id": 437222, "user_id": 6865, "id": 2667508, "testcase_feedback": [], "user": {"name": "rakuco", "email": "raphael.kubo.da.costa@intel.com", "id": 6865, "avatar": "https://seccdn.libravatar.org/avatar/ef8a1b6db40d4057d6789aac352e9795b3951e5bc5a3aa895b2214cc05dcd579?s=24&d=retro", "openid": "rakuco.id.fedoraproject.org", "groups": [{"name": "ipausers"}]}}}, {"karma": 0, "comment_id": 2668804, "bug_id": 2092808, "comment": {"karma": 1, "karma_critpath": 0, "text": "I tested this new version [with cockpit's tests](https://github.com/cockpit-project/bots/pull/3703). My [previously reported regression](https://bodhi.fedoraproject.org/updates/FEDORA-2022-320775eb9a#comment-2621218) (dispatcher denials for `mv`) does not happen any more. Thanks!", "timestamp": "2022-08-05 09:53:46", "update_id": 437222, "user_id": 3506, "id": 2668804, "testcase_feedback": [], "user": {"name": "martinpitt", "email": "mpitt@redhat.com", "id": 3506, "avatar": "https://seccdn.libravatar.org/avatar/a6a00790fadaca10623f4464437e482d4ec110fe331397506ea9fe2664bec740?s=24&d=retro", "openid": "martinpitt.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "cockpitteam"}, {"name": "ocp-cico-cockpit"}]}}}]}, {"bug_id": 2093155, "title": "SELinux is preventing logger from 'create' accesses on the unix_dgram_socket labeled NetworkManager_dispatcher_custom_t.", "security": false, "parent": false, "feedback": [{"karma": 0, "comment_id": 2600845, "bug_id": 2093155, "comment": {"karma": 1, "karma_critpath": 0, "text": "Works for me.\nI'm not 100% sure it fixes BZ#2093285, because that AVC presented itself only occasionally.\n\n", "timestamp": "2022-06-30 21:55:49", "update_id": 422899, "user_id": 1582, "id": 2600845, "testcase_feedback": [], "user": {"name": "drepetto", "email": "drepetto@fedoraproject.org", "id": 1582, "avatar": "https://seccdn.libravatar.org/avatar/2684d7c401ddf615a3d154e0ee3662e8611df4825c112a7e264fcddde7b6f93a?s=24&d=retro", "openid": "drepetto.id.fedoraproject.org", "groups": [{"name": "ipausers"}, {"name": "signed_fpca"}]}}}, {"karma": 0, "comment_id": 2602450, "bug_id": 2093155, "comment": {"karma": 0, "karma_critpath": 0, "text": "This does not fully fix BZ#2092808. Invoking smbcontrol works, but testparm is still returning an empty string.", "timestamp": "2022-07-01 08:03:48", "update_id": 422899, "user_id": 6865, "id": 2602450, "testcase_feedback": [], "user": {"name": "rakuco", "email": "raphael.kubo.da.costa@intel.com", "id": 6865, "avatar": "https://seccdn.libravatar.org/avatar/ef8a1b6db40d4057d6789aac352e9795b3951e5bc5a3aa895b2214cc05dcd579?s=24&d=retro", "openid": "rakuco.id.fedoraproject.org", "groups": [{"name": "ipausers"}]}}}, {"karma": 0, "comment_id": 2618899, "bug_id": 2093155, "comment": {"karma": 0, "karma_critpath": 0, "text": "Thanks everybody for the feedback, I am working on another build to replace this one.", "timestamp": "2022-07-15 14:39:55", "update_id": 422899, "user_id": 5290, "id": 2618899, "testcase_feedback": [], "user": {"name": "zpytela", "email": "zpytela@redhat.com", "id": 5290, "avatar": "https://seccdn.libravatar.org/avatar/f5f39686c696f412e8ed564241807306fff38278b276da30a2d3c41583d69f2a?s=24&d=retro", "openid": "zpytela.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}]}}}, {"karma": 0, "comment_id": 2621102, "bug_id": 2093155, "comment": {"karma": 0, "karma_critpath": 0, "text": "Works for me.", "timestamp": "2022-07-17 14:26:20", "update_id": 426909, "user_id": 1582, "id": 2621102, "testcase_feedback": [], "user": {"name": "drepetto", "email": "drepetto@fedoraproject.org", "id": 1582, "avatar": "https://seccdn.libravatar.org/avatar/2684d7c401ddf615a3d154e0ee3662e8611df4825c112a7e264fcddde7b6f93a?s=24&d=retro", "openid": "drepetto.id.fedoraproject.org", "groups": [{"name": "ipausers"}, {"name": "signed_fpca"}]}}}, {"karma": 0, "comment_id": 2621103, "bug_id": 2093155, "comment": {"karma": 1, "karma_critpath": 0, "text": "", "timestamp": "2022-07-17 14:26:59", "update_id": 426909, "user_id": 1582, "id": 2621103, "testcase_feedback": [], "user": {"name": "drepetto", "email": "drepetto@fedoraproject.org", "id": 1582, "avatar": "https://seccdn.libravatar.org/avatar/2684d7c401ddf615a3d154e0ee3662e8611df4825c112a7e264fcddde7b6f93a?s=24&d=retro", "openid": "drepetto.id.fedoraproject.org", "groups": [{"name": "ipausers"}, {"name": "signed_fpca"}]}}}, {"karma": 0, "comment_id": 2608055, "bug_id": 2093155, "comment": {"karma": 0, "karma_critpath": 0, "text": "@rakuco the denials mentioned in the bz should be addressed. Please open a new bz and add some details and avc denials you see.", "timestamp": "2022-07-07 09:37:28", "update_id": 422899, "user_id": 5290, "id": 2608055, "testcase_feedback": [], "user": {"name": "zpytela", "email": "zpytela@redhat.com", "id": 5290, "avatar": "https://seccdn.libravatar.org/avatar/f5f39686c696f412e8ed564241807306fff38278b276da30a2d3c41583d69f2a?s=24&d=retro", "openid": "zpytela.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}]}}}, {"karma": 0, "comment_id": 2609302, "bug_id": 2093155, "comment": {"karma": 0, "karma_critpath": 0, "text": "I've added more information to bz#2092808 (the bug report already mentions the issue with testparm).", "timestamp": "2022-07-08 09:33:51", "update_id": 422899, "user_id": 6865, "id": 2609302, "testcase_feedback": [], "user": {"name": "rakuco", "email": "raphael.kubo.da.costa@intel.com", "id": 6865, "avatar": "https://seccdn.libravatar.org/avatar/ef8a1b6db40d4057d6789aac352e9795b3951e5bc5a3aa895b2214cc05dcd579?s=24&d=retro", "openid": "rakuco.id.fedoraproject.org", "groups": [{"name": "ipausers"}]}}}, {"karma": 0, "comment_id": 2610615, "bug_id": 2093155, "comment": {"karma": -1, "karma_critpath": 0, "text": "This is causing IPA CI to fail. I'm not completely sure why. The behavior we see is that the current principal is cifs/<fqdn> when we expect it to be something else.\n\nThe AVC we see is:\n\ntype=AVC msg=audit(1657297049.999:3709): avc:  denied  { sendto } for  pid=13209 comm=\"smbcontrol\" path=\"/var/lib/samba/private/msg.sock/13151\" scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=unix_dgram_socket permissive=0", "timestamp": "2022-07-08 16:54:30", "update_id": 422899, "user_id": 1255, "id": 2610615, "testcase_feedback": [], "user": {"name": "rcritten", "email": "rcritten@redhat.com", "id": 1255, "avatar": "https://seccdn.libravatar.org/avatar/170a44090c681a8b42a8cb53b0952228413f629b4696953d22ea19a847fd4b4a?s=24&d=retro", "openid": "rcritten.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "gitfreeipa-docs"}, {"name": "gitfreeipa"}, {"name": "cvsdirsec"}, {"name": "svnpki"}, {"name": "gitipsilon"}, {"name": "gitnsspem"}, {"name": "git389"}, {"name": "svnidmcommon"}, {"name": "fedorabugs"}, {"name": "gitfreeipa-foreman-smartproxy"}, {"name": "signed_fpca"}, {"name": "gitmod_nss"}, {"name": "fedora-contributor"}, {"name": "gitcertmonger"}, {"name": "ipausers"}, {"name": "gitmod_revocator"}, {"name": "trust admins"}]}}}, {"karma": 0, "comment_id": 2613378, "bug_id": 2093155, "comment": {"karma": -1, "karma_critpath": 0, "text": "@zpytela, it looks like smbcontrol_t lacks rights for winbind_rpcd_t, so SELinux policy needs to be extended.", "timestamp": "2022-07-11 10:41:08", "update_id": 422899, "user_id": 1242, "id": 2613378, "testcase_feedback": [], "user": {"name": "abbra", "email": "abokovoy@redhat.com", "id": 1242, "avatar": "https://seccdn.libravatar.org/avatar/3f3c51cb81fb43e685e65ff696d895ac268ff71949128c02b81dec65a4405a0a?s=24&d=retro", "openid": "abbra.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "bind-dyndb-ldap"}, {"name": "gitfreeipa"}, {"name": "gitslapi-nis"}, {"name": "gitfreeipa-docs"}]}}}, {"karma": 0, "comment_id": 2613599, "bug_id": 2093155, "comment": {"karma": 0, "karma_critpath": 0, "text": "BZ https://bugzilla.redhat.com/show_bug.cgi?id=2106006 opened for the issue reported by rcritten", "timestamp": "2022-07-11 14:04:06", "update_id": 422899, "user_id": 3071, "id": 2613599, "testcase_feedback": [], "user": {"name": "frenaud", "email": "frenaud@redhat.com", "id": 3071, "avatar": "https://seccdn.libravatar.org/avatar/1e52aaae9646f0f890f5f6c771cd060c66898d5fdf78e8a6021eb2b75e27ffe2?s=24&d=retro", "openid": "frenaud.id.fedoraproject.org", "groups": [{"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "gitfreeipa"}]}}}, {"karma": 0, "comment_id": 2621218, "bug_id": 2093155, "comment": {"karma": -1, "karma_critpath": 0, "text": "See here: https://github.com/cockpit-project/bots/pull/3627 Lots of tests fail with\n```\naudit: type=1400 audit(2114380829.764:191): avc:  denied  { search } for  pid=813 comm=\"mv\" name=\"contexts\" dev=\"vda5\" ino=16829 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=dir permissive=0\naudit: type=1400 audit(2114380829.770:192): avc:  denied  { sys_admin } for  pid=813 comm=\"mv\" capability=21  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0\naudit: type=1400 audit(2114380829.770:193): avc:  denied  { sys_admin } for  pid=813 comm=\"mv\" capability=21  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0\n```\n\nNetworkManager did *not* change in this image, just\n\n- selinux-policy (36.11-1.fc36 -> 36.12-1.fc36)\n- kernel-core (5.18.10-200.fc36 -> 5.18.11-200.fc36)\n\nand [some others](https://logs.cockpit-project.org/logs/image-refresh-3627-20220716-224141/log) which sound less relevant.\n", "timestamp": "2022-07-17 18:47:16", "update_id": 426909, "user_id": 3506, "id": 2621218, "testcase_feedback": [], "user": {"name": "martinpitt", "email": "mpitt@redhat.com", "id": 3506, "avatar": "https://seccdn.libravatar.org/avatar/a6a00790fadaca10623f4464437e482d4ec110fe331397506ea9fe2664bec740?s=24&d=retro", "openid": "martinpitt.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "cockpitteam"}, {"name": "ocp-cico-cockpit"}]}}}, {"karma": 0, "comment_id": 2623810, "bug_id": 2093155, "comment": {"karma": 1, "karma_critpath": 0, "text": "no problems here", "timestamp": "2022-07-19 05:16:49", "update_id": 426909, "user_id": 5881, "id": 2623810, "testcase_feedback": [], "user": {"name": "geraldosimiao", "email": "geraldo.simiao.kutz@gmail.com", "id": 5881, "avatar": "https://seccdn.libravatar.org/avatar/03fa5b58e8ac78544bf41ad8ecf9ee1920f2ebedb86542c2f4cdf7ef15813168?s=24&d=retro", "openid": "geraldosimiao.id.fedoraproject.org", "groups": [{"name": "qa"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "ambassadors"}, {"name": "fedora-br"}, {"name": "advocates"}, {"name": "respins-sig"}]}}}, {"karma": 0, "comment_id": 2625365, "bug_id": 2093155, "comment": {"karma": 0, "karma_critpath": 0, "text": "This does appear to fix BZ#2080043. I do see some other denials, though (as @martinpitt mentioned): \n\n```\n$ sudo journalctl | grep -i avc \nJul 19 19:28:40 cosa-devsh audit[1556]: AVC avc:  denied  { sys_admin } for  pid=1556 comm=\"mv\" capability=21  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0\nJul 19 19:28:40 cosa-devsh audit[1556]: AVC avc:  denied  { sys_admin } for  pid=1556 comm=\"mv\" capability=21  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0\n```\n\nThey don't seem to be harming my system. ", "timestamp": "2022-07-19 19:33:30", "update_id": 426909, "user_id": 659, "id": 2625365, "testcase_feedback": [], "user": {"name": "dustymabe", "email": "dusty@dustymabe.com", "id": 659, "avatar": "https://seccdn.libravatar.org/avatar/9ec855a28fe61a7fe3d6788882c87ee4c95b38da423234fbb70673a977552c4c?s=24&d=retro", "openid": "dustymabe.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "sysadmin-badges"}, {"name": "aws"}, {"name": "qa-beaker-user"}, {"name": "gitfedora-web"}, {"name": "centosproject-email-aliases"}, {"name": "fi-apprentice"}, {"name": "sysadmin-veteran"}, {"name": "web"}, {"name": "sig-paas"}, {"name": "atomic-wg"}, {"name": "qa"}, {"name": "fedorabugs"}, {"name": "msftazure"}, {"name": "pungi-devel"}, {"name": "qa-automation-shell"}, {"name": "sysadmin-fedimg"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "coreos"}, {"name": "sysadmin"}, {"name": "communishift"}, {"name": "aws-fcos-mgmt"}, {"name": "sysadmin-bodhi"}, {"name": "sysadmin-releng"}, {"name": "sysadmin-coreos"}, {"name": "ipausers"}, {"name": "ibmcloud"}, {"name": "discussion-mods-project"}, {"name": "discussion-mods-ask"}, {"name": "hetznercloud"}, {"name": "trust admins"}, {"name": "coreos-sig"}]}}}, {"karma": 0, "comment_id": 2626048, "bug_id": 2093155, "comment": {"karma": 0, "karma_critpath": 0, "text": "I see:\n```\nsystemd[1655]: selinux: avc:  denied  { status } for auid=1000 uid=1000 gid=1000 path=\"/proc/self/mountinfo\" cmdline=\"/usr/bin/gnome-shell\" function=\"mac_selinux_filter\" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=service permissive=0\n```\nrepeated in journal over and over again. Quite interestingly, it's not shown in \"selinux alert browser\".", "timestamp": "2022-07-20 07:30:55", "update_id": 426909, "user_id": 411, "id": 2626048, "testcase_feedback": [], "user": {"name": "kparal", "email": "kparal@redhat.com", "id": 411, "avatar": "https://seccdn.libravatar.org/avatar/5da027c64997c654044c3d0fdefea4cde1b5cea73f8ecfca77af48e2ba5ed772?s=24&d=retro", "openid": "kparal.id.fedoraproject.org", "groups": [{"name": "qa-tools-sig"}, {"name": "proventesters"}, {"name": "qa"}, {"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "qa-admin"}]}}}, {"karma": 0, "comment_id": 2627353, "bug_id": 2093155, "comment": {"karma": 1, "karma_critpath": 0, "text": "BZ#2092808 seems to have been fixed. The first connection to the VPN causes winbind to go offline for some reason, but I don't think it's related to SELinux.", "timestamp": "2022-07-21 12:58:44", "update_id": 426909, "user_id": 6865, "id": 2627353, "testcase_feedback": [], "user": {"name": "rakuco", "email": "raphael.kubo.da.costa@intel.com", "id": 6865, "avatar": "https://seccdn.libravatar.org/avatar/ef8a1b6db40d4057d6789aac352e9795b3951e5bc5a3aa895b2214cc05dcd579?s=24&d=retro", "openid": "rakuco.id.fedoraproject.org", "groups": [{"name": "ipausers"}]}}}, {"karma": 0, "comment_id": 2657330, "bug_id": 2093155, "comment": {"karma": 0, "karma_critpath": 0, "text": "@dustymabe I think it is needed to backport https://github.com/coreos/console-login-helper-messages/pull/110 to F36, will it be?\n@martinpitt did you notice any actual failure apart from the avcs?\n@kparal do you happen to know how this denial is triggered? This one definitely is new, but likely a result of updating other packages.\nI don't think this build brings any regression.", "timestamp": "2022-07-28 09:10:49", "update_id": 426909, "user_id": 5290, "id": 2657330, "testcase_feedback": [], "user": {"name": "zpytela", "email": "zpytela@redhat.com", "id": 5290, "avatar": "https://seccdn.libravatar.org/avatar/f5f39686c696f412e8ed564241807306fff38278b276da30a2d3c41583d69f2a?s=24&d=retro", "openid": "zpytela.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}]}}}, {"karma": 0, "comment_id": 2657331, "bug_id": 2093155, "comment": {"karma": 0, "karma_critpath": 0, "text": "@zpytela: No, the tests themselves were okay. Just the many avcs.", "timestamp": "2022-07-28 09:21:00", "update_id": 426909, "user_id": 3506, "id": 2657331, "testcase_feedback": [], "user": {"name": "martinpitt", "email": "mpitt@redhat.com", "id": 3506, "avatar": "https://seccdn.libravatar.org/avatar/a6a00790fadaca10623f4464437e482d4ec110fe331397506ea9fe2664bec740?s=24&d=retro", "openid": "martinpitt.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "cockpitteam"}, {"name": "ocp-cico-cockpit"}]}}}, {"karma": 0, "comment_id": 2657341, "bug_id": 2093155, "comment": {"karma": 0, "karma_critpath": 0, "text": "@zpytela: I created https://bugzilla.redhat.com/show_bug.cgi?id=2111834 so we can discuss there.", "timestamp": "2022-07-28 09:33:05", "update_id": 426909, "user_id": 411, "id": 2657341, "testcase_feedback": [], "user": {"name": "kparal", "email": "kparal@redhat.com", "id": 411, "avatar": "https://seccdn.libravatar.org/avatar/5da027c64997c654044c3d0fdefea4cde1b5cea73f8ecfca77af48e2ba5ed772?s=24&d=retro", "openid": "kparal.id.fedoraproject.org", "groups": [{"name": "qa-tools-sig"}, {"name": "proventesters"}, {"name": "qa"}, {"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "qa-admin"}]}}}, {"karma": 0, "comment_id": 2667508, "bug_id": 2093155, "comment": {"karma": 1, "karma_critpath": 0, "text": "Works fine, and BZ#2092808 does seem to be fixed.", "timestamp": "2022-08-04 09:35:09", "update_id": 437222, "user_id": 6865, "id": 2667508, "testcase_feedback": [], "user": {"name": "rakuco", "email": "raphael.kubo.da.costa@intel.com", "id": 6865, "avatar": "https://seccdn.libravatar.org/avatar/ef8a1b6db40d4057d6789aac352e9795b3951e5bc5a3aa895b2214cc05dcd579?s=24&d=retro", "openid": "rakuco.id.fedoraproject.org", "groups": [{"name": "ipausers"}]}}}, {"karma": 0, "comment_id": 2668804, "bug_id": 2093155, "comment": {"karma": 1, "karma_critpath": 0, "text": "I tested this new version [with cockpit's tests](https://github.com/cockpit-project/bots/pull/3703). My [previously reported regression](https://bodhi.fedoraproject.org/updates/FEDORA-2022-320775eb9a#comment-2621218) (dispatcher denials for `mv`) does not happen any more. Thanks!", "timestamp": "2022-08-05 09:53:46", "update_id": 437222, "user_id": 3506, "id": 2668804, "testcase_feedback": [], "user": {"name": "martinpitt", "email": "mpitt@redhat.com", "id": 3506, "avatar": "https://seccdn.libravatar.org/avatar/a6a00790fadaca10623f4464437e482d4ec110fe331397506ea9fe2664bec740?s=24&d=retro", "openid": "martinpitt.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "cockpitteam"}, {"name": "ocp-cico-cockpit"}]}}}]}, {"bug_id": 2093285, "title": "SELinux is preventing /usr/bin/bash from 'getattr' accesses on the file /run/ddclient/ddclient.pid.", "security": false, "parent": false, "feedback": [{"karma": 0, "comment_id": 2600845, "bug_id": 2093285, "comment": {"karma": 1, "karma_critpath": 0, "text": "Works for me.\nI'm not 100% sure it fixes BZ#2093285, because that AVC presented itself only occasionally.\n\n", "timestamp": "2022-06-30 21:55:49", "update_id": 422899, "user_id": 1582, "id": 2600845, "testcase_feedback": [], "user": {"name": "drepetto", "email": "drepetto@fedoraproject.org", "id": 1582, "avatar": "https://seccdn.libravatar.org/avatar/2684d7c401ddf615a3d154e0ee3662e8611df4825c112a7e264fcddde7b6f93a?s=24&d=retro", "openid": "drepetto.id.fedoraproject.org", "groups": [{"name": "ipausers"}, {"name": "signed_fpca"}]}}}, {"karma": 0, "comment_id": 2602450, "bug_id": 2093285, "comment": {"karma": 0, "karma_critpath": 0, "text": "This does not fully fix BZ#2092808. Invoking smbcontrol works, but testparm is still returning an empty string.", "timestamp": "2022-07-01 08:03:48", "update_id": 422899, "user_id": 6865, "id": 2602450, "testcase_feedback": [], "user": {"name": "rakuco", "email": "raphael.kubo.da.costa@intel.com", "id": 6865, "avatar": "https://seccdn.libravatar.org/avatar/ef8a1b6db40d4057d6789aac352e9795b3951e5bc5a3aa895b2214cc05dcd579?s=24&d=retro", "openid": "rakuco.id.fedoraproject.org", "groups": [{"name": "ipausers"}]}}}, {"karma": 0, "comment_id": 2618899, "bug_id": 2093285, "comment": {"karma": 0, "karma_critpath": 0, "text": "Thanks everybody for the feedback, I am working on another build to replace this one.", "timestamp": "2022-07-15 14:39:55", "update_id": 422899, "user_id": 5290, "id": 2618899, "testcase_feedback": [], "user": {"name": "zpytela", "email": "zpytela@redhat.com", "id": 5290, "avatar": "https://seccdn.libravatar.org/avatar/f5f39686c696f412e8ed564241807306fff38278b276da30a2d3c41583d69f2a?s=24&d=retro", "openid": "zpytela.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}]}}}, {"karma": 0, "comment_id": 2621102, "bug_id": 2093285, "comment": {"karma": 0, "karma_critpath": 0, "text": "Works for me.", "timestamp": "2022-07-17 14:26:20", "update_id": 426909, "user_id": 1582, "id": 2621102, "testcase_feedback": [], "user": {"name": "drepetto", "email": "drepetto@fedoraproject.org", "id": 1582, "avatar": "https://seccdn.libravatar.org/avatar/2684d7c401ddf615a3d154e0ee3662e8611df4825c112a7e264fcddde7b6f93a?s=24&d=retro", "openid": "drepetto.id.fedoraproject.org", "groups": [{"name": "ipausers"}, {"name": "signed_fpca"}]}}}, {"karma": 0, "comment_id": 2621103, "bug_id": 2093285, "comment": {"karma": 1, "karma_critpath": 0, "text": "", "timestamp": "2022-07-17 14:26:59", "update_id": 426909, "user_id": 1582, "id": 2621103, "testcase_feedback": [], "user": {"name": "drepetto", "email": "drepetto@fedoraproject.org", "id": 1582, "avatar": "https://seccdn.libravatar.org/avatar/2684d7c401ddf615a3d154e0ee3662e8611df4825c112a7e264fcddde7b6f93a?s=24&d=retro", "openid": "drepetto.id.fedoraproject.org", "groups": [{"name": "ipausers"}, {"name": "signed_fpca"}]}}}, {"karma": 0, "comment_id": 2608055, "bug_id": 2093285, "comment": {"karma": 0, "karma_critpath": 0, "text": "@rakuco the denials mentioned in the bz should be addressed. Please open a new bz and add some details and avc denials you see.", "timestamp": "2022-07-07 09:37:28", "update_id": 422899, "user_id": 5290, "id": 2608055, "testcase_feedback": [], "user": {"name": "zpytela", "email": "zpytela@redhat.com", "id": 5290, "avatar": "https://seccdn.libravatar.org/avatar/f5f39686c696f412e8ed564241807306fff38278b276da30a2d3c41583d69f2a?s=24&d=retro", "openid": "zpytela.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}]}}}, {"karma": 0, "comment_id": 2609302, "bug_id": 2093285, "comment": {"karma": 0, "karma_critpath": 0, "text": "I've added more information to bz#2092808 (the bug report already mentions the issue with testparm).", "timestamp": "2022-07-08 09:33:51", "update_id": 422899, "user_id": 6865, "id": 2609302, "testcase_feedback": [], "user": {"name": "rakuco", "email": "raphael.kubo.da.costa@intel.com", "id": 6865, "avatar": "https://seccdn.libravatar.org/avatar/ef8a1b6db40d4057d6789aac352e9795b3951e5bc5a3aa895b2214cc05dcd579?s=24&d=retro", "openid": "rakuco.id.fedoraproject.org", "groups": [{"name": "ipausers"}]}}}, {"karma": 0, "comment_id": 2610615, "bug_id": 2093285, "comment": {"karma": -1, "karma_critpath": 0, "text": "This is causing IPA CI to fail. I'm not completely sure why. The behavior we see is that the current principal is cifs/<fqdn> when we expect it to be something else.\n\nThe AVC we see is:\n\ntype=AVC msg=audit(1657297049.999:3709): avc:  denied  { sendto } for  pid=13209 comm=\"smbcontrol\" path=\"/var/lib/samba/private/msg.sock/13151\" scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=unix_dgram_socket permissive=0", "timestamp": "2022-07-08 16:54:30", "update_id": 422899, "user_id": 1255, "id": 2610615, "testcase_feedback": [], "user": {"name": "rcritten", "email": "rcritten@redhat.com", "id": 1255, "avatar": "https://seccdn.libravatar.org/avatar/170a44090c681a8b42a8cb53b0952228413f629b4696953d22ea19a847fd4b4a?s=24&d=retro", "openid": "rcritten.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "gitfreeipa-docs"}, {"name": "gitfreeipa"}, {"name": "cvsdirsec"}, {"name": "svnpki"}, {"name": "gitipsilon"}, {"name": "gitnsspem"}, {"name": "git389"}, {"name": "svnidmcommon"}, {"name": "fedorabugs"}, {"name": "gitfreeipa-foreman-smartproxy"}, {"name": "signed_fpca"}, {"name": "gitmod_nss"}, {"name": "fedora-contributor"}, {"name": "gitcertmonger"}, {"name": "ipausers"}, {"name": "gitmod_revocator"}, {"name": "trust admins"}]}}}, {"karma": 0, "comment_id": 2613378, "bug_id": 2093285, "comment": {"karma": -1, "karma_critpath": 0, "text": "@zpytela, it looks like smbcontrol_t lacks rights for winbind_rpcd_t, so SELinux policy needs to be extended.", "timestamp": "2022-07-11 10:41:08", "update_id": 422899, "user_id": 1242, "id": 2613378, "testcase_feedback": [], "user": {"name": "abbra", "email": "abokovoy@redhat.com", "id": 1242, "avatar": "https://seccdn.libravatar.org/avatar/3f3c51cb81fb43e685e65ff696d895ac268ff71949128c02b81dec65a4405a0a?s=24&d=retro", "openid": "abbra.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "bind-dyndb-ldap"}, {"name": "gitfreeipa"}, {"name": "gitslapi-nis"}, {"name": "gitfreeipa-docs"}]}}}, {"karma": 0, "comment_id": 2613599, "bug_id": 2093285, "comment": {"karma": 0, "karma_critpath": 0, "text": "BZ https://bugzilla.redhat.com/show_bug.cgi?id=2106006 opened for the issue reported by rcritten", "timestamp": "2022-07-11 14:04:06", "update_id": 422899, "user_id": 3071, "id": 2613599, "testcase_feedback": [], "user": {"name": "frenaud", "email": "frenaud@redhat.com", "id": 3071, "avatar": "https://seccdn.libravatar.org/avatar/1e52aaae9646f0f890f5f6c771cd060c66898d5fdf78e8a6021eb2b75e27ffe2?s=24&d=retro", "openid": "frenaud.id.fedoraproject.org", "groups": [{"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "gitfreeipa"}]}}}, {"karma": 0, "comment_id": 2621218, "bug_id": 2093285, "comment": {"karma": -1, "karma_critpath": 0, "text": "See here: https://github.com/cockpit-project/bots/pull/3627 Lots of tests fail with\n```\naudit: type=1400 audit(2114380829.764:191): avc:  denied  { search } for  pid=813 comm=\"mv\" name=\"contexts\" dev=\"vda5\" ino=16829 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=dir permissive=0\naudit: type=1400 audit(2114380829.770:192): avc:  denied  { sys_admin } for  pid=813 comm=\"mv\" capability=21  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0\naudit: type=1400 audit(2114380829.770:193): avc:  denied  { sys_admin } for  pid=813 comm=\"mv\" capability=21  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0\n```\n\nNetworkManager did *not* change in this image, just\n\n- selinux-policy (36.11-1.fc36 -> 36.12-1.fc36)\n- kernel-core (5.18.10-200.fc36 -> 5.18.11-200.fc36)\n\nand [some others](https://logs.cockpit-project.org/logs/image-refresh-3627-20220716-224141/log) which sound less relevant.\n", "timestamp": "2022-07-17 18:47:16", "update_id": 426909, "user_id": 3506, "id": 2621218, "testcase_feedback": [], "user": {"name": "martinpitt", "email": "mpitt@redhat.com", "id": 3506, "avatar": "https://seccdn.libravatar.org/avatar/a6a00790fadaca10623f4464437e482d4ec110fe331397506ea9fe2664bec740?s=24&d=retro", "openid": "martinpitt.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "cockpitteam"}, {"name": "ocp-cico-cockpit"}]}}}, {"karma": 0, "comment_id": 2623810, "bug_id": 2093285, "comment": {"karma": 1, "karma_critpath": 0, "text": "no problems here", "timestamp": "2022-07-19 05:16:49", "update_id": 426909, "user_id": 5881, "id": 2623810, "testcase_feedback": [], "user": {"name": "geraldosimiao", "email": "geraldo.simiao.kutz@gmail.com", "id": 5881, "avatar": "https://seccdn.libravatar.org/avatar/03fa5b58e8ac78544bf41ad8ecf9ee1920f2ebedb86542c2f4cdf7ef15813168?s=24&d=retro", "openid": "geraldosimiao.id.fedoraproject.org", "groups": [{"name": "qa"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "ambassadors"}, {"name": "fedora-br"}, {"name": "advocates"}, {"name": "respins-sig"}]}}}, {"karma": 0, "comment_id": 2625365, "bug_id": 2093285, "comment": {"karma": 0, "karma_critpath": 0, "text": "This does appear to fix BZ#2080043. I do see some other denials, though (as @martinpitt mentioned): \n\n```\n$ sudo journalctl | grep -i avc \nJul 19 19:28:40 cosa-devsh audit[1556]: AVC avc:  denied  { sys_admin } for  pid=1556 comm=\"mv\" capability=21  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0\nJul 19 19:28:40 cosa-devsh audit[1556]: AVC avc:  denied  { sys_admin } for  pid=1556 comm=\"mv\" capability=21  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0\n```\n\nThey don't seem to be harming my system. ", "timestamp": "2022-07-19 19:33:30", "update_id": 426909, "user_id": 659, "id": 2625365, "testcase_feedback": [], "user": {"name": "dustymabe", "email": "dusty@dustymabe.com", "id": 659, "avatar": "https://seccdn.libravatar.org/avatar/9ec855a28fe61a7fe3d6788882c87ee4c95b38da423234fbb70673a977552c4c?s=24&d=retro", "openid": "dustymabe.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "sysadmin-badges"}, {"name": "aws"}, {"name": "qa-beaker-user"}, {"name": "gitfedora-web"}, {"name": "centosproject-email-aliases"}, {"name": "fi-apprentice"}, {"name": "sysadmin-veteran"}, {"name": "web"}, {"name": "sig-paas"}, {"name": "atomic-wg"}, {"name": "qa"}, {"name": "fedorabugs"}, {"name": "msftazure"}, {"name": "pungi-devel"}, {"name": "qa-automation-shell"}, {"name": "sysadmin-fedimg"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "coreos"}, {"name": "sysadmin"}, {"name": "communishift"}, {"name": "aws-fcos-mgmt"}, {"name": "sysadmin-bodhi"}, {"name": "sysadmin-releng"}, {"name": "sysadmin-coreos"}, {"name": "ipausers"}, {"name": "ibmcloud"}, {"name": "discussion-mods-project"}, {"name": "discussion-mods-ask"}, {"name": "hetznercloud"}, {"name": "trust admins"}, {"name": "coreos-sig"}]}}}, {"karma": 0, "comment_id": 2626048, "bug_id": 2093285, "comment": {"karma": 0, "karma_critpath": 0, "text": "I see:\n```\nsystemd[1655]: selinux: avc:  denied  { status } for auid=1000 uid=1000 gid=1000 path=\"/proc/self/mountinfo\" cmdline=\"/usr/bin/gnome-shell\" function=\"mac_selinux_filter\" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=service permissive=0\n```\nrepeated in journal over and over again. Quite interestingly, it's not shown in \"selinux alert browser\".", "timestamp": "2022-07-20 07:30:55", "update_id": 426909, "user_id": 411, "id": 2626048, "testcase_feedback": [], "user": {"name": "kparal", "email": "kparal@redhat.com", "id": 411, "avatar": "https://seccdn.libravatar.org/avatar/5da027c64997c654044c3d0fdefea4cde1b5cea73f8ecfca77af48e2ba5ed772?s=24&d=retro", "openid": "kparal.id.fedoraproject.org", "groups": [{"name": "qa-tools-sig"}, {"name": "proventesters"}, {"name": "qa"}, {"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "qa-admin"}]}}}, {"karma": 0, "comment_id": 2627353, "bug_id": 2093285, "comment": {"karma": 1, "karma_critpath": 0, "text": "BZ#2092808 seems to have been fixed. The first connection to the VPN causes winbind to go offline for some reason, but I don't think it's related to SELinux.", "timestamp": "2022-07-21 12:58:44", "update_id": 426909, "user_id": 6865, "id": 2627353, "testcase_feedback": [], "user": {"name": "rakuco", "email": "raphael.kubo.da.costa@intel.com", "id": 6865, "avatar": "https://seccdn.libravatar.org/avatar/ef8a1b6db40d4057d6789aac352e9795b3951e5bc5a3aa895b2214cc05dcd579?s=24&d=retro", "openid": "rakuco.id.fedoraproject.org", "groups": [{"name": "ipausers"}]}}}, {"karma": 0, "comment_id": 2657330, "bug_id": 2093285, "comment": {"karma": 0, "karma_critpath": 0, "text": "@dustymabe I think it is needed to backport https://github.com/coreos/console-login-helper-messages/pull/110 to F36, will it be?\n@martinpitt did you notice any actual failure apart from the avcs?\n@kparal do you happen to know how this denial is triggered? This one definitely is new, but likely a result of updating other packages.\nI don't think this build brings any regression.", "timestamp": "2022-07-28 09:10:49", "update_id": 426909, "user_id": 5290, "id": 2657330, "testcase_feedback": [], "user": {"name": "zpytela", "email": "zpytela@redhat.com", "id": 5290, "avatar": "https://seccdn.libravatar.org/avatar/f5f39686c696f412e8ed564241807306fff38278b276da30a2d3c41583d69f2a?s=24&d=retro", "openid": "zpytela.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}]}}}, {"karma": 0, "comment_id": 2657331, "bug_id": 2093285, "comment": {"karma": 0, "karma_critpath": 0, "text": "@zpytela: No, the tests themselves were okay. Just the many avcs.", "timestamp": "2022-07-28 09:21:00", "update_id": 426909, "user_id": 3506, "id": 2657331, "testcase_feedback": [], "user": {"name": "martinpitt", "email": "mpitt@redhat.com", "id": 3506, "avatar": "https://seccdn.libravatar.org/avatar/a6a00790fadaca10623f4464437e482d4ec110fe331397506ea9fe2664bec740?s=24&d=retro", "openid": "martinpitt.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "cockpitteam"}, {"name": "ocp-cico-cockpit"}]}}}, {"karma": 0, "comment_id": 2657341, "bug_id": 2093285, "comment": {"karma": 0, "karma_critpath": 0, "text": "@zpytela: I created https://bugzilla.redhat.com/show_bug.cgi?id=2111834 so we can discuss there.", "timestamp": "2022-07-28 09:33:05", "update_id": 426909, "user_id": 411, "id": 2657341, "testcase_feedback": [], "user": {"name": "kparal", "email": "kparal@redhat.com", "id": 411, "avatar": "https://seccdn.libravatar.org/avatar/5da027c64997c654044c3d0fdefea4cde1b5cea73f8ecfca77af48e2ba5ed772?s=24&d=retro", "openid": "kparal.id.fedoraproject.org", "groups": [{"name": "qa-tools-sig"}, {"name": "proventesters"}, {"name": "qa"}, {"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "qa-admin"}]}}}, {"karma": 0, "comment_id": 2667508, "bug_id": 2093285, "comment": {"karma": 1, "karma_critpath": 0, "text": "Works fine, and BZ#2092808 does seem to be fixed.", "timestamp": "2022-08-04 09:35:09", "update_id": 437222, "user_id": 6865, "id": 2667508, "testcase_feedback": [], "user": {"name": "rakuco", "email": "raphael.kubo.da.costa@intel.com", "id": 6865, "avatar": "https://seccdn.libravatar.org/avatar/ef8a1b6db40d4057d6789aac352e9795b3951e5bc5a3aa895b2214cc05dcd579?s=24&d=retro", "openid": "rakuco.id.fedoraproject.org", "groups": [{"name": "ipausers"}]}}}, {"karma": 0, "comment_id": 2668804, "bug_id": 2093285, "comment": {"karma": 1, "karma_critpath": 0, "text": "I tested this new version [with cockpit's tests](https://github.com/cockpit-project/bots/pull/3703). My [previously reported regression](https://bodhi.fedoraproject.org/updates/FEDORA-2022-320775eb9a#comment-2621218) (dispatcher denials for `mv`) does not happen any more. Thanks!", "timestamp": "2022-08-05 09:53:46", "update_id": 437222, "user_id": 3506, "id": 2668804, "testcase_feedback": [], "user": {"name": "martinpitt", "email": "mpitt@redhat.com", "id": 3506, "avatar": "https://seccdn.libravatar.org/avatar/a6a00790fadaca10623f4464437e482d4ec110fe331397506ea9fe2664bec740?s=24&d=retro", "openid": "martinpitt.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "cockpitteam"}, {"name": "ocp-cico-cockpit"}]}}}]}, {"bug_id": 2101062, "title": "firewalld was denied reading /sys/devices/system/cpu/possible when booting or restarting firewalld", "security": false, "parent": false, "feedback": [{"karma": 1, "comment_id": 2600845, "bug_id": 2101062, "comment": {"karma": 1, "karma_critpath": 0, "text": "Works for me.\nI'm not 100% sure it fixes BZ#2093285, because that AVC presented itself only occasionally.\n\n", "timestamp": "2022-06-30 21:55:49", "update_id": 422899, "user_id": 1582, "id": 2600845, "testcase_feedback": [], "user": {"name": "drepetto", "email": "drepetto@fedoraproject.org", "id": 1582, "avatar": "https://seccdn.libravatar.org/avatar/2684d7c401ddf615a3d154e0ee3662e8611df4825c112a7e264fcddde7b6f93a?s=24&d=retro", "openid": "drepetto.id.fedoraproject.org", "groups": [{"name": "ipausers"}, {"name": "signed_fpca"}]}}}, {"karma": 0, "comment_id": 2602450, "bug_id": 2101062, "comment": {"karma": 0, "karma_critpath": 0, "text": "This does not fully fix BZ#2092808. Invoking smbcontrol works, but testparm is still returning an empty string.", "timestamp": "2022-07-01 08:03:48", "update_id": 422899, "user_id": 6865, "id": 2602450, "testcase_feedback": [], "user": {"name": "rakuco", "email": "raphael.kubo.da.costa@intel.com", "id": 6865, "avatar": "https://seccdn.libravatar.org/avatar/ef8a1b6db40d4057d6789aac352e9795b3951e5bc5a3aa895b2214cc05dcd579?s=24&d=retro", "openid": "rakuco.id.fedoraproject.org", "groups": [{"name": "ipausers"}]}}}, {"karma": 0, "comment_id": 2618899, "bug_id": 2101062, "comment": {"karma": 0, "karma_critpath": 0, "text": "Thanks everybody for the feedback, I am working on another build to replace this one.", "timestamp": "2022-07-15 14:39:55", "update_id": 422899, "user_id": 5290, "id": 2618899, "testcase_feedback": [], "user": {"name": "zpytela", "email": "zpytela@redhat.com", "id": 5290, "avatar": "https://seccdn.libravatar.org/avatar/f5f39686c696f412e8ed564241807306fff38278b276da30a2d3c41583d69f2a?s=24&d=retro", "openid": "zpytela.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}]}}}, {"karma": 0, "comment_id": 2621102, "bug_id": 2101062, "comment": {"karma": 0, "karma_critpath": 0, "text": "Works for me.", "timestamp": "2022-07-17 14:26:20", "update_id": 426909, "user_id": 1582, "id": 2621102, "testcase_feedback": [], "user": {"name": "drepetto", "email": "drepetto@fedoraproject.org", "id": 1582, "avatar": "https://seccdn.libravatar.org/avatar/2684d7c401ddf615a3d154e0ee3662e8611df4825c112a7e264fcddde7b6f93a?s=24&d=retro", "openid": "drepetto.id.fedoraproject.org", "groups": [{"name": "ipausers"}, {"name": "signed_fpca"}]}}}, {"karma": 0, "comment_id": 2621103, "bug_id": 2101062, "comment": {"karma": 1, "karma_critpath": 0, "text": "", "timestamp": "2022-07-17 14:26:59", "update_id": 426909, "user_id": 1582, "id": 2621103, "testcase_feedback": [], "user": {"name": "drepetto", "email": "drepetto@fedoraproject.org", "id": 1582, "avatar": "https://seccdn.libravatar.org/avatar/2684d7c401ddf615a3d154e0ee3662e8611df4825c112a7e264fcddde7b6f93a?s=24&d=retro", "openid": "drepetto.id.fedoraproject.org", "groups": [{"name": "ipausers"}, {"name": "signed_fpca"}]}}}, {"karma": 0, "comment_id": 2608055, "bug_id": 2101062, "comment": {"karma": 0, "karma_critpath": 0, "text": "@rakuco the denials mentioned in the bz should be addressed. Please open a new bz and add some details and avc denials you see.", "timestamp": "2022-07-07 09:37:28", "update_id": 422899, "user_id": 5290, "id": 2608055, "testcase_feedback": [], "user": {"name": "zpytela", "email": "zpytela@redhat.com", "id": 5290, "avatar": "https://seccdn.libravatar.org/avatar/f5f39686c696f412e8ed564241807306fff38278b276da30a2d3c41583d69f2a?s=24&d=retro", "openid": "zpytela.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}]}}}, {"karma": 0, "comment_id": 2609302, "bug_id": 2101062, "comment": {"karma": 0, "karma_critpath": 0, "text": "I've added more information to bz#2092808 (the bug report already mentions the issue with testparm).", "timestamp": "2022-07-08 09:33:51", "update_id": 422899, "user_id": 6865, "id": 2609302, "testcase_feedback": [], "user": {"name": "rakuco", "email": "raphael.kubo.da.costa@intel.com", "id": 6865, "avatar": "https://seccdn.libravatar.org/avatar/ef8a1b6db40d4057d6789aac352e9795b3951e5bc5a3aa895b2214cc05dcd579?s=24&d=retro", "openid": "rakuco.id.fedoraproject.org", "groups": [{"name": "ipausers"}]}}}, {"karma": 0, "comment_id": 2610615, "bug_id": 2101062, "comment": {"karma": -1, "karma_critpath": 0, "text": "This is causing IPA CI to fail. I'm not completely sure why. The behavior we see is that the current principal is cifs/<fqdn> when we expect it to be something else.\n\nThe AVC we see is:\n\ntype=AVC msg=audit(1657297049.999:3709): avc:  denied  { sendto } for  pid=13209 comm=\"smbcontrol\" path=\"/var/lib/samba/private/msg.sock/13151\" scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=unix_dgram_socket permissive=0", "timestamp": "2022-07-08 16:54:30", "update_id": 422899, "user_id": 1255, "id": 2610615, "testcase_feedback": [], "user": {"name": "rcritten", "email": "rcritten@redhat.com", "id": 1255, "avatar": "https://seccdn.libravatar.org/avatar/170a44090c681a8b42a8cb53b0952228413f629b4696953d22ea19a847fd4b4a?s=24&d=retro", "openid": "rcritten.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "gitfreeipa-docs"}, {"name": "gitfreeipa"}, {"name": "cvsdirsec"}, {"name": "svnpki"}, {"name": "gitipsilon"}, {"name": "gitnsspem"}, {"name": "git389"}, {"name": "svnidmcommon"}, {"name": "fedorabugs"}, {"name": "gitfreeipa-foreman-smartproxy"}, {"name": "signed_fpca"}, {"name": "gitmod_nss"}, {"name": "fedora-contributor"}, {"name": "gitcertmonger"}, {"name": "ipausers"}, {"name": "gitmod_revocator"}, {"name": "trust admins"}]}}}, {"karma": 0, "comment_id": 2613378, "bug_id": 2101062, "comment": {"karma": -1, "karma_critpath": 0, "text": "@zpytela, it looks like smbcontrol_t lacks rights for winbind_rpcd_t, so SELinux policy needs to be extended.", "timestamp": "2022-07-11 10:41:08", "update_id": 422899, "user_id": 1242, "id": 2613378, "testcase_feedback": [], "user": {"name": "abbra", "email": "abokovoy@redhat.com", "id": 1242, "avatar": "https://seccdn.libravatar.org/avatar/3f3c51cb81fb43e685e65ff696d895ac268ff71949128c02b81dec65a4405a0a?s=24&d=retro", "openid": "abbra.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "bind-dyndb-ldap"}, {"name": "gitfreeipa"}, {"name": "gitslapi-nis"}, {"name": "gitfreeipa-docs"}]}}}, {"karma": 0, "comment_id": 2613599, "bug_id": 2101062, "comment": {"karma": 0, "karma_critpath": 0, "text": "BZ https://bugzilla.redhat.com/show_bug.cgi?id=2106006 opened for the issue reported by rcritten", "timestamp": "2022-07-11 14:04:06", "update_id": 422899, "user_id": 3071, "id": 2613599, "testcase_feedback": [], "user": {"name": "frenaud", "email": "frenaud@redhat.com", "id": 3071, "avatar": "https://seccdn.libravatar.org/avatar/1e52aaae9646f0f890f5f6c771cd060c66898d5fdf78e8a6021eb2b75e27ffe2?s=24&d=retro", "openid": "frenaud.id.fedoraproject.org", "groups": [{"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "gitfreeipa"}]}}}, {"karma": 0, "comment_id": 2621218, "bug_id": 2101062, "comment": {"karma": -1, "karma_critpath": 0, "text": "See here: https://github.com/cockpit-project/bots/pull/3627 Lots of tests fail with\n```\naudit: type=1400 audit(2114380829.764:191): avc:  denied  { search } for  pid=813 comm=\"mv\" name=\"contexts\" dev=\"vda5\" ino=16829 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=dir permissive=0\naudit: type=1400 audit(2114380829.770:192): avc:  denied  { sys_admin } for  pid=813 comm=\"mv\" capability=21  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0\naudit: type=1400 audit(2114380829.770:193): avc:  denied  { sys_admin } for  pid=813 comm=\"mv\" capability=21  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0\n```\n\nNetworkManager did *not* change in this image, just\n\n- selinux-policy (36.11-1.fc36 -> 36.12-1.fc36)\n- kernel-core (5.18.10-200.fc36 -> 5.18.11-200.fc36)\n\nand [some others](https://logs.cockpit-project.org/logs/image-refresh-3627-20220716-224141/log) which sound less relevant.\n", "timestamp": "2022-07-17 18:47:16", "update_id": 426909, "user_id": 3506, "id": 2621218, "testcase_feedback": [], "user": {"name": "martinpitt", "email": "mpitt@redhat.com", "id": 3506, "avatar": "https://seccdn.libravatar.org/avatar/a6a00790fadaca10623f4464437e482d4ec110fe331397506ea9fe2664bec740?s=24&d=retro", "openid": "martinpitt.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "cockpitteam"}, {"name": "ocp-cico-cockpit"}]}}}, {"karma": 0, "comment_id": 2623810, "bug_id": 2101062, "comment": {"karma": 1, "karma_critpath": 0, "text": "no problems here", "timestamp": "2022-07-19 05:16:49", "update_id": 426909, "user_id": 5881, "id": 2623810, "testcase_feedback": [], "user": {"name": "geraldosimiao", "email": "geraldo.simiao.kutz@gmail.com", "id": 5881, "avatar": "https://seccdn.libravatar.org/avatar/03fa5b58e8ac78544bf41ad8ecf9ee1920f2ebedb86542c2f4cdf7ef15813168?s=24&d=retro", "openid": "geraldosimiao.id.fedoraproject.org", "groups": [{"name": "qa"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "ambassadors"}, {"name": "fedora-br"}, {"name": "advocates"}, {"name": "respins-sig"}]}}}, {"karma": 0, "comment_id": 2625365, "bug_id": 2101062, "comment": {"karma": 0, "karma_critpath": 0, "text": "This does appear to fix BZ#2080043. I do see some other denials, though (as @martinpitt mentioned): \n\n```\n$ sudo journalctl | grep -i avc \nJul 19 19:28:40 cosa-devsh audit[1556]: AVC avc:  denied  { sys_admin } for  pid=1556 comm=\"mv\" capability=21  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0\nJul 19 19:28:40 cosa-devsh audit[1556]: AVC avc:  denied  { sys_admin } for  pid=1556 comm=\"mv\" capability=21  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0\n```\n\nThey don't seem to be harming my system. ", "timestamp": "2022-07-19 19:33:30", "update_id": 426909, "user_id": 659, "id": 2625365, "testcase_feedback": [], "user": {"name": "dustymabe", "email": "dusty@dustymabe.com", "id": 659, "avatar": "https://seccdn.libravatar.org/avatar/9ec855a28fe61a7fe3d6788882c87ee4c95b38da423234fbb70673a977552c4c?s=24&d=retro", "openid": "dustymabe.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "sysadmin-badges"}, {"name": "aws"}, {"name": "qa-beaker-user"}, {"name": "gitfedora-web"}, {"name": "centosproject-email-aliases"}, {"name": "fi-apprentice"}, {"name": "sysadmin-veteran"}, {"name": "web"}, {"name": "sig-paas"}, {"name": "atomic-wg"}, {"name": "qa"}, {"name": "fedorabugs"}, {"name": "msftazure"}, {"name": "pungi-devel"}, {"name": "qa-automation-shell"}, {"name": "sysadmin-fedimg"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "coreos"}, {"name": "sysadmin"}, {"name": "communishift"}, {"name": "aws-fcos-mgmt"}, {"name": "sysadmin-bodhi"}, {"name": "sysadmin-releng"}, {"name": "sysadmin-coreos"}, {"name": "ipausers"}, {"name": "ibmcloud"}, {"name": "discussion-mods-project"}, {"name": "discussion-mods-ask"}, {"name": "hetznercloud"}, {"name": "trust admins"}, {"name": "coreos-sig"}]}}}, {"karma": 0, "comment_id": 2626048, "bug_id": 2101062, "comment": {"karma": 0, "karma_critpath": 0, "text": "I see:\n```\nsystemd[1655]: selinux: avc:  denied  { status } for auid=1000 uid=1000 gid=1000 path=\"/proc/self/mountinfo\" cmdline=\"/usr/bin/gnome-shell\" function=\"mac_selinux_filter\" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=service permissive=0\n```\nrepeated in journal over and over again. Quite interestingly, it's not shown in \"selinux alert browser\".", "timestamp": "2022-07-20 07:30:55", "update_id": 426909, "user_id": 411, "id": 2626048, "testcase_feedback": [], "user": {"name": "kparal", "email": "kparal@redhat.com", "id": 411, "avatar": "https://seccdn.libravatar.org/avatar/5da027c64997c654044c3d0fdefea4cde1b5cea73f8ecfca77af48e2ba5ed772?s=24&d=retro", "openid": "kparal.id.fedoraproject.org", "groups": [{"name": "qa-tools-sig"}, {"name": "proventesters"}, {"name": "qa"}, {"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "qa-admin"}]}}}, {"karma": 0, "comment_id": 2627353, "bug_id": 2101062, "comment": {"karma": 1, "karma_critpath": 0, "text": "BZ#2092808 seems to have been fixed. The first connection to the VPN causes winbind to go offline for some reason, but I don't think it's related to SELinux.", "timestamp": "2022-07-21 12:58:44", "update_id": 426909, "user_id": 6865, "id": 2627353, "testcase_feedback": [], "user": {"name": "rakuco", "email": "raphael.kubo.da.costa@intel.com", "id": 6865, "avatar": "https://seccdn.libravatar.org/avatar/ef8a1b6db40d4057d6789aac352e9795b3951e5bc5a3aa895b2214cc05dcd579?s=24&d=retro", "openid": "rakuco.id.fedoraproject.org", "groups": [{"name": "ipausers"}]}}}, {"karma": 0, "comment_id": 2657330, "bug_id": 2101062, "comment": {"karma": 0, "karma_critpath": 0, "text": "@dustymabe I think it is needed to backport https://github.com/coreos/console-login-helper-messages/pull/110 to F36, will it be?\n@martinpitt did you notice any actual failure apart from the avcs?\n@kparal do you happen to know how this denial is triggered? This one definitely is new, but likely a result of updating other packages.\nI don't think this build brings any regression.", "timestamp": "2022-07-28 09:10:49", "update_id": 426909, "user_id": 5290, "id": 2657330, "testcase_feedback": [], "user": {"name": "zpytela", "email": "zpytela@redhat.com", "id": 5290, "avatar": "https://seccdn.libravatar.org/avatar/f5f39686c696f412e8ed564241807306fff38278b276da30a2d3c41583d69f2a?s=24&d=retro", "openid": "zpytela.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}]}}}, {"karma": 0, "comment_id": 2657331, "bug_id": 2101062, "comment": {"karma": 0, "karma_critpath": 0, "text": "@zpytela: No, the tests themselves were okay. Just the many avcs.", "timestamp": "2022-07-28 09:21:00", "update_id": 426909, "user_id": 3506, "id": 2657331, "testcase_feedback": [], "user": {"name": "martinpitt", "email": "mpitt@redhat.com", "id": 3506, "avatar": "https://seccdn.libravatar.org/avatar/a6a00790fadaca10623f4464437e482d4ec110fe331397506ea9fe2664bec740?s=24&d=retro", "openid": "martinpitt.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "cockpitteam"}, {"name": "ocp-cico-cockpit"}]}}}, {"karma": 0, "comment_id": 2657341, "bug_id": 2101062, "comment": {"karma": 0, "karma_critpath": 0, "text": "@zpytela: I created https://bugzilla.redhat.com/show_bug.cgi?id=2111834 so we can discuss there.", "timestamp": "2022-07-28 09:33:05", "update_id": 426909, "user_id": 411, "id": 2657341, "testcase_feedback": [], "user": {"name": "kparal", "email": "kparal@redhat.com", "id": 411, "avatar": "https://seccdn.libravatar.org/avatar/5da027c64997c654044c3d0fdefea4cde1b5cea73f8ecfca77af48e2ba5ed772?s=24&d=retro", "openid": "kparal.id.fedoraproject.org", "groups": [{"name": "qa-tools-sig"}, {"name": "proventesters"}, {"name": "qa"}, {"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "qa-admin"}]}}}, {"karma": 0, "comment_id": 2667508, "bug_id": 2101062, "comment": {"karma": 1, "karma_critpath": 0, "text": "Works fine, and BZ#2092808 does seem to be fixed.", "timestamp": "2022-08-04 09:35:09", "update_id": 437222, "user_id": 6865, "id": 2667508, "testcase_feedback": [], "user": {"name": "rakuco", "email": "raphael.kubo.da.costa@intel.com", "id": 6865, "avatar": "https://seccdn.libravatar.org/avatar/ef8a1b6db40d4057d6789aac352e9795b3951e5bc5a3aa895b2214cc05dcd579?s=24&d=retro", "openid": "rakuco.id.fedoraproject.org", "groups": [{"name": "ipausers"}]}}}, {"karma": 0, "comment_id": 2668804, "bug_id": 2101062, "comment": {"karma": 1, "karma_critpath": 0, "text": "I tested this new version [with cockpit's tests](https://github.com/cockpit-project/bots/pull/3703). My [previously reported regression](https://bodhi.fedoraproject.org/updates/FEDORA-2022-320775eb9a#comment-2621218) (dispatcher denials for `mv`) does not happen any more. Thanks!", "timestamp": "2022-08-05 09:53:46", "update_id": 437222, "user_id": 3506, "id": 2668804, "testcase_feedback": [], "user": {"name": "martinpitt", "email": "mpitt@redhat.com", "id": 3506, "avatar": "https://seccdn.libravatar.org/avatar/a6a00790fadaca10623f4464437e482d4ec110fe331397506ea9fe2664bec740?s=24&d=retro", "openid": "martinpitt.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "cockpitteam"}, {"name": "ocp-cico-cockpit"}]}}}]}, {"bug_id": 2106006, "title": "selinux-policy AVC during ipa trust-add", "security": false, "parent": false, "feedback": [{"karma": 0, "comment_id": 2621102, "bug_id": 2106006, "comment": {"karma": 0, "karma_critpath": 0, "text": "Works for me.", "timestamp": "2022-07-17 14:26:20", "update_id": 426909, "user_id": 1582, "id": 2621102, "testcase_feedback": [], "user": {"name": "drepetto", "email": "drepetto@fedoraproject.org", "id": 1582, "avatar": "https://seccdn.libravatar.org/avatar/2684d7c401ddf615a3d154e0ee3662e8611df4825c112a7e264fcddde7b6f93a?s=24&d=retro", "openid": "drepetto.id.fedoraproject.org", "groups": [{"name": "ipausers"}, {"name": "signed_fpca"}]}}}, {"karma": 0, "comment_id": 2621103, "bug_id": 2106006, "comment": {"karma": 1, "karma_critpath": 0, "text": "", "timestamp": "2022-07-17 14:26:59", "update_id": 426909, "user_id": 1582, "id": 2621103, "testcase_feedback": [], "user": {"name": "drepetto", "email": "drepetto@fedoraproject.org", "id": 1582, "avatar": "https://seccdn.libravatar.org/avatar/2684d7c401ddf615a3d154e0ee3662e8611df4825c112a7e264fcddde7b6f93a?s=24&d=retro", "openid": "drepetto.id.fedoraproject.org", "groups": [{"name": "ipausers"}, {"name": "signed_fpca"}]}}}, {"karma": 0, "comment_id": 2621218, "bug_id": 2106006, "comment": {"karma": -1, "karma_critpath": 0, "text": "See here: https://github.com/cockpit-project/bots/pull/3627 Lots of tests fail with\n```\naudit: type=1400 audit(2114380829.764:191): avc:  denied  { search } for  pid=813 comm=\"mv\" name=\"contexts\" dev=\"vda5\" ino=16829 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=dir permissive=0\naudit: type=1400 audit(2114380829.770:192): avc:  denied  { sys_admin } for  pid=813 comm=\"mv\" capability=21  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0\naudit: type=1400 audit(2114380829.770:193): avc:  denied  { sys_admin } for  pid=813 comm=\"mv\" capability=21  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0\n```\n\nNetworkManager did *not* change in this image, just\n\n- selinux-policy (36.11-1.fc36 -> 36.12-1.fc36)\n- kernel-core (5.18.10-200.fc36 -> 5.18.11-200.fc36)\n\nand [some others](https://logs.cockpit-project.org/logs/image-refresh-3627-20220716-224141/log) which sound less relevant.\n", "timestamp": "2022-07-17 18:47:16", "update_id": 426909, "user_id": 3506, "id": 2621218, "testcase_feedback": [], "user": {"name": "martinpitt", "email": "mpitt@redhat.com", "id": 3506, "avatar": "https://seccdn.libravatar.org/avatar/a6a00790fadaca10623f4464437e482d4ec110fe331397506ea9fe2664bec740?s=24&d=retro", "openid": "martinpitt.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "cockpitteam"}, {"name": "ocp-cico-cockpit"}]}}}, {"karma": 0, "comment_id": 2623810, "bug_id": 2106006, "comment": {"karma": 1, "karma_critpath": 0, "text": "no problems here", "timestamp": "2022-07-19 05:16:49", "update_id": 426909, "user_id": 5881, "id": 2623810, "testcase_feedback": [], "user": {"name": "geraldosimiao", "email": "geraldo.simiao.kutz@gmail.com", "id": 5881, "avatar": "https://seccdn.libravatar.org/avatar/03fa5b58e8ac78544bf41ad8ecf9ee1920f2ebedb86542c2f4cdf7ef15813168?s=24&d=retro", "openid": "geraldosimiao.id.fedoraproject.org", "groups": [{"name": "qa"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "ambassadors"}, {"name": "fedora-br"}, {"name": "advocates"}, {"name": "respins-sig"}]}}}, {"karma": 0, "comment_id": 2625365, "bug_id": 2106006, "comment": {"karma": 0, "karma_critpath": 0, "text": "This does appear to fix BZ#2080043. I do see some other denials, though (as @martinpitt mentioned): \n\n```\n$ sudo journalctl | grep -i avc \nJul 19 19:28:40 cosa-devsh audit[1556]: AVC avc:  denied  { sys_admin } for  pid=1556 comm=\"mv\" capability=21  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0\nJul 19 19:28:40 cosa-devsh audit[1556]: AVC avc:  denied  { sys_admin } for  pid=1556 comm=\"mv\" capability=21  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0\n```\n\nThey don't seem to be harming my system. ", "timestamp": "2022-07-19 19:33:30", "update_id": 426909, "user_id": 659, "id": 2625365, "testcase_feedback": [], "user": {"name": "dustymabe", "email": "dusty@dustymabe.com", "id": 659, "avatar": "https://seccdn.libravatar.org/avatar/9ec855a28fe61a7fe3d6788882c87ee4c95b38da423234fbb70673a977552c4c?s=24&d=retro", "openid": "dustymabe.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "sysadmin-badges"}, {"name": "aws"}, {"name": "qa-beaker-user"}, {"name": "gitfedora-web"}, {"name": "centosproject-email-aliases"}, {"name": "fi-apprentice"}, {"name": "sysadmin-veteran"}, {"name": "web"}, {"name": "sig-paas"}, {"name": "atomic-wg"}, {"name": "qa"}, {"name": "fedorabugs"}, {"name": "msftazure"}, {"name": "pungi-devel"}, {"name": "qa-automation-shell"}, {"name": "sysadmin-fedimg"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "coreos"}, {"name": "sysadmin"}, {"name": "communishift"}, {"name": "aws-fcos-mgmt"}, {"name": "sysadmin-bodhi"}, {"name": "sysadmin-releng"}, {"name": "sysadmin-coreos"}, {"name": "ipausers"}, {"name": "ibmcloud"}, {"name": "discussion-mods-project"}, {"name": "discussion-mods-ask"}, {"name": "hetznercloud"}, {"name": "trust admins"}, {"name": "coreos-sig"}]}}}, {"karma": 0, "comment_id": 2626048, "bug_id": 2106006, "comment": {"karma": 0, "karma_critpath": 0, "text": "I see:\n```\nsystemd[1655]: selinux: avc:  denied  { status } for auid=1000 uid=1000 gid=1000 path=\"/proc/self/mountinfo\" cmdline=\"/usr/bin/gnome-shell\" function=\"mac_selinux_filter\" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=service permissive=0\n```\nrepeated in journal over and over again. Quite interestingly, it's not shown in \"selinux alert browser\".", "timestamp": "2022-07-20 07:30:55", "update_id": 426909, "user_id": 411, "id": 2626048, "testcase_feedback": [], "user": {"name": "kparal", "email": "kparal@redhat.com", "id": 411, "avatar": "https://seccdn.libravatar.org/avatar/5da027c64997c654044c3d0fdefea4cde1b5cea73f8ecfca77af48e2ba5ed772?s=24&d=retro", "openid": "kparal.id.fedoraproject.org", "groups": [{"name": "qa-tools-sig"}, {"name": "proventesters"}, {"name": "qa"}, {"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "qa-admin"}]}}}, {"karma": 0, "comment_id": 2627353, "bug_id": 2106006, "comment": {"karma": 1, "karma_critpath": 0, "text": "BZ#2092808 seems to have been fixed. The first connection to the VPN causes winbind to go offline for some reason, but I don't think it's related to SELinux.", "timestamp": "2022-07-21 12:58:44", "update_id": 426909, "user_id": 6865, "id": 2627353, "testcase_feedback": [], "user": {"name": "rakuco", "email": "raphael.kubo.da.costa@intel.com", "id": 6865, "avatar": "https://seccdn.libravatar.org/avatar/ef8a1b6db40d4057d6789aac352e9795b3951e5bc5a3aa895b2214cc05dcd579?s=24&d=retro", "openid": "rakuco.id.fedoraproject.org", "groups": [{"name": "ipausers"}]}}}, {"karma": 0, "comment_id": 2657330, "bug_id": 2106006, "comment": {"karma": 0, "karma_critpath": 0, "text": "@dustymabe I think it is needed to backport https://github.com/coreos/console-login-helper-messages/pull/110 to F36, will it be?\n@martinpitt did you notice any actual failure apart from the avcs?\n@kparal do you happen to know how this denial is triggered? This one definitely is new, but likely a result of updating other packages.\nI don't think this build brings any regression.", "timestamp": "2022-07-28 09:10:49", "update_id": 426909, "user_id": 5290, "id": 2657330, "testcase_feedback": [], "user": {"name": "zpytela", "email": "zpytela@redhat.com", "id": 5290, "avatar": "https://seccdn.libravatar.org/avatar/f5f39686c696f412e8ed564241807306fff38278b276da30a2d3c41583d69f2a?s=24&d=retro", "openid": "zpytela.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}]}}}, {"karma": 0, "comment_id": 2657331, "bug_id": 2106006, "comment": {"karma": 0, "karma_critpath": 0, "text": "@zpytela: No, the tests themselves were okay. Just the many avcs.", "timestamp": "2022-07-28 09:21:00", "update_id": 426909, "user_id": 3506, "id": 2657331, "testcase_feedback": [], "user": {"name": "martinpitt", "email": "mpitt@redhat.com", "id": 3506, "avatar": "https://seccdn.libravatar.org/avatar/a6a00790fadaca10623f4464437e482d4ec110fe331397506ea9fe2664bec740?s=24&d=retro", "openid": "martinpitt.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "cockpitteam"}, {"name": "ocp-cico-cockpit"}]}}}, {"karma": 0, "comment_id": 2657341, "bug_id": 2106006, "comment": {"karma": 0, "karma_critpath": 0, "text": "@zpytela: I created https://bugzilla.redhat.com/show_bug.cgi?id=2111834 so we can discuss there.", "timestamp": "2022-07-28 09:33:05", "update_id": 426909, "user_id": 411, "id": 2657341, "testcase_feedback": [], "user": {"name": "kparal", "email": "kparal@redhat.com", "id": 411, "avatar": "https://seccdn.libravatar.org/avatar/5da027c64997c654044c3d0fdefea4cde1b5cea73f8ecfca77af48e2ba5ed772?s=24&d=retro", "openid": "kparal.id.fedoraproject.org", "groups": [{"name": "qa-tools-sig"}, {"name": "proventesters"}, {"name": "qa"}, {"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "qa-admin"}]}}}, {"karma": 0, "comment_id": 2667508, "bug_id": 2106006, "comment": {"karma": 1, "karma_critpath": 0, "text": "Works fine, and BZ#2092808 does seem to be fixed.", "timestamp": "2022-08-04 09:35:09", "update_id": 437222, "user_id": 6865, "id": 2667508, "testcase_feedback": [], "user": {"name": "rakuco", "email": "raphael.kubo.da.costa@intel.com", "id": 6865, "avatar": "https://seccdn.libravatar.org/avatar/ef8a1b6db40d4057d6789aac352e9795b3951e5bc5a3aa895b2214cc05dcd579?s=24&d=retro", "openid": "rakuco.id.fedoraproject.org", "groups": [{"name": "ipausers"}]}}}, {"karma": 0, "comment_id": 2668804, "bug_id": 2106006, "comment": {"karma": 1, "karma_critpath": 0, "text": "I tested this new version [with cockpit's tests](https://github.com/cockpit-project/bots/pull/3703). My [previously reported regression](https://bodhi.fedoraproject.org/updates/FEDORA-2022-320775eb9a#comment-2621218) (dispatcher denials for `mv`) does not happen any more. Thanks!", "timestamp": "2022-08-05 09:53:46", "update_id": 437222, "user_id": 3506, "id": 2668804, "testcase_feedback": [], "user": {"name": "martinpitt", "email": "mpitt@redhat.com", "id": 3506, "avatar": "https://seccdn.libravatar.org/avatar/a6a00790fadaca10623f4464437e482d4ec110fe331397506ea9fe2664bec740?s=24&d=retro", "openid": "martinpitt.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "cockpitteam"}, {"name": "ocp-cico-cockpit"}]}}}]}], "updateid": "FEDORA-2022-320775eb9a", "karma": 6, "content_type": "rpm", "test_cases": []}, "can_edit": false, "ci_allowed": false}