New F35 selinux-policy build
Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:
sudo dnf upgrade --refresh --advisory=FEDORA-2022-41fa7610dd
Please login to add feedback.
This update has been submitted for testing by zpytela.
This update's test gating status has been changed to 'waiting'.
I confirm that upgrading PCRE2 does not produce the "Regex version mismatch" warning any more.
SELinux is preventing gdm-wayland-ses from write access on the sock_file bus.
SELinux is preventing systemd-user-ru from unlink access on the sock_file bus.
The above warnings from version 35.9 disappeared ... The below journal entries appear with version 35.10 :
systemd-tmpfiles[980]: Failed to create directory or subvolume "/var/lib/cni/networks": Invalid argument
systemd-tmpfiles[980]: Failed to set SELinux security context system_u:object_r:container_var_lib_t:s0
for /var/lib/cni/networks: Invalid argument
This update's test gating status has been changed to 'passed'.
This update has been submitted for stable by bodhi.
This update has been pushed to stable.
Please, please pleeeease don't fast-pace selinux updates through updates-testing like that. This has broken the world for cockpit (again!), always takes us hours to sort through the fallout, and 10 hours is simply not enough time for us to even run tests -- even the mirrors are not that fast.
This update broke a local policy module I have:
Module:
Module had been unchanged for years. Downgrading selinux-policy back to selinux-policy-35.9-1.fc35 and reinstalling the module fixed it.
Why has this been pushed to stable ? That's what happens when I try to upgrade flatpak :
SELinux warnings :
started getting a bunch of SELinux warnings after this update, and trying to install local policies with semodule gives this error
semodule seems to work fine after downgrading to the previous version of selinux-policy
I am trying to figure out what could possibly go wrong and create a new build as soon as I find the root cause.
@clnetbox, I managed to sucessfully update flatpak to flatpak-1.12.4-1.fc35.x86_64.
@zpytela I tried it again after rebooting the system - same results - didn't work. What I didn't mention before,
the upgrade process to 35.10 took a way longer time as usual, and also a lot of SELinux warnings popped up.
The last version that worked properly without any noticeable issues was 35.8 ... at least for me. To sum it up :
New issues after upgrading to version 35.9 ->
New issues after upgrading to version 35.10 ->
The update took longer because of recompiling the policy files because there was an accidental upgrade of pcre2 in the same RPM transaction.
Yeah this update is really, really bad. I can confirm comments from cinetbox and imabug and suspect this also broke cockpit for me as per martinpitt:s comment. It also broke pretty much all of rootless podman for me which now stops with a SIGTRAP. This needs to be reversed urgently before it breaks more installs.
It can't. Already in stable.
I couldn't log into an X session after applying this update and my nvidia kmod installation fails.
@zpytela I suggest you remove versions 3.9 and 3.10 from stable until all issues are finally fixed in the new version.
flatpak-1.12.4-1.fc35.x86_64 (testing) depends on selinux-policy 3.9 being installed, that should be reverted as well.
A new selinux-policy package is being worked on and will be ready soon.
Thank you @zpytela for the quick turnaround!
Hope this doesn't happen to anyone else but I made the mistake of performing an autorelabel which locked me out but I was able to recover via chroot/rescue using the netinstall image. Had to remove the linked /etc/sysroot/etc/resolv.conf and replace it with the functional copy of /etc/resolv.conf before chroot for DNS so I could perform the yum downgrade. Created a new autorelabel file before exiting the chroot environment and now I'm back working.
This seems to have broken
snapd
as wellAlso, I'm still getting
Regex version mismatch, expected: 10.39 2021-10-29 actual: 10.37 2021-05-26
when runningsu
Also tried
semodule -nB
:@clnetbox the update was pushed stable because it had an autopush threshold of +3 feedback (the default). It got 3 positive feedbacks with no negatives (from xvitaly, ppisar and drepetto), so it was pushed. Now it's pushed it cannot be "removed from stable", that's just not a thing in Fedora; it has to be replaced with a higher-versioned update that works.
@zpytela it might be a good idea in future to set a threshold of +5 or higher for selinux-policy updates. Just about everyone has it installed, so you shouldn't have a problem with getting enough feedback on a working update, but it would help avoid situations like this where there's a bug that may not be obvious to the first three people who test.
Also, the update did actually cause a couple of openQA tests to fail, but it seems neither of those tests is in the greenwave policy so they didn't cause the update to be gated. At least one of them definitely should be in the gating policy, so I'll update that.
A new update is available now: FEDORA-2022-87a0b7e8d0
Sorry for all the troubles.
@adamwill, this is what I usually set: +5 and -2, unfortunately forgot to change it this time. I am also about to take some measures to prevent from big problems like this, but as you see neither I nor other users nor our CI tests found any problem.
Thanks for the information @adamwill ! The new version 35.11 seems to work without issues.
If I understand you correctly, all users who update their systems will run into heavy problems
until version 35.11 will be pushed to stable. Hope we get enough positive feedback very soon.
@clnetbox, more accurately it should rather be all users with the cockpit-ws package installed who installed v35.10
@zpytela the update seemed to cause problems not related to cockpit as well. the openQA tests that failed were related to podman and FreeIPA. the cockpit tests all passed. I'll see if 35.11 passes the tests that failed on 35.10.
selinux-policy-35.10 contains a rule which duplicates one in cockpit-ws, after the update none of the custom modules is active, causing the software not work
so it should not happen on systems without cockpit-ws, but affects many services
Ah, I have cockpit-ws installed since I'm using Fedora Server, and that's what broke things even though I'm not actually using cockpit myself?
@pghmcfc exactly, the unfortunate selinux-policy clashed with the installed cockpit selinux module, either cockpit was active or not