obsolete

selinux-policy-34.24-1.fc34

FEDORA-2022-f060667f1e created by zpytela 2 years ago for Fedora 34

New F34 selinux-policy build

This update has been submitted for testing by zpytela.

2 years ago

This update's test gating status has been changed to 'waiting'.

2 years ago

This update's test gating status has been changed to 'passed'.

2 years ago

This update has been pushed to testing.

2 years ago
jonathans commented & provided feedback 2 years ago

Looks like selinux type thumb_t is still denied access to sock_file bus. I have the error for gdk-pixbuf-thum and similarly for the evince-thumbnai (shown in full):


SELinux is preventing gdk-pixbuf-thum from write access on the sock_file bus.

type=AVC msg=audit(1642217383.944:3610): avc: denied { write } for pid=45515 comm="gdk-pixbuf-thum" name="bus" dev="tmpfs" ino=48 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file permissive=0

=================================

SELinux is preventing evince-thumbnai from write access on the sock_file bus.

* Plugin catchall (100. confidence) suggests ******

If you believe that evince-thumbnai should be allowed write access on the bus sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'evince-thumbnai' --raw | audit2allow -M my-evincethumbnai
# semodule -X 300 -i my-evincethumbnai.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:session_dbusd_tmp_t:s0
Target Objects                bus [ sock_file ]
Source                        evince-thumbnai
Source Path                   evince-thumbnai
Port                          <Unknown>
Host                          <redacted>
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-34.23-1.fc34.noarch
Local Policy RPM              selinux-policy-targeted-34.23-1.fc34.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     <redacted>
Platform                      Linux <redacted> 5.15.16-100.fc34.x86_64 #1 SMP
                              Thu Jan 20 16:34:27 UTC 2022 x86_64 x86_64
Alert Count                   376
First Seen                    2022-01-25 00:29:53 CET
Last Seen                     2022-01-25 00:39:57 CET
Local ID                      b7d2af66-0438-495a-a43c-e6c0f046f864

Raw Audit Messages
type=AVC msg=audit(1643067597.34:684): avc: denied { write } for pid=11281 comm="evince-thumbnai" name="bus" dev="tmpfs" ino=37 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file permissive=0

Hash: evince-thumbnai,thumb_t,session_dbusd_tmp_t,sock_file,write

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

2 years ago
zpytela commented & provided feedback 2 years ago

@jonathans, this is still the previous build, the denial you are reporting should be addressed by the next one once this gets to stable

jonathans commented & provided feedback 2 years ago

@zpytela

OK, thanks.

This update's test gating status has been changed to 'failed'.

2 years ago

This update's test gating status has been changed to 'passed'.

2 years ago

This update has been obsoleted by selinux-policy-34.25-1.fc34.

2 years ago


Metadata
Type: bugfix
Severity: medium
Karma: 0
Signed
Content Type: RPM
Test Gating

Settings
Unstable by Karma: -3
Stable by Karma: disabled
Stable by Time: disabled

Dates
submitted: 2 years ago
in testing: 2 years ago

BZ#1982961 avc: denied { write } for pid=570867 comm="systemd-coredum" name="core_pattern" dev="proc" ino=527591 scontext=system_u:system_r:systemd_coredump_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=1
BZ#2008369 SELinux is preventing systemd-logind from 'destroy' accesses on the pamięć współdzielona Nieznane.
BZ#2039671 Two new Selinux alerts
