obsolete

FEDORA-2022-f060667f1e created by zpytela 11 months ago for Fedora 34

New F34 selinux-policy build

This update has been submitted for testing by zpytela.

11 months ago

This update's test gating status has been changed to 'waiting'.

11 months ago

This update's test gating status has been changed to 'passed'.

11 months ago

This update has been pushed to testing.

11 months ago
jonathans commented & provided feedback 11 months ago

Looks like SELinux type thumb_t is still denied access to sock_file bus. I have the error for gdk-pixbuf-thum and similarly for the evince-thumbnai (shown in full):


SELinux is preventing gdk-pixbuf-thum from write access on the sock_file bus.

type=AVC msg=audit(1642217383.944:3610): avc: denied { write } for pid=45515 comm="gdk-pixbuf-thum" name="bus" dev="tmpfs" ino=48 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file permissive=0

=================================

SELinux is preventing evince-thumbnai from write access on the sock_file bus.

* Plugin catchall (100. confidence) suggests ******

If you believe that evince-thumbnai should be allowed write access on the bus sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'evince-thumbnai' --raw | audit2allow -M my-evincethumbnai
# semodule -X 300 -i my-evincethumbnai.pp

Additional Information:
Source Context unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Context unconfined_u:object_r:session_dbusd_tmp_t:s0
Target Objects bus [ sock_file ]
Source evince-thumbnai
Source Path evince-thumbnai
Port <Unknown>
Host <redacted>
Source RPM Packages

Target RPM Packages

SELinux Policy RPM selinux-policy-targeted-34.23-1.fc34.noarch
Local Policy RPM selinux-policy-targeted-34.23-1.fc34.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name <redacted>
Platform Linux <redacted> 5.15.16-100.fc34.x86_64 #1 SMP
Thu Jan 20 16:34:27 UTC 2022 x86_64 x86_64
Alert Count 376
First Seen 2022-01-25 00:29:53 CET
Last Seen 2022-01-25 00:39:57 CET
Local ID b7d2af66-0438-495a-a43c-e6c0f046f864

Raw Audit Messages
type=AVC msg=audit(1643067597.34:684): avc: denied { write } for pid=11281 comm="evince-thumbnai" name="bus" dev="tmpfs" ino=37 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file permissive=0

Hash: evince-thumbnai,thumb_t,session_dbusd_tmp_t,sock_file,write

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

11 months ago
zpytela commented & provided feedback 11 months ago

@jonathans, this is still the previous build; the denial you are reporting should be addressed by the next one once this gets to stable.

jonathans commented & provided feedback 11 months ago

@zpytela

OK, thanks.

This update's test gating status has been changed to 'failed'.

11 months ago

This update's test gating status has been changed to 'passed'.

10 months ago

This update has been obsoleted by selinux-policy-34.25-1.fc34.

10 months ago


Metadata
Type: bugfix
Severity: medium
Karma: 0
Signed
Content Type: RPM
Test Gating

Settings
Unstable by Karma: -3
Stable by Karma: disabled
Stable by Time: disabled

Dates
submitted: 11 months ago
in testing: 11 months ago

BZ#1982961 avc: denied { write } for pid=570867 comm="systemd-coredum" name="core_pattern" dev="proc" ino=527591 scontext=system_u:system_r:systemd_coredump_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=1
BZ#2008369 SELinux is preventing systemd-logind from 'destroy' accesses on the pamięć współdzielona Nieznane.
BZ#2039671 Two new Selinux alerts