obsolete

selinux-policy-36.11-1.fc36

FEDORA-2022-fd22b79a84 created by zpytela 2 years ago for Fedora 36

New F36 selinux-policy build

This update has been submitted for testing by zpytela.

2 years ago

This update's test gating status has been changed to 'waiting'.

2 years ago

This update's test gating status has been changed to 'passed'.

2 years ago
drepetto commented & provided feedback 2 years ago

Works for me. I'm not 100% sure it fixes BZ#2093285, because that AVC presented itself only occasionally.

BZ#2091417 SELinux is preventing ksmctl from 'add_name' accesses on the cartella run.
BZ#2101062 firewalld was denied reading /sys/devices/system/cpu/possible when booting or restarting firewalld

This update has been pushed to testing.

2 years ago
bojan commented & provided feedback 2 years ago

Works.

This update can be pushed to stable now if the maintainer wishes

2 years ago
rakuco commented & provided feedback 2 years ago

This does not fully fix BZ#2092808. Invoking smbcontrol works, but testparm is still returning an empty string.

BZ#2092808 selinux-policy prevents 30-winbind from invoking smbcontrol and testparam
andilinux commented & provided feedback 2 years ago

works fine no issues

andilinux commented & provided feedback 2 years ago

works

andilinux commented & provided feedback 2 years ago

works for me

karma

no issues

zpytela commented & provided feedback 2 years ago

@rakuco the denials mentioned in the bz should be addressed. Please open a new bz and add some details and avc denials you see.

rakuco commented & provided feedback 2 years ago

I've added more information to bz#2092808 (the bug report already mentions the issue with testparm).

rcritten commented & provided feedback 2 years ago

This is causing IPA CI to fail. I'm not completely sure why. The behavior we see is that the current principal is cifs/<fqdn> when we expect it to be something else.

The AVC we see is:

type=AVC msg=audit(1657297049.999:3709): avc: denied { sendto } for pid=13209 comm="smbcontrol" path="/var/lib/samba/private/msg.sock/13151" scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=unix_dgram_socket permissive=0

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

2 years ago
abbra commented & provided feedback 2 years ago

@zpytela, it looks like smbcontrol_t lacks rights for winbind_rpcd_t, so SELinux policy needs to be extended.
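
The denial rcritten quoted and the diagnosis in the comment above, worked through as an added example that is not part of the Bodhi page or of selinux-policy: a small Python parser that reduces AVC records to source type, target type, class and permission, then merges repeats into the candidate allow rule a policy maintainer would review, much as audit2allow does. The function names and the two extra log records are assumptions made up for this example.

```python
import re
from collections import defaultdict

# First record: the AVC quoted in the comment above. The other two are constructed
# for this example (a repeat with a new pid/serial, and a non-AVC record).
SAMPLE_LOG = [
    'type=AVC msg=audit(1657297049.999:3709): avc: denied { sendto } for pid=13209 '
    'comm="smbcontrol" path="/var/lib/samba/private/msg.sock/13151" '
    'scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=unix_dgram_socket permissive=0',
    'type=AVC msg=audit(1657297050.120:3711): avc:  denied  { sendto } for  pid=13240 '
    'comm="smbcontrol" scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=unix_dgram_socket permissive=0',
    'type=SYSCALL msg=audit(1657297050.120:3711): arch=c000003e syscall=44 success=no',
]

AVC_RE = re.compile(r'type=AVC\b.*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of user:role:type[:level]; the level may contain ':'."""
    parts = context.split(':', 3)
    return parts[2] if len(parts) >= 3 else None

def parse_denial(line):
    """Parse one audit line; return None unless it is a well-formed AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    src, tgt = selinux_type(kv.get('scontext', '')), selinux_type(kv.get('tcontext', ''))
    if not (src and tgt and 'tclass' in kv):
        return None
    return {'source': src, 'target': tgt, 'tclass': kv['tclass'],
            'perms': m.group('perms').split(), 'comm': kv.get('comm'),
            'enforced': kv.get('permissive') == '0'}  # permissive=0: access was blocked

def candidate_rules(lines):
    """Merge denials per (source, target, class) into candidate allow rules."""
    merged = defaultdict(set)
    for d in filter(None, map(parse_denial, lines)):
        merged[(d['source'], d['target'], d['tclass'])].update(d['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        body = ' '.join(sorted(perms))
        rules.append(f"allow {src} {tgt}:{cls} " + (body if len(perms) == 1 else '{ ' + body + ' }') + ';')
    return rules

if __name__ == '__main__':
    print('\n'.join(candidate_rules(SAMPLE_LOG)))
```

The printed rule is a starting point for policy review only; the page does not say what change the replacement build made.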

frenaud commented & provided feedback 2 years ago

BZ https://bugzilla.redhat.com/show_bug.cgi?id=2106006 opened for the issue reported by rcritten

kparal commented & provided feedback 2 years ago

no issues on my Workstation

frantisekz commented & provided feedback 2 years ago

Didn't break anything for me on my Workstation

mhayden commented & provided feedback 2 years ago

Working fine on a desktop

User Icon zpytela commented & provided feedback 2 years ago

Thanks everybody for the feedback, I am working on another build to replace this one.

This update has been obsoleted by selinux-policy-36.12-1.fc36.

2 years ago


Metadata
Type: bugfix
Severity: medium
Karma: 5
Signed
Content Type: RPM
Test Gating
Autopush Settings
Unstable by Karma: -2
Stable by Karma: disabled
Stable by Time: disabled
Thresholds
Minimum Karma: +2
Minimum Testing: 14 days
Dates
submitted: 2 years ago
in testing: 2 years ago
BZ#2082547 selinux-policy-targeted post install script fails when NetworkManager is not installed
0
0
BZ#2083511 samba-dcerpcd and samba rpcd programs need selinux-policy permissions
0
0
BZ#2091417 SELinux is preventing ksmctl from 'add_name' accesses on the cartella run.
0
1
BZ#2092808 selinux-policy prevents 30-winbind from invoking smbcontrol and testparam
0
0
BZ#2093155 SELinux is preventing logger from 'create' accesses on the unix_dgram_socket labeled NetworkManager_dispatcher_custom_t.
0
0
BZ#2093285 SELinux is preventing /usr/bin/bash from 'getattr' accesses on the file /run/ddclient/ddclient.pid.
0
0
BZ#2101062 firewalld was denied reading /sys/devices/system/cpu/possible when booting or restarting firewalld
0
1

Automated Test Results