Automatic update for selinux-policy-41.8-2.fc41.
* Thu Jul 11 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 41.8-5
- Manually bump Release
* Thu Jul 11 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 41.8-4
- Relabel files under /usr/bin to fix stale context after sbin merge
* Wed Jul 10 2024 Zdenek Pytela <zpytela@redhat.com> - 41.8-2
- Drop the publicfile module
* Wed Jul 10 2024 Zdenek Pytela <zpytela@redhat.com> - 41.8-1
- Drop publicfile module
- Remove permissive domain for systemd_nsresourced_t
- Change fs_dontaudit_write_cgroup_files() to apply to cgroup_t
- Label /usr/bin/samba-gpupdate with samba_gpupdate_exec_t
- Allow to create and delete socket files created by rhsm.service
- Allow virtnetworkd exec shell when virt_hooks_unconfined is on
- Allow unconfined_service_t transition to passwd_t
- Support /var is empty
- Allow abrt-dump-journal read all non_security socket files
- Allow timemaster write to sysfs files
- Dontaudit domain write cgroup files
- Label /usr/lib/node_modules/npm/bin with bin_t
- Allow ip the setexec permission
- Allow systemd-networkd write files in /var/lib/systemd/network
- Fix typo in systemd_nsresourced_prog_run_bpf()
* Fri Jun 28 2024 Zdenek Pytela <zpytela@redhat.com> - 41.7-1
- Confine libvirt-dbus
- Allow virtqemud the kill capability in user namespace
- Allow rshim get options of the netlink class for KOBJECT_UEVENT family
- Allow dhcpcd the kill capability
- Allow systemd-networkd list /var/lib/systemd/network
- Allow sysadm_t run systemd-nsresourced bpf programs
- Update policy for systemd generators interactions
- Allow create memory.pressure files with cgroup_memory_pressure_t
- Add support for libvirt hooks
* Wed Jun 19 2024 Zdenek Pytela <zpytela@redhat.com> - 41.6-1
- Allow certmonger read and write tpm devices
- Allow all domains to connect to systemd-nsresourced over a unix socket
- Allow systemd-machined read the vsock device
- Update policy for systemd generators
- Allow ptp4l_t request that the kernel load a kernel module
- Allow sbd to trace processes in user namespace
- Allow request-key execute scripts
- Update policy for haproxyd
* Tue Jun 18 2024 Zdenek Pytela <zpytela@redhat.com> - 41.5-1
- Update policy for systemd-nsresourced
- Correct sbin-related file context entries
* Mon Jun 17 2024 Zdenek Pytela <zpytela@redhat.com> - 41.4-1
- Allow login_userdomain execute systemd-tmpfiles in the caller domain
- Allow virt_driver_domain read files labeled unconfined_t
- Allow virt_driver_domain dbus chat with policykit
- Allow virtqemud manage nfs files when virt_use_nfs boolean is on
- Add rules for interactions between generators
- Label memory.pressure files with cgroup_memory_pressure_t
- Revert "Allow some systemd services write to cgroup files"
- Update policy for systemd-nsresourced
- Label /usr/bin/ntfsck with fsadm_exec_t
- Allow systemd_fstab_generator_t read tmpfs files
- Update policy for systemd-nsresourced
- Alias /usr/sbin to /usr/bin and change all /usr/sbin paths to /usr/bin
- Remove a few lines duplicated between {dkim,milter}.fc
- Alias /bin → /usr/bin and remove redundant paths
- Drop duplicate line for /usr/sbin/unix_chkpwd
- Drop duplicate paths for /usr/sbin
This update was automatically created
This update's test gating status has been changed to 'waiting'.
This update has been obsoleted by selinux-policy-41.8-3.fc41.
This update's test gating status has been changed to 'failed'.
This still failed on SELinux denials on FreeIPA tests.
In the straight Fedora 41 tests like this one, this is what happens: ipa-server-install is run, which causes httpd to be installed and started. When the IPA install process tries to start httpd, it fails because of an SELinux denial, and so the test fails:
In the Fedora 40 to 41 upgrade test, this is what happens: ipa-server-install is run, which causes httpd to be installed and started. This check fails because ipa.service is not running, and so the test fails. This is because httpd failed to start:
One thing I guess I should emphasize here: the bin/sbin merge has not landed because it also failed a lot of openQA tests, so it is gated. That means it is not involved in testing of this update. No packages from the bin/sbin merge are installed during the testing of this update.
I'll try to repeat the same result locally.
ls -Z /usr/sbin/httpd → system_u:object_r:httpd_exec_t:s0
sudo dnf -y group install freeipa-server
This finishes successfully. httpd.service is active.
So this seems all very straightforward. The test must be doing something strange to end up with the totally unexpected selinux context.
One thing I notice is that I see systemd-256.2-2.fc41 in my image, and 'systemd 256.1-8.fc41' in the logs from the failed CI run. But systemd-256.2-2.fc41 bodhi update went stable 2024-07-09 11:50:24 UTC.
"One thing I guess I should emphasize here: the bin/sbin merge has not landed because it also failed a lot of openQA tests, so it is gated. That means it is not involved in testing of this update. No packages from the bin/sbin merge are installed during the testing of this update."
True. But we have the conundrum that publicfile_t is somehow activated in this update. This update includes the selinux-policy merge of sbin: /usr/sbin is an alias to /usr/bin.
Anyway, let's hope that https://src.fedoraproject.org/rpms/selinux-policy/pull-request/447 fixes the issue.
What happened:
/usr/sbin = /usr/bin equivalency -> /usr/sbin/httpd is translated to /usr/bin/httpd and after that the selinux context is resolved to publicfile..._t
After these steps, the currently built and loaded policy would resolve /usr/sbin/httpd to publicfile..._t even though the selinux policy store was already updated to the new version, so any subsequent run of semodule -B fixed it.
It means that this bug was temporary and would be fixed with an update from 41.8-1 (if it wasn't untagged) to anything new, or with semodule -B after the update.
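The mechanism described in the last comment (an equivalence rule rewriting /usr/sbin/httpd to /usr/bin/httpd before the file-context lookup, so that a second module's entry for that key takes over) is easy to see in a small model. The block below is an added illustration, not code from selinux-policy, libselinux or Fedora: it reproduces the path substitution and a "last matching entry wins" lookup over constructed .fc-style entries. The publicfile entry for /usr/bin/httpd is an assumption made for the demo; the page only states that the lookup resolved to publicfile..._t once the alias was in place. The three scenarios are: before the merge (no alias), after the merge with the publicfile module still built in, and after a rebuild without it.

```python
"""Toy model of SELinux file-context lookup with a path equivalence rule.

Added example, NOT code from selinux-policy or libselinux. It models:
  1. an equivalence (file_contexts.subs_dist style): the aliased prefix is
     rewritten before lookup, so /usr/sbin/httpd is looked up as
     /usr/bin/httpd;
  2. a lookup where, among entries matching the rewritten key, the last
     entry in the list wins (the rule for equally specific file_contexts
     entries; here simply "last wins").
Every .fc entry below is constructed for the demo. The publicfile entry for
/usr/bin/httpd is an assumption used to illustrate the conflict.
"""
import re
from typing import List, Optional, Tuple

# (regex, file-type flag as in .fc files or None for any type, context)
FcEntry = Tuple[str, Optional[str], str]

# Before the sbin merge: apache labels /usr/sbin/httpd, the assumed
# publicfile entry only covers /usr/bin/httpd, and no equivalence exists.
FC_BEFORE_MERGE: List[FcEntry] = [
    (r"/usr/bin/.*", None, "system_u:object_r:bin_t:s0"),
    (r"/usr/sbin/.*", None, "system_u:object_r:bin_t:s0"),
    (r"/usr/sbin/httpd", "--", "system_u:object_r:httpd_exec_t:s0"),
    (r"/usr/bin/httpd", "--", "system_u:object_r:publicfile_t:s0"),  # assumed
]
SUBS_BEFORE: List[Tuple[str, str]] = []

# After the merge: apache's path was changed to /usr/bin/httpd and
# /usr/sbin is an alias of /usr/bin. Two modules now claim the same key.
FC_AFTER_MERGE: List[FcEntry] = [
    (r"/usr/bin/.*", None, "system_u:object_r:bin_t:s0"),
    (r"/usr/bin/httpd", "--", "system_u:object_r:httpd_exec_t:s0"),
    (r"/usr/bin/httpd", "--", "system_u:object_r:publicfile_t:s0"),  # assumed
]
SUBS_AFTER: List[Tuple[str, str]] = [("/usr/sbin", "/usr/bin")]

# After the publicfile module is dropped and the store rebuilt (semodule -B).
FC_REBUILT: List[FcEntry] = [e for e in FC_AFTER_MERGE if "publicfile" not in e[2]]


def apply_subs(path: str, subs: List[Tuple[str, str]]) -> str:
    """Rewrite an aliased prefix to its target, as the subs file does."""
    for alias, target in subs:
        if path == alias or path.startswith(alias + "/"):
            return target + path[len(alias):]
    return path


def resolve(path: str, fc: List[FcEntry], subs: List[Tuple[str, str]],
            ftype: str = "--") -> Optional[str]:
    """Return the context chosen for path, or None if nothing matches.

    The lookup key is the path after substitution. The last matching entry
    wins, so two modules labelling the same key conflict silently and the
    build order of the policy store decides the result.
    """
    key = apply_subs(path, subs)
    winner: Optional[str] = None
    for regex, entry_type, ctx in fc:
        if entry_type is not None and entry_type != ftype:
            continue
        if re.fullmatch(regex, key):
            winner = ctx
    return winner


if __name__ == "__main__":
    scenarios = [
        ("before merge", FC_BEFORE_MERGE, SUBS_BEFORE),
        ("after merge, publicfile still built", FC_AFTER_MERGE, SUBS_AFTER),
        ("after semodule -B without publicfile", FC_REBUILT, SUBS_AFTER),
    ]
    for name, fc, subs in scenarios:
        print(f"{name}: /usr/sbin/httpd -> {resolve('/usr/sbin/httpd', fc, subs)}")
```

On a real host the equivalent checks are `matchpathcon /usr/sbin/httpd` (what the loaded file_contexts would assign), `ls -Z /usr/sbin/httpd` (what is on disk), and the alias list in /etc/selinux/targeted/contexts/files/file_contexts.subs_dist; `semodule -B` rebuilds file_contexts from the current store and `restorecon -v /usr/sbin/httpd` reapplies the result to the file.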