{"update": {"autokarma": false, "autotime": true, "stable_karma": 3, "stable_days": 0, "unstable_karma": -3, "require_bugs": false, "require_testcases": false, "display_name": "", "notes": "Automatic update for selinux-policy-41.8-1.fc41.\n\n##### **Changelog**\n\n```\n* Wed Jul 10 2024 Zdenek Pytela <zpytela@redhat.com> - 41.8-2\n- Drop the publicfile module\n* Wed Jul 10 2024 Zdenek Pytela <zpytela@redhat.com> - 41.8-1\n- Drop publicfile module\n- Remove permissive domain for systemd_nsresourced_t\n- Change fs_dontaudit_write_cgroup_files() to apply to cgroup_t\n- Label /usr/bin/samba-gpupdate with samba_gpupdate_exec_t\n- Allow to create and delete socket files created by rhsm.service\n- Allow virtnetworkd exec shell when virt_hooks_unconfined is on\n- Allow unconfined_service_t transition to passwd_t\n- Support /var is empty\n- Allow abrt-dump-journal read all non_security socket files\n- Allow timemaster write to sysfs files\n- Dontaudit domain write cgroup files\n- Label /usr/lib/node_modules/npm/bin with bin_t\n- Allow ip the setexec permission\n- Allow systemd-networkd write files in /var/lib/systemd/network\n- Fix typo in systemd_nsresourced_prog_run_bpf()\n* Fri Jun 28 2024 Zdenek Pytela <zpytela@redhat.com> - 41.7-1\n- Confine libvirt-dbus\n- Allow virtqemud the kill capability in user namespace\n- Allow rshim get options of the netlink class for KOBJECT_UEVENT family\n- Allow dhcpcd the kill capability\n- Allow systemd-networkd list /var/lib/systemd/network\n- Allow sysadm_t run systemd-nsresourced bpf programs\n- Update policy for systemd generators interactions\n- Allow create memory.pressure files with cgroup_memory_pressure_t\n- Add support for libvirt hooks\n* Wed Jun 19 2024 Zdenek Pytela <zpytela@redhat.com> - 41.6-1\n- Allow certmonger read and write tpm devices\n- Allow all domains to connect to systemd-nsresourced over a unix socket\n- Allow systemd-machined read the vsock device\n- Update policy for systemd generators\n- Allow ptp4l_t request that the kernel load a kernel module\n- Allow sbd to trace processes in user namespace\n- Allow request-key execute scripts\n- Update policy for haproxyd\n* Tue Jun 18 2024 Zdenek Pytela <zpytela@redhat.com> - 41.5-1\n- Update policy for systemd-nsresourced\n- Correct sbin-related file context entries\n* Mon Jun 17 2024 Zdenek Pytela <zpytela@redhat.com> - 41.4-1\n- Allow login_userdomain execute systemd-tmpfiles in the caller domain\n- Allow virt_driver_domain read files labeled unconfined_t\n- Allow virt_driver_domain dbus chat with policykit\n- Allow virtqemud manage nfs files when virt_use_nfs boolean is on\n- Add rules for interactions between generators\n- Label memory.pressure files with cgroup_memory_pressure_t\n- Revert \"Allow some systemd services write to cgroup files\"\n- Update policy for systemd-nsresourced\n- Label /usr/bin/ntfsck with fsadm_exec_t\n- Allow systemd_fstab_generator_t read tmpfs files\n- Update policy for systemd-nsresourced\n- Alias /usr/sbin to /usr/bin and change all /usr/sbin paths to /usr/bin\n- Remove a few lines duplicated between {dkim,milter}.fc\n- Alias /bin \u2192 /usr/bin and remove redundant paths\n- Drop duplicate line for /usr/sbin/unix_chkpwd\n- Drop duplicate paths for /usr/sbin\n\n```\n\n----\n\nAutomatic update for selinux-policy-41.7-1.fc41.\n\n\n----\n\nAutomatic update for selinux-policy-41.6-1.fc41.\n", "type": "unspecified", "status": "stable", "request": null, "severity": "unspecified", "suggest": "unspecified", "locked": false, "pushed": true, "critpath": true, "critpath_groups": "core critical-path-compose critical-path-server", "close_bugs": true, "date_submitted": "2024-07-10 11:32:33", "date_modified": null, "date_approved": "2024-07-10 13:35:26", "date_testing": "2024-07-10 11:36:07", "date_stable": "2024-07-10 13:35:26", "alias": "FEDORA-2024-2711625691", "test_gating_status": "passed", "from_tag": null, "date_pushed": "2024-07-10 13:35:26", "meets_testing_requirements": true, "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2024-2711625691", "title": "selinux-policy-41.8-1.fc41", "version_hash": "b1d772b9088247f2042bc96470dee4b2e0b95957", "release": {"name": "F41", "long_name": "Fedora 41", "version": "41", "id_prefix": "FEDORA", "branch": "f41", "dist_tag": "f41", "stable_tag": "f41-updates", "testing_tag": "f41-updates-testing", "candidate_tag": "f41-updates-candidate", "pending_signing_tag": "f41-signing-pending", "pending_testing_tag": "f41-updates-testing-pending", "pending_stable_tag": "f41-updates-pending", "override_tag": "f41-override", "mail_template": "fedora_errata_template", "state": "current", "composed_by_bodhi": true, "create_automatic_updates": false, "package_manager": "dnf", "testing_repository": "updates-testing", "released_on": null, "eol": "2025-11-11", "critpath_mandatory_days_in_testing": 14, "mandatory_days_in_testing": 7, "critpath_min_karma": 2, "min_karma": 1, "setting_status": null}, "user": {"name": "zpytela", "email": "zpytela@redhat.com", "id": 5290, "avatar": "https://seccdn.libravatar.org/avatar/f5f39686c696f412e8ed564241807306fff38278b276da30a2d3c41583d69f2a?s=24&d=retro", "openid": "zpytela.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}]}, "comments": [{"karma": 0, "karma_critpath": 0, "text": "This update was automatically created", "timestamp": "2024-07-10 11:32:33", "update_id": 626486, "user_id": 91, "id": 3606098, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has obsoleted [selinux-policy-41.7-1.fc41](https://bodhi.fedoraproject.org/updates/FEDORA-2024-64134f8805), and has inherited its bugs and notes.", "timestamp": "2024-07-10 11:32:34", "update_id": 626486, "user_id": 91, "id": 3606100, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update's test gating status has been changed to 'waiting'.", "timestamp": "2024-07-10 11:32:35", "update_id": 626486, "user_id": 91, "id": 3606101, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "```\nERROR: selinux-policy is on the pipeline ignore list, skipping...\nFinished: ABORTED\n```\nReally?\n", "timestamp": "2024-07-10 12:55:15", "update_id": 626486, "user_id": 119, "id": 3606177, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "zbyszek", "email": "zbyszek@in.waw.pl", "id": 119, "avatar": "https://seccdn.libravatar.org/avatar/9e521f4e57c4a91bd8818885e1baba425894908e140a76d1c0c697e237cb3b6e?s=24&d=retro", "openid": "zbyszek.id.fedoraproject.org", "groups": [{"name": "provenpackager"}, {"name": "packager"}, {"name": "python-sig"}, {"name": "neuro-sig"}, {"name": "fedorabugs"}, {"name": "signed_fpca"}, {"name": "python-packagers-sig"}, {"name": "fesco"}, {"name": "gitinitscripts"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "scitech_sig"}, {"name": "rust-sig"}]}}, {"karma": 0, "karma_critpath": 0, "text": "`/selinux-policy/fapolicyd-and-similar` is a false positive as discussed earlier.", "timestamp": "2024-07-10 12:55:49", "update_id": 626486, "user_id": 119, "id": 3606178, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "zbyszek", "email": "zbyszek@in.waw.pl", "id": 119, "avatar": "https://seccdn.libravatar.org/avatar/9e521f4e57c4a91bd8818885e1baba425894908e140a76d1c0c697e237cb3b6e?s=24&d=retro", "openid": "zbyszek.id.fedoraproject.org", "groups": [{"name": "provenpackager"}, {"name": "packager"}, {"name": "python-sig"}, {"name": "neuro-sig"}, {"name": "fedorabugs"}, {"name": "signed_fpca"}, {"name": "python-packagers-sig"}, {"name": "fesco"}, {"name": "gitinitscripts"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "scitech_sig"}, {"name": "rust-sig"}]}}, {"karma": 0, "karma_critpath": 0, "text": "This update's test gating status has been changed to 'failed'.", "timestamp": "2024-07-10 13:12:50", "update_id": 626486, "user_id": 91, "id": 3606186, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 1, "karma_critpath": 0, "text": "The failure is a false positive:\n```\nJul 10 15:07:44 ipa001.test.openqa.fedoraproject.org systemd[1]: Starting httpd.service - The Apache HTTP Server...\nJul 10 15:07:45 ipa001.test.openqa.fedoraproject.org ipa-httpd-kdcproxy[26784]: ipa: INFO: KDC proxy enabled\nJul 10 15:07:45 ipa001.test.openqa.fedoraproject.org ipa-httpd-kdcproxy[26784]: ipa-httpd-kdcproxy: INFO     KDC proxy enabled\nJul 10 15:07:45 ipa001.test.openqa.fedoraproject.org (httpd)[26788]: httpd.service: Referenced but unset environment variable evaluates to an empty string: OPTIONS\nJul 10 15:07:45 ipa001.test.openqa.fedoraproject.org audit[26788]: AVC avc:  denied  { create } for  pid=26788 comm=\"httpd\" scontext=system_u:system_r:publicfile_t:s0 tcontext=system_u:system_r:publicfile_t:s0 tclass=netlink_route_socket permissive=0\nJul 10 15:07:45 ipa001.test.openqa.fedoraproject.org audit[26788]: SYSCALL arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=80003 a2=0 a3=7fffaedaae10 items=0 ppid=1 pid=26788 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"httpd\" exe=\"/usr/sbin/httpd\" subj=system_u:system_r:publicfile_t:s0 key=(null)\nJul 10 15:07:45 ipa001.test.openqa.fedoraproject.org audit: PROCTITLE proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44\nJul 10 15:07:45 ipa001.test.openqa.fedoraproject.org httpd[26788]: httpd: Could not open configuration file /etc/httpd/conf/httpd.conf: Permission denied\nJul 10 15:07:45 ipa001.test.openqa.fedoraproject.org audit[26788]: AVC avc:  denied  { create } for  pid=26788 comm=\"httpd\" scontext=system_u:system_r:publicfile_t:s0 tcontext=system_u:system_r:publicfile_t:s0 tclass=udp_socket permissive=0\nJul 10 15:07:45 ipa001.test.openqa.fedoraproject.org audit[26788]: SYSCALL arch=c000003e syscall=41 success=no exit=-13 a0=a a1=80002 a2=0 a3=0 items=0 ppid=1 pid=26788 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"httpd\" exe=\"/usr/sbin/httpd\" subj=system_u:system_r:publicfile_t:s0 key=(null)\nJul 10 15:07:45 ipa001.test.openqa.fedoraproject.org audit: PROCTITLE proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44\nJul 10 15:07:45 ipa001.test.openqa.fedoraproject.org audit[26788]: AVC avc:  denied  { create } for  pid=26788 comm=\"httpd\" scontext=system_u:system_r:publicfile_t:s0 tcontext=system_u:system_r:publicfile_t:s0 tclass=udp_socket permissive=0\nJul 10 15:07:45 ipa001.test.openqa.fedoraproject.org audit[26788]: SYSCALL arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=80002 a2=0 a3=0 items=0 ppid=1 pid=26788 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"httpd\" exe=\"/usr/sbin/httpd\" subj=system_u:system_r:publicfile_t:s0 key=(null)\nJul 10 15:07:45 ipa001.test.openqa.fedoraproject.org audit: PROCTITLE proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44\nJul 10 15:07:45 ipa001.test.openqa.fedoraproject.org audit[26788]: AVC avc:  denied  { search } for  pid=26788 comm=\"httpd\" name=\"httpd\" dev=\"dm-0\" ino=678848 scontext=system_u:system_r:publicfile_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=0\nJul 10 15:07:45 ipa001.test.openqa.fedoraproject.org audit[26788]: SYSCALL arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5652d28d7860 a2=80000 a3=0 items=0 ppid=1 pid=26788 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"httpd\" exe=\"/usr/sbin/httpd\" subj=system_u:system_r:publicfile_t:s0 key=(null)\nJul 10 15:07:45 ipa001.test.openqa.fedoraproject.org audit: PROCTITLE proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44\nJul 10 15:07:45 ipa001.test.openqa.fedoraproject.org systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE\nJul 10 15:07:45 ipa001.test.openqa.fedoraproject.org systemd[1]: httpd.service: Failed with result 'exit-code'.\nJul 10 15:07:45 ipa001.test.openqa.fedoraproject.org systemd[1]: Failed to start httpd.service - The Apache HTTP Server.\n```\n\nThis is because the system is created with the previous version of the policy and the upgraded package is installed into it, but no relabel is done. We'd need the relabel to happen for the test to pass. We should push this package and then the subsequent tests will pass after it goes stable.\n\nI installed the updated package and `/usr/sbin/httpd` has the correct context (`system_u:object_r:httpd_exec_t:s0`) after a relabel.\n", "timestamp": "2024-07-10 13:34:08", "update_id": 626486, "user_id": 119, "id": 3606194, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "zbyszek", "email": "zbyszek@in.waw.pl", "id": 119, "avatar": "https://seccdn.libravatar.org/avatar/9e521f4e57c4a91bd8818885e1baba425894908e140a76d1c0c697e237cb3b6e?s=24&d=retro", "openid": "zbyszek.id.fedoraproject.org", "groups": [{"name": "provenpackager"}, {"name": "packager"}, {"name": "python-sig"}, {"name": "neuro-sig"}, {"name": "fedorabugs"}, {"name": "signed_fpca"}, {"name": "python-packagers-sig"}, {"name": "fesco"}, {"name": "gitinitscripts"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "scitech_sig"}, {"name": "rust-sig"}]}}, {"karma": 0, "karma_critpath": 0, "text": "This update's test gating status has been changed to 'waiting'.", "timestamp": "2024-07-10 13:35:07", "update_id": 626486, "user_id": 91, "id": 3606195, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update's test gating status has been changed to 'passed'.", "timestamp": "2024-07-10 13:35:07", "update_id": 626486, "user_id": 91, "id": 3606196, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been submitted for stable by bodhi", "timestamp": "2024-07-10 13:35:30", "update_id": 626486, "user_id": 91, "id": 3606197, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": -1, "karma_critpath": 0, "text": "The openQA test does the following:\n\n* Boot a pre-built Fedora 40 Server disk image\n* Update it and install dnf system upgrade plugin\n* Reboot\n* Deploy the system as a FreeIPA server\n* Upgrade the system to Fedora Rawhide (41)\n* Log in\n* Check that FreeIPA is running (this is the check that fails)\n\nI do not understand where in that process you think the \"false positive\" is, @zbyszek . If a relabel is needed at some point during that process, it should not be openQA's (i.e. the sysadmin's) job to do it, it should be triggered by whatever update requires it.\n\nAs things stand I don't agree that this is a false positive, and indeed, now you waived this, subsequent updates are failing the same test in the same way, including https://bodhi.fedoraproject.org/updates/FEDORA-2024-3aafcac6a8 which you were trying to unblock: https://openqa.fedoraproject.org/tests/2722892", "timestamp": "2024-07-10 15:25:28", "update_id": 626486, "user_id": 302, "id": 3606282, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "adamwill", "email": "awilliam@redhat.com", "id": 302, "avatar": "https://seccdn.libravatar.org/avatar/51720fbb2ec5dfd2bc005ac374a3bfd3190cb8f45f3bb8d6bdf35fb6a051d03b?s=24&d=retro", "openid": "adamwill.id.fedoraproject.org", "groups": [{"name": "proventesters"}, {"name": "provenpackager"}, {"name": "packager"}, {"name": "qa-tools-sig"}, {"name": "fedora-contributor"}, {"name": "news"}, {"name": "gittriage"}, {"name": "sysadmin"}, {"name": "gitspin-kickstarts"}, {"name": "signed_fpca"}, {"name": "gitgeneric-release"}, {"name": "yak_farmers"}, {"name": "triagers"}, {"name": "qa"}, {"name": "sysadmin-qa"}, {"name": "fedorabugs"}, {"name": "ipausers"}, {"name": "gitmkinitrd"}, {"name": "qa-admin"}, {"name": "aws-qa"}, {"name": "change-wranglers"}, {"name": "fedora-ci-admins"}, {"name": "common-issues-triage"}, {"name": "sysadmin-main"}, {"name": "program-management"}, {"name": "gitfedora-project-schedule"}]}}, {"karma": 0, "karma_critpath": 0, "text": "The issue that causes the failure is the mislabelling caused by previous versions of selinux-policy. The problem was introduced recently (41.4-1), so to avoid the problem generally all that is needed is to skip the updates between that version and the latest update. Thus, I pushed the update with the hope that that'd actually resolve the issue once the latest update goes stable.\n\n>  If a relabel is needed at some point during that process, it should not be openQA's (i.e. the sysadmin's) job to do it, it should be triggered by whatever update requires it.\n\nI don't think it's job of the update either. If my analysis is correct, the issue should be resolved by not installing the bad selinux-policy versions.\n\n> subsequent updates are failing the same test in the same way, including FEDORA-2024-3aafcac6a8 which you were trying to unblock: https://openqa.fedoraproject.org/tests/2722892\n\nHmm, https://openqa.fedoraproject.org/tests/2722892 failed because pciutils was rebuilt again outside of the side-tag and became FTI. So I don't think the latest failure is related to selinux at all.", "timestamp": "2024-07-10 16:04:19", "update_id": 626486, "user_id": 119, "id": 3606386, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "zbyszek", "email": "zbyszek@in.waw.pl", "id": 119, "avatar": "https://seccdn.libravatar.org/avatar/9e521f4e57c4a91bd8818885e1baba425894908e140a76d1c0c697e237cb3b6e?s=24&d=retro", "openid": "zbyszek.id.fedoraproject.org", "groups": [{"name": "provenpackager"}, {"name": "packager"}, {"name": "python-sig"}, {"name": "neuro-sig"}, {"name": "fedorabugs"}, {"name": "signed_fpca"}, {"name": "python-packagers-sig"}, {"name": "fesco"}, {"name": "gitinitscripts"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "scitech_sig"}, {"name": "rust-sig"}]}}, {"karma": 0, "karma_critpath": 0, "text": "Pfff, I put the text above with quotes to which I was replying\u2026  It doesn't make sense without them. Please read my reply in the email notification in case it's not clear ;]", "timestamp": "2024-07-10 16:06:23", "update_id": 626486, "user_id": 119, "id": 3606390, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "zbyszek", "email": "zbyszek@in.waw.pl", "id": 119, "avatar": "https://seccdn.libravatar.org/avatar/9e521f4e57c4a91bd8818885e1baba425894908e140a76d1c0c697e237cb3b6e?s=24&d=retro", "openid": "zbyszek.id.fedoraproject.org", "groups": [{"name": "provenpackager"}, {"name": "packager"}, {"name": "python-sig"}, {"name": "neuro-sig"}, {"name": "fedorabugs"}, {"name": "signed_fpca"}, {"name": "python-packagers-sig"}, {"name": "fesco"}, {"name": "gitinitscripts"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "scitech_sig"}, {"name": "rust-sig"}]}}, {"karma": 0, "karma_critpath": 0, "text": "\"Hmm, https://openqa.fedoraproject.org/tests/2722892 failed because pciutils was rebuilt again outside of the side-tag and became FTI. So I don't think the latest failure is related to selinux at all.\"\n\nHuh? No it didn't. It failed exactly the same way as this: ipa.service is failed because httpd service is failed, and httpd service is failed because \"httpd: Could not open configuration file /etc/httpd/conf/httpd.conf: Permission denied\". See https://openqa.fedoraproject.org/tests/2722892/file/role_deploy_domain_controller_check-var_log.tar.gz .\n\n\"The issue that causes the failure is the mislabelling caused by previous versions of selinux-policy. The problem was introduced recently (41.4-1), so to avoid the problem generally all that is needed is to skip the updates between that version and the latest update. Thus, I pushed the update with the hope that that'd actually resolve the issue once the latest update goes stable.\"\n\nLooking at the logs from 2722892 , the only selinux policy versions that ever seem to be installed during the lifetime of that test are `selinux-policy-targeted-40.23-1.fc40.noarch` (installed OOTB on the base F40 disk image) and `selinux-policy-targeted-41.8-1.fc41.noarch` (installed during the upgrade). No intermediate version ever appears to be installed. 40.23-1.fc40 is the current stable version for F40 - https://bodhi.fedoraproject.org/updates/FEDORA-2024-2bc43119f3 - and passed all its tests.", "timestamp": "2024-07-10 16:45:02", "update_id": 626486, "user_id": 302, "id": 3606422, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "adamwill", "email": "awilliam@redhat.com", "id": 302, "avatar": "https://seccdn.libravatar.org/avatar/51720fbb2ec5dfd2bc005ac374a3bfd3190cb8f45f3bb8d6bdf35fb6a051d03b?s=24&d=retro", "openid": "adamwill.id.fedoraproject.org", "groups": [{"name": "proventesters"}, {"name": "provenpackager"}, {"name": "packager"}, {"name": "qa-tools-sig"}, {"name": "fedora-contributor"}, {"name": "news"}, {"name": "gittriage"}, {"name": "sysadmin"}, {"name": "gitspin-kickstarts"}, {"name": "signed_fpca"}, {"name": "gitgeneric-release"}, {"name": "yak_farmers"}, {"name": "triagers"}, {"name": "qa"}, {"name": "sysadmin-qa"}, {"name": "fedorabugs"}, {"name": "ipausers"}, {"name": "gitmkinitrd"}, {"name": "qa-admin"}, {"name": "aws-qa"}, {"name": "change-wranglers"}, {"name": "fedora-ci-admins"}, {"name": "common-issues-triage"}, {"name": "sysadmin-main"}, {"name": "program-management"}, {"name": "gitfedora-project-schedule"}]}}, {"karma": 0, "karma_critpath": 0, "text": "It appears httpd is upgraded before selinux-policy:\n```\n[adamw@xps13a tmp]$ egrep \"Upgraded: (httpd-2.*|selinux-policy-targeted)\" var/log/dnf.log\n2024-07-10T11:02:14-0400 DEBUG Upgraded: httpd-2.4.61-2.fc41.x86_64\n2024-07-10T11:02:14-0400 DEBUG Upgraded: selinux-policy-targeted-41.8-1.fc41.noarch\n```\nCould this be the source of the issue?", "timestamp": "2024-07-10 16:53:57", "update_id": 626486, "user_id": 302, "id": 3606429, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "adamwill", "email": "awilliam@redhat.com", "id": 302, "avatar": "https://seccdn.libravatar.org/avatar/51720fbb2ec5dfd2bc005ac374a3bfd3190cb8f45f3bb8d6bdf35fb6a051d03b?s=24&d=retro", "openid": "adamwill.id.fedoraproject.org", "groups": [{"name": "proventesters"}, {"name": "provenpackager"}, {"name": "packager"}, {"name": "qa-tools-sig"}, {"name": "fedora-contributor"}, {"name": "news"}, {"name": "gittriage"}, {"name": "sysadmin"}, {"name": "gitspin-kickstarts"}, {"name": "signed_fpca"}, {"name": "gitgeneric-release"}, {"name": "yak_farmers"}, {"name": "triagers"}, {"name": "qa"}, {"name": "sysadmin-qa"}, {"name": "fedorabugs"}, {"name": "ipausers"}, {"name": "gitmkinitrd"}, {"name": "qa-admin"}, {"name": "aws-qa"}, {"name": "change-wranglers"}, {"name": "fedora-ci-admins"}, {"name": "common-issues-triage"}, {"name": "sysadmin-main"}, {"name": "program-management"}, {"name": "gitfedora-project-schedule"}]}}, {"karma": 0, "karma_critpath": 0, "text": "Oh, no, that upgrade only happens in the test of FEDORA-2024-3aafcac6a8 , the bin-sbin merge update. In the logs of the test on this update, httpd is *down*graded, and it happens after selinux-policy is upgraded:\n```\n[adamw@xps13a tmp]$ egrep \".*graded: (httpd|selinux-policy-targeted)\" /tmp/var/log/dnf.log\n2024-07-10T09:08:08-0400 DEBUG Upgraded: selinux-policy-targeted-41.8-1.fc41.noarch\n2024-07-10T09:08:08-0400 DEBUG Downgraded: httpd-2.4.59-2.fc41.x86_64\n2024-07-10T09:08:08-0400 DEBUG Downgraded: httpd-core-2.4.59-2.fc41.x86_64\n2024-07-10T09:08:08-0400 DEBUG Downgraded: httpd-filesystem-2.4.59-2.fc41.noarch\n2024-07-10T09:08:08-0400 DEBUG Downgraded: httpd-tools-2.4.59-2.fc41.x86_64\n```", "timestamp": "2024-07-10 17:01:54", "update_id": 626486, "user_id": 302, "id": 3606439, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "adamwill", "email": "awilliam@redhat.com", "id": 302, "avatar": "https://seccdn.libravatar.org/avatar/51720fbb2ec5dfd2bc005ac374a3bfd3190cb8f45f3bb8d6bdf35fb6a051d03b?s=24&d=retro", "openid": "adamwill.id.fedoraproject.org", "groups": [{"name": "proventesters"}, {"name": "provenpackager"}, {"name": "packager"}, {"name": "qa-tools-sig"}, {"name": "fedora-contributor"}, {"name": "news"}, {"name": "gittriage"}, {"name": "sysadmin"}, {"name": "gitspin-kickstarts"}, {"name": "signed_fpca"}, {"name": "gitgeneric-release"}, {"name": "yak_farmers"}, {"name": "triagers"}, {"name": "qa"}, {"name": "sysadmin-qa"}, {"name": "fedorabugs"}, {"name": "ipausers"}, {"name": "gitmkinitrd"}, {"name": "qa-admin"}, {"name": "aws-qa"}, {"name": "change-wranglers"}, {"name": "fedora-ci-admins"}, {"name": "common-issues-triage"}, {"name": "sysadmin-main"}, {"name": "program-management"}, {"name": "gitfedora-project-schedule"}]}}, {"karma": 0, "karma_critpath": 0, "text": "Aha. I did a scratch build of selinux-policy for F40 with [\"Drop the publicfile module\"](https://src.fedoraproject.org/rpms/selinux-policy/c/1e6c28bba2e75d73f1fe735e0bf97eed2e230277?branch=rawhide) backported, ran the test again with that scratch build pulled in, and [it seems to be passing](https://openqa.stg.fedoraproject.org/tests/4024956#live). So I think perhaps we need that change on F39 and F40 too, and that should have happened before this landed.\n\nI'm going to file a ticket requesting this update be untagged for now while we work this out, I don't want to try YOLOing selinux-policy builds for F39 and F40 myself.", "timestamp": "2024-07-10 18:19:43", "update_id": 626486, "user_id": 302, "id": 3606475, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "adamwill", "email": "awilliam@redhat.com", "id": 302, "avatar": "https://seccdn.libravatar.org/avatar/51720fbb2ec5dfd2bc005ac374a3bfd3190cb8f45f3bb8d6bdf35fb6a051d03b?s=24&d=retro", "openid": "adamwill.id.fedoraproject.org", "groups": [{"name": "proventesters"}, {"name": "provenpackager"}, {"name": "packager"}, {"name": "qa-tools-sig"}, {"name": "fedora-contributor"}, {"name": "news"}, {"name": "gittriage"}, {"name": "sysadmin"}, {"name": "gitspin-kickstarts"}, {"name": "signed_fpca"}, {"name": "gitgeneric-release"}, {"name": "yak_farmers"}, {"name": "triagers"}, {"name": "qa"}, {"name": "sysadmin-qa"}, {"name": "fedorabugs"}, {"name": "ipausers"}, {"name": "gitmkinitrd"}, {"name": "qa-admin"}, {"name": "aws-qa"}, {"name": "change-wranglers"}, {"name": "fedora-ci-admins"}, {"name": "common-issues-triage"}, {"name": "sysadmin-main"}, {"name": "program-management"}, {"name": "gitfedora-project-schedule"}]}}, {"karma": 0, "karma_critpath": 0, "text": "Untag ticket: https://pagure.io/releng/issue/12197", "timestamp": "2024-07-10 18:24:05", "update_id": 626486, "user_id": 302, "id": 3606476, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "adamwill", "email": "awilliam@redhat.com", "id": 302, "avatar": "https://seccdn.libravatar.org/avatar/51720fbb2ec5dfd2bc005ac374a3bfd3190cb8f45f3bb8d6bdf35fb6a051d03b?s=24&d=retro", "openid": "adamwill.id.fedoraproject.org", "groups": [{"name": "proventesters"}, {"name": "provenpackager"}, {"name": "packager"}, {"name": "qa-tools-sig"}, {"name": "fedora-contributor"}, {"name": "news"}, {"name": "gittriage"}, {"name": "sysadmin"}, {"name": "gitspin-kickstarts"}, {"name": "signed_fpca"}, {"name": "gitgeneric-release"}, {"name": "yak_farmers"}, {"name": "triagers"}, {"name": "qa"}, {"name": "sysadmin-qa"}, {"name": "fedorabugs"}, {"name": "ipausers"}, {"name": "gitmkinitrd"}, {"name": "qa-admin"}, {"name": "aws-qa"}, {"name": "change-wranglers"}, {"name": "fedora-ci-admins"}, {"name": "common-issues-triage"}, {"name": "sysadmin-main"}, {"name": "program-management"}, {"name": "gitfedora-project-schedule"}]}}, {"karma": 0, "karma_critpath": 0, "text": "Hmm, further note: I've now noticed that in the time this was stable, several F41 FreeIPA deployment tests (non-upgrade ones) failed due to failure to start httpd, e.g. [this one](https://openqa.fedoraproject.org/tests/2723514). In the logs we see a denial:\n```\ntype=AVC msg=audit(1720634659.820:1916): avc:  denied  { execute } for  pid=9853 comm=\"(httpd)\" name=\"httpd\" dev=\"dm-0\" ino=8535579 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon=\"system_u:object_r:publicfile_exec_t:s0\"\n```\nand a corresponding httpd.service failure:\n```\nJul 10 11:04:19 ipa002.test.openqa.fedoraproject.org (httpd)[9853]: httpd.service: Unable to locate executable '/usr/sbin/httpd': Permission denied\nJul 10 11:04:19 ipa002.test.openqa.fedoraproject.org (httpd)[9853]: httpd.service: Failed at step EXEC spawning /usr/sbin/httpd: Permission denied\n```\nFrom the logs it seems selinux-policy started out as 41.3 and was updated to 41.8 during the initial update run at the start of the test, before FreeIPA server deployment is attempted. I don't know why we didn't see these failures on the tests of the selinux 41.8 update itself.", "timestamp": "2024-07-10 23:45:45", "update_id": 626486, "user_id": 302, "id": 3606692, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "adamwill", "email": "awilliam@redhat.com", "id": 302, "avatar": "https://seccdn.libravatar.org/avatar/51720fbb2ec5dfd2bc005ac374a3bfd3190cb8f45f3bb8d6bdf35fb6a051d03b?s=24&d=retro", "openid": "adamwill.id.fedoraproject.org", "groups": [{"name": "proventesters"}, {"name": "provenpackager"}, {"name": "packager"}, {"name": "qa-tools-sig"}, {"name": "fedora-contributor"}, {"name": "news"}, {"name": "gittriage"}, {"name": "sysadmin"}, {"name": "gitspin-kickstarts"}, {"name": "signed_fpca"}, {"name": "gitgeneric-release"}, {"name": "yak_farmers"}, {"name": "triagers"}, {"name": "qa"}, {"name": "sysadmin-qa"}, {"name": "fedorabugs"}, {"name": "ipausers"}, {"name": "gitmkinitrd"}, {"name": "qa-admin"}, {"name": "aws-qa"}, {"name": "change-wranglers"}, {"name": "fedora-ci-admins"}, {"name": "common-issues-triage"}, {"name": "sysadmin-main"}, {"name": "program-management"}, {"name": "gitfedora-project-schedule"}]}}, {"karma": 0, "karma_critpath": 0, "text": "I don't quite understand the updates testing workflow, but in general, the issue with publicfile_t can only manifest when httpd starts with selinux-policy 41.3 to 41.7 installed.\n\ntcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon=\"system_u:object_r:publicfile_exec_t:s0\"\n\nmay indicate the policy has been updated, so the label does not exist, but either the binary has not been relabeled or it is a deleted file. Relabeling should happen during %post phase.", "timestamp": "2024-07-11 07:13:35", "update_id": 626486, "user_id": 5290, "id": 3607119, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "zpytela", "email": "zpytela@redhat.com", "id": 5290, "avatar": "https://seccdn.libravatar.org/avatar/f5f39686c696f412e8ed564241807306fff38278b276da30a2d3c41583d69f2a?s=24&d=retro", "openid": "zpytela.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}]}}, {"karma": 0, "karma_critpath": 0, "text": "Yeah, I don't under this either. In the images I looked into, the label is `http_exec_t`.\nhttps://src.fedoraproject.org/rpms/selinux-policy/pull-request/445 is an attempt at a workaround.\n", "timestamp": "2024-07-11 11:36:02", "update_id": 626486, "user_id": 119, "id": 3607257, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "zbyszek", "email": "zbyszek@in.waw.pl", "id": 119, "avatar": "https://seccdn.libravatar.org/avatar/9e521f4e57c4a91bd8818885e1baba425894908e140a76d1c0c697e237cb3b6e?s=24&d=retro", "openid": "zbyszek.id.fedoraproject.org", "groups": [{"name": "provenpackager"}, {"name": "packager"}, {"name": "python-sig"}, {"name": "neuro-sig"}, {"name": "fedorabugs"}, {"name": "signed_fpca"}, {"name": "python-packagers-sig"}, {"name": "fesco"}, {"name": "gitinitscripts"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "scitech_sig"}, {"name": "rust-sig"}]}}, {"karma": 0, "karma_critpath": 0, "text": "Well, I can't really comment on what \"can't possibly happen\" or whatever, but I know what *did* happen: in https://openqa.fedoraproject.org/tests/2722892 we installed FreeIPA (including httpd) with `selinux-policy-targeted-40.23-1.fc40.noarch` and it worked, then we upgraded to `selinux-policy-targeted-41.8-1.fc41.noarch` and it failed. No other version of `selinux-policy-targeted` was installed during the lifetime of the test. You can check this yourself from https://openqa.fedoraproject.org/tests/2722892/file/role_deploy_domain_controller_check-var_log.tar.gz .\n\nYou can see exactly the same in https://openqa.fedoraproject.org/tests/2723862 , the most recent run of the same test on this update. It installed FreeIPA with `selinux-policy-targeted-40.23-1.fc40.noarch` and it worked, then it upgraded directly to Fedora 41 including `selinux-policy-targeted-41.8-1.fc41.noarch` and it failed. You can see this in the dnf transaction log:\n```\n2024-07-10T19:02:35-0400 DEBUG ---> Package selinux-policy.noarch 40.23-1.fc40 will be upgraded\n2024-07-10T19:02:35-0400 DEBUG ---> Package selinux-policy.noarch 41.8-1.fc41 will be an upgrade\n2024-07-10T19:02:35-0400 DEBUG ---> Package selinux-policy-targeted.noarch 40.23-1.fc40 will be upgraded\n2024-07-10T19:02:35-0400 DEBUG ---> Package selinux-policy-targeted.noarch 41.8-1.fc41 will be an upgrade\n```\nThere is no other version there.\n\nI also verified, as I said, that if I backport the removal of `publicfile` to Fedora 40, so when we install FreeIPA (httpd) on Fedora 40 it happens with an selinux-policy package with no `publicfile` module, the test passes.", "timestamp": "2024-07-11 15:06:53", "update_id": 626486, "user_id": 302, "id": 3607565, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "adamwill", "email": "awilliam@redhat.com", "id": 302, "avatar": "https://seccdn.libravatar.org/avatar/51720fbb2ec5dfd2bc005ac374a3bfd3190cb8f45f3bb8d6bdf35fb6a051d03b?s=24&d=retro", "openid": "adamwill.id.fedoraproject.org", "groups": [{"name": "proventesters"}, {"name": "provenpackager"}, {"name": "packager"}, {"name": "qa-tools-sig"}, {"name": "fedora-contributor"}, {"name": "news"}, {"name": "gittriage"}, {"name": "sysadmin"}, {"name": "gitspin-kickstarts"}, {"name": "signed_fpca"}, {"name": "gitgeneric-release"}, {"name": "yak_farmers"}, {"name": "triagers"}, {"name": "qa"}, {"name": "sysadmin-qa"}, {"name": "fedorabugs"}, {"name": "ipausers"}, {"name": "gitmkinitrd"}, {"name": "qa-admin"}, {"name": "aws-qa"}, {"name": "change-wranglers"}, {"name": "fedora-ci-admins"}, {"name": "common-issues-triage"}, {"name": "sysadmin-main"}, {"name": "program-management"}, {"name": "gitfedora-project-schedule"}]}}], "builds": [{"nvr": "selinux-policy-41.8-1.fc41", "signed": true, "release_id": 80, "type": "rpm", "epoch": 0}], "bugs": [], "updateid": "FEDORA-2024-2711625691", "karma": 0, "content_type": "rpm", "test_cases": []}, "can_edit": false, "ci_allowed": false}