obsolete

selinux-policy-41.7-1.fc41

FEDORA-2024-64134f8805 created by zpytela 9 months ago for Fedora 41

Automatic update for selinux-policy-41.7-1.fc41.

Changelog
* Fri Jun 28 2024 Zdenek Pytela <zpytela@redhat.com> - 41.7-1
- Confine libvirt-dbus
- Allow virtqemud the kill capability in user namespace
- Allow rshim get options of the netlink class for KOBJECT_UEVENT family
- Allow dhcpcd the kill capability
- Allow systemd-networkd list /var/lib/systemd/network
- Allow sysadm_t run systemd-nsresourced bpf programs
- Update policy for systemd generators interactions
- Allow create memory.pressure files with cgroup_memory_pressure_t
- Add support for libvirt hooks
* Wed Jun 19 2024 Zdenek Pytela <zpytela@redhat.com> - 41.6-1
- Allow certmonger read and write tpm devices
- Allow all domains to connect to systemd-nsresourced over a unix socket
- Allow systemd-machined read the vsock device
- Update policy for systemd generators
- Allow ptp4l_t request that the kernel load a kernel module
- Allow sbd to trace processes in user namespace
- Allow request-key execute scripts
- Update policy for haproxyd
* Tue Jun 18 2024 Zdenek Pytela <zpytela@redhat.com> - 41.5-1
- Update policy for systemd-nsresourced
- Correct sbin-related file context entries
* Mon Jun 17 2024 Zdenek Pytela <zpytela@redhat.com> - 41.4-1
- Allow login_userdomain execute systemd-tmpfiles in the caller domain
- Allow virt_driver_domain read files labeled unconfined_t
- Allow virt_driver_domain dbus chat with policykit
- Allow virtqemud manage nfs files when virt_use_nfs boolean is on
- Add rules for interactions between generators
- Label memory.pressure files with cgroup_memory_pressure_t
- Revert "Allow some systemd services write to cgroup files"
- Update policy for systemd-nsresourced
- Label /usr/bin/ntfsck with fsadm_exec_t
- Allow systemd_fstab_generator_t read tmpfs files
- Update policy for systemd-nsresourced
- Alias /usr/sbin to /usr/bin and change all /usr/sbin paths to /usr/bin
- Remove a few lines duplicated between {dkim,milter}.fc
- Alias /bin → /usr/bin and remove redundant paths
- Drop duplicate line for /usr/sbin/unix_chkpwd
- Drop duplicate paths for /usr/sbin


Automatic update for selinux-policy-41.6-1.fc41.

This update was automatically created

9 months ago

This update has obsoleted selinux-policy-41.6-1.fc41, and has inherited its bugs and notes.

9 months ago

This update's test gating status has been changed to 'waiting'.

9 months ago

This update's test gating status has been changed to 'failed'.

9 months ago
adamwill commented & provided feedback 8 months ago

@zpytela sorry, I somehow missed this update failing tests (it was during a long weekend here). It looks like the publicfile_t denials are still around and are enough to break FreeIPA server deployment, which makes the tests fail. The remaining denials:

Jun 29 14:07:33 ipa001.test.openqa.fedoraproject.org audit[9984]: AVC avc:  denied  { create } for  pid=9984 comm="httpd" scontext=system_u:system_r:publicfile_t:s0 tcontext=system_u:system_r:publicfile_t:s0 tclass=netlink_route_socket permissive=0
Jun 29 14:07:33 ipa001.test.openqa.fedoraproject.org audit[9984]: AVC avc:  denied  { create } for  pid=9984 comm="httpd" scontext=system_u:system_r:publicfile_t:s0 tcontext=system_u:system_r:publicfile_t:s0 tclass=udp_socket permissive=0
Jun 29 14:07:33 ipa001.test.openqa.fedoraproject.org audit[9984]: AVC avc:  denied  { create } for  pid=9984 comm="httpd" scontext=system_u:system_r:publicfile_t:s0 tcontext=system_u:system_r:publicfile_t:s0 tclass=udp_socket permissive=0
Jun 29 14:07:33 ipa001.test.openqa.fedoraproject.org audit[9984]: AVC avc:  denied  { search } for  pid=9984 comm="httpd" name="httpd" dev="dm-0" ino=353970 scontext=system_u:system_r:publicfile_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=0

httpd.service log:

Jun 29 14:07:33 ipa001.test.openqa.fedoraproject.org systemd[1]: Starting httpd.service - The Apache HTTP Server...
Jun 29 14:07:33 ipa001.test.openqa.fedoraproject.org ipa-httpd-kdcproxy[9981]: ipa: INFO: KDC proxy enabled
Jun 29 14:07:33 ipa001.test.openqa.fedoraproject.org ipa-httpd-kdcproxy[9981]: ipa-httpd-kdcproxy: INFO     KDC proxy enabled
Jun 29 14:07:33 ipa001.test.openqa.fedoraproject.org (httpd)[9984]: httpd.service: Referenced but unset environment variable evaluates to an empty string: OPTIONS
Jun 29 14:07:33 ipa001.test.openqa.fedoraproject.org httpd[9984]: httpd: Could not open configuration file /etc/httpd/conf/httpd.conf: Permission denied
Jun 29 14:07:33 ipa001.test.openqa.fedoraproject.org systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Jun 29 14:07:33 ipa001.test.openqa.fedoraproject.org systemd[1]: httpd.service: Failed with result 'exit-code'.
Jun 29 14:07:33 ipa001.test.openqa.fedoraproject.org systemd[1]: Failed to start httpd.service - The Apache HTTP Server.

and from the IPA server deployment log, confirming it fails because httpd.service fails:

2024-06-29T14:07:33Z DEBUG The ipa-server-install command failed, exception: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'httpd.service'] returned non-zero exit status 1: 'Job for httpd.service failed because the control process exited with error code.\nSee "systemctl status httpd.service" and "journalctl -xeu httpd.service" for details.\n')
2024-06-29T14:07:33Z ERROR CalledProcessError(Command ['/bin/systemctl', 'start', 'httpd.service'] returned non-zero exit status 1: 'Job for httpd.service failed because the control process exited with error code.\nSee "systemctl status httpd.service" and "journalctl -xeu httpd.service" for details.\n')
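The four AVC records above carry the whole diagnosis: the process is httpd, but its source context is publicfile_t rather than the httpd_t domain Apache is normally confined in, so it is denied the search on the httpd_config_t directory and httpd cannot open /etc/httpd/conf/httpd.conf. The script below is an added example, not code from the comment, from Bodhi or from the selinux-policy project: it parses AVC lines of this shape, groups denials by source type, target type, object class and permissions, and flags a process running in a domain other than the one the caller expects. The sample input is the comment's own four lines plus one ordinary journal line (constructed, to show non-AVC lines are skipped); the expectation that httpd belongs in httpd_t is an assumption the caller supplies.

```python
import re
from collections import Counter

# Constructed sample input: the four AVC records quoted in the comment above
# plus one ordinary journal line, to show that non-AVC lines are skipped.
SAMPLE_AUDIT = """\
Jun 29 14:07:33 ipa001.test.openqa.fedoraproject.org audit[9984]: AVC avc:  denied  { create } for  pid=9984 comm="httpd" scontext=system_u:system_r:publicfile_t:s0 tcontext=system_u:system_r:publicfile_t:s0 tclass=netlink_route_socket permissive=0
Jun 29 14:07:33 ipa001.test.openqa.fedoraproject.org audit[9984]: AVC avc:  denied  { create } for  pid=9984 comm="httpd" scontext=system_u:system_r:publicfile_t:s0 tcontext=system_u:system_r:publicfile_t:s0 tclass=udp_socket permissive=0
Jun 29 14:07:33 ipa001.test.openqa.fedoraproject.org audit[9984]: AVC avc:  denied  { create } for  pid=9984 comm="httpd" scontext=system_u:system_r:publicfile_t:s0 tcontext=system_u:system_r:publicfile_t:s0 tclass=udp_socket permissive=0
Jun 29 14:07:33 ipa001.test.openqa.fedoraproject.org audit[9984]: AVC avc:  denied  { search } for  pid=9984 comm="httpd" name="httpd" dev="dm-0" ino=353970 scontext=system_u:system_r:publicfile_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=0
Jun 29 14:07:33 ipa001.test.openqa.fedoraproject.org systemd[1]: Starting httpd.service - The Apache HTTP Server...
"""

# An AVC record looks like: AVC avc:  denied  { perm1 perm2 } for  key=value key="quoted" ...
AVC_RE = re.compile(
    r'AVC avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, value in KV_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    # A context is user:role:type:level; policy rules are written against the type.
    for ctx in ("scontext", "tcontext"):
        parts = rec.get(ctx, "").split(":")
        rec[ctx + "_type"] = parts[2] if len(parts) >= 3 else None
    # permissive=0 means the access was really blocked; permissive=1 means logged but allowed.
    rec["enforced"] = rec.get("permissive") == "0"
    return rec


def summarize(lines):
    """Count denials by (source type, target type, object class, permissions)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (rec["scontext_type"], rec["tcontext_type"], rec["tclass"], " ".join(rec["perms"]))
        counts[key] += 1
    return counts


def unexpected_domains(lines, expected):
    """Return {(comm, domain)} for processes seen in a domain not listed in expected[comm].

    `expected` maps a process name to the set of domains it should run in; it is an
    assumption supplied by the caller (here: Apache httpd belongs in httpd_t).
    """
    found = set()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or "comm" not in rec:
            continue
        if rec["comm"] in expected and rec["scontext_type"] not in expected[rec["comm"]]:
            found.add((rec["comm"], rec["scontext_type"]))
    return found


def report(lines, expected):
    """Human-readable triage: one row per distinct denial, then any domain mismatch."""
    out = []
    for (src, tgt, cls, perms), n in sorted(summarize(lines).items()):
        out.append(f"{n}x  {src} -> {tgt}  {cls} {{ {perms} }}")
    for comm, dom in sorted(unexpected_domains(lines, expected)):
        out.append(f"domain mismatch: comm={comm} runs as {dom}, expected {sorted(expected[comm])}")
    return out


if __name__ == "__main__":
    for row in report(SAMPLE_AUDIT.splitlines(), {"httpd": {"httpd_t"}}):
        print(row)
```

Run against the sample, the report collapses the two identical udp_socket denials into one row and prints the domain mismatch for httpd, which is the line that matters: the socket and directory denials are symptoms of the wrong domain, so adding allow rules for publicfile_t would be the wrong fix, while correcting the file context that puts httpd into publicfile_t (as the follow-up comment proposes) removes all four at once.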

This update's test gating status has been changed to 'waiting'.

8 months ago

This update's test gating status has been changed to 'failed'.

8 months ago

Maybe https://github.com/fedora-selinux/selinux-policy/pull/2225 would solve the issue? Can we test it without making a bodhi update?

Great find! I assume that the correct fix is to drop the publicfile_t mapping? Will you prep a patch?

This update has been obsoleted by selinux-policy-41.8-1.fc41.

8 months ago


Metadata
Type: unspecified
Karma: -1
Signed
Content Type: RPM
Test Gating
Autopush Settings
  Unstable by Karma: -3
  Stable by Karma: disabled
  Stable by Time: 0 days
Thresholds
  Minimum Karma: +2
  Minimum Testing: 14 days
Dates
  submitted: 9 months ago
  in testing: 9 months ago
