stable

selinux-policy-40.18-2.fc40

FEDORA-2024-759c80369d created by zpytela 5 months ago for Fedora 40

New F40 selinux-policy build. It is expected to fix most problems with libvirt; some remain and require additional troubleshooting.

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2024-759c80369d

This update has been submitted for testing by zpytela.

5 months ago

This update's test gating status has been changed to 'waiting'.

5 months ago

This update's test gating status has been changed to 'passed'.

5 months ago
kparal commented & provided feedback 5 months ago

I no longer see AVCs when working with the virt-manager

stephent98 commented & provided feedback 5 months ago

No AVCs with basic usage. Tested with:

$ date ; { sleep 60 & } ; sleep 3 ; kill -ABRT %1 ; date

NB: BZ#2277658 occurs with Workstation, but not with Xfce.

BZ#2265926 SELinux is preventing /usr/bin/abrt-dump-journal-core from 'connectto' accesses on the unix_stream_socket /run/systemd/userdb/io.systemd.Home.
BZ#2277658 SELinux is preventing abrt-dump-journ from 'connectto' accesses on the unix_stream_socket /run/systemd/userdb/io.systemd.Machine.
zpytela commented & provided feedback 5 months ago

@stephent98: please share the denial; the permission is allowed regardless of which spin is used; I cannot reproduce it anyway

This update has been pushed to testing.

5 months ago

This update can be pushed to stable now if the maintainer wishes

5 months ago
bojan commented & provided feedback 5 months ago

Works.

This update has been submitted for stable by bodhi.

5 months ago
py0xc3 commented & provided feedback 5 months ago

Seems to work fine on my F40 KDE x86_64 with sysadm_u confined user. Up to date as of now, plus the selinux-policy-40.18-2.fc40 package.

I still have denials with virt-manager and cockpit when using KVM/QEMU VMs (virtiofsd_backe, wireplumber, gst-plugin-scan, virtuifsd, rpm-virtqemud, cockpit-bridge), but these can be related to the SELinux confinement settings on my system with sysadm_u on my working user and user_u at __default__.

I have not tested without confinement, so I leave the BZ# neutral. However, everything works fine, as before the impact of the F40 issues, despite the persisting "confinement" denials (I have not compared if the denials are the very same as before the F40 occurrences, but there have been denials before F40 when SELinux confinement was imposed, so that's not new). I hope I will soon have time to file a report against GitHub about the denials in confined environments.

This update has been pushed to stable.

5 months ago

Metadata
Type: bugfix
Severity: medium
Karma: 6
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -2
Stable by Karma: 5
Stable by Time: 14 days
Dates
submitted: 5 months ago
in testing: 5 months ago
in stable: 5 months ago
approved: 5 months ago

BZ#2265926 SELinux is preventing /usr/bin/abrt-dump-journal-core from 'connectto' accesses on the unix_stream_socket /run/systemd/userdb/io.systemd.Home.
0
1
BZ#2270668 SELinux is preventing rpc-virtqemud from 'getattr' accesses on the système de fichiers /.
0
0
BZ#2271831 SELinux is preventing rpc-virtqemud from 'getattr' accesses on the filesystem /.
0
0
BZ#2276768 SELinux is preventing lvs from 'unlink' accesses on the file V_vm-pool:aux.
0
0
BZ#2276779 SELinux is preventing daemon-init from 'map' accesses on the file /var/lib/flatpak/exports/share/mime/mime.cache.
0
0
BZ#2276937 SELinux: AVC avc: denied { create } for pid=868 comm="nsupdate" anonclass=[io_uring] scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=0
0
0
BZ#2277028 Errors happened with the container-selinux-2:2.231.0-1.fc40.noarch postinstall scriplet
0
0
BZ#2277658 SELinux is preventing abrt-dump-journ from 'connectto' accesses on the unix_stream_socket /run/systemd/userdb/io.systemd.Machine.
0
1
BZ#2278803 SELinux is preventing qemu-system-x86 from read, write access on the chr_file 005.
0
0
