obsolete

selinux-policy-41.21-1.fc41

FEDORA-2024-8707c24571 created by zpytela a month ago for Fedora 41

New F41 selinux-policy build

This update has been submitted for testing by zpytela.

a month ago

This update's test gating status has been changed to 'waiting'.

a month ago

This update's test gating status has been changed to 'waiting'.

a month ago

This update's test gating status has been changed to 'failed'.

a month ago
g6avk commented & provided feedback a month ago

Works for me..

dustymabe commented & provided feedback a month ago

With this update the CoreOS test fails because the systemd-homed service fails to start.

This also fails in rawhide with the F42 version of this update.

Not sure if this is related, but I see this:

systemd-homed[5072]: Failed to open /var/cache/systemd/home/: Permission denied

although:

$ ll /var/cache/systemd/
total 0
drwxr-xr-x. 1 root root 0 Sep 14 17:28 home

and:

$ ps aux | grep homed
root 5072 0.0 0.0 16304 8148 ? Ss 18:11 0:00 /usr/lib/systemd/systemd-homed

Seems a bit odd

This update's test gating status has been changed to 'waiting'.

a month ago

This update's test gating status has been changed to 'passed'.

a month ago

I missed this, sorry. I do not have systemd-homed running.

This update has been pushed to testing.

a month ago

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

a month ago
bojan commented & provided feedback a month ago

Works.

nixuser commented & provided feedback a month ago

Seems OK here.

This update can be pushed to stable now if the maintainer wishes

a month ago

@tyrbiter @dustymabe can you please include some details? avc, syscall, path record

new build can be done right away, but this feature does not have full functional testing so it did not manifest in our tests

clnetbox commented & provided feedback a month ago

SELinux is preventing /usr/lib/systemd/systemd-executor from add_name access on the directory home.

Source Context : system_u:system_r:init_t:s0
Target Context : system_u:object_r:systemd_cache_t:s0
Target Objects : home [ dir ]
Source : (md-homed)
Source Path : /usr/lib/systemd/systemd-executor
Source RPM Packages : systemd-256.7-1.fc41.x86_64
Target RPM Packages
SELinux Policy RPM : selinux-policy-targeted-41.21-1.fc41.noarch
Local Policy RPM : selinux-policy-targeted-41.21-1.fc41.noarch
Selinux Enabled : True
Policy Type : targeted
Enforcing Mode : Enforcing
Platform : Linux XXXXXXXX 6.11.3-300.fc41.x86_64 #1 SMP

Raw Audit Messages
type=AVC msg=audit(1728980205.16:210): avc: denied { add_name } for pid=2369 comm="(md-homed)" name="home" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_cache_t:s0 tclass=dir permissive=0

type=SYSCALL msg=audit(1728980205.16:210): arch=x86_64 syscall=mkdirat success=no exit=EACCES a0=ffffff9c a1=55fcac4f5600 a2=1ed a3=55fcac5ac3a0 items=0 ppid=1 pid=2369 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=(md-homed) exe=/usr/lib/systemd/systemd-executor subj=system_u:system_r:init_t:s0 key=(null)

Hash: (md-homed),init_t,systemd_cache_t,dir,add_name

Workaround : sudo systemctl disable systemd-homed.service
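
The AVC and SYSCALL records quoted in the comment above belong to one audit event, identified by the shared `audit(timestamp:serial)` stamp. As an added example (not part of the thread or of any Fedora tooling; the function names are hypothetical), this Python code joins the two records, copied from that comment, on the stamp and summarizes the denial:

```python
import re
from collections import defaultdict

# Sample input: the two raw audit records copied from the comment above.
SAMPLE = '''\
type=AVC msg=audit(1728980205.16:210): avc: denied { add_name } for pid=2369 comm="(md-homed)" name="home" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_cache_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1728980205.16:210): arch=x86_64 syscall=mkdirat success=no exit=EACCES a0=ffffff9c a1=55fcac4f5600 a2=1ed a3=55fcac5ac3a0 items=0 ppid=1 pid=2369 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=(md-homed) exe=/usr/lib/systemd/systemd-executor subj=system_u:system_r:init_t:s0 key=(null)
'''

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
PERMS = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def group_events(text):
    """Group audit records by (timestamp, serial); records of one event share both."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # skip anything that is not a raw audit record
        rtype, stamp, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in KV.findall(body)}
        p = PERMS.search(body) if rtype == 'AVC' else None
        if p:
            fields['result'], fields['perms'] = p.group(1), p.group(2).split()
        events[(stamp, serial)][rtype] = fields
    return events

def summarize(events):
    """One dict per denial, joined with its SYSCALL record when present."""
    out = []
    for (stamp, serial), recs in events.items():
        avc = recs.get('AVC')
        if not avc or avc.get('result') != 'denied':
            continue
        sc = recs.get('SYSCALL', {})
        out.append({
            'event': f'{stamp}:{serial}',
            'source_type': avc['scontext'].split(':')[2],
            'target_type': avc['tcontext'].split(':')[2],
            'tclass': avc['tclass'], 'perms': avc['perms'],
            'name': avc.get('name'), 'syscall': sc.get('syscall'),
            'exe': sc.get('exe'), 'enforced': avc.get('permissive') == '0',
        })
    return out

if __name__ == '__main__':
    for denial in summarize(group_events(SAMPLE)):
        print(denial)
```
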

systemd needs to be allowed to create /var/cache/systemd/home at least on some installations, so I've updated selinux-policy

please try a scratchbuild from https://github.com/fedora-selinux/selinux-policy/pull/2390/checks if you can, I want to merge it soon and create a new build

you may need to rmdir /var/cache/systemd/home first as the issue manifests or not depending on the order of updates

rmdir /var/cache/systemd/home/
systemctl restart systemd-homed; sleep 1; systemctl status systemd-homed
ls -lZ /var/cache/systemd/
total 4
drwxr-xr-x. 2 root root system_u:object_r:systemd_homed_cache_t:s0 4096 Oct 15 13:43 home
derekenz commented & provided feedback a month ago

Works

@Zdenek : That's exactly what I did yesterday ... I've removed the directory and then applied the update.
Just a moment ago I did what you suggested, I started the service, the SELinux message appeared again.
SELinux is preventing /usr/lib/systemd/systemd-executor from add_name access on the directory home.

ls -lZ /var/cache/systemd
total 0
drwxr-xr-x. 2 root root 6 15. Okt 10:16 .
drwxr-xr-x. 20 root root 4096 15. Okt 10:16 ..
sudo systemctl start systemd-homed.service
Job for systemd-homed.service failed because the control process exited with error code.
See "systemctl status systemd-homed.service" and "journalctl -xeu systemd-homed.service" for details.
ls -lZ /var/cache/systemd
total 0

systemctl status systemd-homed.service
...
systemd[1]: Starting systemd-homed.service - Home Area Manager...
(md-homed)[5404]: systemd-homed.service: Failed to set up special execution directory in /var/cache: Permission denied
(md-homed)[5404]: systemd-homed.service: Failed at step CACHE_DIRECTORY spawning /usr/lib/systemd/systemd-homed: Permission denied
systemd[1]: systemd-homed.service: Main process exited, code=exited, status=239/CACHE_DIRECTORY
systemd[1]: systemd-homed.service: Failed with result 'exit-code'.
systemd[1]: Failed to start systemd-homed.service - Home Area Manager.

@Zdenek : I have tested the copr build ... now it seems to work as expected.

sudo dnf copr enable packit/fedora-selinux-selinux-policy-2390 fedora-rawhide-x86_64
sudo dnf upgrade selinux*
sudo systemctl start systemd-homed.service
ls -lZ /var/cache/systemd
total 0
drwxr-xr-x. 2 root root system_u:object_r:systemd_homed_cache_t:s0 6 16. Okt 12:23 home

systemctl status systemd-homed.service
...
systemd[1]: Starting systemd-homed.service - Home Area Manager...
Okt 16 12:23:25 cl-fs-01 systemd-homed[7999]: Watching /home.
Okt 16 12:23:25 cl-fs-01 systemd[1]: Started systemd-homed.service - Home Area Manager.

filiperosset commented & provided feedback a month ago

no regressions noted

something is preventing me from relabeling my machine

systemd[1]: selinux-autorelabel-mark.service - Mark the need to relabel after reboot was skipped because of an unmet condition check (ConditionSecurity=!selinux).
kparal commented & provided feedback a month ago

There are at least 2 regressions in this build. The systemd-homed one, and also in the power-profiles-daemon: https://bugzilla.redhat.com/show_bug.cgi?id=2319354 https://bugzilla.redhat.com/show_bug.cgi?id=2319355

@kparal : Just FYI - power-profiles-daemon will be replaced with tuned-ppd in f41 !
If you upgraded from f40, run sudo dnf swap power-profiles-daemon tuned-ppd.

Thanks for the info, @clnetbox! I don't want to go off-topic here, but it's quite a bummer that it wasn't handled automatically during the upgrade. I'll need to look into it.

aleasto commented & provided feedback a month ago

This seems to also be causing https://bugzilla.redhat.com/show_bug.cgi?id=2319823

SELinux: security_context_str_to_sid (system_u:object_r:waydroid_rootfs_t:s0) failed with errno=-22

While I cannot reproduce that bug, I tried installing snapd and I experience the same bug with snappy's context:

SELinux: security_context_str_to_sid (system_u:object_r:snappy_snap_t:s0) failed with errno=-22

This update has been obsoleted by selinux-policy-41.23-1.fc41.

a month ago


Metadata
Type: bugfix
Severity: medium
Karma: 3
Signed
Content Type: RPM
Test Gating
Autopush Settings
Unstable by Karma: -2
Stable by Karma: disabled
Stable by Time: disabled
Thresholds
Minimum Karma: +2
Minimum Testing: 14 days
Dates
submitted: a month ago
in testing: a month ago
approved: a month ago
