stable

audit-4.1.2-2.fc43

FEDORA-2025-1a9b66e130 created by sgrubb 6 months ago for Fedora 43

New upstream release with optimized searching and reporting.

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2025-1a9b66e130

This update has been submitted for testing by sgrubb.

6 months ago

This update's test gating status has been changed to 'waiting'.

6 months ago

This update's test gating status has been changed to 'waiting'.

6 months ago

sgrubb edited this update.

6 months ago

This update's test gating status has been changed to 'failed'.

6 months ago

This update has been pushed to testing.

6 months ago
adamwill commented & provided feedback 6 months ago
karma

SELinux issues:

Sep 21 16:51:28 localhost systemd[1]: Starting auditd.service - Security Audit Logging Service...
Sep 21 16:51:28 localhost audit[681]: AVC avc:  denied  { create } for  pid=681 comm="auditd" name="audit" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=dir permissive=0
Sep 21 16:51:28 localhost audit[681]: SYSCALL arch=c000003e syscall=83 success=no exit=-13 a0=55bd72e3936f a1=1ed a2=ffffffffffffffa0 a3=0 items=0 ppid=680 pid=681 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="auditd" exe="/usr/bin/auditd" subj=system_u:system_r:auditd_t:s0 key=(null)
Sep 21 16:51:28 localhost audit: PROCTITLE proctitle="/usr/bin/auditd"
Sep 21 16:51:28 localhost auditd[681]: Cannot create run directory /run/audit (Permission denied)
Sep 21 16:51:28 localhost audit: CONFIG_CHANGE op=set audit_pid=0 old=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 res=1
Sep 21 16:51:28 localhost audit[681]: SYSCALL arch=c000003e syscall=44 success=yes exit=60 a0=3 a1=7ffe341cfbd0 a2=3c a3=0 items=0 ppid=680 pid=681 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="auditd" exe="/usr/bin/auditd" subj=system_u:system_r:auditd_t:s0 key=(null)
Sep 21 16:51:28 localhost audit: PROCTITLE proctitle="/usr/bin/auditd"
Sep 21 16:51:28 localhost auditd[681]: The audit daemon is exiting.
Sep 21 16:51:28 localhost auditd[680]: Cannot daemonize (Success)
Sep 21 16:51:28 localhost auditd[680]: The audit daemon is exiting.
Sep 21 16:51:28 localhost systemd[1]: auditd.service: Control process exited, code=exited, status=1/FAILURE
Sep 21 16:51:28 localhost systemd[1]: auditd.service: Failed with result 'exit-code'.
Sep 21 16:51:28 localhost systemd[1]: Failed to start auditd.service - Security Audit Logging Service.

I think maybe we fixed this in Rawhide but not F43?

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

6 months ago
adamwill commented & provided feedback 6 months ago

yeah, F43 is on selinux-policy-42.8-1. F42 is on 42.9-1, Rawhide is on 42.10-1.

@zpytela @lvrabec PTAL

adamwill commented & provided feedback 6 months ago

specifically, 42.9 included "- Allow auditd manage its private run dirs" which is what we need here.
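
An added example, not part of the original thread or of Bodhi: a Python parser that extracts the denied permission, source and target types, and object class from AVC lines like the one quoted in the first comment, then builds the sesearch query (from setools) for checking whether the installed selinux-policy carries a matching allow rule. The function names are assumptions made for this example; the sample lines are taken from the journal excerpt above.

```python
import re

# Sample input: three lines from the journal excerpt quoted in the thread,
# embedded here so the example runs offline.
SAMPLE_JOURNAL = '''\
Sep 21 16:51:28 localhost systemd[1]: Starting auditd.service - Security Audit Logging Service...
Sep 21 16:51:28 localhost audit[681]: AVC avc:  denied  { create } for  pid=681 comm="auditd" name="audit" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=dir permissive=0
Sep 21 16:51:28 localhost auditd[681]: Cannot create run directory /run/audit (Permission denied)
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc_denials(text):
    """Return one dict per AVC denial found in journal or audit log text."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
        if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
            continue  # truncated record, nothing reliable to report
        src = fields['scontext'].split(':')
        tgt = fields['tcontext'].split(':')
        if len(src) < 3 or len(tgt) < 3:
            continue  # malformed context (expected user:role:type[:level])
        denials.append({
            'perms': m.group('perms').split(),
            'source_type': src[2],
            'target_type': tgt[2],
            'tclass': fields['tclass'],
            'comm': fields.get('comm'),
            # permissive=0 means the access was actually blocked
            'enforced': fields.get('permissive') == '0',
        })
    return denials

def sesearch_command(denial):
    """Build the sesearch query that looks for an allow rule covering the denial."""
    return 'sesearch -A -s {} -t {} -c {} -p {}'.format(
        denial['source_type'], denial['target_type'],
        denial['tclass'], ','.join(denial['perms']))

if __name__ == '__main__':
    for d in parse_avc_denials(SAMPLE_JOURNAL):
        print(d['comm'], 'blocked' if d['enforced'] else 'logged only', '->', sesearch_command(d))
```

Running the printed sesearch command on the affected host shows whether the loaded policy contains an allow rule for that access.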

adamwill commented & provided feedback 6 months ago

if someone does a 42.10-1 build for f43 we can edit it into this update.

zpytela commented & provided feedback 6 months ago

I guess this update is not critical so it can wait to GA but I will create a new selinux-policy build addressing one blocker and fix for this will be included

kparal commented & provided feedback 6 months ago

If this is waiting for GA, I prefer to unpush this update now, and reintroduce it once selinux-policy is ready. We don't want users running with updates-testing enabled to have broken system parts for long. Unless auditd.service is not that important and useful (haha, I have no idea what it is used for - I still see audit messages in journal even without this service running). Thoughts?

sgrubb commented & provided feedback 6 months ago

This was part of the python mini rebuild. If we wait until GA, there might be problems with the python bindings.

zpytela commented & provided feedback 6 months ago

I created the policy build in the meantime https://koji.fedoraproject.org/koji/taskinfo?taskID=137405431, not an update, so you can try to add it here @adamwill

There will be another build+update later this week

zpytela commented & provided feedback 6 months ago

@kparal updates-testing are enabled by default and I think it is not a good idea at this phase when updates are frozen

adamwill edited this update.

New build(s):

  • selinux-policy-42.9-1.fc43

Karma has been reset.

6 months ago

This update has been submitted for testing by adamwill.

6 months ago
adamwill commented & provided feedback 6 months ago

we're not in a freeze currently.

This update's test gating status has been changed to 'waiting'.

6 months ago

This update's test gating status has been changed to 'passed'.

6 months ago
geraldosimiao commented & provided feedback 6 months ago
karma

with the new selinux-policy I finally get no more sealerts from my VMs

sixpack13 commented & provided feedback 6 months ago
karma

with the new selinux-policy auditd starts again

thanks

imabug provided feedback 6 months ago
karma

This update has been pushed to testing.

6 months ago

This update can be pushed to stable now if the maintainer wishes

6 months ago
derekenz commented & provided feedback 6 months ago
karma

Works

clnetbox commented & provided feedback 6 months ago

When shutting down a VM the following SELinux warning (directory number varies) appears :

SELinux is preventing systemd-machine from search access on the directory 15069.

Additional Information:
Source Context system_u:system_r:systemd_machined_t:s0
Target Context system_u:system_r:svirt_t:s0:c715,c889
Target Objects 15069 [ dir ]
Source systemd-machine
Source Path systemd-machine
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-42.9-1.fc43.noarch
Local Policy RPM selinux-policy-targeted-42.9-1.fc43.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name XXXXXXXX
Platform Linux XXXXXXXX 6.17.0-0.rc7.56.fc43.x86_64 #1 SMP
PREEMPT_DYNAMIC Fri Sep 26 10:30:30 UTC 2025 x86_64

clnetbox commented & provided feedback 6 months ago

When connecting to a remote F43 system via RDP, this warning appears on the remote host :

SELinux is preventing RDP socket thre from read access on the directory /var/lib/sss/pubconf/krb5.include.d.

Additional Information:
Source Context system_u:system_r:gnome_remote_desktop_t:s0
Target Context system_u:object_r:sssd_public_t:s0
Target Objects /var/lib/sss/pubconf/krb5.include.d [ dir ]
Source RDP socket thre
Source Path RDP socket thre
Source RPM Packages
Target RPM Packages sssd-krb5-common-2.11.1-3.fc43.x86_64
SELinux Policy RPM selinux-policy-targeted-42.9-1.fc43.noarch
Local Policy RPM selinux-policy-targeted-42.9-1.fc43.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name XXXXXXXX
Platform Linux XXXXXXXX 6.17.0-0.rc7.56.fc43.x86_64 #1 SMP
PREEMPT_DYNAMIC Mon Sep 22 14:29:30 UTC 2025 x86_64

besser82 commented & provided feedback 5 months ago
karma

Works great! LGTM! =)

bojan commented & provided feedback 5 months ago
karma

Works.

adamwill edited this update.

Removed build(s):

  • selinux-policy-42.9-1.fc43

Karma has been reset.

4 months ago

This update has been submitted for testing by adamwill.

4 months ago
adamwill commented & provided feedback 4 months ago

edited to remove the selinux-policy build as there is a newer one in stable now, at request of @dustymabe. we'll see if that resolves the test failures.

dustymabe commented & provided feedback 4 months ago
karma

passes coreos tests

This update has been pushed to testing.

4 months ago
psklenar commented & provided feedback 4 months ago
karma
markec provided feedback 4 months ago
karma
rai510 provided feedback 4 months ago
karma

This update can be pushed to stable now if the maintainer wishes

4 months ago

This update has been submitted for stable by sgrubb.

4 months ago

This update has been pushed to stable.

4 months ago


Metadata

Type: enhancement
Karma: 2
Signed
Content Type: RPM
Test Gating

Autopush Settings

Unstable by Karma: -3
Stable by Karma: disabled
Stable by Time: disabled

Dates

submitted: 6 months ago
in testing: 4 months ago
in stable: 4 months ago
modified: 4 months ago
approved: 6 months ago

BZ#2396674 audit: Please rebuild in Fedora 43

Automated Test Results

Test Cases

Test Case audit