More info: http://koji.fedoraproject.org/koji/buildinfo?buildID=794433
Build fixes starting VM in enforcing mode and using confined users in F25
Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:
sudo dnf upgrade --refresh --advisory=FEDORA-2016-cbdde50ec4
This update has been submitted for testing by lvrabec.
This update has obsoleted selinux-policy-3.13.1-210.fc25, and has inherited its bugs and notes.
This update has been pushed to testing.
This update does not fix bug 1367280.
Is it expected to see such messages in upgrade?
Upgrading : selinux-policy-targeted-3.13.1-211.fc25.noarch 5/24
/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /var/lib/kubelet(/.*)? (system_u:object_r:svirt_sandbox_file_t:s0 and system_u:object_r:docker_var_lib_t:s0).
/etc/selinux/targeted/contexts/files/file_contexts: Invalid argument
libsemanage.semanage_install_final_tmp: setfiles returned error code 1. (No such file or directory).
/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /var/lib/kubelet(/.*)? (system_u:object_r:svirt_sandbox_file_t:s0 and system_u:object_r:docker_var_lib_t:s0).
/etc/selinux/targeted/contexts/files/file_contexts: Invalid argument
libsemanage.semanage_install_final_tmp: setfiles returned error code 1. (No such file or directory).
/usr/sbin/semodule: Failed!
Upgrading : docker-selinux-2:1.12.1-7.git49151a1.fc25.x86_64 6/24
/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /var/lib/kubelet(/.*)? (system_u:object_r:svirt_sandbox_file_t:s0 and system_u:object_r:docker_var_lib_t:s0).
/etc/selinux/targeted/contexts/files/file_contexts: Invalid argument
libsemanage.semanage_install_final_tmp: setfiles returned error code 1. (No such file or directory).
/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /var/lib/kubelet(/.*)? (system_u:object_r:svirt_sandbox_file_t:s0 and system_u:object_r:docker_var_lib_t:s0).
/etc/selinux/targeted/contexts/files/file_contexts: Invalid argument
libsemanage.semanage_install_final_tmp: setfiles returned error code 1. (No such file or directory).
/usr/sbin/semodule: Failed!
LGTM
[root@omiday selinux]# last -n1 reboot
reboot system boot 4.8.0-0.rc4.git0 Sat Sep 3 23:09 still running
wtmp begins Mon Jul 25 17:00:39 2016
[root@omiday selinux]# ausearch -m avc -ts 23:09 | grep "{ getattr }"
type=AVC msg=audit(1472965784.408:145): avc: denied { getattr } for pid=1 comm="systemd" path="/run/systemd/inaccessible/blk" dev="tmpfs" ino=11093 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=0
(Possible) Related boot logs:
Sep 03 23:09:42 omiday.can.local kernel: SELinux: 32768 avtab hash slots, 105642 rules.
Sep 03 23:09:42 omiday.can.local kernel: SELinux: 32768 avtab hash slots, 105642 rules.
Sep 03 23:09:42 omiday.can.local kernel: SELinux: 8 users, 14 roles, 5046 types, 305 bools, 1 sens, 1024 cats
Sep 03 23:09:42 omiday.can.local kernel: SELinux: 94 classes, 105642 rules
Sep 03 23:09:42 omiday.can.local kernel: SELinux: Permission validate_trans in class security not defined in policy.
Sep 03 23:09:42 omiday.can.local kernel: SELinux: Permission module_load in class system not defined in policy.
Sep 03 23:09:42 omiday.can.local kernel: SELinux: the above unknown classes and permissions will be allowed
Sep 03 23:09:42 omiday.can.local kernel: SELinux: Completing initialization.
Sep 03 23:09:42 omiday.can.local kernel: SELinux: Setting up existing superblocks.
Sep 03 23:09:42 omiday.can.local systemd[1]: Successfully loaded SELinux policy in 90.371ms.
Sep 03 23:09:42 omiday.can.local systemd[1]: Unable to fix SELinux security context of /run/systemd/inaccessible/fifo: Permission denied
Sep 03 23:09:42 omiday.can.local systemd[1]: Unable to fix SELinux security context of /run/systemd/inaccessible/blk: Permission denied
Sep 03 23:09:42 omiday.can.local systemd[1]: Unable to fix SELinux security context of /run/systemd/inaccessible/chr: Permission denied
Sep 03 23:09:42 omiday.can.local systemd[1]: Relabelled /dev and /run in 20.204ms.
Sep 03 23:09:42 omiday.can.local systemd-journald[1080]: Journal started
Sep 03 23:09:41 omiday.can.local audit: MAC_STATUS enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
Sep 03 23:09:42 omiday.can.local audit: MAC_POLICY_LOAD policy loaded auid=4294967295 ses=4294967295
Sep 03 23:09:42 omiday.can.local audit[1]: AVC avc: denied { relabelto } for pid=1 comm="systemd" name="fifo" dev="tmpfs" ino=11094 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=fifo_file permissive=0
Sep 03 23:09:42 omiday.can.local audit[1]: AVC avc: denied { getattr } for pid=1 comm="systemd" path="/run/systemd/inaccessible/blk" dev="tmpfs" ino=11093 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=0
Sep 03 23:09:42 omiday.can.local audit[1]: AVC avc: denied { getattr } for pid=1 comm="systemd" path="/run/systemd/inaccessible/blk" dev="tmpfs" ino=11093 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=0
Sep 03 23:09:42 omiday.can.local audit[1]: AVC avc: denied { relabelfrom } for pid=1 comm="systemd" name="chr" dev="tmpfs" ino=11092 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file permissive=0
Sorry about the previous messed up report and empty submissions, here's a formatted one:
Related boot logs:
WFM:
In reply to https://bodhi.fedoraproject.org/updates/selinux-policy-3.13.1-211.fc25#comment-481907:
I've just reviewed my prior feedback and realized that I should have submitted the comments in Bugzilla. It's done, and please don't hate me, I'll make sure to review the docs next time...
This update has reached 14 days in testing and can be pushed to stable now if the maintainer wishes
No trouble here
This update has been submitted for stable by bodhi.
works for me
This update has been pushed to stable.