BZ#1824196 SELinux is preventing /usr/lib/systemd/systemd-resolved from 'read' accesses on the file /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
@bojan, flatpak has its own policy, please open a bugzilla on the flatpak component.
Regarding tpm abrmd, open a bz on selinux-policy.
In both cases share the reproducing steps and the results, I cannot see any issue on my vms.
I have problems! During dnf-installation, scriptlet selinux-policy-targeted hangs up with "restore" process. I have to kill the "restore" process so that dnf runs through.
I cannot reproduce neither of the issues reported, so it depends on package set installed or on customizations made to the system. More information is required to resolve these issues, please consider opening bugzillas.
Since multiple people have reported serious problems with this, I've unpushed it to ensure no-one else hits those problems till we know what's going on.
As neither of the problems appear on a default installation, more information is needed to help with resolving the issues. What changes on the system? What additional possibly clashing packages were installed? What exactly is on the screen or in audit logs?
Additional steps to enable full auditing in audit daemon:
1) Open /etc/audit/rules.d/audit.rules file in an editor.
2) Remove following line if it exists:
-a task,never
3) Add following line at the end of the file:
-w /etc/shadow -p w
4) Restart the audit daemon:
# service auditd restart
5) Re-run the scenario - install, update, start a service; since this point, full auditing is enabled
6) Collect AVC denials:
# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
The steps will persist reboot.
https://bodhi.fedoraproject.org/updates/FEDORA-2020-a6cd8de2ed solved the problems having been reported.
Although the scripts needed more than five minutes to complete, no error was reported.
After rebooting the system, no SELinux alerts appeared, so this version seems to be okay.
BZ#1811407 SELinux is preventing accounts-daemon from 'sys_nice' accesses
0
3
BZ#1824087 SELinux is preventing (sd-worker) from 'sendto' accesses on the unix_dgram_socket /run/systemd/journal/socket.
0
0
BZ#1824196 SELinux is preventing /usr/lib/systemd/systemd-resolved from 'read' accesses on the file /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
This update has been submitted for testing by zpytela.
This update's test gating status has been changed to 'waiting'.
This update's test gating status has been changed to 'ignored'.
Fixes the issues I've seen.
This update doesn't seem to resolve #1824196 (and some others) -- all denial AVCs on an F32 system since boot.
Solves the accounts-daemon sys_nice problem. Machine is not EFI so can't comment on BZ#1824196
This update has been pushed to testing.
This update can be pushed to stable now if the maintainer wishes
@amessina, you're right, the patch got stuck halfway. Will be fixed in the next package build, sorry for that.
Works fine.
1823162 - Indeed no more AVC after upgrade to boinc-client-7.16.6-3.fc32.x86_64.rpm
This update has been submitted for stable by bodhi.
Works
New denials related to flatpak helper and tpm abrmd. Relabeling also complaining about types related to both of those not existing. Not giving karma.
Auto relabelling broke the whole thing. No boot.
@bojan, flatpak has its own policy, please open a bugzilla on the flatpak component. Regarding tpm abrmd, open a bz on selinux-policy. In both cases share the reproducing steps and the results, I cannot see any issue on my vms.
I have problems! During dnf-installation, scriptlet selinux-policy-targeted hangs up with "restore" process. I have to kill the "restore" process so that dnf runs through.
Reverting to 32 and relabelling brought boot back in enforcing mode. 37 definitely broken here.
@zpytela: Reproduction is pretty straightforward. Touch /.autorelabel. Reboot. Broken laptop.
Installation of the package(s) hangs and freeze the system ... hard to "hard shutdown" by pressing the power button.
I cannot reproduce neither of the issues reported, so it depends on package set installed or on customizations made to the system. More information is required to resolve these issues, please consider opening bugzillas.
Done -> https://bugzilla.redhat.com/show_bug.cgi?id=1811407
Warning : Please do not apply this update if you don't have a current system backup !
Read what happens on -> https://bugzilla.redhat.com/show_bug.cgi?id=1811407#c44
Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.
Bug #1830157 (not boot after relabelling on T450s).
Works
This update has been unpushed.
Since multiple people have reported serious problems with this, I've unpushed it to ensure no-one else hits those problems till we know what's going on.
Horribly broken. Unable to login after relabelling.
As neither of the problems appear on a default installation, more information is needed to help with resolving the issues. What changes on the system? What additional possibly clashing packages were installed? What exactly is on the screen or in audit logs?
These commands can give a hint:
rpm -qa "selinux" semanage export ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
Additional steps to enable full auditing in audit daemon: 1) Open /etc/audit/rules.d/audit.rules file in an editor. 2) Remove following line if it exists: -a task,never 3) Add following line at the end of the file: -w /etc/shadow -p w 4) Restart the audit daemon: # service auditd restart 5) Re-run the scenario - install, update, start a service; since this point, full auditing is enabled 6) Collect AVC denials: # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today The steps will persist reboot.
A new build is on the way: https://bodhi.fedoraproject.org/updates/FEDORA-2020-a6cd8de2ed
https://bodhi.fedoraproject.org/updates/FEDORA-2020-a6cd8de2ed solved the problems having been reported.
Although the scripts needed more than five minutes to complete, no error was reported.
After rebooting the system, no SELinux alerts appeared, so this version seems to be okay.