unpushed

selinux-policy-3.14.5-37.fc32

FEDORA-2020-3ffe9fdf42 created by zpytela 4 years ago for Fedora 32

This update has been submitted for testing by zpytela.

4 years ago

This update's test gating status has been changed to 'waiting'.

4 years ago

This update's test gating status has been changed to 'ignored'.

4 years ago
egreshko commented & provided feedback 4 years ago

Fixes the issues I've seen.

BZ#1811407 SELinux is preventing accounts-daemon from 'sys_nice' accesses
amessina commented & provided feedback 4 years ago

This update doesn't seem to resolve #1824196 (and some others) -- all denial AVCs on an F32 system since boot.

AVC avc:  denied  { read } for  pid=619 comm="systemd-modules" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=15770 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
AVC avc:  denied  { open } for  pid=619 comm="systemd-modules" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=15770 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
AVC avc:  denied  { getattr } for  pid=619 comm="systemd-modules" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=15770 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
AVC avc:  denied  { read } for  pid=812 comm="sssd" name="systemd" dev="tmpfs" ino=15787 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=1
AVC avc:  denied  { read } for  pid=933 comm="systemd-resolve" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=15770 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
AVC avc:  denied  { open } for  pid=933 comm="systemd-resolve" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=15770 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
AVC avc:  denied  { getattr } for  pid=933 comm="systemd-resolve" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=15770 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
BZ#1824196 SELinux is preventing /usr/lib/systemd/systemd-resolved from 'read' accesses on the file /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
jonathans commented & provided feedback 4 years ago

Solves the accounts-daemon sys_nice problem. Machine is not EFI, so I can't comment on BZ#1824196.

BZ#1811407 SELinux is preventing accounts-daemon from 'sys_nice' accesses

This update has been pushed to testing.

4 years ago

This update can be pushed to stable now if the maintainer wishes

4 years ago
zpytela commented & provided feedback 4 years ago

@amessina, you're right, the patch got stuck halfway. Will be fixed in the next package build, sorry for that.

nicosss commented & provided feedback 4 years ago

Works fine.

1823162 - Indeed no more AVC after upgrade to boinc-client-7.16.6-3.fc32.x86_64.rpm

BZ#1811407 SELinux is preventing accounts-daemon from 'sys_nice' accesses

This update has been submitted for stable by bodhi.

4 years ago
pwalter commented & provided feedback 4 years ago

Works

bojan commented & provided feedback 4 years ago

New denials related to the flatpak helper and tpm abrmd. Relabeling is also complaining about types related to both of those not existing. Not giving karma.

bojan commented & provided feedback 4 years ago

Auto relabelling broke the whole thing. No boot.

zpytela commented & provided feedback 4 years ago

@bojan, flatpak has its own policy, please open a bugzilla on the flatpak component. Regarding tpm abrmd, open a bz on selinux-policy. In both cases share the reproducing steps and the results, I cannot see any issue on my vms.

dirkk commented & provided feedback 4 years ago

I have problems! During the dnf installation, the selinux-policy-targeted scriptlet hangs with a "restore" process. I have to kill the "restore" process so that dnf runs through.

bojan commented & provided feedback 4 years ago

Reverting to 32 and relabelling brought boot back in enforcing mode. 37 definitely broken here.

bojan commented & provided feedback 4 years ago

@zpytela: Reproduction is pretty straightforward. Touch /.autorelabel. Reboot. Broken laptop.

clnetbox commented & provided feedback 4 years ago

Installation of the package(s) hangs and freezes the system; it is hard to "hard shutdown" by pressing the power button.

zpytela commented & provided feedback 4 years ago

I cannot reproduce either of the issues reported, so it depends on the package set installed or on customizations made to the system. More information is required to resolve these issues; please consider opening bugzillas.

clnetbox commented & provided feedback 4 years ago

Warning: Please do not apply this update if you don't have a current system backup!
Read what happens at https://bugzilla.redhat.com/show_bug.cgi?id=1811407#c44

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

4 years ago
bojan commented & provided feedback 4 years ago

Bug #1830157 (no boot after relabelling on T450s).

danniel commented & provided feedback 4 years ago

Works

This update has been unpushed.

adamwill commented & provided feedback 4 years ago

Since multiple people have reported serious problems with this, I've unpushed it to ensure no-one else hits those problems till we know what's going on.

mscheiff commented & provided feedback 4 years ago

Horribly broken. Unable to login after relabelling.

zpytela commented & provided feedback 4 years ago

As neither of the problems appears on a default installation, more information is needed to help with resolving the issues. What changed on the system? What additional, possibly clashing, packages were installed? What exactly is on the screen or in the audit logs?

These commands can give a hint:

rpm -qa "selinux"
semanage export
ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

Additional steps to enable full auditing in the audit daemon:

1) Open the /etc/audit/rules.d/audit.rules file in an editor.
2) Remove the following line if it exists: -a task,never
3) Add the following line at the end of the file: -w /etc/shadow -p w
4) Restart the audit daemon: # service auditd restart
5) Re-run the scenario (install, update, start a service); from this point on, full auditing is enabled.
6) Collect AVC denials: # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

The steps will persist across reboots.
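The ausearch output requested above, and the AVC records amessina pasted earlier in this thread, are what a policy maintainer reduces to (source type, target type, class, permissions) before deciding whether a rule is missing. This added example (my own code, not part of the update or the selinux-policy project) parses records in that shape, groups them, and renders each group as the TE allow rule that would be considered; the sample records are constructed from the ones quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records in the shape quoted in the thread (audit.log / ausearch output).
SAMPLE_AVCS = """\
AVC avc:  denied  { read } for  pid=619 comm="systemd-modules" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=15770 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
AVC avc:  denied  { open } for  pid=619 comm="systemd-modules" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=15770 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
AVC avc:  denied  { read } for  pid=812 comm="sssd" name="systemd" dev="tmpfs" ino=15787 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=1
AVC avc:  denied  { read } for  pid=933 comm="systemd-resolve" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=15770 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)

def ctx_type(ctx):
    """user:role:type[:level] -> type, the part TE rules are written against."""
    return ctx.split(":")[2]

def parse_avc(line):
    """Fields a policy rule needs from one AVC record, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m["perms"].split()),
        "source": ctx_type(m["scontext"]),
        "target": ctx_type(m["tcontext"]),
        "tclass": m["tclass"],
        # permissive=1 means the access was logged but allowed; it fails once enforcing
        "permissive": m["permissive"] == "1",
    }

def summarize(text):
    """Group denials by (source type, target type, class); union the perms, count records."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0})
    for rec in filter(None, map(parse_avc, text.splitlines())):
        g = groups[(rec["source"], rec["target"], rec["tclass"])]
        g["perms"] |= rec["perms"]
        g["count"] += 1
    return dict(groups)

def allow_rules(groups):
    """Render each group as the TE allow rule a policy maintainer would consider adding."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(g['perms']))} }};"
        for (src, tgt, cls), g in sorted(groups.items())
    ]
```

Feed it the text of `ausearch -i -m avc,... -ts today` (or the raw audit.log) and compare the rendered rules against `sesearch`; a group with `permissive` records is exactly the access that will start failing when the machine goes back to enforcing.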

clnetbox commented & provided feedback 4 years ago

https://bodhi.fedoraproject.org/updates/FEDORA-2020-a6cd8de2ed solved the problems that have been reported.
Although the scripts needed more than five minutes to complete, no error was reported.
After rebooting the system, no SELinux alerts appeared, so this version seems to be okay.


Metadata

Type: bugfix
Severity: medium
Karma: 1
Signed
Content Type: RPM

Test Gating

Settings

Unstable by Karma: -3
Stable by Karma: disabled
Stable by Time: disabled

Dates

submitted: 4 years ago
in testing: 4 years ago

Bugs (feedback counts):

BZ#1811407 SELinux is preventing accounts-daemon from 'sys_nice' accesses: 0 / 3
BZ#1824087 SELinux is preventing (sd-worker) from 'sendto' accesses on the unix_dgram_socket /run/systemd/journal/socket.: 0 / 0
BZ#1824196 SELinux is preventing /usr/lib/systemd/systemd-resolved from 'read' accesses on the file /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.: -1 / 0