stable

pam-1.3.1-24.fc32

FEDORA-2020-d0986e01cd created by ipedrosa 4 years ago for Fedora 32

pam_selinux: check unknown object classes or permissions in current policy

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2020-d0986e01cd

This update has been submitted for testing by ipedrosa.

4 years ago

This update's test gating status has been changed to 'waiting'.

4 years ago

This update's test gating status has been changed to 'ignored'.

4 years ago
User Icon adamwill commented & provided feedback 4 years ago
karma

This seems to break Cockpit. The Cockpit login screen just shows "Internal error in login process". System journal shows several AVCs, these seem most likely related:

Mar 11 13:45:41 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1044]: AVC avc:  denied  { setsched } for  pid=1044 comm="cockpit-ws" scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:system_r:cockpit_ws_t:s0 tclass=process permissive=0
Mar 11 13:46:23 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1170]: AVC avc:  denied  { create } for  pid=1170 comm="cockpit-session" scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=netlink_selinux_socket permissive=0
Mar 11 13:46:23 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com cockpit-ws[1170]: avc:  can't open netlink socket: 13 (Permission denied)
Mar 11 13:46:23 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com cockpit-ws[1170]: cockpit-session: avc.c:74: avc_context_to_sid_raw: Assertion `avc_running' failed.

I don't think it's related to this update. Is it the only package you updated when this problem appeared? There were issues related to { setsched } based on some glib2 update, and creating a socket seems to be completely unrelated.

@adamwill setsched issue should be covered by https://bugzilla.redhat.com/show_bug.cgi?id=1795524#c75 - https://bodhi.fedoraproject.org/updates/FEDORA-2020-fe9ad43e72

The second AVC needs to reported on selinux-policy

I already filled a bug for selinux-policy: https://bugzilla.redhat.com/show_bug.cgi?id=1812901

This update has been pushed to testing.

4 years ago

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

4 years ago

tmraz edited this update.

New build(s):

  • selinux-policy-3.14.5-30.fc32

Karma has been reset.

4 years ago

This update has been submitted for testing by tmraz.

4 years ago

tmraz edited this update.

4 years ago

This update has been pushed to testing.

4 years ago

This update has obsoleted selinux-policy-3.14.5-29.fc32, and has inherited its bugs and notes.

4 years ago
User Icon adamwill commented & provided feedback 4 years ago

@plautrba for the record, yes, it is definitely this update. The openQA tests isolate the packages from a specific update, they do not test all of updates-testing. And the same test is passing on other 32 updates, it only failed on this update. Those facts combined mean this update definitely causes the failure.

User Icon adamwill commented & provided feedback 4 years ago

BTW, the tests when the update was edited because of this bodhi bug :(. I will re-trigger manually.

User Icon adamwill commented & provided feedback 4 years ago
karma

openQA tests look good now.

This update can be pushed to stable now if the maintainer wishes

4 years ago
User Icon kparal commented & provided feedback 4 years ago
karma
BZ#1795524 SELinux denials for 'setsched' force glib down a fallback path with performance implications
User Icon frantisekz commented & provided feedback 4 years ago
karma

All seems good

User Icon pwalter commented & provided feedback 4 years ago
karma

Works

User Icon cairo provided feedback 4 years ago
karma
User Icon smithp commented & provided feedback 4 years ago
karma

+1

pwalter edited this update.

Removed build(s):

  • selinux-policy-3.14.5-30.fc32

Karma has been reset.

4 years ago

This update has been submitted for testing by pwalter.

4 years ago
User Icon pwalter commented & provided feedback 4 years ago
karma

I've edited the update to remove selinux-policy as a newer selinux-policy build already got pushed to stable.

User Icon tmraz provided feedback 4 years ago
karma
BZ#1680961 pam_selinux - check whether undefined object classes or permissions are allowed or denied in the current policy
BZ#1813023 selinux-policy-3.14.6-7 with pam-1.3.1-24 blocks SSH logins
User Icon plautrba provided feedback 4 years ago
karma
BZ#1680961 pam_selinux - check whether undefined object classes or permissions are allowed or denied in the current policy
BZ#1813023 selinux-policy-3.14.6-7 with pam-1.3.1-24 blocks SSH logins

This update has been submitted for stable by bodhi.

4 years ago

This update has been pushed to stable.

4 years ago

Please login to add feedback.

Metadata
Type
bugfix
Severity
low
Karma
3
Signed
Content Type
RPM
Test Gating
Settings
Unstable by Karma
-3
Stable by Karma
3
Stable by Time
14 days
Dates
submitted
4 years ago
in testing
4 years ago
in stable
4 years ago
modified
4 years ago
BZ#1680961 pam_selinux - check whether undefined object classes or permissions are allowed or denied in the current policy
0
2
BZ#1813023 selinux-policy-3.14.6-7 with pam-1.3.1-24 blocks SSH logins
0
2

Automated Test Results