This update has been submitted for testing by zpytela.
This update's test gating status has been changed to 'waiting'.
This update's test gating status has been changed to 'passed'.
This update has been pushed to testing.
Works for me and fixes problem with systemd-run.
Seems to be working and it has fixed BZ#2063483 that happened on every login to cinnamon.
This update can be pushed to stable now if the maintainer wishes
SELinux is preventing systemctl from read access on the file labeled init_t. at boot time after upgrade. Journal has dozens of AVCs on systemctl.
type=AVC msg=audit(1653078042.660:584): avc: denied { read } for pid=2859 comm="systemctl" scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.
Working fine.
no regressions noted
@gtwilliams do you know which plugin triggers this denial?
I assume there are only the AVCs audited and no functional problem, since there is "permissive=1", which does not prevent any action from continuing.
I think this update causes the following regressions:
https://bugzilla.redhat.com/show_bug.cgi?id=2089170
https://bugzilla.redhat.com/show_bug.cgi?id=2089171
https://bugzilla.redhat.com/show_bug.cgi?id=2089172
https://bugzilla.redhat.com/show_bug.cgi?id=2089174
https://bugzilla.redhat.com/show_bug.cgi?id=2089175
https://bugzilla.redhat.com/show_bug.cgi?id=2089176
https://bugzilla.redhat.com/show_bug.cgi?id=2089177
This update makes the custom nm-dispatcher plugins run in a permissive domain, which means denials are logged, but allowed. I believe there is no regression in the plugins' functionality.
I don't know what plugin is causing the AVCs, but I see the same ones that Kamil reported. I never saw the AVCs reported before the F36 update, so I would agree there is a regression.
Works.
This update has improvements for known nm-dispatcher plugins and it makes custom plugins run in a permissive domain, i.e. all actions are allowed, but at the same time audited. I can't see any regression here, at least in functionality. I agree the audited denials and sealert messages may be annoying, but it helps to catch the required permissions which will be fixed in the next build.
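To separate audit-only denials (permissive=1) from denials that were actually enforced, as discussed in the comments above, AVC records can be grouped by source type, target type and class. This is an added example, not part of the thread or of selinux-policy; the second sample record, the type example_t and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed input: record 1 is the AVC quoted in this thread; record 2 is a
# made-up enforced denial (example_t is a placeholder type) added for contrast.
SAMPLE = (
    'type=AVC msg=audit(1653078042.660:584): avc: denied { read } for pid=2859 '
    'comm="systemctl" scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 '
    'tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1\n'
    'type=AVC msg=audit(1653078050.100:601): avc:  denied  { read write } for  pid=3001 '
    'comm="example" scontext=system_u:system_r:example_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0\n'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s.*?'
    r'\sscontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def summarize(log_text):
    """Group AVC denials by (source type, target type, class).

    'blocked' is True only if some record in the group carries permissive=0,
    i.e. the kernel refused the access. Records with permissive=1 (or without
    the field) are counted but not treated as blocked.
    """
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "blocked": False})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial record
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        g = groups[key]
        g["perms"].update(m["perms"].split())
        g["count"] += 1
        g["blocked"] = g["blocked"] or m["permissive"] == "0"
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls), g in sorted(summarize(SAMPLE).items()):
        state = "BLOCKED" if g["blocked"] else "audit-only"
        perms = " ".join(sorted(g["perms"]))
        print(f"{state:10} {src} -> {tgt}:{cls} [{perms}] x{g['count']}")
```

Groups reported as audit-only list the permissions a policy fix would need to cover, while any BLOCKED group points at a functional failure.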
Pushing to stable due to prevailing positive feedback.
This update has been submitted for stable by zpytela.
This update has been pushed to stable.