stable

selinux-policy-35.10-1.fc35

FEDORA-2022-41fa7610dd created by zpytela 2 years ago for Fedora 35

New F35 selinux-policy build

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2022-41fa7610dd

This update has been submitted for testing by zpytela. (2 years ago)

This update's test gating status has been changed to 'waiting'. (2 years ago)
xvitaly provided feedback 2 years ago
BZ#2013642 udevadm warns on a new PCRE2 version: Regex version mismatch
ppisar commented & provided feedback 2 years ago

I confirm that upgrading PCRE2 does not produce the "Regex version mismatch" warning any more.

clnetbox commented & provided feedback 2 years ago

SELinux is preventing gdm-wayland-ses from write access on the sock_file bus.
SELinux is preventing systemd-user-ru from unlink access on the sock_file bus.

The above warnings from version 35.9 disappeared. The journal entries below appear with version 35.10:

systemd-tmpfiles[980]: Failed to create directory or subvolume "/var/lib/cni/networks": Invalid argument

systemd-tmpfiles[980]: Failed to set SELinux security context system_u:object_r:container_var_lib_t:s0 for /var/lib/cni/networks: Invalid argument

This update's test gating status has been changed to 'passed'. (2 years ago)

drepetto provided feedback 2 years ago
BZ#2024489 SELinux is preventing (o-bridge) from 'ioctl' accesses on the unix_stream_socket unix_stream_socket.

This update has been submitted for stable by bodhi. (2 years ago)

This update has been pushed to stable. (2 years ago)

martinpitt commented & provided feedback 2 years ago

Please, please pleeeease don't fast-pace selinux updates through updates-testing like that. This has broken the world for cockpit (again!), always takes us hours to sort through the fallout, and 10 hours is simply not enough time for us to even run tests -- even the mirrors are not that fast.

pghmcfc commented & provided feedback 2 years ago

This update broke a local policy module I have:

# semodule -i smfs.pp
Problems processing filecon rules
Failed post db handling
Post process failed
semodule:  Failed!

Module:

# more smfs.fc smfs.if smfs.te
::::::::::::::
smfs.fc
::::::::::::::
/usr/sbin/smf-sav   --  gen_context(system_u:object_r:smf_sav_milter_exec_t,s0)
/usr/sbin/smf-spf   --  gen_context(system_u:object_r:smf_spf_milter_exec_t,s0)

/var/run/smfs(/.*)?     gen_context(system_u:object_r:smfs_milter_data_t,s0)
::::::::::::::
smfs.if
::::::::::::::
## <summary>Smart Mail Filter milters</summary>

########################################
## <summary>
##  "Smart Mail Filter" suite variant of milter template.
## </summary>
## <param name="milter_name">
##  <summary>
##  The name to be used for deriving type names.
##  </summary>
## </param>
#
template(`smf_milter_template',`

    milter_template(smf_$1)

    # Milters remove any existing socket (not owned by root) whilst running as root
    # and then call setgid() and setuid() to drop privileges
    allow smf_$1_milter_t self:capability { setuid setgid dac_override };

    # Look up username for dropping privs
    auth_use_nsswitch(smf_$1_milter_t)

    # Allow communication with MTA over a unix-domain socket
    # Note: usage with TCP sockets requires additional policy
    manage_sock_files_pattern(smf_$1_milter_t, smfs_milter_data_t, smfs_milter_data_t)

    # Config is in /etc/mail/smfs/smf-*.conf
    mta_read_config(smf_$1_milter_t)

    # Create other data files and directories in the data directory
    manage_files_pattern(smf_$1_milter_t, smfs_milter_data_t, smfs_milter_data_t)
')
::::::::::::::
smfs.te
::::::::::::::
policy_module(smfs, 0.0.9)

########################################
#
# Declarations
#

smf_milter_template(sav)
smf_milter_template(spf)

# /var/run/smfs is shared by smf milters
type smfs_milter_data_t, milter_data_type;
files_pid_file(smfs_milter_data_t)

########################################
#
# smf-sav local policy
#

allow smf_sav_milter_t self:netlink_route_socket rw_netlink_socket_perms;
allow smf_sav_milter_t self:tcp_socket create_stream_socket_perms;
allow smf_sav_milter_t self:udp_socket create_socket_perms;

# It makes outbound SMTP connections to verify addresses
corenet_tcp_connect_smtp_port(smf_sav_milter_t)

sysnet_read_config(smf_sav_milter_t)

########################################
#
# smf-spf local policy
#

# (no additional policy needed - template is sufficient)

Module had been unchanged for years. Downgrading selinux-policy back to selinux-policy-35.9-1.fc35 and reinstalling the module fixed it.

clnetbox commented & provided feedback 2 years ago

Why has this been pushed to stable? This is what happens when I try to upgrade flatpak:

Running transaction
  Preparing        :                                          1/1
  Running scriptlet: flatpak-1.12.4-1.fc35.x86_64             1/2
  Upgrading        : flatpak-1.12.4-1.fc35.x86_64             1/2
error: lsetfilecon: (/usr/libexec/flatpak-system-helper;61e7d5cb, system_u:object_r:flatpak_helper_exec_t:s0) Invalid argument
error: Plugin selinux: hook fsm_file_prepare failed

Error unpacking rpm package flatpak-1.12.4-1.fc35.x86_64
  Verifying        : flatpak-1.12.4-1.fc35.x86_64             1/2
  Verifying        : flatpak-1.12.3-1.fc35.x86_64             2/2

Failed:
  flatpak-1.12.3-1.fc35.x86_64    flatpak-1.12.4-1.fc35.x86_64

SELinux warnings:

SELinux is preventing restorecon from using the mac_admin capability.
SELinux is preventing dnf from using the mac_admin capability.

imabug commented & provided feedback 2 years ago

Started getting a bunch of SELinux warnings after this update, and trying to install local policies with semodule gives this error:

Problems processing filecon rules
Failed post db handling
Post process failed
/usr/sbin/semodule:  Failed!

semodule seems to work fine after downgrading to the previous version of selinux-policy.

zpytela commented & provided feedback 2 years ago

I am trying to figure out what could possibly go wrong and create a new build as soon as I find the root cause.

zpytela commented & provided feedback 2 years ago

@clnetbox, I managed to successfully update flatpak to flatpak-1.12.4-1.fc35.x86_64.

clnetbox commented & provided feedback 2 years ago

@zpytela I tried it again after rebooting the system - same results - it didn't work. What I didn't mention before:
the upgrade process to 35.10 took way longer than usual, and a lot of SELinux warnings popped up as well.
The last version that worked properly without any noticeable issues was 35.8, at least for me. To sum it up:

New issues after upgrading to version 35.9 ->

SELinux is preventing gdm-wayland-ses from write access on the sock_file bus.
SELinux is preventing systemd-user-ru from unlink access on the sock_file bus.  

New issues after upgrading to version 35.10 ->

SELinux is preventing dnf from using the mac_admin capability.
SELinux is preventing restorecon from using the mac_admin capability.

systemd-tmpfiles: Failed to create directory or subvolume "/var/lib/cni/networks": Invalid argument
systemd-tmpfiles: Failed to set SELinux security context system_u:object_r:container_var_lib_t:s0 for /var/lib/cni/networks: Invalid argument  

The update took longer because of recompiling the policy files because there was an accidental upgrade of pcre2 in the same RPM transaction.

marinmo commented & provided feedback 2 years ago

Yeah, this update is really, really bad. I can confirm the comments from clnetbox and imabug and suspect this also broke cockpit for me as per martinpitt's comment. It also broke pretty much all of rootless podman for me, which now stops with a SIGTRAP. This needs to be reversed urgently before it breaks more installs.

xvitaly commented & provided feedback 2 years ago

This needs to be reversed urgently before it breaks more installs.

It can't. Already in stable.

mhayden commented & provided feedback 2 years ago

I couldn't log into an X session after applying this update and my nvidia kmod installation fails.

clnetbox commented & provided feedback 2 years ago

@zpytela I suggest you remove versions 3.9 and 3.10 from stable until all issues are finally fixed in the new version.
flatpak-1.12.4-1.fc35.x86_64 (testing) depends on selinux-policy 3.9 being installed, that should be reverted as well.

zpytela commented & provided feedback 2 years ago

A new selinux-policy package is being worked on and will be ready soon.

dhcpme commented & provided feedback 2 years ago

Thank you @zpytela for the quick turnaround!

Hope this doesn't happen to anyone else but I made the mistake of performing an autorelabel which locked me out but I was able to recover via chroot/rescue using the netinstall image. Had to remove the linked /etc/sysroot/etc/resolv.conf and replace it with the functional copy of /etc/resolv.conf before chroot for DNS so I could perform the yum downgrade. Created a new autorelabel file before exiting the chroot environment and now I'm back working.

rudi3 commented & provided feedback 2 years ago

This seems to have broken snapd as well.

Also, I'm still getting "Regex version mismatch, expected: 10.39 2021-10-29 actual: 10.37 2021-05-26" when running su.

BZ#2013642 udevadm warns on a new PCRE2 version: Regex version mismatch
rudi3 commented & provided feedback 2 years ago

Also tried semodule -nB:

# semodule -nB
Problems processing filecon rules
Failed post db handling
Post process failed
semodule:  Failed!

rudi3 commented & provided feedback 2 years ago

# semodule -nBv
Committing changes:
Found conflicting filecon rules
  at /var/lib/selinux/targeted/tmp/modules/100/miscfiles/cil:46
  at /var/lib/selinux/targeted/tmp/modules/200/cockpit/cil:919
Problems processing filecon rules
Failed post db handling
Post process failed
semodule:  Failed!

adamwill commented & provided feedback 2 years ago

@clnetbox the update was pushed stable because it had an autopush threshold of +3 feedback (the default). It got 3 positive feedbacks with no negatives (from xvitaly, ppisar and drepetto), so it was pushed. Now it's pushed it cannot be "removed from stable", that's just not a thing in Fedora; it has to be replaced with a higher-versioned update that works.

@zpytela it might be a good idea in future to set a threshold of +5 or higher for selinux-policy updates. Just about everyone has it installed, so you shouldn't have a problem with getting enough feedback on a working update, but it would help avoid situations like this where there's a bug that may not be obvious to the first three people who test.

Also, the update did actually cause a couple of openQA tests to fail, but it seems neither of those tests is in the greenwave policy so they didn't cause the update to be gated. At least one of them definitely should be in the gating policy, so I'll update that.

zpytela commented & provided feedback 2 years ago

A new update is available now: https://bodhi.fedoraproject.org/updates/FEDORA-2022-87a0b7e8d0

Sorry for all the troubles.

zpytela commented & provided feedback 2 years ago

@adamwill, this is what I usually set: +5 and -2; unfortunately I forgot to change it this time. I am also about to take some measures to prevent big problems like this, but as you see, neither I nor other users nor our CI tests found any problem.

clnetbox commented & provided feedback 2 years ago

Thanks for the information @adamwill! The new version 35.11 seems to work without issues.
If I understand you correctly, all users who update their systems will run into heavy problems
until version 35.11 is pushed to stable. Hope we get enough positive feedback very soon.

zpytela commented & provided feedback 2 years ago

@clnetbox, more accurately it should rather be: all users with the cockpit-ws package installed who installed v35.10.

adamwill commented & provided feedback 2 years ago

@zpytela the update seemed to cause problems not related to cockpit as well. The openQA tests that failed were related to podman and FreeIPA; the cockpit tests all passed. I'll see if 35.11 passes the tests that failed on 35.10.

zpytela commented & provided feedback 2 years ago

selinux-policy-35.10 contains a rule which duplicates one in cockpit-ws; after the update none of the custom modules is active, causing the software not to work.

So it should not happen on systems without cockpit-ws, but it affects many services.

pghmcfc commented & provided feedback 2 years ago

Ah, I have cockpit-ws installed since I'm using Fedora Server, and that's what broke things even though I'm not actually using cockpit myself?

zpytela commented & provided feedback 2 years ago

@pghmcfc exactly, the unfortunate selinux-policy clashed with the installed cockpit selinux module, whether cockpit was active or not.
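The failure mode described in this thread (one filecon rule present in both the base policy and an installed module, which makes the policy rebuild fail and leaves every custom module inactive) can be caught before a policy update lands. The script below is an added example, not code from the page or from the selinux-policy project: it scans a module store laid out like the PRIORITY/NAME/cil paths in the semodule -nBv output above and reports any path/class pair declared by two modules. The sample store, its module names, paths and type names are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example: report filecon rules that two SELinux modules both declare
# for the same path and file class, which is what "semodule -nBv" reports
# as "Found conflicting filecon rules".
set -eu

find_filecon_conflicts() {
    # Scan every module's CIL file under "$1" (layout PRIORITY/NAME/cil) and
    # print "path|class|first-module|second-module" for each duplicate.
    # The context is deliberately ignored: the thread shows the rebuild
    # failing on a rule that merely duplicates another one.
    find "$1" -type f -name cil | LC_ALL=C sort | while read -r f; do
        mod=${f#"$1"/}
        awk -v mod="${mod%/cil}" '
            /^\(filecon "/ {
                split($0, q, "\"")        # q[2] = PATH, q[3] = " CLASS (context)"
                split(q[3], rest, " ")    # single-space FS skips leading blanks
                print q[2] "|" rest[1] "|" mod
            }' "$f"
    done | awk -F'|' '{
        key = $1 "|" $2
        if (key in seen) print key "|" seen[key] "|" $3
        else seen[key] = $3
    }'
}

# Constructed sample store (placeholder module names, paths and types): two
# modules share one filecon rule, the shape of the clash reported above.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
mkdir -p "$SAMPLE_DIR/100/miscfiles" "$SAMPLE_DIR/200/cockpit"
cat > "$SAMPLE_DIR/100/miscfiles/cil" <<'EOF'
(filecon "/etc/localtime" file (system_u object_r sample_locale_t ((s0) (s0))))
(filecon "/usr/share/cockpit(/.*)?" any (system_u object_r sample_cockpit_t ((s0) (s0))))
EOF
cat > "$SAMPLE_DIR/200/cockpit/cil" <<'EOF'
(filecon "/usr/share/cockpit(/.*)?" any (system_u object_r sample_cockpit_t ((s0) (s0))))
(filecon "/usr/bin/cockpit-bridge" file (system_u object_r sample_bridge_t ((s0) (s0))))
EOF

echo "Conflicting filecon rules (path|class|module-a|module-b):"
find_filecon_conflicts "$SAMPLE_DIR"
```

On a real system the function would be pointed at the semanage module store (assumed to be under /var/lib/selinux/<store>/active/modules), where the stored cil files may be compressed and need extracting before they can be read as text.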



Metadata

Type: bugfix
Severity: medium
Karma: -4
Signed
Content Type: RPM
Test Gating

Autopush Settings
  Unstable by Karma: -3
  Stable by Karma: 3
  Stable by Time: 14 days

Dates
  submitted: 2 years ago
  in stable: 2 years ago

Bugs
  BZ#2013642 udevadm warns on a new PCRE2 version: Regex version mismatch (0 / 0)
  BZ#2024489 SELinux is preventing (o-bridge) from 'ioctl' accesses on the unix_stream_socket unix_stream_socket. (0 / 1)
  BZ#2031356 SELinux is preventing systemd-coredum from 'sys_admin' accesses on the cap_userns labeled systemd_coredump_t. (0 / 0)