Re: F32 selinux denials
On Wed, Mar 25, 2020 at 6:30 PM Adam Williamson wrote: > On Wed, 2020-03-25 at 18:17 +0100, Zdenek Pytela wrote: > > > > > SELinux is preventing pcscd from using the sys_nice capability. > > > > > > SELinux is preventing accounts-daemon from using the sys_nice > > > capability. > > > > > Denials like this are under investigation, most likely they are harmless > > and can be safely ignored. > > I'd appreciate it if you would do something about them, though, as they > cause the openQA tests that check for AVCs to *always* trigger. This > makes it harder to identify when a *new* AVC shows up. > > I could set up a 'whitelist' system for that test but I'd really prefer > not to have to... > Adam, definitely they need to be addressed before GA, if possible in the update following the current one. -- > Adam Williamson > Fedora QA Community Monkey > IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net > http://www.happyassassin.net > ___ > devel mailing list -- devel@lists.fedoraproject.org > To unsubscribe send an email to devel-le...@lists.fedoraproject.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org > -- Zdenek Pytela Security controls team, sst_platform_security ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Re: F32 selinux denials
On Wed, 2020-03-25 at 18:17 +0100, Zdenek Pytela wrote: > > > SELinux is preventing pcscd from using the sys_nice capability. > > > > SELinux is preventing accounts-daemon from using the sys_nice > > capability. > > > Denials like this are under investigation, most likely they are harmless > and can be safely ignored. I'd appreciate it if you would do something about them, though, as they cause the openQA tests that check for AVCs to *always* trigger. This makes it harder to identify when a *new* AVC shows up. I could set up a 'whitelist' system for that test but I'd really prefer not to have to... -- Adam Williamson Fedora QA Community Monkey IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net http://www.happyassassin.net ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Re: F32 selinux denials
On Wed, Mar 25, 2020 at 4:49 PM Nathanael D. Noblet wrote: > Hello, > > I upgraded to F32 yesterday and everything seems to have gone > smoothly except I'm getting many selinux denials (I'm in permissive so > functionality is ok at the moment). What should I report them against? > I've done a relabel to try to resolve them. > Hi, They should be reported for the selinux-policy component. No need this time though, answers inline. > A sample of the most common: > > SELinux is preventing /usr/lib/systemd/systemd-journald from read > access on the lnk_file /run/user/1000/systemd/units/invocation:dbus-: > 1.2-org.fedoraproject.Setroubleshootd@1.service. > This one will be fixed with the next selinux-package update, probably tomorrow. > SELinux is preventing pcscd from using the sys_nice capability. > > SELinux is preventing accounts-daemon from using the sys_nice > capability. > Denials like this are under investigation, most likely they are harmless and can be safely ignored. Cheers, > > Sincerely, > -- > Nathanael > ___ > devel mailing list -- devel@lists.fedoraproject.org > To unsubscribe send an email to devel-le...@lists.fedoraproject.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org > -- Zdenek Pytela Security controls team, ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Re: F32 selinux denials
On Wed, Mar 25, 2020 09:48:05 -0600, Nathanael D. Noblet wrote: > Hello, > > I upgraded to F32 yesterday and everything seems to have gone > smoothly except I'm getting many selinux denials (I'm in permissive so > functionality is ok at the moment). What should I report them against? > I've done a relabel to try to resolve them. > > A sample of the most common: > > SELinux is preventing /usr/lib/systemd/systemd-journald from read > access on the lnk_file /run/user/1000/systemd/units/invocation:dbus-: > 1.2-org.fedoraproject.Setroubleshootd@1.service. > > SELinux is preventing pcscd from using the sys_nice capability. > > SELinux is preventing accounts-daemon from using the sys_nice > capability. I find it easiest to install `setroubleshoot` and report bugs using it. If they're already reported, it will add you to the bug etc. -- Thanks, Regards, Ankur Sinha "FranciscoD" (He / Him / His) | https://fedoraproject.org/wiki/User:Ankursinha Time zone: Europe/London signature.asc Description: PGP signature ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org