On Fri, May 04, 2018 at 09:08:36AM -0400, Stephen Smalley wrote:
> On 05/04/2018 03:55 AM, Jason Zaman wrote:
> > On Thu, May 03, 2018 at 10:52:24AM -0400, Stephen Smalley wrote:
> >> Hi,
> >>
> >> If you have encountered any unreported problems with the 2.8-rcX releases
> >> or have any pending patches you believe should be included in the 2.8
> >> release, please post them soon.
> > 
> > The rc2 release has been fine for me for several days now. And I haven't
> > heard any issues from any gentoo users either so we're probably good to
> > go. -rc1 failed to boot properly for me because some important things in
> > /run or /dev didn't get labeled but that was fixed in rc2.
> 
> Hmm...I'd like to understand that better. The change was verifying
> file_contexts when using restorecon, which was reverted in -rc2.  But the
> fact that it prevented labeling files in -rc1 means that either you have a
> bug in your file_contexts configuration or there is some other bug there.

If it cannot validate_context then it will be unhappy:

[root@julius ~]# dnf history info last
Transaction ID : 364
Begin time     : Fri 04 May 2018 01:12:36 PM CEST
Begin rpmdb    : 1404:e739a03c49fec80ed41a1ea4c599d8f877b01d76
End time       : Fri 04 May 2018 01:14:01 PM CEST (85 seconds)
End rpmdb      : 1404:27bd40dce7edbf226ffad80f482cd75231f1b6ab **
User           : kcinimod <kcinimod>
Return-Code    : Success
Command Line   : update --exclude efi-filesystem
Transaction performed with:
    Installed     dnf-2.7.5-12.fc29.noarch @rawhide
    Installed     rpm-4.14.1-8.fc28.x86_64 @tmp-rawhide
Packages Altered:
    Upgraded cockpit-166-1.fc29.x86_64                      @rawhide
... snip ...
Scriptlet output:
   1 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
   2 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
   3 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
   4 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
   5 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0

> 
> > 
> >> Also, let us know of any additions or changes that should be made to the
> >> release notes; the current draft is as follows.
> >>
> >> User-visible changes:
> >>
> >> * semanage fcontext -l now also lists home directory entries from
> >> file_contexts.homedirs.
> >>
> >> * semodule can now enable or disable multiple modules in the same
> >> operation by specifying a list of modules after -e or -d, making them
> >> consistent with the -i/u/r/E options.
> >>
> >> * CIL now supports multiple declarations of types, attributes, and
> >> (non-conflicting) object contexts (e.g. genfscon), enabled via the -m
> >> or --multiple-decls option to secilc.
> >>
> >> * libsemanage no longer deletes the tmp directory if there is an error
> >> while committing the policy transaction, so that any temporary files
> >> can be further inspected for debugging purposes (e.g. to examine a
> >> particular line of the generated CIL module).  The tmp directory will
> >> be deleted upon the next transaction, so no manual removal is needed.
> >>
> >> * Support was added for SCTP portcon statements. The corresponding
> >> kernel support was introduced in Linux 4.17, and is only active if the
> >> extended_socket_class policy capability is enabled in the policy.
> > 
> > Perhaps also note that the sctp stuff is in refpolicy and this 2.8
> > release is required to compile it.
> > 
> > I tried doing a release of the gentoo policy (we merge from HEAD fairly
> > frequently not only the big releases) and it fails to compile. I will
> > add the sctp stuff back into gentoo's policy later then make the
> > policies require >=2.8.
> > 
> > -- Jason
> > 
> >> * sepol_polcap_getnum/name() were exported as part of the shared libsepol
> >> interface, initially for use by setools4.
> >>
> >> * semodule_deps was removed since it has long been broken and is not useful
> >> for CIL modules.
> >>
> >> Packaging-relevant changes:
> >>
> >> * When overriding PREFIX, BINDIR, SBINDIR, SHLIBDIR, LIBEXECDIR, etc.,
> >> DESTDIR has to be removed from the definition. For example on Arch
> >> Linux, SBINDIR="${pkgdir}/usr/bin" was changed to SBINDIR="/usr/bin".
> >>
> >> * Defining variable LIBSEPOLA (to /usr/lib/libsepol.a, for example) is
> >> no longer mandatory (thanks to the switch to "-l:libsepol.a" in
> >> Makefiles).
> >>
> >> * PYSITEDIR has been renamed PYTHONLIBDIR (and its definition changed).
> >>
> >> * selinux-gui (i.e. system-config-selinux GUI application) is now
> >> compatible with Python 3. Doing this required migrating away from
> >> PyGTK to the supported PyGI library. This means that selinux-gui now
> >> depends on python-gobject, Gtk+ 3 and selinux-python. It no longer
> >> requires PyGtk or Python 2.
> > 
> 

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
