On Tue, 2022-05-17 at 09:33 -0500, Richard Shaw wrote:
> I don't remember seeing any change proposals around SELinux for the Fedora
> 36 release but there seem to be several issues reported one way or
> another...
>
> https://ask.fedoraproject.org/t/high-number-of-selinux-issues-after-upgrading-to-fedora-36/22381/24
> https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx/message/UYLMXFQPAQBZFAXA6GT6E7UOLHIW5V3X/
> https://bugzilla.redhat.com/show_bug.cgi?id=2083923
>
> These seem to all be after upgrading and not fresh install issues.
>
> Anyone know what's going on? I'm afraid this is harming end user
> experiences after largely positive reviews of Fedora I've seen on YouTube
> and Reddit.

I don't think there's any particular common thread between these three cases.

The first seems to be some kind of very wacky single-install-specific thing. I've no idea what's going on there, honestly, but I don't think it's anything consistent or reproducible or else we'd be hearing a lot more about it. It feels like there must be some specific thing that person did which caused their install to get into that mess, but I've no idea what.

The second and third are much more specific issues, and nothing that uncommon on upgrades. SELinux policies are changed constantly and it's not at all unusual for some new denials like this to appear on upgrades. We cannot test everything in the distro, there's just too much stuff.

The second one is broadly speaking a known area:
https://bugzilla.redhat.com/show_bug.cgi?id=2065940
for release we ensured that the core denials preventing NM from running dispatcher scripts at all were fixed, but the fact that SELinux is being tighter on these scripts than it was before means we basically need to allow everything that any packaged script might do. There's also discussion of a boolean to allow user-created scripts to run without being blocked, further down in that bug. This user's case appears to be that a script called 15-vpn-disp[something] is denied from doing whatever it wants to do, but since the full name of the script is cut off I can't tell if that's a distro-packaged script (in which case we should get whatever policies are needed in place to allow it to run) or a user-provided one (in which case they'll need a custom site policy, or to wait for the aforementioned boolean).

The third one isn't one I knew about previously, but not an unusual kind of situation with upgrades, honestly. When I ran my own servers I'd run into something like this on just about every upgrade. The bug is properly filed. It's assigned to fail2ban because fail2ban ships its own selinux policy (fail2ban-selinux); that needs to be updated to allow whatever it's being denied here, most likely. That will be up to the fail2ban maintainer (Richard Shaw, it seems).

--
Adam Williamson
Fedora QA
IRC: adamw | Twitter: adamw_ha
https://www.happyassassin.net