Re: fedora 28 (kernel 4.16.14-300) console hang after try to link up

On 07/02/2018 10:04 PM, Vasiliy Tolstov wrote:
> Mon, Jul 2, 2018 at 14:42, Lukas Vrabec <lvrabec@xxxxxxxxxx>:
>>
>> On 06/30/2018 11:16 PM, Vasiliy Tolstov wrote:
>>> Fri, Jun 29, 2018 at 20:18, Lukas Vrabec <lvrabec@xxxxxxxxxx>:
>>>>
>>>> On 06/27/2018 03:46 AM, Paul Moore wrote:
>>>>> On Tue, Jun 26, 2018 at 10:40 AM Daniel Jurgens <danielj@xxxxxxxxxxxx> wrote:
>>>>>> On 6/26/2018 3:04 AM, Vasiliy Tolstov wrote:
>>>>>>> Tue, Jun 26, 2018 at 5:26, Jason Gunthorpe <jgg@xxxxxxxxxxxx>:
>>>>>>>> On Tue, Jun 26, 2018 at 03:24:00AM +0300, Vasiliy Tolstov wrote:
>>>>>>>>> I'm debugging this and I think that this is an SELinux problem; after I set
>>>>>>>>> SELinux to permissive I have:
>>>>>>>>> type=AVC msg=audit(1529969961.770:111): avc:  denied  { access } for
>>>>>>>>> pid=932 comm="systemd-network" pkey=0xffff subnet_prefix=0:0:0:80fe::
>>>>>>>>> scontext=system_u:system_r:systemd_modules_load_t:s0
>>>>>>>>> tcontext=system_u:object_r:unlabeled_t:s0 tclass=infiniband_pkey
>>>>>>>>> permissive=0
>>>>>>
>>>>>> The upstream refpolicy doesn't define systemd_modules_load_t, I think this will require an update to the fedora selinux policy to allow access to unlabeled pkeys for that type.  I've added Paul Moore, hopefully he knows how to make that happen.
>>>>>
>>>>> Hello,
>>>>>
>>>>> I've added Lukas Vrabec to the To/CC line on this email, he maintains
>>>>> the Fedora/RHEL SELinux policy and would be the person who could get
>>>>> this into Fedora.  When in doubt you can always file a BZ against
>>>>> Fedora:
>>>>>
>>>>> * https://bugzilla.redhat.com
>>>>>
>>>>>>>> It shouldn't hang, that seems like some other kind of bug..
>>>>>
>>>>> The hang may be due to the fact that the system is running in SELinux
>>>>> enforcing mode and the policy is set up to deny the access that is
>>>>> being requested.  You can try booting the system in permissive mode, I
>>>>> expect that will fix your problem.
>>>>>
>>>>> You can put your system in permissive mode by ensuring the following
>>>>> entry is set in /etc/selinux/config and rebooting your system:
>>>>>
>>>>>   # grep "^SELINUX=" /etc/selinux/config
>>>>>   SELINUX=permissive
>>>>>
>>>>
>>>> Hi All,
>>>>
>>>> Please test your scenario with SELinux in PERMISSIVE mode, then search for the
>>>> SELinux denials:
>>>> # ausearch -m AVC -ts recent
>>>>
>>>> And please send me the output of the command above.
>>>>
>>>> Lukas.
>>>>
>>>
>>> Hi! I don't have new messages, because I can't reboot the servers now, but
>>> I have messages from after I set SELinux to permissive:
>>> time->Tue Jun 26 14:16:35 2018
>>> type=PROCTITLE msg=audit(1530011795.839:118):
>>> proctitle="/usr/lib/systemd/systemd-networkd"
>>> type=SYSCALL msg=audit(1530011795.839:118): arch=c000003e syscall=44
>>> success=yes exit=56 a0=3 a1=55b824b7d990 a2=38 a3=0 items=0 ppid=1
>>> pid=988 auid=4294967295 uid=192 gid=192 euid=192 suid=192 fsuid=192
>>> egid=192 sgid=192 fsgid=192 tty=(none) ses=4294967295
>>> comm="systemd-network" exe="/usr/lib/systemd/systemd-networkd"
>>> subj=system_u:system_r:systemd_networkd_t:s0 key=(null)
>>> type=AVC msg=audit(1530011795.839:118): avc:  denied  { access } for
>>> pid=988 comm="systemd-network" pkey=0xffff subnet_prefix=0:0:0:80fe::
>>> scontext=system_u:system_r:systemd_modules_load_t:s0
>>> tcontext=system_u:object_r:unlabeled_t:s0 tclass=infiniband_pkey
>>> permissive=1
>>>
>>>
>>>
>>
>> Hi,
>>
>> Fix will be part of the next Fedora Rawhide and Fedora 28 selinux-policy
>> build:
>> https://github.com/fedora-selinux/selinux-policy/commit/69dbac60982d28bc8515494d3278b2a886b8f039
>>
>> Lukas.
>>
>> --
>> Lukas Vrabec
>> Software Engineer, Security Technologies
>> Red Hat, Inc.
>>
> 
> Thanks, Lukas! Can you share info on when I can get the new package in the
> updates repo? (I'm using Fedora Atomic =) with a custom tree, so I need
> to build an updated tree for my servers). Thanks a lot!
> 

Hi,

Sorry I was on vacation last week, I'll try to do new builds later this
week.

Thanks,
Lukas.

-- 
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
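
Added example (not part of the original thread, and not code from Fedora or from any of the posters): a small Python parser for the AVC records quoted above. It rejoins the mail-wrapped lines and reports, for each denial, whether the access was actually blocked (permissive=0) or only logged (permissive=1). The function names and the audit2allow-style rule string are illustrative assumptions; the content of the linked policy commit is not shown on this page.

```python
import re

# Sample input: AVC and SYSCALL records quoted in the thread above, kept with
# the line wrapping the mail client introduced (SYSCALL record shortened).
SAMPLE = """\
type=AVC msg=audit(1529969961.770:111): avc:  denied  { access } for
pid=932 comm="systemd-network" pkey=0xffff subnet_prefix=0:0:0:80fe::
scontext=system_u:system_r:systemd_modules_load_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=infiniband_pkey
permissive=0
type=SYSCALL msg=audit(1530011795.839:118): arch=c000003e syscall=44
success=yes exit=56 a0=3 a1=55b824b7d990 a2=38 a3=0 items=0 ppid=1
type=AVC msg=audit(1530011795.839:118): avc:  denied  { access } for
pid=988 comm="systemd-network" pkey=0xffff subnet_prefix=0:0:0:80fe::
scontext=system_u:system_r:systemd_modules_load_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=infiniband_pkey
permissive=1
"""

# One AVC record runs until the next "type=XXX msg=audit(" header or end of input.
REC_RE = re.compile(r"type=AVC msg=audit\(([\d.]+:\d+)\): avc: denied \{ ([^}]*)\} for "
                    r"(.*?)(?= type=[A-Z_]+ msg=audit\(|$)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(text):
    """Return one dict per AVC denial, tolerating wrapped records."""
    flat = " ".join(text.split())  # undo wrapping and collapse double spaces
    denials = []
    for event, perms, rest in REC_RE.findall(flat):
        f = dict(FIELD_RE.findall(rest))
        denials.append({
            "event": event,
            "perms": perms.split(),
            "comm": f.get("comm", "").strip('"'),
            "source_type": f["scontext"].split(":")[2],
            "target_type": f["tcontext"].split(":")[2],
            "tclass": f["tclass"],
            # permissive=0: access was blocked; permissive=1: logged only
            "blocked": f.get("permissive") == "0",
        })
    return denials

def candidate_rule(d):
    """Allow rule in audit2allow's style, for policy review only."""
    perms = d["perms"][0] if len(d["perms"]) == 1 else "{ %s }" % " ".join(d["perms"])
    return "allow %s %s:%s %s;" % (d["source_type"], d["target_type"], d["tclass"], perms)

if __name__ == "__main__":
    for d in parse_avc(SAMPLE):
        print(d["event"], "blocked" if d["blocked"] else "logged only", candidate_rule(d))
```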
