On 08/15/2017 01:37 AM, Adam Williamson wrote: > Hi folks! > > Just wanted to give a heads-up on this: it seems that a recent selinux- > policy update, 3.13.1-269 , introduced a new permission called 'map'. > This seems to have resulted in rather a large amount of new SELinux > denials for this permission in various cases. Some are fairly serious - > e.g. there's a denial for the systemd journal - and in some cases seem > to prevent systems from booting correctly at all. > > I've created a tracker bug for now: > https://bugzilla.redhat.com/show_bug.cgi?id=1481454 > > and intend to mark all the 'map' bugs I find as blocking that tracker. > Petr, Lukas, it'd be great if we could get as many of these cleaned up > as fast as possible; it's been hard to get a decent evaluation of > Rawhide's current state for quite a while, now, due to various > problems, and now *this* problem is making things difficult too. > > Of course, for day-to-day Rawhide users, booting with 'enforcing=0' can > work around these issues for now (or you could, I suppose, create a > local policy that just blanket allowed the 'map' permission in all > cases, so all other SELinux restrictions would remain in place). > > Thanks! >

On Tue, 2017-08-15 at 16:58 +0200, Lukas Vrabec wrote: > On 08/15/2017 01:37 AM, Adam Williamson wrote: >> Hi folks! >> >> Just wanted to give a heads-up on this: it seems that a recent selinux- >> policy update, 3.13.1-269 , introduced a new permission called 'map'. >> This seems to have resulted in rather a large amount of new SELinux >> denials for this permission in various cases. Some are fairly serious - >> e.g. there's a denial for the systemd journal - and in some cases seem >> to prevent systems from booting correctly at all. >> >> I've created a tracker bug for now: >> https://bugzilla.redhat.com/show_bug.cgi?id=1481454 >> >> and intend to mark all the 'map' bugs I find as blocking that tracker. >> Petr, Lukas, it'd be great if we could get as many of these cleaned up >> as fast as possible; it's been hard to get a decent evaluation of >> Rawhide's current state for quite a while, now, due to various >> problems, and now *this* problem is making things difficult too. >> >> Of course, for day-to-day Rawhide users, booting with 'enforcing=0' can >> work around these issues for now (or you could, I suppose, create a >> local policy that just blanket allowed the 'map' permission in all >> cases, so all other SELinux restrictions would remain in place). >> >> Thanks! >> > > Hi Adam, > > I fixed all BZs from tracker bug. selinux-policy build is in koji: > https://koji.fedoraproject.org/koji/taskinfo?taskID=21243824 Thanks a lot, we'll see how the next compose goes.

Adam Williamson kirjoitti 15.08.2017 klo 02:37: > Of course, for day-to-day Rawhide users, booting with 'enforcing=0' can > work around these issues for now (or you could, I suppose, create a > local policy that just blanket allowed the 'map' permission in all > cases, so all other SELinux restrictions would remain in place). For those less familiar with SELinux but still using it and wishing to keep things that way, it would be awesome to have a quick summary (or just pointer to documentation) on how you do this. It sounds like a fairly straightforward task to describe if you know your way around SELinux.