Drawing lessons from fatal SELinux bug #1054350

Michael Schwendt mschwendt at gmail.com
Fri Jan 24 21:54:27 UTC 2014


On Fri, 24 Jan 2014 22:17:20 +0100, Dominick Grift wrote:

> >   https://admin.fedoraproject.org/updates/FEDORA-2014-0806/selinux-policy-3.12.1-116.fc20
> > 

> Because you would need to run RPM to notice it, 

Or Yum, DNF, Yumex, PackageKit, all tools on top of RPM would run into the
scriptlet errors. ;)  Provided that you get a chance to evaluate the
installed test update for some time and the vote won't be too late.

> > That has been easy once the update arrived here on the nearby mirror.
> > "setenforce 0 && repeat previous command that caused strange behaviour"
> > is a very common troubleshooting thing, even if there haven't been any
> > AVC denied messages.
> 
> If it was as common as you make it sound then maybe it might not have
> come this far. 

Well, as mentioned before, this test update had been marked stable and
pushed into the updates repo already before appearing in updates-testing
on more mirrors. Worse if some testers fetch packages from koji and vote
in bodhi too early. By the time the first testers noticed the scriptlet
errors it was too late, since stable updates cannot be withdrawn.

> It did. Again, one would have first had to identify the
> issue (e.g. run RPM). There was no indication of any change related to
> RPM (no change log entry).

Unconvincing. A similar thing has been prevented in a Yum Test Update some
weeks ago only because some _more_ testers have _not_ voted +1 before
actually using the updated Yum for some time. That is a lesson to
learn. Watch the votes:
https://admin.fedoraproject.org/updates/FEDORA-2013-22706/yum-3.4.3-119.fc20

