BZ 533427
Daniel J Walsh
dwalsh at redhat.com
Tue Nov 17 22:57:14 UTC 2009
On 11/17/2009 03:14 PM, Gene Czarcinski wrote:
> On Tuesday 17 November 2009 12:43:58 Jason L Tibbitts III wrote:
>>>>>>> "GC" == Gene Czarcinski <gene at czarc.net> writes:
>>
>> GC> Quickly?? Ten days to get a package pushed??
>>
>> Wow. If you really really want it right this instant and aren't willing
>> to wait for the volunteers that provide this operating system to you to
>> work through everything they have to do to get Fedora 12 out the door in
>> addition to the work of getting updates and such out for Fedora 11 and
>> 10, why don't you:
>>
>> Check the source out of CVS and build it yourself?
>>
>> Download the build from koji?
>> http://koji.fedoraproject.org/koji/packageinfo?packageID=32 and pick a
>> build for the OS version you want. Probably
>> http://koji.fedoraproject.org/koji/buildinfo?buildID=140508
>>
>> It's all made available to you, all the source, the buildsystem,
>> everything. If you simply can't wait for the updates process to catch
>> up, you have plenty of other means to get the software.
>>
>
> Unfortunately, you have missed the entire point of my email!
>
> Yes, I can go get an update from koji, or get the source and do it myself, or
> simply apply the "fix" suggested by audit2allow, or set permissive mode, or
> disable selinux. Any of these would get around the problem. But, this would
> not be the "official" selinux-policy package update.
>
> The problem in https://bugzilla.redhat.com/show_bug.cgi?id=533427 impacts the
> abrt package's ability to function properly. The abrt package is a really
> good new feature in Fedora 12 and should help resolve problems more quickly
> since it provides a lot more information than many users include in the
> handcrafted reports (myself included).
No it should not. abrt_t is a permissive domain.
node=(removed) type=SYSCALL msg=audit(1257529975.949:596): arch=40000003
syscall=39 success=yes exit=0 a0=9779660 a1=1ed a2=38f6868 a3=9259050 items=0
ppid=17113 pid=17114 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=2 comm="yum" exe="/usr/bin/python"
subj=unconfined_u:system_r:abrt_t:s0 key=(null)
If you look at the AVC you will see success=yes. Which indicates that the AVC did not block anything.
So if abrt is not working properly for some reason, it is not SELinux causing the problem.
>
> The problem was reported on 6 November 2009 at 13:33 EDT and Dan Walsh
> responded on 6 November 2008 at 14:38 EDT (a bit over an hour) that the
> problem was fixed in selinux-policy-3.6.32-42.fc12.noarch and the BZ report was
> closed as fixed in rawhide (perhaps closing this problem so quickly was an
> error).
>
No the problem was we were frozen while F12 was moving to the Mirrors. I held off on posting an updated selinux-policy package til the last second, so I can fix as many bugs in F12 policy as possible soon after F12 ships (Today). I waited to request the package until I got Mondays AVC's in. Monday is the busiest day of the week for AVC/Bugzillas. Since I do not review them over the weekend.
I posted to updates-testing at 2009-11-16 19:36:03 And it now says it is moving to the mirrors.
> Today is 17 November 2009 and Fedora 12 is GA but there is no "day zero" fix
> for the problem ... not even in updates-testing (last I checked around 1400
> EST). I claim that something in the process of getting fixes out (at least
> selinux-policy fixes) is broken. This is what I am trying to get fixed so
> users do not set permissive mode or simply disable selinux.
>
> Gene
>
>
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
More information about the fedora-selinux-list
mailing list