Bug 1776028 - please backport to 31: https://github.com/fedora-selinux/selinux-policy-contrib/commit/49d1174326bc01742fc6b3303d228b6d2d3b570f#diff-a3b88c737403942b8bc0f67cd86a132a
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 31
Hardware: x86_64
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
Reported: 2019-11-24 19:44 UTC by sonik
Modified: 2020-02-01 01:30 UTC (History)

Fixed In Version: selinux-policy-3.14.4-45.fc31
Last Closed: 2020-02-01 01:30:47 UTC
Type: Bug

Description sonik 2019-11-24 19:44:51 UTC
$ ls -alZ /usr/libexec/cockpit-*
-rwxr-xr-x. 1 root root               system_u:object_r:bin_t:s0                   51384 Nov 13 13:41 /usr/libexec/cockpit-askpass
-rwxr-xr-x. 1 root root               system_u:object_r:bin_t:s0                    5918 Nov 13 13:40 /usr/libexec/cockpit-desktop
-rwxr-xr-x. 1 root root               system_u:object_r:bin_t:s0                  207752 Nov 13 13:41 /usr/libexec/cockpit-pcp
-rwsr-x---. 1 root cockpit-wsinstance system_u:object_r:cockpit_session_exec_t:s0  55216 Nov 13 13:41 /usr/libexec/cockpit-session
-rwxr-xr-x. 1 root root               system_u:object_r:cockpit_session_exec_t:s0 142152 Nov 13 13:41 /usr/libexec/cockpit-ssh
-rwxr-xr-x. 1 root root               system_u:object_r:cockpit_ws_exec_t:s0       51416 Nov 13 13:41 /usr/libexec/cockpit-tls
-rwxr-xr-x. 1 root root               system_u:object_r:cockpit_ws_exec_t:s0      307832 Nov 13 13:41 /usr/libexec/cockpit-ws
-rwxr-xr-x. 1 root root               system_u:object_r:bin_t:s0                   16912 Nov 13 13:41 /usr/libexec/cockpit-wsinstance-factory

please backport to 31: https://github.com/fedora-selinux/selinux-policy-contrib/commit/49d1174326bc01742fc6b3303d228b6d2d3b570f#diff-a3b88c737403942b8bc0f67cd86a132a and make sure you restorecon /usr/libexec/cockpit-wsinstance-factory in rpm %post scriptlet

symptom: Cockpit fails to connect to socket.

time->Sun Nov 24 12:49:37 2019
type=AVC msg=audit(1574617777.942:1408): avc:  denied  { connectto } for  pid=54844 comm="cockpit-tls" path="/run/cockpit/wsinstance/https-factory.sock" scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1

reproduce:
restorecon -v /usr/libexec/cockpit-wsinstance-factory

fix:
chcon -t cockpit_ws_exec_t /usr/libexec/cockpit-wsinstance-factory
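
Added example, not part of the original report or of the selinux-policy project: a Python check that parses the AVC record above and, when the denied target domain is unconfined_service_t, lists executables from `ls -Z` output that still carry a generic label. The function names, the shortened listing and the heuristic (a service whose executable is labelled bin_t ends up running in unconfined_service_t) are assumptions made for this example.

```python
import re

# Constructed sample input: the AVC record and two `ls -Z` lines taken from the report.
AVC = ('type=AVC msg=audit(1574617777.942:1408): avc:  denied  { connectto } for  '
       'pid=54844 comm="cockpit-tls" path="/run/cockpit/wsinstance/https-factory.sock" '
       'scontext=system_u:system_r:cockpit_ws_t:s0 '
       'tcontext=system_u:system_r:unconfined_service_t:s0 '
       'tclass=unix_stream_socket permissive=1')
LISTING = """\
-rwxr-xr-x. 1 root root system_u:object_r:cockpit_ws_exec_t:s0 51416 Nov 13 13:41 /usr/libexec/cockpit-tls
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 16912 Nov 13 13:41 /usr/libexec/cockpit-wsinstance-factory
"""

def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None if it is not one."""
    m = re.search(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)', line)
    if not m:
        return None
    rec = {'result': m.group(1), 'perms': m.group(2).split()}
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(3)):
        rec[key] = val.strip('"')
    if not {'scontext', 'tcontext'} <= rec.keys():
        return None
    # An SELinux context is user:role:type:level; the type is what policy rules match.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def file_types(listing):
    """Map path -> SELinux type for each line of `ls -Z` output."""
    out = {}
    for line in listing.splitlines():
        m = re.search(r'\s(\w+:\w+:(\w+):\S+)\s.*\s(/\S+)$', line)
        if m:
            out[m.group(3)] = m.group(2)
    return out

def diagnose(avc_line, listing, generic=('bin_t',)):
    """Summarise a denial and name files whose generic label may explain it."""
    rec = parse_avc(avc_line)
    if not rec or rec['result'] != 'denied':
        return None
    suspects = []
    if rec['ttype'] == 'unconfined_service_t':  # peer process has no dedicated domain
        suspects = sorted(p for p, t in file_types(listing).items() if t in generic)
    return {'source': rec['stype'], 'target': rec['ttype'], 'class': rec.get('tclass'),
            'perms': rec['perms'], 'enforced': rec.get('permissive') == '0',
            'suspect_files': suspects}
```

On the record above, `enforced` is false because the event was logged with permissive=1, so the access was reported but not blocked at that moment.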

Comment 1 Zdenek Pytela 2019-11-25 09:00:03 UTC
This commit seems to have already been backported:

* Wed Nov 13 2019 Lukas Vrabec <lvrabec> - 3.14.4-41
- Fix typo bugs in rtas_errd_read_lock() interface
- Allow timedatex_t domain to systemctl chronyd domains
- Allow ipa_helper_t to read kr5_keytab_t files
- cockpit: Allow cockpit-session to read cockpit-tls state directory
- Allow stratisd_t domain to read nvme and fixed disk devices
- Update lldpad_t policy module
- Dontaudit tmpreaper_t getting attributes from sysctl_type files
- cockpit: Support https instance factory

so awaiting the latest build to be available in stable repos.

Comment 2 Zdenek Pytela 2019-11-25 10:26:56 UTC
Reopening as it may take some time until the update is available.

https://bodhi.fedoraproject.org/updates/FEDORA-2019-fefda9dd5e

Comment 3 Fedora Update System 2020-01-31 01:28:42 UTC
selinux-policy-3.14.4-45.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-bb42099a17

Comment 4 Fedora Update System 2020-02-01 01:30:47 UTC
selinux-policy-3.14.4-45.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

