Description of problem:
This is a variant of #2013642 but for f38 and selinux. Giving this error:

Regex version mismatch, expected: 10.42 2022-12-11 actual: 10.40 2022-04-14

Version-Release number of selected component (if applicable):
# rpm -qa|grep selinux-policy
selinux-policy-38.9-1.fc38.noarch
selinux-policy-targeted-38.9-1.fc38.noarch
selinux-policy-devel-38.9-1.fc38.noarch
selinux-policy-doc-38.9-1.fc38.noarch
# rpm -qa|grep pcre2
pcre2-syntax-10.42-1.fc38.1.noarch
pcre2-10.42-1.fc38.1.x86_64
pcre2-utf16-10.42-1.fc38.1.x86_64
pcre2-utf32-10.42-1.fc38.1.x86_64
pcre2-devel-10.42-1.fc38.1.x86_64
pcre2-10.42-1.fc38.1.i686
Zdenek, is this something to be concerned about, if it's not fixed in F38 before release?
(In reply to Kamil Páral from comment #1)
> Zdenek, is this something to be concerned about, if it's not fixed in F38
> before release?

I cannot reproduce it, so I cannot assess the impact.

Kim, do you happen to know which conditions are needed to trigger this issue in F38? Were there any related configuration changes made? What is the command which shows any errors? Is your system fully updated?

rpm -qa "pcre*" "*regex*"
rpm -qa | grep -v fc38
Created attachment 1955085
need-info-text
I suspect that you need to upgrade from f36 or f37 to make the problem surface. I have also attached output from a 'dnf up' run from today which shows the errors.
I did a 'semodule -B' command before filing the original bz and therefore did not expect it to continue to show, but alas.
I tried updating a few F36 systems to F37, without any issue. I expect it may be related to:
- system customizations
- SELinux customizations
- local SELinux modules in place
- some outdated package
but I have no direct clue. Do you?

In particular, it surprises me that "semodule -B" does not help. Did the command have anything in the output?
New findings:
- the mismatch errors/warnings appear on updates to *f38*, not f37, from both f36 and f37, but it is only in journal during the update
- no messages after the system boots to f38, no action like package install, update, removal, SELinux policy changes trigger such an issue

I don't see anything which could be done unless the triggering condition was found.
Yes, I have to use extra modules.
And yes, 'semodule -B' complains:

# semodule -B
libsepol.context_from_record: type cockpit_ws_exec_t is not defined (No such file or directory).
libsepol.context_from_record: could not create context structure (Invalid argument).
libsemanage.validate_handler: invalid context system_u:object_r:cockpit_ws_exec_t:s0 specified for /usr/libexec/cockpit-wsinstance-factory [all files] (Invalid argument).
libsemanage.dbase_llist_iterate: could not iterate over records (Invalid argument).
semodule: Failed!
Looks like the cockpit module is not working properly: please run

semodule -lfull | grep -v ^100
ls -l /var/lib/selinux/targeted/active/modules/*/cockpit
ls -lZ /usr/libexec/cockpit-*
ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

for troubleshooting; this command should make all issues go away:

dnf reinstall cockpit-selinux
# semodule -lfull | grep -v ^100
400 misckib pp
300 my-NetworkManager pp
300 my-rpcmountd pp
200 flatpak pp
200 mysql pp
200 smartmon pp
200 tabrmd pp

# ls -l /var/lib/selinux/targeted/active/modules/*/cockpit
ls: cannot access '/var/lib/selinux/targeted/active/modules/*/cockpit': No such file or directory

# ls -lZ /usr/libexec/cockpit-*
ls: cannot access '/usr/libexec/cockpit-*': No such file or directory

# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
----
type=USER_AVC msg=audit(04/04/2023 11:37:05.641:161) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { reload } for auid=unset uid=root gid=root path=/etc/systemd/system/iscsi.service cmdline="" function="bus_unit_method_start_generic" scontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system permissive=0 exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(04/04/2023 11:37:09.233:180) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { reload } for auid=unset uid=root gid=root path=/etc/systemd/system/iscsi.service cmdline="" function="bus_unit_method_start_generic" scontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system permissive=0 exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=AVC msg=audit(04/04/2023 11:37:09.459:183) : avc: denied { read } for pid=1280 comm=sddm-greeter name=.face.icon dev="0:60" ino=3568704 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=lnk_file permissive=0
----
type=AVC msg=audit(04/04/2023 11:37:24.548:210) : avc: denied { add_name } for pid=1468 comm=sddm-helper name=.cache scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir permissive=0
----
type=AVC msg=audit(04/04/2023 11:37:24.548:211) : avc: denied { add_name } for pid=1468 comm=sddm-helper name=xsession-errors scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir permissive=0
----
type=AVC msg=audit(04/04/2023 11:37:24.548:212) : avc: denied { write } for pid=1468 comm=sddm-helper path=/home/kim/.cache/xsession-errors dev="0:60" ino=3416686 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file permissive=0

# rpm -qia cockpit\*
(empty output)
Any custom fcontext rules?

semanage export

This could be the way out:

dnf install cockpit-ws cockpit-selinux
dnf remove cockpit-ws cockpit-selinux
# semanage export
boolean -D
login -D
interface -D
user -D
port -D
node -D
fcontext -D
module -D
ibendport -D
ibpkey -D
permissive -D
boolean -m -0 nis_enabled
boolean -m -1 selinuxuser_execmod
boolean -m -1 unconfined_mozilla_plugin_transition
boolean -m -0 use_nfs_home_dirs
boolean -m -0 xdm_write_home
fcontext -a -f a -t chrome_sandbox_exec_t -r 's0' '/usr/lib/chrome-sandbox'
fcontext -a -f a -t bin_t -r 's0' '/usr/lib/chromium-browser'
fcontext -a -f a -t bin_t -r 's0' '/usr/lib/chromium-browser/chromium-browser.sh'
fcontext -a -f a -t cockpit_ws_exec_t -r 's0' '/usr/libexec/cockpit-wsinstance-factory'
fcontext -a -f a -t rpm_exec_t -r 's0' '/usr/share/dnfdaemon/dnfdaemon-system'

I was a bit fast when I wrote that I use selinux-modules - on the machine in question I even forgot that I did, and why. I will wait a bit before doing the 'dnf install/remove' bit.
I did:

# semanage fcontext --delete -f a -t cockpit_ws_exec_t '/usr/libexec/cockpit-wsinstance-factory'
# semanage fcontext --list -C
SELinux fcontext                                   type         Context

/usr/lib/chrome-sandbox                            all files    system_u:object_r:chrome_sandbox_exec_t:s0
/usr/lib/chromium-browser                          all files    system_u:object_r:bin_t:s0
/usr/lib/chromium-browser/chromium-browser.sh      all files    system_u:object_r:bin_t:s0
/usr/share/dnfdaemon/dnfdaemon-system              all files    system_u:object_r:rpm_exec_t:s0
# semodule -B
(no output)

:-)
This seems to be the correct approach towards resolving the issue. I guess sometime in the stone age the fcontext rule was needed. Now the bz seems to be resolved, so closing.
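
The failure traced in this thread was a local fcontext rule naming a type (cockpit_ws_exec_t) that the installed policy no longer defined, which made 'semodule -B' fail. The script below is an added example, not part of the original report: it scans 'semanage export' output for such rules. The function names and the list of defined types are constructed for illustration; the export lines are taken from the comment above.

```shell
#!/bin/sh
# Added example: report local fcontext rules whose type is not in the policy.

# stale_fcontext TYPES_FILE   (reads "semanage export" output on stdin)
# TYPES_FILE holds one defined type name per line.
# Paths containing spaces are not handled by this simple field split.
stale_fcontext() {
    awk -v types="$1" -v q="'" '
        BEGIN {
            while ((getline t < types) > 0) {
                gsub(/[ \t]/, "", t)
                if (t != "") defined[t] = 1
            }
        }
        # Only "fcontext -a ..." lines add a rule; "-D" lines reset state.
        $1 == "fcontext" && $2 == "-a" {
            type = ""
            for (i = 3; i < NF; i++) if ($i == "-t") type = $(i + 1)
            path = $NF
            gsub(q, "", path)    # strip the quoting around the path
            if (type != "" && !(type in defined)) print type " " path
        }
    '
}

# Export lines as posted in this thread (abridged).
sample_export() {
    cat <<'EOF'
boolean -D
fcontext -D
boolean -m -0 nis_enabled
fcontext -a -f a -t chrome_sandbox_exec_t -r 's0' '/usr/lib/chrome-sandbox'
fcontext -a -f a -t bin_t -r 's0' '/usr/lib/chromium-browser'
fcontext -a -f a -t cockpit_ws_exec_t -r 's0' '/usr/libexec/cockpit-wsinstance-factory'
fcontext -a -f a -t rpm_exec_t -r 's0' '/usr/share/dnfdaemon/dnfdaemon-system'
EOF
}

# Constructed stand-in for the types the installed policy defines.
demo() {
    types=$(mktemp)
    printf '%s\n' chrome_sandbox_exec_t bin_t rpm_exec_t > "$types"
    sample_export | stale_fcontext "$types"
    rm -f "$types"
}

demo
```

On a live system the input would be the real 'semanage export' output and the type list would come from the installed policy, for example from 'seinfo -t' if setools-console is installed (an assumption, not something the thread used).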