In Fedora 37, when upgrading to passt-selinux-0^20230823.ga7e4bfb-1.fc37.noarch, two errors are reported (twice):

| […]
| Delta-RPMs reduzierten 0.6 MB an Aktualisierungen auf 0.4 MB (36.5% gespart)
| Transaktionsüberprüfung wird ausgeführt
| Transaktionsüberprüfung war erfolgreich.
| Transaktion wird getestet
| Transaktionstest war erfolgreich.
| Transaktion wird ausgeführt
|   Vorbereitung läuft      :                                                                1/1
|   Aktualisieren           : passt-0^20230823.ga7e4bfb-1.fc37.x86_64                       1/6
|   Ausgeführtes Scriptlet: passt-selinux-0^20230823.ga7e4bfb-1.fc37.noarch                 2/6
|   Aktualisieren           : passt-selinux-0^20230823.ga7e4bfb-1.fc37.noarch               2/6
|   Ausgeführtes Scriptlet: passt-selinux-0^20230823.ga7e4bfb-1.fc37.noarch                 2/6
| Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/passt/cil:103
| Failed to resolve AST
| /usr/sbin/semodule:  Failed!
| Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/pasta/cil:104
| Failed to resolve AST
| /usr/sbin/semodule:  Failed!
|   Aktualisieren           : kf5-solid-5.108.0-5.fc37.x86_64                               3/6
|   Aufräumen               : passt-0^20230625.g32660ce-1.fc37.x86_64                       4/6
|   Aufräumen               : passt-selinux-0^20230625.g32660ce-1.fc37.noarch               5/6
|   Ausgeführtes Scriptlet: passt-selinux-0^20230625.g32660ce-1.fc37.noarch                 5/6
|   Aufräumen               : kf5-solid-5.108.0-4.fc37.x86_64                               6/6
|   Ausgeführtes Scriptlet: passt-selinux-0^20230823.ga7e4bfb-1.fc37.noarch                 6/6
|   Ausgeführtes Scriptlet: kf5-solid-5.108.0-4.fc37.x86_64                                 6/6
|   Überprüfung läuft       : kf5-solid-5.108.0-5.fc37.x86_64                               1/6
|   Überprüfung läuft       : kf5-solid-5.108.0-4.fc37.x86_64                               2/6
|   Überprüfung läuft       : passt-0^20230823.ga7e4bfb-1.fc37.x86_64                       3/6
|   Überprüfung läuft       : passt-0^20230625.g32660ce-1.fc37.x86_64                       4/6
|   Überprüfung läuft       : passt-selinux-0^20230823.ga7e4bfb-1.fc37.noarch               5/6
|   Überprüfung läuft       : passt-selinux-0^20230625.g32660ce-1.fc37.noarch               6/6
| […]

Reproducible: Didn't try
Sorry for the delay. This seems to be due to the change I introduced in: https://passt.top/passt/commit/?id=62059058cf2422e909952b26f3947df23885fd7e which gives pasta_t the "create" permission for the (relatively) new "user_namespace" class. I thought I tried this with an updated Fedora 37 kernel, but I'm not sure anymore. I couldn't find a way to add rules depending on a specific kernel version, so I'm considering a specific patch for Fedora 37. Just to be sure, what kernel version ('uname -a') are you running?
*** Bug 2240532 has been marked as a duplicate of this bug. ***
| $ uname -a
| Linux […] 6.5.5-100.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Sat Sep 23 22:53:27 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
| $
(In reply to Tim Landscheidt from comment #3)
> | $ uname -a
> | Linux […] 6.5.5-100.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Sat Sep 23 22:53:27

Ouch. On my Fedora 37 test environment, I had accidentally installed my own build of the selinux-policy package from recent upstream sources. Removed, installed selinux-policy-37.22-1.fc37.noarch, and there we go.

Now, the problem is that kernel-core-6.5.5-100.fc37.x86_64 includes kernel commits:

  7cd4c5c2101c security, lsm: Introduce security_create_user_ns()
  ed5d44d42c95 selinux: Implement userns_create hook

which means that passt(1) and pasta(1), to detach user namespaces (needed for sandboxing), need a rule based on the user_namespace class.

At the same time, selinux-policy-37.22-1 seems to be missing selinux-policy commit:

  82f7109862a6 Add the user_namespace security class

and without that, of course, we can't have:

  allow passt_t self:user_namespace create;
  allow pasta_t self:user_namespace create;

in the policies.

Zdeněk, would you have the chance to add your selinux-policy commit 82f7109862a6 ("Add the user_namespace security class") to the selinux-policy package for Fedora 37, given that the current Fedora 37 kernel version is now 6.5.x? Do you see any other solution?

Thanks.
I am afraid that would possibly make quite a lot of packages not work:

  f39# sesearch -A -c user_namespace|wc -l
  112

The problem is that when the class is not defined in the policy, all permissions are allowed, while when it is defined, all checks are performed, so we would need to backport all other changes as well and test them.

The solution I can see right now is a conditional check in pasta sources or any other way of having different content in different Fedora releases. I will think of something else.
Oh, wait:

(In reply to Zdenek Pytela from comment #5)
> The problem is that when the class is not defined in the policy, all
> permissions are allowed

I wasn't aware of this. So:

> Solution I can see right now is a conditional check in pasta sources or any
> other way of having a different content in different Fedora releases.

I can just drop these:

  allow passt_t self:user_namespace create;
  allow pasta_t self:user_namespace create;

for Fedora 37 only, and this should be fixed. I didn't test it yet, but it would be fine by me.
(In reply to Stefano Brivio from comment #6)
> > Solution I can see right now is a conditional check in pasta sources or any
> > other way of having a different content in different Fedora releases.
>
> I can just drop these:
>
>   allow passt_t self:user_namespace create;
>   allow pasta_t self:user_namespace create;
>
> for Fedora 37 only, and this should be fixed. I didn't test it yet, but it
> would be fine by me.

I believe this should address the problem. I haven't found any other solution.
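The "conditional check" alternative discussed in comments #5 and #6, as an added example that is not part of passt's own build or packaging scripts: it emits the two `allow … self:user_namespace create;` rules only when the loaded policy actually defines the `user_namespace` class, which is the situation in which the kernel performs the check and in which `semodule` can resolve the rule. It assumes the selinuxfs layout in which each defined object class appears as a directory under `/sys/fs/selinux/class/`; the mount point is a parameter so the logic can be exercised without SELinux. The function names `selinux_class_defined` and `userns_rules` are this example's own.

```shell
#!/bin/sh
# Added example, not passt's code: generate the user_namespace rules for
# passt_t/pasta_t only where the running policy knows the class.
#
# Assumption: selinuxfs lists defined object classes as directories under
# <mountpoint>/class/ (default mount point /sys/fs/selinux).

# Return 0 if the loaded SELinux policy defines object class "$1".
# "$2" overrides the selinuxfs mount point (used for testing on hosts
# without SELinux).
selinux_class_defined() {
    class="$1"
    selinuxfs="${2:-/sys/fs/selinux}"
    [ -d "$selinuxfs/class/$class" ]
}

# Print the TE rules from the bug report, but only when the class exists.
# On a policy without the class (selinux-policy-37.22-1 in this report),
# nothing is printed: the kernel does not check an undefined class, and
# a rule naming it makes semodule fail with "Failed to resolve allow
# statement". On a policy with the class (the 6.5 kernel plus an updated
# selinux-policy), the rules are emitted so enforcement stays intact.
userns_rules() {
    selinuxfs="${1:-/sys/fs/selinux}"
    if selinux_class_defined user_namespace "$selinuxfs"; then
        printf '%s\n' \
            'allow passt_t self:user_namespace create;' \
            'allow pasta_t self:user_namespace create;'
    fi
}

# Stand-alone usage: print the fragment to append to the .te source
# before running checkmodule/semodule on this host.
userns_rules
```

The check is only meaningful on the host where the module is built and loaded. That matches the install-time scriptlet shown in the original report (where `/usr/sbin/semodule` runs during the RPM transaction), but it would not help for a module compiled on a different machine and shipped prebuilt.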
FEDORA-2023-72316eb05d has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-72316eb05d
FEDORA-2023-d7f3eb64c1 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-d7f3eb64c1
FEDORA-2023-b1e79e591e has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-b1e79e591e
FEDORA-2023-d7f3eb64c1 has been pushed to the Fedora 39 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-d7f3eb64c1` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-d7f3eb64c1 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-72316eb05d has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-72316eb05d` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-72316eb05d See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-b1e79e591e has been pushed to the Fedora 38 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-b1e79e591e` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-b1e79e591e See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-b1e79e591e has been pushed to the Fedora 38 stable repository. If the problem still persists, please make note of it in this bug report.
FEDORA-2023-72316eb05d has been pushed to the Fedora 37 stable repository. If the problem still persists, please make note of it in this bug report.
*** Bug 2244266 has been marked as a duplicate of this bug. ***
Looks good, haven't encountered any warning/error messages while upgrading to current passt/passt-selinux packages:

  passt-selinux-0^20231004.gf851084-1.fc37.noarch
  container-selinux-2.222.0-1.fc37.noarch
  selinux-policy-37.23-1.fc37.noarch
  selinux-policy-targeted-37.23-1.fc37.noarch

  [root@fedora ~]# uname -a
  Linux fedora.fritz.box 6.5.8-100.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC [...]
FEDORA-2023-d7f3eb64c1 has been pushed to the Fedora 39 stable repository. If the problem still persists, please make note of it in this bug report.
(In reply to christian.sam from comment #17)
> Looks good, haven't encountered any warning/error messages while upgrading
> to current passt/passt-selinux packages

Thanks for double checking!