On Fri, May 04, 2018 at 09:36:12AM -0400, Stephen Smalley wrote:
> On 05/04/2018 09:26 AM, Dominick Grift wrote:
> > On Fri, May 04, 2018 at 09:08:36AM -0400, Stephen Smalley wrote:
> >> On 05/04/2018 03:55 AM, Jason Zaman wrote:
> >>> On Thu, May 03, 2018 at 10:52:24AM -0400, Stephen Smalley wrote:
> >>>> Hi,
> >>>>
> >>>> If you have encountered any unreported problems with the 2.8-rcX releases or have any
> >>>> pending patches you believe should be included in the 2.8 release, please post them soon.
> >>>
> >>> The rc2 release has been fine for me for several days now. And I haven't
> >>> heard any issues from any Gentoo users either so we're probably good to
> >>> go. -rc1 failed to boot properly for me because some important things in
> >>> /run or /dev didn't get labeled but that was fixed in rc2.
> >>
> >> Hmm...I'd like to understand that better. The change was verifying file_contexts when using restorecon,
> >> which was reverted in -rc2.  But the fact that it prevented labeling files in -rc1 means that either
> >> you have a bug in your file_contexts configuration or there is some other bug there.
> > 
> > If it cannot validate_context then it will be unhappy:
> > 
> > [root@julius ~]# dnf history info last
> > Transaction ID : 364
> > Begin time     : Fri 04 May 2018 01:12:36 PM CEST
> > Begin rpmdb    : 1404:e739a03c49fec80ed41a1ea4c599d8f877b01d76
> > End time       : Fri 04 May 2018 01:14:01 PM CEST (85 seconds)
> > End rpmdb      : 1404:27bd40dce7edbf226ffad80f482cd75231f1b6ab **
> > User           : kcinimod <kcinimod>
> > Return-Code    : Success
> > Command Line   : update --exclude efi-filesystem
> > Transaction performed with:
> >     Installed     dnf-2.7.5-12.fc29.noarch @rawhide
> >         Installed     rpm-4.14.1-8.fc28.x86_64 @tmp-rawhide
> >     Packages Altered:
> >         Upgraded cockpit-166-1.fc29.x86_64                      @rawhide
> > ... snip ...
> > Scriptlet output:
> >    1 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
> >    2 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
> >    3 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
> >    4 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
> >    5 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
> 
> So, just to be clear: these contexts are in fact valid but the lack of
> permission to use the /sys/fs/selinux/context interface (for
> security_check_context) causes it to think the context is invalid and
> therefore fails?  If so, then that makes sense and would be another reason
> for reverting that change.  In any case, -rc2 should have the fix.

Yes, contexts are valid, but since validate_context was blocked this happened. By
allowing validate_context this works fine.

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
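
Added example, not part of the thread and not libselinux or restorecon code: a small C diagnostic that writes a context to the /sys/fs/selinux/context node discussed above and separates "the caller is not allowed to ask" from "the kernel rejected the context". It assumes the kernel reports a refused check as EACCES and a rejected context as EINVAL; the names `classify_errno` and `check_context_at` are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum ctx_result { CTX_VALID, CTX_INVALID, CTX_DENIED, CTX_UNAVAILABLE, CTX_ERROR };

/* Map the errno from open()/write() on the context node to a verdict. */
enum ctx_result classify_errno(int err)
{
    switch (err) {
    case 0:       return CTX_VALID;
    case EINVAL:  return CTX_INVALID;      /* kernel rejected the context */
    case EACCES:
    case EPERM:   return CTX_DENIED;       /* caller may not ask: says nothing about the context */
    case ENOENT:
    case ENODEV:  return CTX_UNAVAILABLE;  /* selinuxfs not mounted at this path */
    default:      return CTX_ERROR;
    }
}

/* iface is a parameter so the check can be pointed at a different mount point. */
enum ctx_result check_context_at(const char *iface, const char *ctx)
{
    int fd = open(iface, O_RDWR);
    if (fd < 0)
        return classify_errno(errno);
    /* The context string is written including its terminating NUL. */
    ssize_t n = write(fd, ctx, strlen(ctx) + 1);
    int err = (n < 0) ? errno : 0;
    close(fd);
    return classify_errno(err);
}

int main(int argc, char **argv)
{
    static const char *names[] = { "valid", "invalid", "denied (not a verdict)",
                                   "selinuxfs unavailable", "error" };
    /* Default: the context from the scriptlet output quoted in the thread. */
    const char *ctx = argc > 1 ? argv[1]
                    : "sys.id:sys.role:files.generic_boot.boot_file:s0";
    printf("%s: %s\n", ctx, names[check_context_at("/sys/fs/selinux/context", ctx)]);
    return 0;
}
```

Run from the same domain as the failing scriptlet, a "denied" result alongside a matching AVC denial in the audit log points at policy rather than at file_contexts.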
