Jul 28 01:16:29 kari setroubleshoot: SELinux is preventing opendmarc from execute access on the file /usr/bin/bash. For complete SELinux messages run: sealert -l 20e14de5-5d48-4353-a779-60371ad0d964<br />
Jul 28 01:16:29 kari python: SELinux is preventing opendmarc from execute access on the file /usr/bin/bash.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that opendmarc should be allowed execute access on the bash file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'opendmarc' --raw | audit2allow -M my-opendmarc#012# semodule -i my-opendmarc.pp#012
↧
0016299: opendmarc SElinux not complete
↧
0015680: SeLinux Kernel (3.10.0-957.1.3) error
I found an issue with the new kernel which block map access to /dev/zero for the pagespeed module. Here are the log :<br />
<br />
Audit.log :<br />
type=AVC msg=audit(1547031688.122:94): avc: denied { map } for pid=5257 comm="httpd" path="/dev/zero" dev="devtmpfs" ino=1030 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file permissive=0<br />
<br />
http error log :<br />
[Wed Jan 09 10:24:37.481133 2019] [pagespeed:error] [pid 5429] [mod_pagespeed 1.13.35.2-0 @5429] Failed to mkdir /var/cache/mod_pagespeed/ purge /dBBL9jpbx73YIVsEhxe2.outputlock: No such file or directory<br />
<br />
audit2allow :<br />
# src="httpd_t" tgt="zero_device_t" class="chr_file", perms="map"<br />
# comm="httpd" exe="" path="/dev/zero"<br />
allow httpd_t zero_device_t:chr_file map;<br />
<br />
I did not have this issue with the older kernel (3.10.0-862.14.4)
↧
↧
0015531: [abrt] kernel: WARNING: CPU: 1 PID: 97 at drivers/gpu/drm/nouveau/nvif/vmm.c:71 nvif_vmm_put+0x86/0x90 [nouveau]
Version-Release number of selected component:<br />
kernel<br />
<br />
Truncated backtrace:<br />
WARNING: CPU: 1 PID: 97 at drivers/gpu/drm/nouveau/nvif/vmm.c:71 nvif_vmm_put+0x86/0x90 [nouveau]<br />
Modules linked in: tcp_lp fuse devlink ip6t_rpfilter ipt_REJECT nf_reject_ipv4 ip6t_REJECT nf_reject_ipv6 xt_conntrack ip_set nfnetlink ebtable_nat ebtable_broute bridge stp llc ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_security iptable_raw ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter sunrpc iTCO_wdt iTCO_vendor_support intel_powerclamp coretemp intel_rapl snd_hda_codec_hdmi iosf_mbi kvm irqbypass crc32_pclmul ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd joydev asus_wmi sparse_keymap rfkill i2c_i801 pcspkr snd_hda_codec_realtek snd_hda_codec_generic sg snd_hda_intel snd_hda_codec<br />
snd_hda_core snd_hwdep snd_seq snd_seq_device snd_pcm snd_timer snd mei_me soundcore lpc_ich mei ip_tables xfs libcrc32c sd_mod sr_mod cdrom crc_t10dif crct10dif_generic nouveau crct10dif_pclmul crct10dif_common crc32c_intel mxm_wmi serio_raw ttm e1000 i2c_algo_bit drm_kms_helper ahci syscopyarea sysfillrect sysimgblt fb_sys_fops libahci drm libata video r8169 mii drm_panel_orientation_quirks wmi dm_mirror dm_region_hash dm_log dm_mod<br />
CPU: 1 PID: 97 Comm: kworker/1:1 Kdump: loaded Not tainted 3.10.0-957.1.3.el7.x86_64 #1<br />
Hardware name: System manufacturer System Product Name/P8Z77-V LX2, BIOS 2204 08/23/2013<br />
Workqueue: events nouveau_cli_work [nouveau]<br />
Call Trace:<br />
[<ffffffffb1961e41>] dump_stack+0x19/0x1b<br />
[<ffffffffb1297648>] __warn+0xd8/0x100<br />
[<ffffffffb129778d>] warn_slowpath_null+0x1d/0x20<br />
[<ffffffffc060ed46>] nvif_vmm_put+0x86/0x90 [nouveau]<br />
[<ffffffffc06d8786>] nouveau_vma_del+0x76/0xa0 [nouveau]<br />
[<ffffffffc06d525a>] nouveau_gem_object_delete_work+0x3a/0x60 [nouveau]<br />
[<ffffffffc06cf7aa>] nouveau_cli_work+0xba/0xf0 [nouveau]<br />
[<ffffffffb12b9d4f>] process_one_work+0x17f/0x440<br />
[<ffffffffb12bade6>] worker_thread+0x126/0x3c0<br />
[<ffffffffb12bacc0>] ? manage_workers.isra.25+0x2a0/0x2a0<br />
[<ffffffffb12c1c31>] kthread+0xd1/0xe0<br />
[<ffffffffb12c1b60>] ? insert_kthread_work+0x40/0x40<br />
[<ffffffffb1974c37>] ret_from_fork_nospec_begin+0x21/0x21<br />
[<ffffffffb12c1b60>] ? insert_kthread_work+0x40/0x40
↧
0016806: [abrt] PackageKit-yum: visit_decref(): python2.7 killed by SIGSEGV
Version-Release number of selected component:<br />
PackageKit-yum-1.1.10-1.el7.centos<br />
<br />
Truncated backtrace:<br />
Thread no. 0 (10 frames)<br />
#0 visit_decref at /usr/src/debug/Python-2.7.5/Modules/gcmodule.c:429<br />
#1 list_traverse at /usr/src/debug/Python-2.7.5/Objects/listobject.c:2371<br />
#2 collect at /usr/src/debug/Python-2.7.5/Modules/gcmodule.c:456<br />
#4 _PyObject_GC_Malloc at /usr/src/debug/Python-2.7.5/Modules/gcmodule.c:1124<br />
#6 _PyObject_GC_New at /usr/src/debug/Python-2.7.5/Modules/gcmodule.c:1595<br />
#7 PyDict_New at /usr/src/debug/Python-2.7.5/Objects/dictobject.c:286<br />
#8 _PyDict_NewPresized at /usr/src/debug/Python-2.7.5/Objects/dictobject.c:697<br />
#9 PyEval_EvalFrameEx at /usr/src/debug/Python-2.7.5/Python/ceval.c:2555<br />
#10 PyEval_EvalCodeEx at /usr/src/debug/Python-2.7.5/Python/ceval.c:3640<br />
#11 PyEval_EvalFrameEx at /usr/src/debug/Python-2.7.5/Python/ceval.c:4504
↧
0016862: SELinux is preventing /usr/sbin/libvirtd from using the 'transition' accesses on a process.
Description of problem:<br />
SELinux is preventing /usr/sbin/libvirtd from using the 'transition' accesses on a process.<br />
<br />
***** Plugin catchall (100. confidence) suggests **************************<br />
<br />
如果你相信 libvirtd应该允许_BASE_PATH transition 访问标记的进程 $TARGET默认为_TYPE。<br />
Then 应该将这个情况作为 bug 报告。<br />
可以生成本地策略模块以允许此访问。<br />
Do<br />
暂时允许此访问权限执行:<br />
# ausearch -c 'libvirtd' --raw | audit2allow -M my-libvirtd<br />
# semodule -i my-libvirtd.pp<br />
<br />
Additional Information:<br />
Source Context system_u:system_r:unconfined_service_t:s0<br />
Target Context system_u:system_r:svirt_t:s0:c129,c680<br />
Target Objects /usr/libexec/qemu-kvm [ process ]<br />
Source libvirtd<br />
Source Path /usr/sbin/libvirtd<br />
Port <Unknown><br />
Host (removed)<br />
Source RPM Packages libvirt-daemon-4.5.0-23.el7_7.3.x86_64<br />
Target RPM Packages qemu-kvm-1.5.3-167.el7_7.1.x86_64<br />
Policy RPM selinux-policy-3.13.1-252.el7_7.6.noarch<br />
Selinux Enabled True<br />
Policy Type targeted<br />
Enforcing Mode Enforcing<br />
Host Name (removed)<br />
Platform Linux (removed) 3.10.0-1062.9.1.el7.x86_64 #1 SMP<br />
Fri Dec 6 15:49:49 UTC 2019 x86_64 x86_64<br />
Alert Count 1<br />
First Seen 2019-12-26 16:51:54 CST<br />
Last Seen 2019-12-26 16:51:54 CST<br />
Local ID a6fa7be4-5e57-417a-8105-2622acdcf377<br />
<br />
Raw Audit Messages<br />
type=AVC msg=audit(1577350314.805:458): avc: denied { transition } for pid=10405 comm="libvirtd" path="/usr/libexec/qemu-kvm" dev="dm-0" ino=134987489 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_t:s0:c129,c680 tclass=process permissive=0<br />
<br />
<br />
type=SYSCALL msg=audit(1577350314.805:458): arch=x86_64 syscall=execve success=no exit=EACCES a0=7fe78c005f80 a1=7fe78c0194c0 a2=7fe78c0043e0 a3=8 items=0 ppid=1 pid=10405 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm=libvirtd exe=/usr/sbin/libvirtd subj=system_u:system_r:unconfined_service_t:s0 key=(null)<br />
<br />
Hash: libvirtd,unconfined_service_t,svirt_t,process,transition<br />
<br />
Version-Release number of selected component:<br />
selinux-policy-3.13.1-252.el7_7.6.noarch
↧
↧
0016553: High availbility packages missing
All of the high availability (HA) packages are missing from the 8.0 release. The HA packages were provided in 7.0 release. The Red Hat 8.0 HA packages which are missing are:<br />
awscli<br />
booth<br />
booth-arbitrator<br />
booth-core<br />
booth-site<br />
booth-test<br />
clufter-bin<br />
clufter-cli<br />
clufter-common<br />
clufter-lib-ccs<br />
clufter-lib-general<br />
clufter-lib-pcs<br />
corosync<br />
corosync-qdevice<br />
corosync-qnetd<br />
corosynclib-devel<br />
fence-agents-aliyun<br />
fence-agents-aws<br />
fence-agents-azure-arm<br />
fence-agents-gce<br />
libknet1<br />
libknet1-compress-bzip2-plugin<br />
libknet1-compress-lz4-plugin<br />
libknet1-compress-lzma-plugin<br />
libknet1-compress-lzo2-plugin<br />
libknet1-compress-plugins-all<br />
libknet1-compress-zlib-plugin<br />
libknet1-crypto-nss-plugin<br />
libknet1-crypto-openssl-plugin<br />
libknet1-crypto-plugins-all<br />
libknet1-plugins-all<br />
pacemaker<br />
pacemaker-cli<br />
pacemaker-cts<br />
pacemaker-doc<br />
pacemaker-libs-devel<br />
pacemaker-nagios-plugins-metadata<br />
pacemaker-remote<br />
pcs<br />
pcs-snmp<br />
python3-azure-sdk<br />
python3-boto3<br />
python3-botocore<br />
python3-clufter<br />
python3-fasteners<br />
python3-gflags<br />
python3-google-api-client<br />
python3-httplib2<br />
python3-oauth2client<br />
python3-s3transfer<br />
python3-uritemplate<br />
resource-agents<br />
resource-agents-aliyun<br />
resource-agents-gcp<br />
<br />
The key packages which are needed are: <br />
corosync<br />
corosynclib-devel<br />
pacemaker<br />
pacemaker-cli<br />
pacemaker-doc<br />
pacemaker-libs-devel<br />
pcs<br />
resource-agents<br />
and any dependencies.
↧
0016492: No libssh2-devel package
There seems to be no libssh2-devel package in CentOS 8 repos. I found this from upstream:<br />
<a href="https://access.redhat.com/discussions/4342891">https://access.redhat.com/discussions/4342891</a><br />
but that didn't help, 'dnf module enable virt-devel' gives 'missing groups or modules: virt-devel' error.
↧
0016863: Yum Updater
Yum software update, both command line and GUI, fail to install updates. I received the following error: Unable to download updates: failed to refresh cache: cannot update repo 'PowerTools': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried; Last error: Status code: 404 for <a href="http://mirror.centos.org/$contentdir/8/Powertools/x86_64/os/repodata/repomd.xml">http://mirror.centos.org/$contentdir/8/Powertools/x86_64/os/repodata/repomd.xml</a>
↧
0016864: CVE-2018-14645 and BDSA-2018-4400 (CVE-2018-20102) not fixed in HAProxy 1.5.18-9
Using Synopsys's blackduck hub to scan HAProxy 1.5.18-9, there are two security risks: CVE-2018-14645 and BDSA-2018-4400 (CVE-2018-20102)
↧
↧
0016865: BDSA-2015-0055 (CVE-2013-7459) and BDSA-2018-0396 (CVE-2018-6594) found in python2-crypto-2.6.1.16
Using Synopsys Blackduck Hub to scan python2-crypto-2.6.1.16, there are two security risks: BDSA-2015-0055 (CVE-2013-7459) and BDSA-2018-0396 (CVE-2018-6594) .
↧
0016866: BDSA-2018-3365 (CVE-2018-17434), BDSA-2018-3402 (CVE-2018-17436), BDSA-2018-3413 (CVE-2018-17435) found in HDF5
Using Synopsys Blackduck Hub to scan hdf5-1.8.13-7, there are several security risks: BDSA-2018-3365 (CVE-2018-17434), BDSA-2018-3402 (CVE-2018-17436), BDSA-2018-3413 (CVE-2018-17435).
↧
0016867: CVE-2016-9909 and CVE-2016-9910 not fixed in python-html5lib-0.999-7
Using Synopsys Blackduck Hub to scan python-html5lib-0.999-7, there are two security risks: CVE-2016-9909 and CVE-2016-9910
↧
0016557: [abrt] gnome-terminal: poll_for_event(): gnome-terminal-server killed by SIGABRT
Description of problem:<br />
Trying to cut and paste a abrt-cli list command reported in terminal.<br />
<br />
Version-Release number of selected component:<br />
gnome-terminal-3.28.2-2.el7<br />
<br />
Truncated backtrace:<br />
Thread no. 1 (7 frames)<br />
#4 poll_for_event at xcb_io.c:260<br />
#5 poll_for_response at xcb_io.c:278<br />
#7 XPending at Pending.c:55<br />
#8 gdk_event_source_check at gdkeventsource.c:269<br />
#10 g_main_context_check at gmain.c:3734<br />
#12 g_main_context_iteration at gmain.c:3962<br />
#13 g_application_run at gapplication.c:2470
↧
↧
0009839: [abrt] kdelibs: KCrash::defaultCrashHandler(int)(): kdeinit4 killed by SIGSEGV
Description of problem:<br />
on load icontasks plasma widget <br />
<br />
Version-Release number of selected component:<br />
kdelibs-4.14.8-4.el7<br />
<br />
Truncated backtrace:<br />
Thread no. 1 (1 frames)<br />
#1 KCrash::defaultCrashHandler(int) at /lib64/libkdeui.so.5
↧
0016868: Latest qemu from CentOS 8 CR repository removes hyperv enlightenments
qemu-kvm 15:2.12.0-88.module_el8.1.0+248+298dec18 is broken.<br />
<br />
When pre-existing VMs try to start, if they use hyperv enlightenments (e.g. hyperv clock, synic and others needed to resolve serious Windows guest performance regressions), the VM refuses to start with the error that the host doesn't support the required feature.<br />
<br />
qemu-kvm 15:2.12.0-65.module_el8.0.0+189+f9babebb.5 is the previous version that works.<br />
<br />
This is quite a serious regression that will result in guest VMs no longer starting if they use hyperv enlightenments.
↧
0016869: CR lvm 2.03.05-5.el8.x86_64 crashes if there are no LVM volumes
I noticed packages in CR today and recklessly ran update.<br />
<br />
On boot the system pauses and eventually freezes. Without "rhgb quiet" I can see on console a:<br />
lvm segfault ...<br />
and as last line:<br />
starting Monitoring of LVM2 mirrors, snapshots etc. using dmeventd or progress polling (42s / no limit)<br />
<br />
The time was going up, but I had no inclination to wait till "no limit".<br />
<br />
<br />
I have no PV/VG/LVs. Just plain GPT partitions on NVME and (Intel) fakeraid mirror on HDDs.<br />
I had thus no reason to have lvm2-monitor.service running, but the previous version, 2.03.02-6.el8,<br />
did not stall the boot.<br />
<br />
/var/log/message had:<br />
kernel: lvm[1355]: segfault at 801 ip 00007f953c0b2525 sp 00007ffc842720d8 error 4 in libc-2.28.so[7f953c013000+1ba000]<br />
systemd[1]: lvm2-monitor.service: Main process exited, code=dumped, status=11/SEGV<br />
systemd[1]: lvm2-monitor.service: Failed with result 'core-dump'.<br />
<br />
<br />
I did disable the lvm2-monitor.service and now boot succeeds.<br />
<br />
<br />
Is this for 8.1 QA or rather for upstream?
↧
0016870: Mutter update doesn't include upstream fix
CentOS 8 CR updates mutter to 3.32 from 3.28 but it doesn't include the upstream fix from here:<br />
<a href="https://bugzilla.redhat.com/show_bug.cgi?id=1776530">https://bugzilla.redhat.com/show_bug.cgi?id=1776530</a><br />
<br />
That means that desktop usage will be broken for anyone using a multi-input compisite monitor setup, e.g. Nvidia Mosaic or IBM T221, Dell 2715K, Dell 3218K and other similar very high end monitors.<br />
<br />
Worse, excluding mutter from the update still ends up resulting in a non-working system because some components that don't work with mutter 3.28 update anyway due to broken dependency version tracking. This results in a system where the GUI login screen doesn't work, (black screen with just a cursor), but the console login doesn't work either (Ctrl-Alt-F3), because the console getty is blocked until the system finishes booting - and it isn't deemed to have finished booting until GDM gets to the point where it displays a login screen.<br />
<br />
IMO the entire package set relating to the gnome update should be pulled from the CR repository until the mutter fix from upstream is incorporated.
↧
↧
0016871: NetworkManager won't assign static ipv6 at boot time
When assigning static IPv6 addresses the interface won't assign them at boot time automatically. Loading the interface manually after boot will fix the problem by executing<br />
"nmcli connection up ens3"<br />
IPv6 will be set correctly after that.
↧
0016872: [abrt] gjs: poll(): gjs-console killed by SIGSEGV
Description of problem:<br />
Ich habe versucht einen anderen Ort (der nicht auf der Liste steht) einzugeben.<br />
Dabei die wheater 3 mal beendet worden und dan kam der Crash.<br />
<br />
Version-Release number of selected component:<br />
gjs-1.52.5-1.el7_6<br />
<br />
Truncated backtrace:<br />
warning: core file may not match specified executable file.<br />
[New LWP 2551]<br />
[New LWP 2554]<br />
[New LWP 2556]<br />
[New LWP 2578]<br />
[New LWP 2553]<br />
[New LWP 2555]<br />
[New LWP 2561]<br />
[New LWP 2557]<br />
[New LWP 2560]<br />
[New LWP 2559]<br />
[New LWP 2562]<br />
[New LWP 2558]<br />
[New LWP 2563]<br />
[Thread debugging using libthread_db enabled]<br />
Using host libthread_db library "/lib/libthread_db.so.1".<br />
Core was generated by `/usr/bin/gjs /usr/share/org.gnome.Weather/org.gnome.Weather.Application --gappl'.<br />
Program terminated with signal 11, Segmentation fault.<br />
#0 ContextToPC (context=<optimized out>) at /usr/src/debug/firefox-52.9.0esr/js/src/wasm/WasmSignalHandlers.cpp:392<br />
392 /usr/src/debug/firefox-52.9.0esr/js/src/wasm/WasmSignalHandlers.cpp: No such file or directory.<br />
<br />
Thread 13 (Thread 0xad360240 (LWP 2563)):<br />
#0 0xb4af0a10 in poll () at ../sysdeps/unix/syscall-template.S:81<br />
No locals.<br />
#1 0xb6294358 in g_main_context_poll (priority=<optimized out>, n_fds=1, fds=0xaf100c70, timeout=-1, context=0x8c0a18) at gmain.c:4202<br />
ret = <optimized out><br />
errsv = <optimized out><br />
poll_func = 0xb62a4c7c <g_poll><br />
#2 g_main_context_iterate (<a href="mailto:context=context@entry">context=context@entry</a>=0x8c0a18, <a href="mailto:block=block@entry">block=block@entry</a>=1, <a href="mailto:dispatch=dispatch@entry">dispatch=dispatch@entry</a>=1, self=<optimized out>) at gmain.c:3896<br />
max_priority = 2147483647<br />
timeout = -1<br />
some_ready = <optimized out><br />
nfds = 1<br />
allocated_nfds = <optimized out><br />
fds = 0xaf100c70<br />
#3 0xb629446c in g_main_context_iteration (<a href="mailto:context=context@entry">context=context@entry</a>=0x8c0a18, <a href="mailto:may_block=may_block@entry">may_block=may_block@entry</a>=1) at gmain.c:3962<br />
retval = <optimized out><br />
#4 0xad36823c in dconf_gdbus_worker_thread (user_data=0x8c0a18) at ../gdbus/dconf-gdbus-thread.c:82<br />
context = 0x8c0a18<br />
#5 0xb62bdf08 in g_thread_proxy (data=0x940580) at gthread.c:784<br />
thread = 0x940580<br />
__FUNCTION__ = "g_thread_proxy"<br />
#6 0xb4b7cd40 in start_thread (arg=0xad360240, <a href="mailto:arg@entry">arg@entry</a>=<error reading variable: Cannot access memory at address 0x2e677266>) at pthread_create.c:309<br />
pd = 0xad360240<br />
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {-1388969304, 0, -1096586912, 338, -1096586808, -1238638952, -1388930848, -1388970628, -1388970936, -1263022836, 0 <repeats 16 times>, -2147483631, 0 <repeats 37 times>}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}<br />
not_first_call = <optimized out><br />
pagesize_m1 = <optimized out><br />
sp = <optimized out><br />
freesize = <optimized out><br />
#7 0xb4afcce8 in ?? () at ../sysdeps/unix/sysv/linux/arm/clone.S:96 from /lib/libc.so.6<br />
../../gdb/frame.c:445: internal-error: get_frame_id: Assertion `fi->this_id.p' failed.<br />
A problem internal to GDB has been detected,<br />
further debugging may prove unreliable.<br />
Quit this debugging session? (y or n) [answered Y; input not from terminal]<br />
../../gdb/frame.c:445: internal-error: get_frame_id: Assertion `fi->this_id.p' failed.<br />
A problem internal to GDB has been detected,<br />
further debugging may prove unreliable.<br />
Create a core file of GDB? (y or n) [answered Y; input not from terminal]
↧
0016606: Add swig-4.0.1 in centos 8
Currently, centos 8 repos has swig v3.0.12 while swig's latest version is v4.0.1, so this ticket is to request to add swig v4.0.1 in centos 8 repos.
↧