From beta-programs at suse.com Fri May 7 08:25:48 2021 From: beta-programs at suse.com (SUSE Beta Program) Date: Fri, 07 May 2021 10:25:48 +0200 Subject: [ANNOUNCE] SUSE Linux Enterprise 15 SP3 Beta Online Update 20210507 is out! Message-ID: <6094f98c3792b_2f9b2bc-2e3@MacBouille.local.mail> We are happy to announce Online Update 20210507 for SUSE Linux Enterprise 15 Service Pack 3! We are really close to the end of our Public Beta Program since our next upcoming release will be Gold Master Candidate[1]! Download[2] What happened since Public RC We are providing updates through our online channels. Please refer to our FAQ[3] for more information on our Update Channels. Kernel Application Binary Interface (kABI) freeze Since Online Update 20210409 there won't be any changes regarding the set of in-kernel symbols used by drivers and other kernel modules (i.e kABI). Added packages - linuxrc 7.0.30.3-1.1 Updated Kernel - kernel-source: 5.3.18-56.2 => 5.3.18-57.2 Updated packages (selection) - adcli: 0.8.2-7.17 => 0.8.2-9.3.1 - apache-commons-io: 2.6-1.63 => 2.6-3.3.1 - brp-check-suse: 84.87+git20181106.224b37d-3.6.1 => 84.87+git20181106.224b37d-3.11.1 - cifs-utils: 6.9-5.9.1 => 6.9-5.12.1 - cloud-init: 20.2-8.42.1 => 20.2-8.45.1 - cups: 2.2.7-3.23.1 => 2.2.7-3.26.1 - dhcp: 4.3.5-6.3.1 => 4.3.5-6.6.1 - dracut: 049.1+suse.186.g320cc3d1-3.24.1 => 049.1+suse.187.g63c1504f-3.27.1 - e2fsprogs: 1.43.8-4.23.1 => 1.43.8-4.26.1 - go1: 1.16.2-1.8.1 => 1.16.3-1.11.1 - gpgme: 1.13.1-2.57 => 1.13.1-4.3.1 - hawk2: 2.6.3+git.1614684118.af555ad9-3.27.1 => 2.6.4+git.1618478653.7272e6b6-3.30.2 - MozillaFirefox: 78.9.0-8.35.1 => 78.10.0-8.38.1 - MozillaThunderbird: 78.9.1-8.20.1 => 78.10.0-8.23.1 - NetworkManager: 1.22.10-3.3.4 => 1.22.10-3.7.1 - ntp: 4.2.8p15-4.10.1 => 4.2.8p15-4.13.1 - openslp: 2.0.0-6.12.2 => 2.0.0-6.15.1 - openvswitch: 2.14.2-16.11 => 2.14.2-17.1 - pidentd: 3.0.19-3.3.1 => 3.0.19-3.6.1 - pipewire: 0.3.24-1.1 => 0.3.24-2.1 - plymouth: 0.9.5+git20190908+3abfab2-4.8 => 0.9.5+git20190908+3abfab2-5.2 - ppc64-diag: 2.7.6-1.53 => 2.7.6-3.3.1 - python39: 3.9.0-3.21 => 3.9.4-2.3 - rsyslog: 8.39.0-4.7.3 => 8.39.0-4.10.1 - ruby2: 2.5.8-4.14.1 => 2.5.9-4.17.1 - sapstartsrv-resource-agents: 0.9.0+git.1615189486.815e798-1.3.1 => 0.9.0+git.1617199081.815e7ba-1.6.1 - scap-security-guide: 0.1.54-1.7.2 => 0.1.55git20210323-1.10.1 - spack: 0.16.1-2.1 => 0.16.1-3.1 - strongswan: 5.8.2-11.5.1 => 5.8.2-11.8.4 - supportutils-plugin-salt: 1.1.4-1.8 => 1.1.5-3.3.1 - systemd-presets-branding-SLE: 15.1-20.5.1 => 15.1-20.8.1 - systemd-presets-common-SUSE: 15-8.3.1 => 15-8.6.1 - tcpdump: 4.9.2-3.12.1 => 4.9.2-3.15.1 - tcsh: 6.20.00-4.12.1 => 6.20.00-4.15.1 - xorg-x11-server: 1.20.3-22.5.25.1 => 1.20.3-22.5.30.1 - yast2-network: 4.3.64-1.1 => 4.3.67-1.1 - yast2-pkg-bindings: 4.3.10-1.1 => 4.3.11-1.1 openSUSE Leap 15.3 RC Since openSUSE Leap and SUSE Linux Enterprise are developed in sync, openSUSE Leap 15.3 is also entering the Release Candidate phase[4]. One more thing William Brown from our 389-ds team taped an awesome video about Migrating to 389-ds from openldap2[5] on YouTube. Please check it out and we would be happy to hear about your migration test with SLES 15 SP3. More information Schedule[6] Changelog[6] Known issues[7] Questions? If you have any questions, please contact us at beta-programs at suse.com. Your SUSE Linux Enterprise team Click here to unsubscribe[8] [1]:https://suse.com/betaprogram/sle-beta/#releases [2]:https://suse.com/betaprogram/sle-beta/#download [3]:https://suse.com/betaprogram/sle-beta/#faq-reg [4]:https://news.opensuse.org/2021/04/28/opensuse-leap-153-en ters-rc-phase/ [5]:https://youtu.be/qrbtWOXOhtA [6]:https://suse.com/betaprogram/sle-beta/#changelogs [7]:https://suse.com/betaprogram/sle-beta/#knownissues [8]:mailto:beta-programs at suse.com?subject=Unsubscribe%20from% 20SLE%20Public%20Beta%20Program&body=Unsubscribe%20from%20SLE %20Public%20Beta%20Program -------------- next part -------------- An HTML attachment was scrubbed... URL: From donald.buchholz at intel.com Sat May 8 19:21:03 2021 From: donald.buchholz at intel.com (Buchholz, Donald) Date: Sat, 8 May 2021 19:21:03 +0000 Subject: "Boot Options" not available during EFI boot Message-ID: Hi, Why is it that we can specify "Boot Options" only for 'BIOS' boot and not for 'EFI' boot? Our lab hosts are firewalled off from the Internet, so being able to specify "self_update=0" option is important to me. Thanks, - Don Installer screen when using "BIOS" boot mode: [cid:image002.png at 01D74404.9B2992F0] Installer screen when using "EFI" boot mode: [cid:image004.png at 01D74404.9B2992F0] -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: image001.png Type: image/png Size: 29916 bytes Desc: image001.png URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: image002.png Type: image/png Size: 44933 bytes Desc: image002.png URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: image003.png Type: image/png Size: 21941 bytes Desc: image003.png URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: image004.png Type: image/png Size: 35671 bytes Desc: image004.png URL: From donald.buchholz at intel.com Sat May 8 20:49:58 2021 From: donald.buchholz at intel.com (Buchholz, Donald) Date: Sat, 8 May 2021 20:49:58 +0000 Subject: "Boot Options" not available during EFI boot In-Reply-To: References: Message-ID: Doh! Of course . Thanks for the reminder. Cheers! - Don From: Chinna, Nanda Kishore Sent: Saturday, May 8, 2021 12:26 PM To: Buchholz, Donald ; sle-beta at lists.suse.com Subject: RE: "Boot Options" not available during EFI boot Hi Don, In EFI mode, You can press the Key 'e' to get the grub config editor from where you can add the boot parameters there. But I would let SuSE or some one add their thoughts on the GUI design Regards, Nanda From: sle-beta > On Behalf Of Buchholz, Donald Sent: Sunday, May 9, 2021 12:51 AM To: sle-beta at lists.suse.com Subject: "Boot Options" not available during EFI boot [EXTERNAL EMAIL] Hi, Why is it that we can specify "Boot Options" only for 'BIOS' boot and not for 'EFI' boot? Our lab hosts are firewalled off from the Internet, so being able to specify "self_update=0" option is important to me. Thanks, - Don Installer screen when using "BIOS" boot mode: [cid:image005.png at 01D74411.06623070] Installer screen when using "EFI" boot mode: [cid:image006.png at 01D74411.06623070] -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: image001.png Type: image/png Size: 29916 bytes Desc: image001.png URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: image003.png Type: image/png Size: 21941 bytes Desc: image003.png URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: image005.png Type: image/png Size: 44924 bytes Desc: image005.png URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: image006.png Type: image/png Size: 35678 bytes Desc: image006.png URL: From Nanda.Kishore.Chinna at dell.com Sat May 8 19:25:55 2021 From: Nanda.Kishore.Chinna at dell.com (Chinna, Nanda Kishore) Date: Sat, 8 May 2021 19:25:55 +0000 Subject: "Boot Options" not available during EFI boot In-Reply-To: References: Message-ID: Hi Don, In EFI mode, You can press the Key 'e' to get the grub config editor from where you can add the boot parameters there. But I would let SuSE or some one add their thoughts on the GUI design Regards, Nanda From: sle-beta On Behalf Of Buchholz, Donald Sent: Sunday, May 9, 2021 12:51 AM To: sle-beta at lists.suse.com Subject: "Boot Options" not available during EFI boot [EXTERNAL EMAIL] Hi, Why is it that we can specify "Boot Options" only for 'BIOS' boot and not for 'EFI' boot? Our lab hosts are firewalled off from the Internet, so being able to specify "self_update=0" option is important to me. Thanks, - Don Installer screen when using "BIOS" boot mode: [cid:image005.png at 01D7446E.0A8998C0] Installer screen when using "EFI" boot mode: [cid:image007.png at 01D7446E.0A8998C0] -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: image001.png Type: image/png Size: 29916 bytes Desc: image001.png URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: image005.png Type: image/png Size: 44924 bytes Desc: image005.png URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: image006.png Type: image/png Size: 21941 bytes Desc: image006.png URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: image007.png Type: image/png Size: 35671 bytes Desc: image007.png URL: From snwint at suse.de Mon May 10 15:18:05 2021 From: snwint at suse.de (Steffen Winterfeldt) Date: Mon, 10 May 2021 17:18:05 +0200 (CEST) Subject: "Boot Options" not available during EFI boot In-Reply-To: References: Message-ID: The difference is that in legacy BIOS mode, isolinux is used as boot loader, while in the EFI case grub2 is used. The 'GUI' is not yet available for grub2. Steffen On Sat, 8 May 2021, Chinna, Nanda Kishore wrote: > > Hi Don, > > In EFI mode, You can press the Key ?e? to get the grub config editor from where you can add the boot parameters > there. ?But I would let SuSE or some one add their thoughts on the GUI design > > > Regards, > > Nanda > > ? > > From: sle-beta On Behalf Of Buchholz, Donald > Sent: Sunday, May 9, 2021 12:51 AM > To: sle-beta at lists.suse.com > Subject: "Boot Options" not available during EFI boot > > ? > > [EXTERNAL EMAIL] > > Hi, > > ? > > Why is it that we can specify ?Boot Options? only for ?BIOS? boot and not for ?EFI? boot?? Our lab hosts are > firewalled off from the Internet, so being able to specify ?self_update=0? option is important to me. > > ? > > Thanks, > > - Don > > ? > > ? > > Installer screen when using ?BIOS? boot mode: > > [IMAGE] > > Installer screen when using ?EFI? boot mode: > > [IMAGE] > > From vmoutoussamy at suse.com Tue May 11 15:44:37 2021 From: vmoutoussamy at suse.com (Vincent Moutoussamy) Date: Tue, 11 May 2021 15:44:37 +0000 Subject: systemd obsolete / legacy warnigns In-Reply-To: <20210415151648.5636183.34260.2600@ostiasolutions.com> References: <20210415151648.5636183.34260.2600@ostiasolutions.com> Message-ID: <203A085B-B43A-423E-9E2F-42C9D9317BC1@suse.com> Hi, Since the initial report, we are working on fixing all the warnings but to summarise: the updated systemd-version in 15 SP3 prints now deprecation-warnings for outdated options and paths. Namely, there are two warnings: - systemd complains about PID- and temp-files located in /var/run/, which only is a symlink to /run/ since at least SLE 12 SP2 - The flag StandardOutput=/StandardError=syslog is deprecated and automatically falls back to "journal". This is already the case since systemd v210, but it only started to complain about it since v246. Therefore syslog should be replaced with journal or the line should be removed altogether. Both are already the default for quite some time, but the 15SP3 systemd version (v246) just started to output messages. We have opened internal bugs for all services/packages affected by this, however most of them will be fixed as a maintenance updates after the official release of 15SP3. As a reminder this issues are not urgent or critical, it?s only a warning. Nevertheless we should have spotted them way earlier so we could have a chance to fix them all during the beta program. That being said, we are sorry for the inconvenience. Have a nice day, Regards, -- Vincent Moutoussamy SUSE Beta Program Manager JeOS Technical Project Manager Paris, France > On 15 Apr 2021, at 17:16, Ostia wrote: > > You're a grand fellow Vincent. > I got my 1st Jab yesterday the 2nd is in July when 15.3 is avaliable to all. I wonder if we can fly then. > __R > > Sent from my BlackBerry 10 smartphone. > From: Vincent Moutoussamy > Sent: Donnerstag, 15. April 2021 16:14 > To: Bussmann, Lars Hendrik, NMD-I2.1 > Cc: sle-beta at lists.suse.com > Subject: Re: systemd obsolete / legacy warnigns > > Hi, > > So bsc#1184400 was marked as resolved fixed, but I recommend to create a dedicated bug for the systemd obsolete / legacy warnings, this will allow us to assign the bug > directly to our systemd maintainer. > > Anyway in the meantime, I?ll still try to find someone to help you here. > > Have a nice day, > Regards, > -- > Vincent Moutoussamy > SUSE Beta Program Manager > JeOS Technical Project Manager > Paris, France > >> On 6 Apr 2021, at 18:49, Bussmann, Lars Hendrik, NMD-I2.1 wrote: >> >> Hi, >> >> we start testing with SP3 and we noticed some systemd obsolete / legacy warnings. >> >> Apr 6 17:21:43 sles15sp3ucs systemd[1]: /usr/lib/systemd/system/grub2-once.service:13: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether. >> Apr 6 18:13:17 sles15sp3ucs systemd[1]: /usr/lib/systemd/system/mcelog.service:11: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether. >> Apr 6 18:13:17 sles15sp3ucs systemd[1]: /usr/lib/systemd/system/chronyd.service:14: PIDFile= references a path below legacy directory /var/run/, updating /var/run/chronyd.pid ? /run/chronyd.pid; please update the unit file accordingly. >> Apr 6 18:16:55 sles15sp3vm systemd[1]: /usr/lib/systemd/system/vmtoolsd.service:12: PIDFile= references a path below legacy directory /var/run/, updating /var/run/vmtoolsd.pid ? /run/vmtoolsd.pid; please update the unit file accordingly. >> >> >> I created one bug for chrony ( #1184400 ) but I am unsure if this is the right approach as it looks like an general issue. >> >> When I search through all units of the basesystem and Server-Applications packages if found over 30 further units with the old syntax. >> e.g. >> /usr/lib/systemd/system/ipmievd.service >> /usr/lib/systemd/system/nfs-blkmap.service >> /usr/lib/systemd/system/rpc-statd.service >> /usr/lib/systemd/system/fancontrol.service >> /usr/lib/systemd/system/sssd.service >> >> >> Maybe there is an build option for systemd or it is possible create an "affects multiple packages" bug? >> >> >> >> >> >> Kind Regards, >> Lars >> > > > > Powered by Portus > Ostia Software Solutions Limited, 6 The Mill Building, The Maltings, Bray, Co. Wicklow, Ireland > [ostiasolutions.com | LinkedIn | Twitter | YouTube] > Registered in Ireland CRO No.507541 This email and any attachments to it is, unless otherwise stated, confidential, may contain copyright material and is for the use of the intended recipient only. If you have received this email in error, please notify the sender by return and deleting all copies. Any views expressed in this email are those of the sender and do not form part of any contract between Ostia Software Solutions Limited and any other party. From beta-programs at suse.com Wed May 12 23:37:35 2021 From: beta-programs at suse.com (SUSE Beta Program) Date: Thu, 13 May 2021 01:37:35 +0200 Subject: [ANNOUNCE] SUSE Linux Enterprise 15 SP3 Online Updates 20210512! Message-ID: <609c66bf60468_2f962bc-21f@MacBouille.local.mail> We are happy to announce 20210512 for SUSE Linux Enterprise 15 Service Pack 3! Today we have enter the Gold Master Candidate phase, which is the last phase of the SLE 15 SP3 Beta Program. Any issues reported on previous beta milestones which we did not fix via an updates or for recent reported issues will be considered to be fixed by Maintenance Updates post release of the final version of SLE 15 SP3. Rest assured that we will communicate more about the upcoming Gold Master and First Customer Shipment. Download[1] What happened since Online Update 20210507 We are providing updates through our online channels. Please refer to our FAQ[2] for more information on our Update Channels. Kernel Application Binary Interface (kABI) freeze Since 2021-04-09 there won't be any changes regarding the set of in-kernel symbols used by drivers and other kernel modules (i.e kABI). Updated packages (selection) - libzypp: 17.25.8-1.2 => 17.25.8-3.33.1 - release-notes-ha: 15.3.20201117-1.58 => 15.3.20210505-1.1 - release-notes-sled: 15.3.20210310-1.16 => 15.3.20210505-1.1 - release-notes-sle_hpc: 15.300000000.20210331-1.9 => 15.300000000.20210505-1.1 - release-notes-sles-for-sap: 15.3.20201117-1.58 => 15.3.20210505-1.1 - release-notes-sles: 15.3.20210422-1.2 => 15.3.20210505-1.1 - release-notes-susemanager: 4.2.0~beta1-1.14 => 4.2.0-1.1 - release-notes-susemanager-proxy: 4.2.0~beta1-1.1 => 4.2.0-1.1 - shim: 15.4-1.3 => 15.4-2.1 - slurm: 20.11.5-1.2 => 20.11.5-2.1 - systemd: 246.13-4.2 => 246.13-5.1 openSUSE Leap 15.3 RC Since openSUSE Leap and SUSE Linux Enterprise are developed in sync, openSUSE Leap 15.3 is also entering the Release Candidate phase[3]. One more thing William Brown from our 389-ds team taped an awesome video about Migrating to 389-ds from openldap2[4] onYouTube. Please check it out and we would be happy to hear about your migration test with SLES 15 SP3. More information Schedule[5] Changelog[6] Known issues[7] Questions? If you have any questions, please contact us at beta-programs at suse.com. Your SUSE Linux Enterprise team Click here to unsubscribe[8] [1]:https://suse.com/betaprogram/sle-beta/#download [2]:https://suse.com/betaprogram/sle-beta/#faq-reg [3]:https://news.opensuse.org/2021/04/28/opensuse-leap-153-en ters-rc-phase/ [4]:https://youtu.be/qrbtWOXOhtA [5]:https://suse.com/betaprogram/sle-beta/#releases [6]:https://suse.com/betaprogram/sle-beta/#changelogs [7]:https://suse.com/betaprogram/sle-beta/#knownissues [8]:mailto:beta-programs at suse.com?subject=Unsubscribe%20from% 20SLE%20Public%20Beta%20Program&body=Unsubscribe%20from%20SLE %20Public%20Beta%20Program -------------- next part -------------- An HTML attachment was scrubbed... URL: From ecki at zusammenkunft.net Sat May 15 00:45:01 2021 From: ecki at zusammenkunft.net (Bernd) Date: Sat, 15 May 2021 02:45:01 +0200 Subject: 15.3 PRC: SE Linux Policy loading failed Message-ID: Hello, I just installed 15.3 PRC in a Hyper-V VM (UEFI with secure boot) to do some qualification testing. I used the Full ISO and installed SLES with only the base system module in minimal configuration and no registration. In the installer I enabled SELinux in advisory mode. This seems to freeze, in the first boot after Yast has installed the system. Eearly in systemd after the kernel is loaded with: [8.5...] systemd[1]: Failed to load SELinux policy. [!!!!!] Failed to load SELinux policy. .. Freezing Execution When using the grub boot config editor and removing "security=selinux selinux=1 enforcing=1" from the linuxefi kernel command line, it succeeded to boot. BTW: when I only change enforcing=1 to enforcing=0 the boot continues but shows quite a few errors about SELin ux label cannot be determined on systemd sockets because "Function not implemented".and in operations there are errors like broken name resolution. I have not yet tried with more modules. Do I need the Application Server module? I noticed that selinux-tools (from base module) is not installed in minimal (only "libselinux1" is present). If a user selects SELInux, it should probably add that packacge to the list. However I added this package manually, and it did not help with the situation. Want me to file a bugzilla? I havent seen it in "Known Issues" here: SLE Beta (suse.com) BTW: I also turned off DHCPv6, but wicket dhcp6 seems to be started anyway? Gruss Bernd -------------- next part -------------- An HTML attachment was scrubbed... URL: From ecki at zusammenkunft.net Sat May 15 02:13:49 2021 From: ecki at zusammenkunft.net (Bernd) Date: Sat, 15 May 2021 04:13:49 +0200 Subject: 15.3 PRC: SE Linux Policy loading failed In-Reply-To: References: Message-ID: Hello, I checked with the "text" mode and having Server Application Module enabled, but it does not change the problem, SELinux is just broken in those configurations. Strange enough it will also enable AppArmor pattern in this configuration (which is kind of redundant?). It miight be maybe a good idea to at least remove the claim that this works in 15.3 from the release notes. I also checked the "DHCPv4 only" option again - even when I set it in the config summary screen right before installation it will not show up in the summary screen and the resulting system will run both DHCP daemons. Gruss Bernd Am Sa., 15. Mai 2021 um 02:45 Uhr schrieb Bernd : > Hello, > > I just installed 15.3 PRC in a Hyper-V VM (UEFI with secure boot) to do > some qualification testing. I used the Full ISO and installed SLES with > only the base system module in minimal configuration and no registration. > In the installer I enabled SELinux in advisory mode. > > This seems to freeze, in the first boot after Yast has installed the > system. Eearly in systemd after the kernel is loaded with: > > [8.5...] systemd[1]: Failed to load SELinux policy. > [!!!!!] Failed to load SELinux policy. > .. Freezing Execution > > When using the grub boot config editor and removing "security=selinux > selinux=1 enforcing=1" from the linuxefi kernel command line, it succeeded > to boot. > > BTW: when I only change enforcing=1 to enforcing=0 the boot continues but > shows quite a few errors about SELin ux label cannot be determined on > systemd sockets because "Function not implemented".and in operations there > are errors like broken name resolution. > > I have not yet tried with more modules. Do I need the Application Server > module? > > I noticed that selinux-tools (from base module) is not installed in > minimal (only "libselinux1" is present). If a user selects SELInux, it > should probably add that packacge to the list. However I added this package > manually, and it did not help with the situation. > > Want me to file a bugzilla? I havent seen it in "Known Issues" here: SLE > Beta (suse.com) > > BTW: I also turned off DHCPv6, but wicket dhcp6 seems to be started anyway? > > Gruss > Bernd > -------------- next part -------------- An HTML attachment was scrubbed... URL: From ecki at zusammenkunft.net Sun May 16 03:39:28 2021 From: ecki at zusammenkunft.net (Bernd) Date: Sun, 16 May 2021 05:39:28 +0200 Subject: 15.3 PRC: ssh audit race crashes Message-ID: Hello, a while back (15.1) I had an support ticket (00202015) open for sshd crashing or closing connections if sftp with high frequency of logins is used. This was supposed to be fixed by this:Bz#1174162 (openssh-7.1p2-audit-race-condition.patch) which I do not see in the changelog, and the rejections and crashes happen again. Have all those fixes be backported to this or will there be an update to this package available after the release? localhost sshd[31128]: fatal: mm_request_receive_expect: read: rtype 123 != type 115 localhost sshd[32288]: fatal: mm_request_receive_expect: read: rtype 115 != type 123 localhost kernel: [10140.368402] sshd[32288]: segfault at 308 ip 00005560d39aa1f2 sp 00007fffe4488b60 error 4 in sshd[5560d3951000+d6000] localhost kernel: [10140.368418] Code: 00 0f 1f 80 00 00 00 00 b8 fd ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 48 85 ff 74 3b 48 8b 87 20 01 00 00 48 85 c0 74 2f 53 <8b> 40 18 48 89 fb a8 02 75 2c a8 04 75 40 48 8b 7b 08 e8 77 4a fb localhost systemd[1]: Started Process Core Dump (PID 32289/UID 0). localhost systemd-coredump[32290]: Process 32288 (sshd) of user 1000 dumped core.#012#012Stack trace of thread 32288:#012#0 0x00005560d39aa1f2 n/a (sshd + 0x591f2)#012#1 0x00005560d39b0f30 n/a (sshd + 0x5ff30)#012#2 0x00005560d3963da4 n/a (sshd + 0x12da4)#012#3 0x00005560d39aa70b n/a (sshd + 0x5970b)#012#4 0x00005560d398243e n/a (sshd + 0x3143e)#012#5 0x00005560d398504c n/a (sshd + 0x3404c)#012#6 0x00005560d39ae65d n/a (sshd + 0x5d65d)#012#7 0x00005560d3974cac n/a (sshd + 0x23cac)#012#8 0x00005560d39769fc n/a (sshd + 0x259fc)#012#9 0x00005560d3977ba1 n/a (sshd + 0x26ba1)#012#10 0x00005560d39786f8 n/a (sshd + 0x276f8)#012#11 0x00005560d396cbee n/a (sshd + 0x1bbee)#012#12 0x00005560d39b64ea n/a (sshd + 0x654ea)#012#13 0x00005560d39b6599 n/a (sshd + 0x65599)#012#14 0x00005560d396e5ec n/a (sshd + 0x1d5ec)#012#15 0x00005560d3977233 n/a (sshd + 0x26233)#012#16 0x00005560d3961234 n/a (sshd + 0x10234)#012#17 0x00007fc44a5d034d __libc_start_main (libc.so.6 + 0x2534d)#012#18 0x00005560d3962eea n/a (sshd + 0x11eea) Its a bit hard to replicate, but it is Apacke Mina sshd doing simple sftp file uploads with some parallelity. I also tried internal-sftp subsystem, ut it does not really help. Gruss Bernd -------------- next part -------------- An HTML attachment was scrubbed... URL: From kukuk at suse.de Sun May 16 10:53:33 2021 From: kukuk at suse.de (Thorsten Kukuk) Date: Sun, 16 May 2021 12:53:33 +0200 Subject: 15.3 PRC: SE Linux Policy loading failed In-Reply-To: References: Message-ID: <20210516105333.GA28579@suse.de> Hi, On Sat, May 15, Bernd wrote: > Hello, > > I just installed 15.3 PRC in a Hyper-V VM (UEFI with secure boot) to do some > qualification testing. I used the Full ISO and installed SLES with only the > base system module in minimal configuration and no registration. In the > installer I enabled SELinux in advisory mode. I assume you mean SLES 15 SP3 and not Leap 15.3? It's really helpful to use correct product and version names, own created version numbers only lead to confusion and wrong advice. In short: as documented since a long time, SLES does not come with a SELinux policy, you need to bring your own with you. I don't know why this option is visible in YaST, as only SLE Micro comes with full SELinux support. Thorsten > This seems to freeze, in the first boot after Yast has installed the system. > Eearly in systemd after the kernel is loaded with: > > [8.5...] systemd[1]: Failed to load SELinux policy. > [!!!!!] Failed to load SELinux policy. > .. Freezing Execution > > When using the grub boot config editor and removing "security=selinux selinux=1 > enforcing=1" from the linuxefi kernel command line, it succeeded to boot. > > BTW: when I only change enforcing=1 to enforcing=0 the boot continues but shows > quite a few errors about SELin ux label cannot be determined on systemd sockets > because "Function not implemented".and in operations there are errors like > broken name resolution. > > I have not yet tried with more modules. Do I need the Application Server > module? > > I noticed that selinux-tools (from base module) is not installed in minimal > (only "libselinux1" is present). If a user selects SELInux, it should probably > add that packacge to the list. However I added this package manually, and it > did not help with the situation. > > Want me to file a bugzilla? I havent seen it in "Known Issues" here:?SLE Beta > (suse.com) > > BTW: I also turned off DHCPv6, but wicket dhcp6 seems to be started anyway? > > Gruss > Bernd -- Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & MicroOS SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany Managing Director: Felix Imendoerffer (HRB 36809, AG N?rnberg) From ecki at zusammenkunft.net Sun May 16 13:39:34 2021 From: ecki at zusammenkunft.net (Bernd Eckenfels) Date: Sun, 16 May 2021 13:39:34 +0000 Subject: 15.3 PRC: SE Linux Policy loading failed In-Reply-To: <20210516105333.GA28579@suse.de> References: , <20210516105333.GA28579@suse.de> Message-ID: > I assume you mean SLES 15 SP3 and not Leap 15.3? Yes, this is the SLE mailing list. > In short: as documented since a long time, SLES does not come with a SELinux policy The release notes only states that 15.3 does support SELinux, it should probably add a warning that it lacks default policies. > I don't know why this option is visible in YaST, as only SLE Micro comes with full SELinux support. What is SLE Micro? Gruss Bernd -- http://bernd.eckenfels.net ________________________________ Von: sle-beta im Auftrag von Thorsten Kukuk Gesendet: Sunday, May 16, 2021 12:53:33 PM An: sle-beta at lists.suse.com Betreff: Re: 15.3 PRC: SE Linux Policy loading failed Hi, On Sat, May 15, Bernd wrote: > Hello, > > I just installed 15.3 PRC in a Hyper-V VM (UEFI with secure boot) to do some > qualification testing. I used the Full ISO and installed SLES with only the > base system module in minimal configuration and no registration. In the > installer I enabled SELinux in advisory mode. I assume you mean SLES 15 SP3 and not Leap 15.3? It's really helpful to use correct product and version names, own created version numbers only lead to confusion and wrong advice. In short: as documented since a long time, SLES does not come with a SELinux policy, you need to bring your own with you. I don't know why this option is visible in YaST, as only SLE Micro comes with full SELinux support. Thorsten > This seems to freeze, in the first boot after Yast has installed the system. > Eearly in systemd after the kernel is loaded with: > > [8.5...] systemd[1]: Failed to load SELinux policy. > [!!!!!] Failed to load SELinux policy. > .. Freezing Execution > > When using the grub boot config editor and removing "security=selinux selinux=1 > enforcing=1" from the linuxefi kernel command line, it succeeded to boot. > > BTW: when I only change enforcing=1 to enforcing=0 the boot continues but shows > quite a few errors about SELin ux label cannot be determined on systemd sockets > because "Function not implemented".and in operations there are errors like > broken name resolution. > > I have not yet tried with more modules. Do I need the Application Server > module? > > I noticed that selinux-tools (from base module) is not installed in minimal > (only "libselinux1" is present). If a user selects SELInux, it should probably > add that packacge to the list. However I added this package manually, and it > did not help with the situation. > > Want me to file a bugzilla? I havent seen it in "Known Issues" here: SLE Beta > (suse.com) > > BTW: I also turned off DHCPv6, but wicket dhcp6 seems to be started anyway? > > Gruss > Bernd -- Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & MicroOS SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany Managing Director: Felix Imendoerffer (HRB 36809, AG N?rnberg) -------------- next part -------------- An HTML attachment was scrubbed... URL: From kukuk at suse.de Sun May 16 16:25:12 2021 From: kukuk at suse.de (Thorsten Kukuk) Date: Sun, 16 May 2021 18:25:12 +0200 Subject: 15.3 PRC: SE Linux Policy loading failed In-Reply-To: References: <20210516105333.GA28579@suse.de> Message-ID: <20210516162512.GA9125@suse.de> On Sun, May 16, Bernd Eckenfels wrote: > > > I assume you mean SLES 15 SP3 and not Leap 15.3? > > Yes, this is the SLE mailing list. But there is no SLE product with the version number 15.3! > > In short: as documented since a long time, SLES does not come with a SELinux > policy > > The release notes only states that 15.3 does support SELinux, it should > probably add a warning that it lacks default policies. 15.3 is openSUSE Leap. # grep VERSION= /etc/os-release # VERSION="15-SP3" Is it so difficult to use the correct version number to not confuse other people? I filled a bug for SLES 15 SP3 that the release notes are not correct. > > I don't know why this option is visible in YaST, as only SLE Micro comes with > full SELinux support. > > What is SLE Micro? https://www.suse.com/c/suse-linux-enterprise-micro-5-0-is-generally-available/ Thorsten > ??????????????????????????????????????????????????????????????????????????????? > Von: sle-beta im > Auftrag von Thorsten Kukuk > Gesendet: Sunday, May 16, 2021 12:53:33 PM > An: sle-beta at lists.suse.com > Betreff: Re: 15.3 PRC: SE Linux Policy loading failed > > > Hi, > > On Sat, May 15, Bernd wrote: > > > Hello, > > > > I just installed 15.3 PRC in a Hyper-V VM (UEFI with secure boot) to do some > > qualification testing. I used the Full ISO and installed SLES with only the > > base system module in minimal configuration and no registration. In the > > installer I enabled SELinux in advisory mode. > > I assume you mean SLES 15 SP3 and not Leap 15.3? > It's really helpful to use correct product and version names, own created > version numbers only lead to confusion and wrong advice. > > In short: as documented since a long time, SLES does not come with a > SELinux policy, you need to bring your own with you. > I don't know why this option is visible in YaST, as only SLE Micro comes > with full SELinux support. > > Thorsten > > > This seems to freeze, in the first boot after Yast has installed the system. > > Eearly in systemd after the kernel is loaded with: > > > > [8.5...] systemd[1]: Failed to load SELinux policy. > > [!!!!!] Failed to load SELinux policy. > > .. Freezing Execution > > > > When using the grub boot config editor and removing "security=selinux selinux > =1 > > enforcing=1" from the linuxefi kernel command line, it succeeded to boot. > > > > BTW: when I only change enforcing=1 to enforcing=0 the boot continues but > shows > > quite a few errors about SELin ux label cannot be determined on systemd > sockets > > because "Function not implemented".and in operations there are errors like > > broken name resolution. > > > > I have not yet tried with more modules. Do I need the Application Server > > module? > > > > I noticed that selinux-tools (from base module) is not installed in minimal > > (only "libselinux1" is present). If a user selects SELInux, it should > probably > > add that packacge to the list. However I added this package manually, and it > > did not help with the situation. > > > > Want me to file a bugzilla? I havent seen it in "Known Issues" here: SLE Beta > > (suse.com) > > > > BTW: I also turned off DHCPv6, but wicket dhcp6 seems to be started anyway? > > > > Gruss > > Bernd > > -- > Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & MicroOS > SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany > Managing Director: Felix Imendoerffer (HRB 36809, AG N?rnberg) -- Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & MicroOS SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany Managing Director: Felix Imendoerffer (HRB 36809, AG N?rnberg) From ecki at zusammenkunft.net Sun May 16 18:09:51 2021 From: ecki at zusammenkunft.net (Bernd Eckenfels) Date: Sun, 16 May 2021 18:09:51 +0000 Subject: 15.3 PRC: SE Linux Policy loading failed In-Reply-To: <20210516162512.GA9125@suse.de> References: <20210516105333.GA28579@suse.de> , <20210516162512.GA9125@suse.de> Message-ID: Hello Thorsten, The aproperiate answer to somebody giving you his spare time to test your beta product is not ?you wrote my version number wrong? but the correct answer is ?thank you?. Anyway, this report is about the latest/only beta candidate of SLES which is currently available, as my original Mail clearly stated. Gruss Bernd -- http://bernd.eckenfels.net ________________________________ Von: sle-beta im Auftrag von Thorsten Kukuk Gesendet: Sonntag, Mai 16, 2021 6:26 PM An: sle-beta at lists.suse.com Betreff: Re: 15.3 PRC: SE Linux Policy loading failed On Sun, May 16, Bernd Eckenfels wrote: > > > I assume you mean SLES 15 SP3 and not Leap 15.3? > > Yes, this is the SLE mailing list. But there is no SLE product with the version number 15.3! > > In short: as documented since a long time, SLES does not come with a SELinux > policy > > The release notes only states that 15.3 does support SELinux, it should > probably add a warning that it lacks default policies. 15.3 is openSUSE Leap. # grep VERSION= /etc/os-release # VERSION="15-SP3" Is it so difficult to use the correct version number to not confuse other people? I filled a bug for SLES 15 SP3 that the release notes are not correct. > > I don't know why this option is visible in YaST, as only SLE Micro comes with > full SELinux support. > > What is SLE Micro? https://www.suse.com/c/suse-linux-enterprise-micro-5-0-is-generally-available/ Thorsten > ??????????????????????????????????????????????????????????????????????????????? > Von: sle-beta im > Auftrag von Thorsten Kukuk > Gesendet: Sunday, May 16, 2021 12:53:33 PM > An: sle-beta at lists.suse.com > Betreff: Re: 15.3 PRC: SE Linux Policy loading failed > > > Hi, > > On Sat, May 15, Bernd wrote: > > > Hello, > > > > I just installed 15.3 PRC in a Hyper-V VM (UEFI with secure boot) to do some > > qualification testing. I used the Full ISO and installed SLES with only the > > base system module in minimal configuration and no registration. In the > > installer I enabled SELinux in advisory mode. > > I assume you mean SLES 15 SP3 and not Leap 15.3? > It's really helpful to use correct product and version names, own created > version numbers only lead to confusion and wrong advice. > > In short: as documented since a long time, SLES does not come with a > SELinux policy, you need to bring your own with you. > I don't know why this option is visible in YaST, as only SLE Micro comes > with full SELinux support. > > Thorsten > > > This seems to freeze, in the first boot after Yast has installed the system. > > Eearly in systemd after the kernel is loaded with: > > > > [8.5...] systemd[1]: Failed to load SELinux policy. > > [!!!!!] Failed to load SELinux policy. > > .. Freezing Execution > > > > When using the grub boot config editor and removing "security=selinux selinux > =1 > > enforcing=1" from the linuxefi kernel command line, it succeeded to boot. > > > > BTW: when I only change enforcing=1 to enforcing=0 the boot continues but > shows > > quite a few errors about SELin ux label cannot be determined on systemd > sockets > > because "Function not implemented".and in operations there are errors like > > broken name resolution. > > > > I have not yet tried with more modules. Do I need the Application Server > > module? > > > > I noticed that selinux-tools (from base module) is not installed in minimal > > (only "libselinux1" is present). If a user selects SELInux, it should > probably > > add that packacge to the list. However I added this package manually, and it > > did not help with the situation. > > > > Want me to file a bugzilla? I havent seen it in "Known Issues" here: SLE Beta > > (suse.com) > > > > BTW: I also turned off DHCPv6, but wicket dhcp6 seems to be started anyway? > > > > Gruss > > Bernd > > -- > Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & MicroOS > SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany > Managing Director: Felix Imendoerffer (HRB 36809, AG N?rnberg) -- Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & MicroOS SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany Managing Director: Felix Imendoerffer (HRB 36809, AG N?rnberg) -------------- next part -------------- An HTML attachment was scrubbed... URL: From ngompa13 at gmail.com Sun May 16 18:21:51 2021 From: ngompa13 at gmail.com (Neal Gompa) Date: Sun, 16 May 2021 14:21:51 -0400 Subject: 15.3 PRC: SE Linux Policy loading failed In-Reply-To: <20210516162512.GA9125@suse.de> References: <20210516105333.GA28579@suse.de> <20210516162512.GA9125@suse.de> Message-ID: On Sun, May 16, 2021 at 12:25 PM Thorsten Kukuk wrote: > > On Sun, May 16, Bernd Eckenfels wrote: > > > > > > I assume you mean SLES 15 SP3 and not Leap 15.3? > > > > Yes, this is the SLE mailing list. > > But there is no SLE product with the version number 15.3! > > > > In short: as documented since a long time, SLES does not come with a SELinux > > policy > > > > The release notes only states that 15.3 does support SELinux, it should > > probably add a warning that it lacks default policies. > > 15.3 is openSUSE Leap. > > # grep VERSION= /etc/os-release > # VERSION="15-SP3" > > Is it so difficult to use the correct version number to not confuse > other people? > > I filled a bug for SLES 15 SP3 that the release notes are not correct. > While it is not commonly referenced that way in SUSE marketing, it is accurate to call SUSE Linux Enterprise 15 SP3 as SUSE Linux Enterprise 15.3. After all, the machine-parseable name VERSION_ID value is set to "15.3" because it's *sane* to handle it that way. I personally wish we'd stop using the "service pack" terminology as it's effectively pointless. -- ?????????/ Always, there's only one truth! From mge at suse.com Sun May 16 20:51:23 2021 From: mge at suse.com (Matthias G. Eckermann) Date: Sun, 16 May 2021 22:51:23 +0200 Subject: 15.3 PRC: SE Linux Policy loading failed In-Reply-To: Message-ID: Hello Bernd, Neal, and all, On 2021-05-16 T 18:09 +0000 Bernd Eckenfels wrote: > The aproperiate answer to somebody giving you his spare time to test > your beta product is not ?you wrote my version number wrong? but the > correct answer is ?thank you?. agreed, and indeed we highly appreciate the time and efforts you are investing to contribute to the quality of our products. In that context we are also noticing that SELinux becomes more relevant, specifically for the use case of container isolation. That's why we support the SELinux stack in SUSE Linux Enterprise as a platform, and an SELinux policy for SUSE Linux Enterprise Micro 5.0. That said, and if your use case is different from container isolation, Bernd, I'd appreciate a use case description, either publically or privately (mge at suse.com) at your choice. > Anyway, this report is about the latest/only beta candidate of SLES > which is currently available, as my original Mail clearly stated. On 2021-05-16 T 14:21 -0400 Neal Gompa wrote: > While it is not commonly referenced that way in SUSE marketing, it > is accurate to call SUSE Linux Enterprise 15 SP3 as SUSE Linux > Enterprise 15.3. I am afraid, Neal, it is not: as you have seen in this case, referring to "15.3" most SUSE employees will connect to openSUSE Leap, while for SUSE Linux Enterprise we are only talking about "15 SP3", and this is an explicit decision, and followed through very thoroughly. Thus I recommend to stick to the "SPx" naming to avoid confusion, for SUSE Linux Enterprise 12 and 15 products. > After all, the machine-parseable name VERSION_ID value is set to > "15.3" because it's *sane* to handle it that way. As you say, "machine-parseable", thus for machines, not for human beings. However, ... > I personally wish we'd stop using the "service pack" terminology as > it's effectively pointless. ... I do not disagree that re-visiting the naming scheme for new products is a good idea, and part of our work in product management. Hint: it is called SUSE Linux Enterprise Micro 5.0 :-) So long - MgE -- Matthias G. Eckermann, Head of Product Management Linux Platforms SUSE Software Solutions Germany GmbH - Maxfeldstr. 5 - 90409 N?rnberg (HRB 36809, AG N?rnberg) Gesch?ftsf?hrer: Felix Imend?rffer From ecki at zusammenkunft.net Mon May 17 05:00:45 2021 From: ecki at zusammenkunft.net (Bernd Eckenfels) Date: Mon, 17 May 2021 05:00:45 +0000 Subject: 15.3 PRC: SE Linux Policy loading failed In-Reply-To: References: , Message-ID: Hello Matthias, I actually don?t have a usecase for SELinux, but in the past (not sure if this was only by customers of the other enterprise Linux) we had customer ask for compatibility with SELinux as a general hardening mechanism on their machines. So we do not ship a policy with our software since it is a pain to maintain, especially for multiple target platforms (and rhe interest is low). However when I do testing of operating systems and I see that they support hardening settings like SELinux, AppArmor, FIPS or the ?paranoid file permissions? Settings I do test them so we can document how to run on such environments (like with unconfined app user). That?s why I tried out the installer setting. This might change for containers, where it is a bit easier to control the required policies, but I don?t have concrete plans yet. (I will look at SLE Micro separately) Having said that, I would actually prefer if you don?t support SELinux since it?s less testing and documenting for me ,) I did not yet had a look at the GMC but I suspect it doesn?t have much differences for my tests. (Still needing a solution for my sftp problem mentioned in the other mail). Gruss Bernd -- http://bernd.eckenfels.net ________________________________ Von: Matthias G. Eckermann Gesendet: Sunday, May 16, 2021 10:51:23 PM An: Bernd Eckenfels ; sle-beta at lists.suse.com ; Neal Gompa ; Thorsten Kukuk Betreff: Re: 15.3 PRC: SE Linux Policy loading failed Hello Bernd, Neal, and all, On 2021-05-16 T 18:09 +0000 Bernd Eckenfels wrote: > The aproperiate answer to somebody giving you his spare time to test > your beta product is not ?you wrote my version number wrong? but the > correct answer is ?thank you?. agreed, and indeed we highly appreciate the time and efforts you are investing to contribute to the quality of our products. In that context we are also noticing that SELinux becomes more relevant, specifically for the use case of container isolation. That's why we support the SELinux stack in SUSE Linux Enterprise as a platform, and an SELinux policy for SUSE Linux Enterprise Micro 5.0. That said, and if your use case is different from container isolation, Bernd, I'd appreciate a use case description, either publically or privately (mge at suse.com) at your choice. > Anyway, this report is about the latest/only beta candidate of SLES > which is currently available, as my original Mail clearly stated. On 2021-05-16 T 14:21 -0400 Neal Gompa wrote: > While it is not commonly referenced that way in SUSE marketing, it > is accurate to call SUSE Linux Enterprise 15 SP3 as SUSE Linux > Enterprise 15.3. I am afraid, Neal, it is not: as you have seen in this case, referring to "15.3" most SUSE employees will connect to openSUSE Leap, while for SUSE Linux Enterprise we are only talking about "15 SP3", and this is an explicit decision, and followed through very thoroughly. Thus I recommend to stick to the "SPx" naming to avoid confusion, for SUSE Linux Enterprise 12 and 15 products. > After all, the machine-parseable name VERSION_ID value is set to > "15.3" because it's *sane* to handle it that way. As you say, "machine-parseable", thus for machines, not for human beings. However, ... > I personally wish we'd stop using the "service pack" terminology as > it's effectively pointless. ... I do not disagree that re-visiting the naming scheme for new products is a good idea, and part of our work in product management. Hint: it is called SUSE Linux Enterprise Micro 5.0 :-) So long - MgE -- Matthias G. Eckermann, Head of Product Management Linux Platforms SUSE Software Solutions Germany GmbH - Maxfeldstr. 5 - 90409 N?rnberg (HRB 36809, AG N?rnberg) Gesch?ftsf?hrer: Felix Imend?rffer -------------- next part -------------- An HTML attachment was scrubbed... URL: From sweiberg at suse.de Mon May 17 07:29:09 2021 From: sweiberg at suse.de (Stefan Weiberg) Date: Mon, 17 May 2021 09:29:09 +0200 Subject: 15.3 PRC: SE Linux Policy loading failed In-Reply-To: <20210516105333.GA28579@suse.de> References: <20210516105333.GA28579@suse.de> Message-ID: <4077CF17-6009-43B9-941E-F0C5D766382E@suse.de> Hi Bernd, Thank you for your report. > On 16. May 2021, at 12:53, Thorsten Kukuk wrote: > > > Hi, > > On Sat, May 15, Bernd wrote: > >> Hello, >> >> I just installed 15.3 PRC in a Hyper-V VM (UEFI with secure boot) to do some >> qualification testing. I used the Full ISO and installed SLES with only the >> base system module in minimal configuration and no registration. In the >> installer I enabled SELinux in advisory mode. > > I assume you mean SLES 15 SP3 and not Leap 15.3? > It's really helpful to use correct product and version names, own created > version numbers only lead to confusion and wrong advice. > > In short: as documented since a long time, SLES does not come with a > SELinux policy, you need to bring your own with you. > I don't know why this option is visible in YaST, as only SLE Micro comes > with full SELinux support. This is actually a bug, which has been fixed after the PublicRC release. This functionality was implemented to enable SELinux configuration via autoYaST in SUSE Linux Enterprise Server and offer a visual configuration option in the installer for products that have a default SUSE SELinux policy available. For now this only applies to SUSE Linux Enterprise Micro and therefore the option has been switched to not be visible in the installer of SUSE Linux Enterprise Server. If a SELinux policy is provided by the user it can still be configured via autoYaST though. Best regards, Stefan -- Stefan Weiberg SLE Releasemanager SUSE Software Solutions Germany GmbH Maxfeldstr. 5 D-90409 N?rnberg T +49-(0)911-740 53 0 M +49-(0)173-587 6848 E https://www.suse.com/ (HRB 36809, AG N?rnberg) Gesch?ftsf?hrer: Felix Imend?rffer -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 228 bytes Desc: Message signed with OpenPGP URL: From mt at suse.de Mon May 17 06:38:04 2021 From: mt at suse.de (Marius Tomaschewski) Date: Mon, 17 May 2021 08:38:04 +0200 Subject: 15.3 PRC: SE Linux Policy loading failed In-Reply-To: References: Message-ID: Hi! Yes, wickedd-dhcp4/dhcp6 are a supplicants of wickedd used for dhcp on all interfaces and always started since SLE-12-GA. To prevent it from starting you can mask them using: `systemctl mask wickedd-dhcp6.service' Don't forget to unmask + re-enable + start them before a configuration that needs them (aka using BOOTROTO=dhcp, dhcp4 or dhcp6) gets applied. Am 15.05.21 um 02:45 schrieb Bernd: > BTW: I also turned off DHCPv6, but wicket dhcp6 seems to be started anyway? Best regards / Mit freundlichen Gr??en, Marius Tomaschewski , -- SUSE Software Solutions Germany GmbH, Maxfeldstra?e 5, 90409 N?rnberg, Germany, HRB 36809, AG N?rnberg, GF: Felix Imend?rffer From tomaz.borstnar at softergee.si Mon May 17 08:11:59 2021 From: tomaz.borstnar at softergee.si (=?UTF-8?B?VG9tYcW+IEJvcsWhdG5hciwgU29mdGVyZ2Vl?=) Date: Mon, 17 May 2021 10:11:59 +0200 Subject: 15.3 PRC: SE Linux Policy loading failed In-Reply-To: References: Message-ID: <48301e7b-591b-b108-ba24-99b7e932e4cf@softergee.si> Matthias G. Eckermann je 16. 05. 21 ob 22:51?napisal: > > agreed, and indeed we highly appreciate the time and efforts you are > investing to contribute to the quality of our products. > > In that context we are also noticing that SELinux becomes more > relevant, specifically for the use case of container isolation. That's > why we support the SELinux stack in SUSE Linux Enterprise as a > platform, and an SELinux policy for SUSE Linux Enterprise Micro 5.0. But we are waiting for policies (notice the plural) since SLES 12 at least. And you are right, those policies are even more important for containers. But do not forget other parts as well. Currently all we have is selinux-policy-targeted package. But what is needed is conservative desktop and server policy as well. Toma? From vmoutoussamy at suse.com Mon May 17 08:54:40 2021 From: vmoutoussamy at suse.com (Vincent Moutoussamy) Date: Mon, 17 May 2021 08:54:40 +0000 Subject: 15.3 PRC: SE Linux Policy loading failed In-Reply-To: References: <20210516105333.GA28579@suse.de> Message-ID: <5AD77125-69AD-4D01-902A-5C5C82AC3751@suse.com> Hi, On 16 May 2021, at 15:39, Bernd Eckenfels > wrote: > I assume you mean SLES 15 SP3 and not Leap 15.3? Yes, this is the SLE mailing list. This is true, but since SLE and openSUSE are now developed together, there is absolutely no issue to discuss openSUSE Leap 15.3 in this mailing list : ). To say it differently we would like to have such SLE/openSUSE reports or discussions during the beta program since it will help our ambition to improve SLE and openSUSE. > In short: as documented since a long time, SLES does not come with a SELinux policy The release notes only states that 15.3 does support SELinux, it should probably add a warning that it lacks default policies. Yes, we are going to rewrote the Release Notes statement about SELinux thanks to your report and suggestion. Thank you and have a nice day, Regards, -- Vincent Moutoussamy SUSE Beta Program Manager JeOS Technical Project Manager Paris, France Gruss Bernd -- http://bernd.eckenfels.net Von: sle-beta im Auftrag von Thorsten Kukuk Gesendet: Sunday, May 16, 2021 12:53:33 PM An: sle-beta at lists.suse.com Betreff: Re: 15.3 PRC: SE Linux Policy loading failed Hi, On Sat, May 15, Bernd wrote: > Hello, > > I just installed 15.3 PRC in a Hyper-V VM (UEFI with secure boot) to do some > qualification testing. I used the Full ISO and installed SLES with only the > base system module in minimal configuration and no registration. In the > installer I enabled SELinux in advisory mode. I assume you mean SLES 15 SP3 and not Leap 15.3? It's really helpful to use correct product and version names, own created version numbers only lead to confusion and wrong advice. In short: as documented since a long time, SLES does not come with a SELinux policy, you need to bring your own with you. I don't know why this option is visible in YaST, as only SLE Micro comes with full SELinux support. Thorsten > This seems to freeze, in the first boot after Yast has installed the system. > Eearly in systemd after the kernel is loaded with: > > [8.5...] systemd[1]: Failed to load SELinux policy. > [!!!!!] Failed to load SELinux policy. > .. Freezing Execution > > When using the grub boot config editor and removing "security=selinux selinux=1 > enforcing=1" from the linuxefi kernel command line, it succeeded to boot. > > BTW: when I only change enforcing=1 to enforcing=0 the boot continues but shows > quite a few errors about SELin ux label cannot be determined on systemd sockets > because "Function not implemented".and in operations there are errors like > broken name resolution. > > I have not yet tried with more modules. Do I need the Application Server > module? > > I noticed that selinux-tools (from base module) is not installed in minimal > (only "libselinux1" is present). If a user selects SELInux, it should probably > add that packacge to the list. However I added this package manually, and it > did not help with the situation. > > Want me to file a bugzilla? I havent seen it in "Known Issues" here: SLE Beta > (suse.com) > > BTW: I also turned off DHCPv6, but wicket dhcp6 seems to be started anyway? > > Gruss > Bernd -- Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & MicroOS SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany Managing Director: Felix Imendoerffer (HRB 36809, AG N?rnberg) -------------- next part -------------- An HTML attachment was scrubbed... URL: From vmoutoussamy at suse.com Mon May 17 09:24:14 2021 From: vmoutoussamy at suse.com (Vincent Moutoussamy) Date: Mon, 17 May 2021 09:24:14 +0000 Subject: 15.3 PRC: ssh audit race crashes In-Reply-To: References: Message-ID: <396D54CC-DE0B-4A23-821C-7F1E143AB542@suse.com> Hello, > On 16 May 2021, at 05:39, Bernd wrote: > > Hello, > > a while back (15.1) I had an support ticket (00202015) open for sshd crashing or closing connections if sftp with high frequency of logins is used. This was supposed to be fixed by this:Bz#1174162 (openssh-7.1p2-audit-race-condition.patch) which I do not see in the changelog, and the rejections and crashes happen again. I see, bsc#1174162 was opened for SLES 15 SP1 which should have a fix with openssh-7.9p1-6.22.1 (also openssh-7.9p1-lp151.4.18.1 for openSUSE Leap 15.1). > Have all those fixes be backported to this or will there be an update to this package available after the release? > > localhost sshd[31128]: fatal: mm_request_receive_expect: read: rtype 123 != type 115 > localhost sshd[32288]: fatal: mm_request_receive_expect: read: rtype 115 != type 123 > localhost kernel: [10140.368402] sshd[32288]: segfault at 308 ip 00005560d39aa1f2 sp 00007fffe4488b60 error 4 in sshd[5560d3951000+d6000] > localhost kernel: [10140.368418] Code: 00 0f 1f 80 00 00 00 00 b8 fd ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 48 85 ff 74 3b 48 8b 87 20 01 00 00 48 85 c0 74 2f 53 <8b> 40 18 48 89 fb a8 02 75 2c a8 04 75 40 48 8b 7b 08 e8 77 4a fb > localhost systemd[1]: Started Process Core Dump (PID 32289/UID 0). > localhost systemd-coredump[32290]: Process 32288 (sshd) of user 1000 dumped core.#012#012Stack trace of thread 32288:#012#0 0x00005560d39aa1f2 n/a (sshd + 0x591f2)#012#1 0x00005560d39b0f30 n/a (sshd + 0x5ff30)#012#2 0x00005560d3963da4 n/a (sshd + 0x12da4)#012#3 0x00005560d39aa70b n/a (sshd + 0x5970b)#012#4 0x00005560d398243e n/a (sshd + 0x3143e)#012#5 0x00005560d398504c n/a (sshd + 0x3404c)#012#6 0x00005560d39ae65d n/a (sshd + 0x5d65d)#012#7 0x00005560d3974cac n/a (sshd + 0x23cac)#012#8 0x00005560d39769fc n/a (sshd + 0x259fc)#012#9 0x00005560d3977ba1 n/a (sshd + 0x26ba1)#012#10 0x00005560d39786f8 n/a (sshd + 0x276f8)#012#11 0x00005560d396cbee n/a (sshd + 0x1bbee)#012#12 0x00005560d39b64ea n/a (sshd + 0x654ea)#012#13 0x00005560d39b6599 n/a (sshd + 0x65599)#012#14 0x00005560d396e5ec n/a (sshd + 0x1d5ec)#012#15 0x00005560d3977233 n/a (sshd + 0x26233)#012#16 0x00005560d3961234 n/a (sshd + 0x10234)#012#17 0x00007fc44a5d034d __libc_start_main (libc.so.6 + 0x2534d)#012#18 0x00005560d3962eea n/a (sshd + 0x11eea) > > Its a bit hard to replicate, but it is Apacke Mina sshd doing simple sftp file uploads with some parallelity. I also tried internal-sftp subsystem, ut it does not really help. > Just to be 100% sure, you were able to reproduce with 15SP3 Beta right? and this is a fresh error output? Anyway, I?ll dig around to check for this with 15SP3 and report here. Have a nice day, > Gruss > Bernd Regards, -- Vincent Moutoussamy SUSE Beta Program Manager JeOS Technical Project Manager Paris, France From ecki at zusammenkunft.net Mon May 17 10:05:37 2021 From: ecki at zusammenkunft.net (Bernd Eckenfels) Date: Mon, 17 May 2021 10:05:37 +0000 Subject: 15.3 PRC: ssh audit race crashes In-Reply-To: <396D54CC-DE0B-4A23-821C-7F1E143AB542@suse.com> References: , <396D54CC-DE0B-4A23-821C-7F1E143AB542@suse.com> Message-ID: Yes, I can confirm that the initial reported problem received an fix and the stock 15SP3PRC install I tried did. again show this (or a similar) problem including the crash shown in the mail. The shown crash was freshly replicated with SLES 15SP3 Public RC (no online updates). it is OpenSSH-Server 8.4p1-1.28 it seems. I can later on try with GMC and upload a report if you can provide me with an upload location. Gruss Bernd -- http://bernd.eckenfels.net ________________________________ Von: Vincent Moutoussamy Gesendet: Monday, May 17, 2021 11:24:14 AM An: Bernd Cc: sle-beta at lists.suse.com Betreff: Re: 15.3 PRC: ssh audit race crashes Hello, > On 16 May 2021, at 05:39, Bernd wrote: > > Hello, > > a while back (15.1) I had an support ticket (00202015) open for sshd crashing or closing connections if sftp with high frequency of logins is used. This was supposed to be fixed by this:Bz#1174162 (openssh-7.1p2-audit-race-condition.patch) which I do not see in the changelog, and the rejections and crashes happen again. I see, bsc#1174162 was opened for SLES 15 SP1 which should have a fix with openssh-7.9p1-6.22.1 (also openssh-7.9p1-lp151.4.18.1 for openSUSE Leap 15.1). > Have all those fixes be backported to this or will there be an update to this package available after the release? > > localhost sshd[31128]: fatal: mm_request_receive_expect: read: rtype 123 != type 115 > localhost sshd[32288]: fatal: mm_request_receive_expect: read: rtype 115 != type 123 > localhost kernel: [10140.368402] sshd[32288]: segfault at 308 ip 00005560d39aa1f2 sp 00007fffe4488b60 error 4 in sshd[5560d3951000+d6000] > localhost kernel: [10140.368418] Code: 00 0f 1f 80 00 00 00 00 b8 fd ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 48 85 ff 74 3b 48 8b 87 20 01 00 00 48 85 c0 74 2f 53 <8b> 40 18 48 89 fb a8 02 75 2c a8 04 75 40 48 8b 7b 08 e8 77 4a fb > localhost systemd[1]: Started Process Core Dump (PID 32289/UID 0). > localhost systemd-coredump[32290]: Process 32288 (sshd) of user 1000 dumped core.#012#012Stack trace of thread 32288:#012#0 0x00005560d39aa1f2 n/a (sshd + 0x591f2)#012#1 0x00005560d39b0f30 n/a (sshd + 0x5ff30)#012#2 0x00005560d3963da4 n/a (sshd + 0x12da4)#012#3 0x00005560d39aa70b n/a (sshd + 0x5970b)#012#4 0x00005560d398243e n/a (sshd + 0x3143e)#012#5 0x00005560d398504c n/a (sshd + 0x3404c)#012#6 0x00005560d39ae65d n/a (sshd + 0x5d65d)#012#7 0x00005560d3974cac n/a (sshd + 0x23cac)#012#8 0x00005560d39769fc n/a (sshd + 0x259fc)#012#9 0x00005560d3977ba1 n/a (sshd + 0x26ba1)#012#10 0x00005560d39786f8 n/a (sshd + 0x276f8)#012#11 0x00005560d396cbee n/a (sshd + 0x1bbee)#012#12 0x00005560d39b64ea n/a (sshd + 0x654ea)#012#13 0x00005560d39b6599 n/a (sshd + 0x65599)#012#14 0x00005560d396e5ec n/a (sshd + 0x1d5ec)#012#15 0x00005560d3977233 n/a (sshd + 0x26233)#012#16 0x00005560d3961234 n/a (sshd + 0x10234)#012#17 0x00007fc44a5d034d __libc_start_main (libc.so.6 + 0x2534d)#012#18 0x00005560d3962eea n/a (sshd + 0x11eea) > > Its a bit hard to replicate, but it is Apacke Mina sshd doing simple sftp file uploads with some parallelity. I also tried internal-sftp subsystem, ut it does not really help. > Just to be 100% sure, you were able to reproduce with 15SP3 Beta right? and this is a fresh error output? Anyway, I?ll dig around to check for this with 15SP3 and report here. Have a nice day, > Gruss > Bernd Regards, -- Vincent Moutoussamy SUSE Beta Program Manager JeOS Technical Project Manager Paris, France -------------- next part -------------- An HTML attachment was scrubbed... URL: From Jan.Hebler at vodafone.com Mon May 17 10:36:41 2021 From: Jan.Hebler at vodafone.com (Hebler, Jan, Vodafone DE) Date: Mon, 17 May 2021 10:36:41 +0000 Subject: uboot for Raspberry 4 Message-ID: Hi Booting RP4 with anything "smarter" than an simple Keyboard is painfully slow here. This is already covered by https://bugzilla.suse.com/show_bug.cgi?id=1171222 but the Bug is marked as "Tumbleweed". [Vodafone] Jan Hebler TIKS, ZV, Senior DC System Administrator VCI Service Operations +49 151 12047285 Jan.Hebler at vodafone.com Vodafone Deutschland GmbH, Germaniastra?e 14-17, 12099 Berlin vodafone.de Together we can C2 General -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: image003.jpg Type: image/jpeg Size: 999 bytes Desc: image003.jpg URL: From vmoutoussamy at suse.com Mon May 17 12:17:13 2021 From: vmoutoussamy at suse.com (Vincent Moutoussamy) Date: Mon, 17 May 2021 12:17:13 +0000 Subject: uboot for Raspberry 4 In-Reply-To: References: Message-ID: <0B5643AC-F69C-4936-A3F9-B1D4FC6EE1B2@suse.com> Hi, I just talked to our QA engineer that is doing the RPi testing and he did not experience a slow boot while using a USB Keyboard. So Jan could you please create a bug report for us? https://bugzilla.suse.com/enter_bug.cgi?product=PUBLIC%20SUSE%20Linux%20Enterprise%20Server%2015%20SP3 Last but not least please be verbose when describing your setup, with or without USB-Hub, etc. Thanks a lot, Regards, -- Vincent Moutoussamy SUSE Beta Program Manager JeOS Technical Project Manager Paris, France > On 17 May 2021, at 12:36, Hebler, Jan, Vodafone DE wrote: > > Hi > > Booting RP4 with anything ?smarter? than an simple Keyboard is painfully slow here. This is already covered by https://bugzilla.suse.com/show_bug.cgi?id=1171222 but the Bug is marked as ?Tumbleweed?. > > > Jan Hebler > TIKS, ZV, Senior DC System Administrator > VCI Service Operations > +49 151 12047285 > Jan.Hebler at vodafone.com > > Vodafone Deutschland GmbH, Germaniastra?e 14-17, 12099 Berlin > > vodafone.de > > Together we can > > > > C2 General From hpj at suse.com Wed May 19 00:47:44 2021 From: hpj at suse.com (Hans Petter Jansson) Date: Wed, 19 May 2021 02:47:44 +0200 Subject: 15.3 PRC: ssh audit race crashes In-Reply-To: References: Message-ID: On Sun, 2021-05-16 at 05:39 +0200, Bernd wrote: > Hello, > > a while back (15.1) I had an support ticket (00202015) open for sshd > crashing or closing connections if sftp with high frequency of logins > is used. This was supposed to be fixed by this:Bz#1174162 (openssh- > 7.1p2-audit-race-condition.patch) which I do not see in the > changelog, and the rejections and crashes happen again. > > Have all those fixes be backported to this or will there be an update > to this package available after the release? Hi, thanks for reporting this. The fix is indeed missing in SP3 and will be available in an update. The surrounding code has changed quite a bit; I've ported the patch and am currently testing it. -- Hans Petter -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: This is a digitally signed message part URL: From beta-programs at suse.com Fri May 21 13:44:13 2021 From: beta-programs at suse.com (SUSE Beta Program) Date: Fri, 21 May 2021 15:44:13 +0200 Subject: [ANNOUNCEMENT] SUSE Linux Enterprise 15 SP3 INTERNAL Gold Master! Message-ID: <60a7b92da25ba_11a992bc-2aa@MacBouille.local.mail> We are happy to announce that after the final validation and acceptance phase, we have INTERNAL Gold Master for SUSE Linux Enterprise 15 Service Pack 3! As of today, Gold Master is identical to Gold Master Candidate! But as for GMC, we are not providing the GM ISOs as part of the SLE Public Beta Program. However we are glad to announce that the release date (FCS) for SLE 15 SP3 is scheduled for 22nd June 2021. In the mean time, you can still use the Public RC ISOs + updates for your evaluation. Any issues reported on previous beta milestones, which do not have a fix included in GMC or issues reported directly on GMC, will be considered to be fixed by Maintenance Updates post release of the final version of SLE 15 SP3. Your feedback matters! Thank you all for your contributions! We can not emphasise enough on how you help us improve the quality of SLE. Our SLE Public Beta Program is still opened until the FCS date so feel free to bring anything to our attention here or by contacting us privately at beta-programs at suse.com. We can even offer to have a direct call if you want one! Questions? If you have any questions, please contact us at beta-programs at suse.com. Your SUSE Linux Enterprise team Click here to unsubscribe[1] [1]:mailto:beta-programs at suse.com?subject=Unsubscribe%20from% 20SLE%20Public%20Beta%20Program&body=Unsubscribe%20from%20SLE %20Public%20Beta%20Program -------------- next part -------------- An HTML attachment was scrubbed... URL: