- Bug
- Resolution: Unresolved
- Normal
- selinux-policy-42.1.17-1.el10
- Moderate
- rhel-security-selinux
- SELINUX 260218: 18
Overview
As part of the work for RHEL-108712, Subscription Manager is gaining the capability to distinguish between traditional package-mode hosts and bootc/ostree-based systems. This detection is essential to accurately report package persistence information in the packages profile.
To achieve this, Subscription Manager needs to check the existence and state of the /run/ostree-booted file. That access is currently denied by SELinux, which prevents the daemon from functioning correctly on atomic/immutable systems.
Technical Details
- Source daemon: the denials are caused by the rhsmcertd daemon (running in the rhsmcertd_t SELinux domain).
- Target file: /run/ostree-booted.
- Issue: the file currently carries the install_var_run_t SELinux type, and the current policy does not grant rhsmcertd_t the getattr and read permissions needed to access files with that label.
- Symptom: the system fails to detect the ostree/bootc backend, and multiple AVC denials are written to the audit log.
Reason for Change
This change is required now because Subscription Manager is implementing a new feature that needs to detect bootc systems. Without this SELinux policy adjustment, the persistence information in the packages profile will be inaccurate or missing on all modern immutable RHEL/Fedora variants.
Proposed Solution
Update the SELinux policy to allow the rhsmcertd_t domain to perform getattr and read operations specifically for /run/ostree-booted.
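The following script is an added example, not part of this report and not Red Hat's or the selinux-policy project's code. It shows how the AVC denials described under Technical Details are turned into the allow rule the Proposed Solution asks for: the two audit records are constructed samples that match the report's description (rhsmcertd_t denied getattr and read on a file labelled install_var_run_t), `avc_to_allow` reduces them to type-enforcement rules, and `te_module` wraps those rules in a loadable module source in the way `audit2allow -M` does. The module name `rhsmcertd_ostree_local` is an assumed placeholder.

```shell
#!/bin/sh
# Constructed sample AVC records (not copied from the report): the two
# denials the report describes, rhsmcertd_t needing getattr and read on
# a file labelled install_var_run_t.
SAMPLE_AVC_GETATTR='type=AVC msg=audit(1700000000.101:201): avc:  denied  { getattr } for  pid=1234 comm="rhsmcertd" path="/run/ostree-booted" dev="tmpfs" ino=42 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:install_var_run_t:s0 tclass=file permissive=0'
SAMPLE_AVC_READ='type=AVC msg=audit(1700000000.102:202): avc:  denied  { read } for  pid=1234 comm="rhsmcertd" name="ostree-booted" dev="tmpfs" ino=42 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:install_var_run_t:s0 tclass=file permissive=0'

# avc_to_allow: read raw audit lines on stdin and print one type-enforcement
# allow rule per (source type, target type, class), with the denied
# permissions merged and duplicates dropped. This is the reduction
# audit2allow performs on the audit log.
avc_to_allow() {
  awk '
    /avc: *denied/ {
      perms = $0; sub(/.*denied *[{] */, "", perms); sub(/ *[}].*/, "", perms)
      st = $0; sub(/.*scontext=/, "", st); sub(/ .*/, "", st); split(st, a, ":"); st = a[3]
      tt = $0; sub(/.*tcontext=/, "", tt); sub(/ .*/, "", tt); split(tt, b, ":"); tt = b[3]
      cls = $0; sub(/.*tclass=/, "", cls); sub(/ .*/, "", cls)
      key = st " " tt ":" cls
      n = split(perms, p, " ")
      for (i = 1; i <= n; i++)
        if (!((key, p[i]) in seen)) { seen[key, p[i]] = 1; plist[key] = plist[key] " " p[i] }
    }
    END { for (k in plist) printf "allow %s {%s };\n", k, plist[k] }
  ' | sort
}

# te_module NAME: wrap allow rules from stdin in a policy module source (.te)
# with the require block such rules need, as audit2allow -M would produce.
# Build with: checkmodule -M -m -o NAME.mod NAME.te
#             semodule_package -o NAME.pp -m NAME.mod
# Load with:  semodule -i NAME.pp
te_module() {
  rules=$(cat)
  printf 'module %s 1.0;\n\nrequire {\n' "$1"
  printf '%s\n' "$rules" | awk '
    $1 == "allow" {
      split($3, tc, ":")
      types[$2] = 1; types[tc[1]] = 1
      perms = $0; sub(/.*[{] */, "", perms); sub(/ *[}].*/, "", perms)
      n = split(perms, p, " ")
      for (i = 1; i <= n; i++)
        if (!((tc[2], p[i]) in seen)) { seen[tc[2], p[i]] = 1; cls[tc[2]] = cls[tc[2]] " " p[i] }
    }
    END {
      for (t in types) printf "\ttype %s;\n", t
      for (c in cls) printf "\tclass %s {%s };\n", c, cls[c]
    }
  '
  printf '}\n\n%s\n' "$rules"
}

# Usage: on a real host, replace the constructed samples with the output of
#   ausearch -m AVC -c rhsmcertd --raw
printf '%s\n' "$SAMPLE_AVC_GETATTR" "$SAMPLE_AVC_READ" | avc_to_allow | te_module rhsmcertd_ostree_local
```

Two things worth knowing before relying on a module like this. First, `ls -Z /run/ostree-booted` confirms the label the report names; if the file is labelled differently on a given host, the generated rule will not match the denial. Second, SELinux rules are keyed by type, not by path: `allow rhsmcertd_t install_var_run_t:file { getattr read };` lets rhsmcertd_t read every file labelled install_var_run_t, not only /run/ostree-booted. A local module is a reasonable stopgap for affected hosts, but the narrow fix (a dedicated type and file context for /run/ostree-booted, or the distribution policy carrying the rule) belongs in selinux-policy itself, which is what this report requests.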
Relevant links
- PR that introduces the change: feat: added package persistence info in packages profile #3684
- blocks: RHEL-108712 Send package persistence information in package profile (In Progress)
- links to: RHBA-2025:155519 selinux-policy update