RHEL-1548

Remove Glusterd SELinux module from Distribution policy

    • selinux-policy-38.1.27-1.el9
    • Major
    • sst_security_selinux
    • ssg_security
    • 12
    • None
    • QE ack, Dev ack
    • False
    • Yes
    • None
    • The glusterd policy module is not installed during the installation of the selinux-policy* RPMs.
    • Pass
    • None
    • Enhancement
    • .The `glusterd` SELinux module moved to a separate `glusterfs-selinux` package

      With this update, the `glusterd` SELinux module is maintained in the separate `glusterfs-selinux` package. The module is therefore no longer part of the `selinux-policy` package. For any actions that concern the `glusterd` module, install and use the `glusterfs-selinux` package.
    • Done
    • None

      Similar to RHEL 8, we would like to remove the gluster selinux module from distribution policy.

      +++ This bug was initially created as a clone of Bug #1816718 +++

      +++ This bug was initially created as a clone of Bug #1460654 +++

      Description of problem:
      Due to the different timelines of the Gluster and RHEL products, we have a lot of Z-stream errata in RHEL because of changes in the Glusterd SELinux module, which is shipped by selinux-policy in RHEL base. This is quite uncomfortable for both sides (selinux-team and gluster team). We have a solution for this situation: the Glusterd SELinux module can be shipped by the Gluster team in its own (sub)package. For more info please see:

      Shipping a custom SELinux policy together with a product brings several benefits:

      Changes in a policy can be modified immediately, so the product package maintainer does not need to wait until the distribution SELinux policy is updated.

      Policy changes in product SELinux policy can be released together with changes in product package so SELinux policy will be always synchronized with a product.

      A product package can follow different timeline deadlines than the SELinux policy package; this can cause issues, and a customer can get a new product package version without the necessary changes in SELinux policy, which can block some functionality of a product.

      Actual results:
      Glusterd SELinux module is part of selinux-policy package in RHEL.

      Expected results:
      Glusterd SELinux module will be part of glusterd package.

      — Additional comment from Red Hat Bugzilla Rules Engine on 2017-06-12 12:49:33 CEST —

      Since this bug report was entered in Red Hat Bugzilla, the release flag has been set to ? to ensure that it is properly evaluated for this release.

      — Additional comment from Lukas Vrabec on 2017-08-16 12:55:13 CEST —

      After meeting with Gluster folks, this should be done in rhel-7.6

      — Additional comment from Dalibor Pospíšil on 2018-04-04 11:07:41 CEST —

      Granting qa_ack+ for rhel-7.6.0

      — Additional comment from Lukas Vrabec on 2018-06-26 14:00:13 CEST —

      Moving to RHEL-7.7 for now. We'll discuss how this issue will be handled here:

      https://docs.engineering.redhat.com/display/RHELPLAN/SELinux%3A+Extract+Gluster+SELinux+security+module+from+Distribution+policy?focusedCommentId=60660284#comment-60660284

      — Additional comment from Lukas Vrabec on 2019-02-05 13:30:16 CET —

      Hi Milind,

      How does it look? Could we push the glusterfs-selinux package to your product and remove it from the selinux-policy package?

      Thanks for the update.
      Lukas.

      — Additional comment from Zdenek Pytela on 2019-03-14 18:05:36 CET —

      This issue was not selected to be included in Red Hat Enterprise Linux 7.7 because it has been stalled for some time and the very next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available.

      We will now close this issue and continue the effort in Red Hat Enterprise Linux 8.

      — Additional comment from RHEL Program Management on 2020-09-30 12:13:56 CEST —

      pm_ack is no longer used for this product. The flag has been reset.

      See https://issues.redhat.com/browse/PTT-1821 for additional details or contact lmiksik@redhat.com if you have any questions.

      — Additional comment from Karel Srot on 2021-05-05 10:55:59 CEST —

      @QE: BaseOS bug triage rating for this bug has been cloned from the original bug. Please, confirm that the current value is correct by removing the 'needsTriage' label from QA Whiteboard. Details can be found at https://wiki.test.redhat.com/BaseOs/BugTriageRatingSystem#Supportintools

      — Additional comment from Milos Malik on 2021-05-10 18:50:15 CEST —

      Proposed acceptance criteria:

      • SELinux policy packages will not ship the glusterd policy module
      • the glusterfs-selinux requirement is added to all our automated TCs which deal with gluster

      — Additional comment from Zdenek Pytela on 2021-06-02 17:07:21 CEST —

      It needs to be reconsidered because of references from other modules:

      rpc.te: glusterd_manage_log(nfsd_t)
      rpc.te: glusterd_manage_pid(nfsd_t)
      rpm.te: glusterd_filetrans_named_pid(rpm_script_t)

      rsync.te: glusterd_stream_connect(rsync_t)

      samba.te: glusterd_read_conf(smbd_t)
      samba.te: glusterd_rw_lib(smbd_t)
      samba.te: glusterd_manage_pid(smbd_t)

      virt.te: glusterd_manage_pid(virt_domain)
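
One way to produce a list like the one in the comment above from a policy source tree, as an added example that is not part of the bug thread or of selinux-policy. It assumes refpolicy-style `.te` sources, where a call outside an `optional_policy` block makes the calling module depend on the module being removed; `list_module_refs`, `demo` and the two sample files are constructed for illustration.

```shell
#!/bin/sh
# list_module_refs MODULE DIR
# For every DIR/*.te except MODULE.te, print "file: call optional|REQUIRED"
# for each MODULE_* interface call, depending on optional_policy nesting.
list_module_refs() {
    for f in "$2"/*.te; do
        [ -e "$f" ] || continue
        [ "${f##*/}" = "$1.te" ] && continue
        awk -v mod="$1" -v name="${f##*/}" '
            { sub(/#.*/, "") }                      # strip comments
            /^[ \t]*[a-z_]+\(.*`[ \t]*$/ {          # m4 block opens: push macro name
                m = $0; sub(/^[ \t]*/, "", m); sub(/\(.*/, "", m)
                stack[++depth] = m
                if (m == "optional_policy") opt++
                next
            }
            /^[ \t]*\047\)/ {                       # closing quote + paren: pop block
                if (depth > 0 && stack[depth--] == "optional_policy") opt--
                next
            }
            match($0, mod "_[a-z0-9_]+\\([^)]*\\)") {
                print name ": " substr($0, RSTART, RLENGTH), (opt ? "optional" : "REQUIRED")
            }
        ' "$f"
    done
}

# Constructed sample sources (stand-ins, not the shipped rpc.te / samba.te;
# demo_tunable is a hypothetical boolean).
demo() {
    d=$(mktemp -d)
    cat > "$d/rpc.te" <<'EOF'
optional_policy(`
	glusterd_manage_log(nfsd_t)
')
EOF
    cat > "$d/samba.te" <<'EOF'
tunable_policy(`demo_tunable',`
	fs_manage_fusefs_files(smbd_t)
')
glusterd_read_conf(smbd_t)   # call outside any optional block
EOF
    list_module_refs glusterd "$d"
    rm -rf "$d"
}
demo
```

Any line reported as `REQUIRED` is a reference that has to be wrapped or removed before the module can be dropped from the distribution policy.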

      — Additional comment from RHEL Program Management on 2021-06-02 17:07:28 CEST —

      Release+ was dropped because the Internal Target Milestone field is empty and the bug does not appear to target ZStream.

      — Additional comment from Zdenek Pytela on 2021-08-12 18:24:36 CEST —

      https://src.osci.redhat.com/fork/zpytela/rpms/selinux-policy/c/66d0a5059079b7068e093ae6aa9106311f6d98c0
      commit 66d0a5059079b7068e093ae6aa9106311f6d98c0
      Author: Zdenek Pytela <zpytela@redhat.com>
      Date: Thu Aug 12 17:57:42 2021 +0200

      Remove glusterd SELinux module from distribution policy

      The glusterd module was deleted in the modules-targeted-contrib.conf
      and modules-minimum-contrib.conf files.
      Incorrect reference to gluster inside the tomcat module was fixed.

      Resolves: rhbz#1816718

      — Additional comment from RHEL Program Management on 2021-08-19 09:31:22 CEST —

      DevMissed

      The Current Deadline for this BZ has passed. Please discuss with your PO & QE Contact and revise the Current Deadline by either updating the DTM or setting a custom deadline type and date. Note that BZs that miss their due date by more than 2 weeks will automatically lose their ITM and thus their release+. Resetting ITM will cause release+ to be restored.

      More details about the deadline management are available at https://one.redhat.com/rhel-developer-guide/#_using_deadlines_to_prioritize_work

      — Additional comment from Milos Malik on 2021-08-20 19:33:32 CEST —

      # rpm -qa selinux*
      selinux-policy-devel-3.14.3-77.el8.noarch
      selinux-policy-mls-3.14.3-77.el8.noarch
      selinux-policy-minimum-3.14.3-77.el8.noarch
      selinux-policy-3.14.3-77.el8.noarch
      selinux-policy-sandbox-3.14.3-77.el8.noarch
      selinux-policy-targeted-3.14.3-77.el8.noarch
      selinux-policy-doc-3.14.3-77.el8.noarch
      # semodule -l | grep -i gluster
      #

      — Additional comment from errata-xmlrpc on 2021-08-23 10:21:29 CEST —

      This bug has been added to advisory RHBA-2021:76436 by Milos Malik (mmalik@redhat.com)

      — Additional comment from errata-xmlrpc on 2021-08-23 10:21:30 CEST —

      Bug report changed to ON_QA status by Errata System.
      A QE request has been submitted for advisory RHBA-2021:76436-02
      https://errata.devel.redhat.com/advisory/76436

      — Additional comment from errata-xmlrpc on 2021-11-09 01:28:41 CET —

      Bug report changed to RELEASE_PENDING status by Errata System.
      Advisory RHBA-2021:76436-03 has been changed to PUSH_READY status.
      https://errata.devel.redhat.com/advisory/76436

      — Additional comment from errata-xmlrpc on 2021-11-09 20:42:28 CET —

      Since the problem described in this bug report should be
      resolved in a recent advisory, it has been closed with a
      resolution of ERRATA.

      For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
      files, follow the link below.

      If the solution does not work for you, open a new bug report.

      https://access.redhat.com/errata/RHBA-2021:4420

            Zdenek Pytela
            Nikola Kňažeková (Inactive)
            Milos Malik
            Jan Fiala