Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Undefined
Fix Version/s: rhel-9.4
Affects Version/s: rhel-9.4
Component/s: rhel-system-roles
Labels:
- system_role_selinux

Fixed in Build:
rhel-system-roles-1.23.0-2.1.el9
Regression:
None
Severity:
None

Pool Team:

rhel-sst-system-roles

Dev Target Milestone:
11
Internal Target Milestone:
22
Story Points:
None
ACKs Check:

QE ack, Dev ack
Target Version:

rhel-9.4
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
Yes
Products:

Red Hat Enterprise Linux
Sprint:
None

Preliminary Testing:
Pass
Errata Link:
https://errata.devel.redhat.com/advisory/124808
Test Coverage:
None

Release Note Type:
Enhancement
Release Note Text:

Hide
.`selinux` role now supports configuring SELinux in disabled mode

With this update, the `selinux` RHEL System Role supports configuring SELinux ports, file contexts, and boolean mappings on nodes that have SELinux set to disabled. This is useful for configuration scenarios before you enable SELinux to permissive or enforcing mode on a system.

Show
.`selinux` role now supports configuring SELinux in disabled mode With this update, the `selinux` RHEL System Role supports configuring SELinux ports, file contexts, and boolean mappings on nodes that have SELinux set to disabled. This is useful for configuration scenarios before you enable SELinux to permissive or enforcing mode on a system.
Release Note Status:
Done

Experience:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

It is possible to configure SELinux on nodes with SELinux disabled before they're switch to permissive/enforcing. The only requirement is that targeted SELinux policy (or a policy configured in /etc/selinux/config) needs to be installed.

Fixes: https://github.com/linux-system-roles/selinux/issues/188

Note that boolean settings doesn't work work even with `ignore_selinux_state=true` - it's a bug in seboolean module which uses `selinux.security_get_boolean_names()` instead of `seobject` API from semanage.

Enhancement: SELinux ports, fcontexts, booleans mappings can be configured on nodes with SELinux disabled.

Reason: It should be possible to configure SELinux - ports, fcontexts, booleans - on nodes with SELinux disabled before they're switch to permissive/enforcing.

Result: It is possible to configure SELinux on nodes with SELinux disabled before they're switch to permissive/enforcing.

Issue Tracker Tickets (Jira or BZ if any):

is cloned by

RHEL-15871 fix: Use `ignore_selinux_state` module option

Closed

links to

link to github pull

RHEA-2023:124808 rhel-system-roles bug fix and enhancement update

mentioned on

Merge request - System Roles update 1.23.0-1.1

Assignee:: Richard Megginson

Reporter:: Richard Megginson

Developer:: Richard Megginson

QA Contact:: Jakub Haruda

Doc Contact:: Mirek Jahoda

Votes:: 0 Vote for this issue

Watchers:: 8 Start watching this issue

Created:: 2023/11/06 9:45 PM

Updated:: 2024/05/09 10:18 AM

Resolved:: 2024/04/30 9:50 AM

Target end:: 2024/01/29

Release Date:: 2024/04/30

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates