Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Undefined
Fix Version/s: rhel-9.4
Affects Version/s: rhel-9.4
Component/s: rhel-system-roles
Labels:
- system_role_selinux

Fixed in Build:
rhel-system-roles-1.23.0-2.1.el9

Pool Team:

sst_system_roles

Dev Target Milestone:
11
Internal Target Milestone:
22
ACKs Check:

QE ack, Dev ack
Target Version:

rhel-9.4
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
Yes
Products:

Red Hat Enterprise Linux

Preliminary Testing:
Pass
Errata Link:
https://errata.devel.redhat.com/advisory/124808

Release Note Type:
Enhancement
Release Note Text:

Hide
.`selinux` role now supports configuring SELinux in disabled mode

With this update, the `selinux` RHEL System Role supports configuring SELinux ports, file contexts, and boolean mappings on nodes that have SELinux set to disabled. This is useful for configuration scenarios before you enable SELinux to permissive or enforcing mode on a system.

Show
.`selinux` role now supports configuring SELinux in disabled mode With this update, the `selinux` RHEL System Role supports configuring SELinux ports, file contexts, and boolean mappings on nodes that have SELinux set to disabled. This is useful for configuration scenarios before you enable SELinux to permissive or enforcing mode on a system.
Release Note Status:
Done

Experience:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

It is possible to configure SELinux on nodes with SELinux disabled before they're switch to permissive/enforcing. The only requirement is that targeted SELinux policy (or a policy configured in /etc/selinux/config) needs to be installed.

Fixes: https://github.com/linux-system-roles/selinux/issues/188

Note that boolean settings doesn't work work even with `ignore_selinux_state=true` - it's a bug in seboolean module which uses `selinux.security_get_boolean_names()` instead of `seobject` API from semanage.

Enhancement: SELinux ports, fcontexts, booleans mappings can be configured on nodes with SELinux disabled.

Reason: It should be possible to configure SELinux - ports, fcontexts, booleans - on nodes with SELinux disabled before they're switch to permissive/enforcing.

Result: It is possible to configure SELinux on nodes with SELinux disabled before they're switch to permissive/enforcing.

Issue Tracker Tickets (Jira or BZ if any):

is cloned by

RHEL-15871 fix: Use `ignore_selinux_state` module option

Release Pending

links to

link to github pull

RHEA-2023:124808 rhel-system-roles bug fix and enhancement update

mentioned on

Merge request - System Roles update 1.23.0-1.1

Assignee:: Richard Megginson

Reporter:: Richard Megginson

Developer:: Richard Megginson

QA Contact:: Jakub Haruda

Doc Contact:: Mirek Jahoda

Votes:: 0 Vote for this issue

Watchers:: 8 Start watching this issue

Created:: 2023/11/06 9:45 PM

Updated:: 2024/05/09 10:18 AM

Resolved:: 2024/04/30 9:50 AM

Target end:: 2024/01/29

Release Date:: 2024/04/30

Details

Description

Attachments

Issue Links

Activity

People

Dates

Hide