Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-37663

New sap selinux policy requires unconfined policy module

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done-Errata
    • Icon: Major Major
    • rhel-9.5
    • rhel-9.4
    • selinux-policy
    • None
    • selinux-policy-38.1.39-1.el9
    • None
    • Important
    • rhel-sst-security-selinux
    • ssg_security
    • 16
    • None
    • QE ack
    • False
    • Hide

      None

      Show
      None
    • No
    • Red Hat Enterprise Linux
    • None
    • Hide

      The sap policy module is not dependent on the unconfined policy module. The unconfined policy module can get disabled without triggering any errors during a policy rebuild.

      Show
      The sap policy module is not dependent on the unconfined policy module. The unconfined policy module can get disabled without triggering any errors during a policy rebuild.
    • Pass
    • None
    • Unspecified Release Note Type - Unknown
    • All
    • None

      What were you trying to do that didn't work?

      Upgrade from RHEL 9.3 to 9.4 with selinux module 'unconfined' disabled.

      Please provide the package NVR for which bug is seen:

      selinux-policy-targeted-38.1.35-2.el9_4.0.2.

      How reproducible:

      Consistently

      Steps to reproduce

      1. Start with an EL 9.3 host
      2. Disable unconfined policy module (semodule -d unconfined)
      3. Upgrade to EL 9.4
      4.  

      Or

      1. Start with generic el 9.4 host
      2. semodule -d unconfined
      3.  

      Expected results

      Selinux policy continue to work without errors post update

      Ability to disable unconfined module

      Actual results

      Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/100/sap/cil:29
      Failed to resolve AST
      semodule:  Failed!

       

      Custom selinux modules fail to re-apply

       

      Use case 2, unconfined module is not disabled.

      Work-Around:

      1. semodule -e unconfined
      2. dnf update
      3. semodule -d sap
      4. semodule -d unconfined

              rhn-support-zpytela Zdenek Pytela
              redhat-developer-1 Matthew Davis (Inactive)
              Zdenek Pytela Zdenek Pytela
              Milos Malik Milos Malik
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: