Bug
Resolution: Unresolved
rhel-9.4.z, rhel-9.5
rhel-sst-security-special-projects
ssg_security
What were you trying to do that didn't work?
I am trying to build a package that ships additional rules for fapolicyd.
To properly load those rules, the package contains the following scriptlets:
%post
%{_sbindir}/fagenrules --load
%{_bindir}/systemctl try-restart fapolicyd.service

%postun
%{_sbindir}/fagenrules --load
%systemd_postun_with_restart fapolicyd.service
When the package is already installed and you reinstall it (or upgrade), fapolicyd crashes:
Nov 11 09:33:00 rhel9.tanso.example.com fapolicyd[9808]: shutting down...
Nov 11 09:33:00 rhel9.tanso.example.com systemd[1]: Stopping File Access Policy Daemon...
Nov 11 09:33:01 rhel9.tanso.example.com fapolicyd[9808]: Ruleset identity: 2deb9ad8ebbb2141031f00077a4c2dcfc9d108727e9e42c15fd14f91e4cca19e
Nov 11 09:33:01 rhel9.tanso.example.com fapolicyd[9808]: It looks like there was an update of the system... Syncing DB.
Nov 11 09:33:01 rhel9.tanso.example.com fapolicyd[9808]: Loading rpmdb backend
Nov 11 09:33:01 rhel9.tanso.example.com fapolicyd[9808]: Updating trust database
Nov 11 09:33:01 rhel9.tanso.example.com fapolicyd[9808]: Creating trust database
Nov 11 09:33:01 rhel9.tanso.example.com fapolicyd[9808]: Loading trust data from rpmdb backend
Nov 11 09:33:01 rhel9.tanso.example.com fapolicyd[9808]: Loading trust data from file backend
Nov 11 09:33:01 rhel9.tanso.example.com fapolicyd[9808]: Updated
Nov 11 09:33:02 rhel9.tanso.example.com systemd[1]: fapolicyd.service: Deactivated successfully.
Nov 11 09:33:02 rhel9.tanso.example.com systemd[1]: Stopped File Access Policy Daemon.
Nov 11 09:33:02 rhel9.tanso.example.com systemd[1]: Starting File Access Policy Daemon...
Nov 11 09:33:02 rhel9.tanso.example.com fagenrules[9843]: /usr/sbin/fagenrules: No change
Nov 11 09:33:02 rhel9.tanso.example.com fapolicyd[9868]: 11/11/2024 09:33:02 [ INFO ]: Can handle 524288 file descriptors
Nov 11 09:33:02 rhel9.tanso.example.com fapolicyd[9868]: 11/11/2024 09:33:02 [ INFO ]: Ruleset identity: 2deb9ad8ebbb2141031f00077a4c2dcfc9d108727e9e42c15fd14f91e4cca19e
Nov 11 09:33:02 rhel9.tanso.example.com fapolicyd[9869]: Initializing the trust database
Nov 11 09:33:02 rhel9.tanso.example.com systemd[1]: Started File Access Policy Daemon.
Nov 11 09:33:02 rhel9.tanso.example.com fapolicyd[9869]: fapolicyd integrity is 0
Nov 11 09:33:02 rhel9.tanso.example.com fapolicyd[9869]: Loading rpmdb backend
Nov 11 09:33:02 rhel9.tanso.example.com systemd[1]: fapolicyd.service: Main process exited, code=exited, status=129/n/a
Nov 11 09:33:02 rhel9.tanso.example.com systemd[1]: fapolicyd.service: Failed with result 'exit-code'.
What is the impact of this issue to you?
Breaks systems?
I can work around it by using "systemctl try-restart fapolicyd.service" in postun, but would expect the macro also to work.
Please provide the package NVR for which the bug is seen:
- fapolicyd-1.3.2-100.el9.x86_64 (9.4)
- fapolicyd-1.3.3-100.el9.x86_64 (9.5)
How reproducible is this bug?:
100%
Steps to reproduce
- Build dummy-fapolicyd.rpm from the below spec
- Install resulting RPM
- Reinstall resulting RPM
Expected results
fapolicyd is running
Actual results
fapolicyd has crashed
Additional information
Name: dummy-fapolicyd
Version: 1.0
Release: 1%{?dist}
Summary: dummy fapolicyd rules
Group: System Environment/Base
License: GPLv3+
BuildArch: noarch
Requires: fapolicyd
Requires: systemd
BuildRequires: systemd-rpm-macros

%description
dummy fapolicyd rules

%prep

%build

%install

%post
%{_sbindir}/fagenrules --load
%{_bindir}/systemctl try-restart fapolicyd.service

%postun
%{_sbindir}/fagenrules --load
%systemd_postun_with_restart fapolicyd.service

%files

%changelog
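
An added example, not part of the original report: a journal check that flags the failure shown in the log above, where systemd reports fapolicyd as started and the main process then exits. The function name, the 10-second window and the `year` parameter are assumptions; the sample lines are excerpted from the report's log.

```python
import re
from datetime import datetime, timedelta

# Journal lines excerpted from the report above (syslog format, no year).
SAMPLE = """\
Nov 11 09:33:02 rhel9.tanso.example.com systemd[1]: Stopped File Access Policy Daemon.
Nov 11 09:33:02 rhel9.tanso.example.com systemd[1]: Starting File Access Policy Daemon...
Nov 11 09:33:02 rhel9.tanso.example.com fagenrules[9843]: /usr/sbin/fagenrules: No change
Nov 11 09:33:02 rhel9.tanso.example.com systemd[1]: Started File Access Policy Daemon.
Nov 11 09:33:02 rhel9.tanso.example.com fapolicyd[9869]: Loading rpmdb backend
Nov 11 09:33:02 rhel9.tanso.example.com systemd[1]: fapolicyd.service: Main process exited, code=exited, status=129/n/a
Nov 11 09:33:02 rhel9.tanso.example.com systemd[1]: fapolicyd.service: Failed with result 'exit-code'.
"""

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) systemd\[1\]: (.*)$")
STARTED = "Started File Access Policy Daemon."
EXITED = re.compile(r"^fapolicyd\.service: Main process exited, code=(\w+), status=(\S+)")


def find_early_exits(text, window=timedelta(seconds=10), year=2024):
    """Return (host, started_at, status) for each fapolicyd exit within
    `window` of a successful start. `window` and `year` are assumptions:
    syslog timestamps carry no year, and 10 s is an arbitrary threshold."""
    last_start = {}  # host -> time of the most recent "Started" message
    hits = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a systemd (PID 1) message
        stamp, host, msg = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if msg == STARTED:
            last_start[host] = when
            continue
        e = EXITED.match(msg)
        if e and host in last_start and when - last_start[host] <= window:
            hits.append((host, last_start.pop(host), e.group(2)))
    return hits


if __name__ == "__main__":
    for host, started, status in find_early_exits(SAMPLE):
        print(f"{host}: fapolicyd exited with status {status} right after start at {started:%H:%M:%S}")
```

A clean stop ("Deactivated successfully") is not matched, so an ordinary restart produces no hit.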