Bug
Resolution: Unresolved
Minor
rhel-8.10
Low
EasyFix
rhel-security-selinux
ssg_security
Red Hat Enterprise Linux
All
Quite regularly we see customers opening cases because they get the following error when the policy gets rebuilt (in verbose mode):
Ok: return value of 0.
Committing changes:
Problems processing filecon rules
Failed post db handling
semodule: Failed!
This usually occurs due to conflicts on "filecon" rules.
With RHEL8, it's very hard to find the conflicting rules because semodule doesn't adjust the CIL log level, compared to what is done on RHEL9.
(semodule.c)
RHEL9 code
 25 #include <sepol/cil/cil.h>
  :
406 int main(int argc, char *argv[])
407 {
408     int i, commit = 0;
409     int result;
410     int status = EXIT_FAILURE;
411     const char *genhomedirconargv[] = { "genhomedircon", "-B", "-n" };
412     create_signal_handlers();
413     if (strcmp(basename(argv[0]), "genhomedircon") == 0) {
414         argc = 3;
415         argv = (char **)genhomedirconargv;
416     }
417     parse_command_line(argc, argv);
418
419     cil_set_log_level(CIL_ERR + verbose);
420
421     if (build || check_ext_changes)
422         commit = 1;
423
424     sh = semanage_handle_create();
  :
RHEL8 code
340 int main(int argc, char *argv[])
341 {
342     int i, commit = 0;
343     int result;
344     int status = EXIT_FAILURE;
345     const char *genhomedirconargv[] = { "genhomedircon", "-B", "-n" };
346     create_signal_handlers();
347     if (strcmp(basename(argv[0]), "genhomedircon") == 0) {
348         argc = 3;
349         argv = (char **)genhomedirconargv;
350     }
351     parse_command_line(argc, argv);
352
353     if (build)
354         commit = 1;
355
356     sh = semanage_handle_create();
  :
Please kindly backport lines 419 and 25 to RHEL8. It would save a great deal of time for both customers and support when troubleshooting such issues.
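Added example (not part of the original report and not semodule code): a small scanner that looks for conflicting "filecon" rules across CIL module text, for cases where semodule itself does not name them. It assumes that two rules conflict when they share the same path expression and file type but assign different contexts; the module names and rules in SAMPLE_MODULES are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches a single-line CIL statement: (filecon "<path regex>" <file type> <context>)
FILECON = re.compile(r'^\s*\(filecon\s+"([^"]+)"\s+(\w+)\s+(.+)\)\s*$')

# Constructed sample input: module name -> CIL text (hypothetical modules).
SAMPLE_MODULES = {
    "appA": (
        '(filecon "/opt/app(/.*)?" any (system_u object_r usr_t ((s0) (s0))))\n'
        '(filecon "/opt/app/log(/.*)?" dir (system_u object_r var_log_t ((s0) (s0))))\n'
    ),
    "appB": (
        '(filecon "/opt/app(/.*)?" any (system_u object_r httpd_sys_content_t ((s0) (s0))))\n'
        '(filecon "/opt/app/log(/.*)?" dir (system_u object_r var_log_t ((s0) (s0))))\n'
    ),
}


def find_filecon_conflicts(modules):
    """Return [(path, file_type, [(context, module), ...])] for every
    path/type pair that is mapped to more than one distinct context."""
    seen = defaultdict(set)
    for name, text in modules.items():
        for line in text.splitlines():
            match = FILECON.match(line)
            if not match:
                continue  # not a filecon statement
            path, ftype, context = match.groups()
            context = " ".join(context.split())  # normalise whitespace
            seen[(path, ftype)].add((context, name))

    conflicts = []
    for (path, ftype), entries in sorted(seen.items()):
        # Identical duplicates are ignored (assumption); only differing
        # contexts for the same path and type are reported.
        if len({ctx for ctx, _ in entries}) > 1:
            conflicts.append((path, ftype, sorted(entries)))
    return conflicts


if __name__ == "__main__":
    for path, ftype, entries in find_filecon_conflicts(SAMPLE_MODULES):
        print(f"conflict: {path} [{ftype}]")
        for context, module in entries:
            print(f"  {module}: {context}")
```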