Bug 2048015

Summary: rpmbooleans.custom: No such file or directory
Product: Red Hat Enterprise Linux 9
Reporter: Jiri Jaburek <jjaburek>
Component: bind
Assignee: Petr Menšík <pemensik>
Status: CLOSED WONTFIX
QA Contact: rhel-cs-infra-services-qe <rhel-cs-infra-services-qe>
Severity: unspecified
Priority: unspecified
Version: 9.0
Keywords: Triaged
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Last Closed: 2023-07-29 07:28:06 UTC
Type: Bug

Description Jiri Jaburek 2022-01-29 03:58:47 UTC
Description of problem:

When I follow a specific sequence to install/remove bind:

  1) dnf install bind
  2) dnf install selinux-policy-mls
  3) dnf remove bind

the remove command prints out a warning:

Running transaction
  Preparing        :                                                        1/1 
  Running scriptlet: bind-32:9.16.23-1.el9.x86_64                           1/1 
  Erasing          : bind-32:9.16.23-1.el9.x86_64                           1/1 
  Running scriptlet: bind-32:9.16.23-1.el9.x86_64                           1/1 
grep: /var/lib/selinux/mls/rpmbooleans.custom: No such file or directory

  Verifying        : bind-32:9.16.23-1.el9.x86_64                           1/1 


This is likely caused by the pretty intimidating postuninstall scriptlet assuming the package was installed with the same set of SELinux policy packages as it is being removed with.

Note that I didn't switch the active policy to mls, I only installed the extra package.

From a cursory look, bind seems to be importing its own policy module, so maybe it would benefit from %pretrans / %posttrans to do that whenever selinux-policy-* is installed.

In any case, the grep error message probably shouldn't be there, even if its presence might indicate a bigger issue.


Version-Release number of selected component (if applicable):
bind-9.16.23-1.el9

Comment 1 Petr Menšík 2022-03-11 12:22:21 UTC
Scriptlets in %post were required to pass an upgrade from an older major release, where the default of the named_write_master_zones SELinux boolean used to be off, but it needs to be on for restarting of named to succeed. That happens in %post on upgrade.

BIND does not ship its own policy, but changes SELinux booleans. The default has been changed in selinux-policy and it should not be required in most cases. It has to be ensured only on upgrade from RHEL8 selinux-policy and the corresponding BIND. It should be updated first in Fedora.

I think OrderWithRequires(post): selinux-policy should be used instead of hard dependencies if possible.

But I am using the %selinux_set_booleans macro provided by selinux-policy. I am not aware of any better way to detect that mls is active. I would expect the macro might itself detect that mls is active or ready to use. I don't know how to check it otherwise. But I would like to get rid of using this macro anyway.
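
The failure mode discussed above (a policy store that exists on disk but has no rpmbooleans.custom) can be handled by checking for the record file before grepping it. The following is an added example, not part of this bug report and not the selinux-policy macro code. The function names are hypothetical, the `name=value` record format is an assumption, and the paths are parameters so the demo runs against a constructed tree instead of /etc/selinux/config and /var/lib/selinux.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; record format is assumed.

# Print the policy type named by SELINUXTYPE= in an SELinux config file ($1).
active_policy_type() {
    [ -r "$1" ] || return 1
    _t=$(sed -n 's/^SELINUXTYPE=\([A-Za-z0-9_-]*\).*$/\1/p' "$1" | tail -n 1)
    [ -n "$_t" ] || return 1
    printf '%s\n' "$_t"
}

# $1 = store root, $2 = policy type, $3 = boolean name.
# Returns 0 if recorded, 1 if the record file has no entry,
# 2 if the store has no rpmbooleans.custom at all (the case in this bug).
boolean_recorded() {
    _file="$1/$2/rpmbooleans.custom"
    [ -f "$_file" ] || return 2
    grep -Eq "^$3(=|\$)" "$_file"
}

# List every policy type under store root $1 that records boolean $2,
# silently skipping stores that were installed after the package.
stores_recording() {
    for _dir in "$1"/*/; do
        [ -d "$_dir" ] || continue
        _type=$(basename "$_dir")
        if boolean_recorded "$1" "$_type" "$2"; then
            printf '%s\n' "$_type"
        fi
    done
}

# Demo on a constructed tree: bind installed under "targeted" only,
# then an "mls" store added later without any record file.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/store/targeted" "$demo_root/store/mls"
printf 'named_write_master_zones=1\n' > "$demo_root/store/targeted/rpmbooleans.custom"
printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$demo_root/config"
echo "active type: $(active_policy_type "$demo_root/config")"
echo "stores recording the boolean: $(stores_recording "$demo_root/store" named_write_master_zones)"
rm -rf "$demo_root"
```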

Comment 4 RHEL Program Management 2023-07-29 07:28:06 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.