Bug 2183089

Summary: Reinstalling passt-selinux package leads to temporarily disabled policy
Product: Red Hat Enterprise Linux 9
Reporter: Stefano Brivio <sbrivio>
Component: passt
Assignee: Stefano Brivio <sbrivio>
Status: VERIFIED
QA Contact: Lei Yang <leiyang>
Severity: high
Priority: medium
Version: 9.2
CC: jinzhao, juzhang, leiyang, lvivier, mmalik, mrezanin, yalzhang, ymankad, zhguo
Target Milestone: rc
Keywords: CustomerScenariosInitiative, Triaged, ZStream
Target Release: 9.3
Hardware: All
OS: Linux
Fixed In Version: passt-0^20230222.g4ddbcb9-4.el9
Type: Bug
Bug Blocks: 2190511

Description Stefano Brivio 2023-03-30 11:51:28 UTC
If the passt-selinux package is reinstalled (e.g. with 'dnf reinstall'), the package scriptlets temporarily unload the related SELinux policy with 'semodule -r'. See bz2172268#c45 for a complete example.

We need to modify the spec file with changes equivalent to upstream commit:

  https://passt.top/passt/commit/?id=dd2349661933c4e9756e524ae9465f38b53b7557
  fedora: Refresh SELinux labels in scriptlets, require -selinux package

which, in particular, replaces the existing %preun actions with:

  %postun selinux
  if [ $1 -eq 0 ]; then
  	%selinux_modules_uninstall -s %{selinuxtype} passt
  	%selinux_modules_uninstall -s %{selinuxtype} pasta
  fi

so that the policy modules are unloaded only if the package is actually removed.
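
The scriptlet ordering behind this report, as an added example that is not part of the bug or of the passt spec file: a shell model of a reinstall and an erase, comparing an unload in %preun with the guarded %postun quoted above. The module store is a plain variable (constructed, no real semodule calls), and treating the old %preun as unconditional is an assumption drawn from the description.

```shell
#!/bin/sh
# Constructed model: STORE stands in for the SELinux module store.
STORE=""

load_modules()   { STORE="passt pasta"; }   # stands in for the install done in %post
unload_modules() { STORE=""; }              # stands in for 'semodule -r'

# Old behaviour (assumed unconditional): unload in %preun, whatever $1 is.
preun_old()  { unload_modules; }
postun_old() { :; }

# Fixed behaviour from the report: unload in %postun only when $1 is 0,
# i.e. when no instance of the package remains after the transaction.
preun_new()  { :; }
postun_new() { if [ "$1" -eq 0 ]; then unload_modules; fi; }

# Reinstall or upgrade: rpm runs the incoming %post first ($1=2), then the
# outgoing %preun and %postun with $1=1, so an unload there runs *after*
# the fresh load and wins.
reinstall() {   # $1 = old | new (which scriptlet set to model)
    STORE="passt pasta"     # modules from the earlier install
    load_modules            # incoming package's %post
    "preun_$1" 1            # outgoing package's %preun
    "postun_$1" 1           # outgoing package's %postun
    printf '%s\n' "$STORE"
}

# Plain removal: only the outgoing scriptlets run, with $1=0.
erase() {       # $1 = old | new
    STORE="passt pasta"
    "preun_$1" 0
    "postun_$1" 0
    printf '%s\n' "$STORE"
}
```

`reinstall old` prints an empty line (modules gone), `reinstall new` prints `passt pasta`, and both `erase` variants leave the store empty.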

Comment 4 Lei Yang 2023-05-26 02:45:06 UTC
Hello Stefano

According to the QE test result, the current problem is not fixed. The policy modules brought by the passt-selinux package still do not survive after reinstalling the passt* packages. Please help review the following steps:

1. Check the current status
# rpm -qa selinux\* passt\* | sort
passt-0^20230222.g4ddbcb9-3.el9.x86_64
passt-selinux-0^20230222.g4ddbcb9-3.el9.noarch
selinux-policy-38.1.13-1.el9.noarch
selinux-policy-devel-38.1.13-1.el9.noarch
selinux-policy-targeted-38.1.13-1.el9.noarch

2. Check the policy modules brought by the passt-selinux package
# semodule -lfull | grep -e pasta -e passt
400 passt                        pp          
400 pasta                        pp 

3. Reinstall passt* packages
yum -y reinstall passt-0^20230222.g4ddbcb9-3.el9.x86_64.rpm passt-selinux-0^20230222.g4ddbcb9-3.el9.noarch.rpm

4. Check the policy modules again; they cannot be found on the host
# semodule -lfull | grep -e pasta -e passt
# 

Thanks
Lei

Comment 9 Lei Yang 2023-06-13 00:04:49 UTC
1. Check the current status
# rpm -qa selinux\* passt\* | sort
passt-0^20230222.g4ddbcb9-4.el9.x86_64
passt-selinux-0^20230222.g4ddbcb9-4.el9.noarch
selinux-policy-38.1.14-1.el9.noarch
selinux-policy-devel-38.1.14-1.el9.noarch
selinux-policy-targeted-38.1.14-1.el9.noarch

2. Check the policy modules brought by the passt-selinux package
# semodule -lfull | grep -e pasta -e passt
200 passt                        pp          
200 pasta                        pp    

3. Reinstall passt* packages
# yum -y reinstall passt-0^20230222.g4ddbcb9-4.el9.x86_64.rpm passt-selinux-0^20230222.g4ddbcb9-4.el9.noarch.rpm

4. Check the policy modules again; the policy modules brought by the passt-selinux package survive after reinstalling the passt* packages.
# semodule -lfull | grep -e pasta -e passt
200 passt                        pp          
200 pasta                        pp   

Based on the above test result, this problem has been fixed very well on passt-0^20230222.g4ddbcb9-4.el9.x86_64, so move to "VERIFIED".