Bug 2196642

Summary: Fix selinux-policy update behavior under rpm-ostree with user-installed policy modules
Product: Red Hat Enterprise Linux 9
Reporter: Micah Abbott <miabbott>
Component: ostree
Assignee: RHCOS SST <rhcos-sst>
Status: NEW ---
QA Contact: RHCOS SST QE <rhcos-sst-qe>
Severity: medium
Docs Contact:
Priority: low
Version: 9.1
CC: fdeutsch, hhei, jcastran, jdickers, jlebon, lvrabec, miabbott, mrussell, omosnace, travier, walters, wenshen, ykashtan
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 2057497
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2049189, 2057497
Bug Blocks:

Description Micah Abbott 2023-05-09 17:15:27 UTC
Cloned BZ#2057497 to explore the feasibility of backporting the fix for that problem to RHEL 9.1.

We had a RHEL for Edge customer hit this problem after doing a SELinux policy modification on RHEL 9.0 and then running into problems after upgrading to RHEL 9.1.

See https://redhat-internal.slack.com/archives/C01UHN61GSD/p1683290313616689
See https://access.redhat.com/support/cases/#/case/03503744

The upstream issue that tracks this (or part of this) is https://github.com/coreos/rpm-ostree/issues/27.

A workaround for this is currently included in Red Hat CoreOS via a systemd unit that runs `semodule -B` early in the boot process:

https://github.com/openshift/os/blob/master/overlay.d/05rhcos/usr/lib/systemd/system/rhcos-selinux-policy-upgrade.service
https://github.com/openshift/os/blob/master/overlay.d/05rhcos/usr/libexec/rhcos-rebuild-selinux-policy
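
The kind of boot-time helper the description refers to, written here as an added example; this is not the RHCOS unit or script linked above. It rebuilds the binary policy with `semodule -B` only when the module store looks newer than the compiled policy. The mtime comparison, the default paths under /var/lib/selinux and /etc/selinux, the unit ordering sketched in the comments and the script name `selinux-policy-rebuild` are all this example's assumptions, not anything the bug states.

```shell
#!/bin/sh
# Added example, not the RHCOS unit or script this bug links to: a minimal
# boot-time helper that runs `semodule -B` when the SELinux module store has
# changed more recently than the compiled policy file. The mtime heuristic and
# the default paths below are assumptions of this example.

# Return 0 (true) when any file under the module store is newer than the
# compiled policy, or when the compiled policy is missing altogether.
policy_needs_rebuild() {
    store="$1"
    policy="$2"
    [ -f "$policy" ] || return 0
    [ -n "$(find "$store" -type f -newer "$policy" -print 2>/dev/null)" ]
}

# Rebuild only if needed and say which way the decision went, so that the
# message ends up in the journal when run from a oneshot unit.
# Default paths assume the targeted policy store (assumption, not from the page).
rebuild_if_stale() {
    store="${1:-/var/lib/selinux/targeted/active/modules}"
    policy="${2:-$(ls /etc/selinux/targeted/policy/policy.* 2>/dev/null | tail -n 1)}"
    if policy_needs_rebuild "$store" "$policy"; then
        echo "SELinux module store is newer than ${policy:-<no compiled policy>}; rebuilding"
        semodule -B
    else
        echo "SELinux compiled policy is current; nothing to do"
    fi
}

# A unit that invokes this early in boot could look like the following
# (assumed ordering; not the RHCOS unit):
#   [Unit]
#   Description=Rebuild SELinux policy if the module store changed
#   DefaultDependencies=no
#   After=local-fs.target
#   Before=basic.target
#   [Service]
#   Type=oneshot
#   ExecStart=/usr/libexec/selinux-policy-rebuild
#   [Install]
#   WantedBy=basic.target

# Only act when executed under the assumed script name, so that the file can be
# sourced to test policy_needs_rebuild without touching the live system.
case "${0##*/}" in
    selinux-policy-rebuild) rebuild_if_stale "$@" ;;
esac
```

The staleness check is deliberately conservative: a missing compiled policy counts as stale, and any file in the store newer than the policy triggers a rebuild, so a user-installed module that survived an upgrade is folded back into the binary policy rather than silently left out.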

Comment 1 Colin Walters 2023-05-09 18:03:52 UTC
This is fixed since ostreedev/ostree#2569 in ostree v2022.3, which is shipped in 9.1 already.

But note that the fix needs to be in the version we're upgrading *from*.  We could try to ship this back to 9.0.z but it's a nontrivial patch.

Comment 3 Timothée Ravier 2023-05-10 08:53:29 UTC
This also depends on fixes in libsemanage and policycoreutils that I've verified have landed in 9.0 already:
- https://bugzilla.redhat.com/show_bug.cgi?id=2049191 in 9.0
- https://bugzilla.redhat.com/show_bug.cgi?id=2049193 in 9.0
- https://bugzilla.redhat.com/show_bug.cgi?id=2104935 in 9.1 backported to 9.0 with https://bugzilla.redhat.com/show_bug.cgi?id=2129140

Comment 4 Timothée Ravier 2023-05-10 08:56:26 UTC
Link for upstream ostree PR: https://github.com/ostreedev/ostree/pull/2569