Bug 2196642

Summary: Fix selinux-policy update behavior under rpm-ostree with user-installed policy modules
Product: Red Hat Enterprise Linux 9
Reporter: Micah Abbott <miabbott>
Component: ostree
Assignee: RHCOS SST <rhcos-sst>
Status: CLOSED WONTFIX
QA Contact: RHCOS SST QE <rhcos-sst-qe>
Severity: medium
Docs Contact:
Priority: low
Version: 9.1
CC: fdeutsch, hhei, jcastran, jdickers, jlebon, lvrabec, miabbott, mrussell, omosnace, travier, walters, wenshen, ykashtan
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 2057497
Environment:
Last Closed: 2023-08-31 15:21:23 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2049189, 2057497
Bug Blocks:

Description Micah Abbott 2023-05-09 17:15:27 UTC
Cloned BZ#2057497 to explore the feasibility of backporting the fix for that problem to RHEL 9.1.

We had a RHEL for Edge customer hit this problem after doing a SELinux policy modification on RHEL 9.0 and then running into problems after upgrading to RHEL 9.1.

See https://redhat-internal.slack.com/archives/C01UHN61GSD/p1683290313616689
See https://access.redhat.com/support/cases/#/case/03503744

The upstream issue that tracks this (or part of this) is https://github.com/coreos/rpm-ostree/issues/27.

A workaround for this is currently included in Red Hat CoreOS via a systemd unit that runs `semodule -B` early in the boot process:

https://github.com/openshift/os/blob/master/overlay.d/05rhcos/usr/lib/systemd/system/rhcos-selinux-policy-upgrade.service
https://github.com/openshift/os/blob/master/overlay.d/05rhcos/usr/libexec/rhcos-rebuild-selinux-policy
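As an added example (not the rhcos-rebuild-selinux-policy script or the systemd unit linked above, and not ostree's own fix), the following POSIX shell check illustrates the symptom this bug describes and the workaround's action: a compiled policy.NN carried forward in /etc that is older than the module store, repaired by `semodule -B`. The paths, the mtime heuristic and the `SEMODULE` override are assumptions made for this example; the real RHCOS unit simply runs `semodule -B` unconditionally early in boot.

```shell
#!/bin/sh
# Added example, not the RHCOS unit or script linked above.
# Assumptions: the compiled policy lives in POLICY_DIR (default
# /etc/selinux/targeted/policy, which is part of the per-deployment /etc that
# rpm-ostree merges across upgrades) and the module store in STORE_DIR
# (default /var/lib/selinux/targeted/active). "Stale" is approximated by
# mtime: any store file newer than the newest policy.NN means the compiled
# policy does not reflect the installed modules.

# policy_needs_rebuild POLICY_DIR STORE_DIR
# Exit status 0 ("rebuild") when no compiled policy.NN exists, or when any
# file under STORE_DIR has a newer mtime than the newest policy.NN.
policy_needs_rebuild() {
    policy_dir=$1
    store_dir=$2
    # ls -t sorts newest first; an unmatched glob leaves the variable empty.
    newest_policy=$(ls -t "$policy_dir"/policy.* 2>/dev/null | head -n 1)
    [ -n "$newest_policy" ] || return 0
    newer=$(find "$store_dir" -type f -newer "$newest_policy" 2>/dev/null | head -n 1)
    [ -n "$newer" ]
}

# rebuild_policy_if_stale [POLICY_DIR] [STORE_DIR]
# Runs the rebuild command (SEMODULE, default "semodule -B") only when the
# check above says so. Returns 0 if a rebuild was run, 1 if already current.
rebuild_policy_if_stale() {
    if policy_needs_rebuild "${1:-/etc/selinux/targeted/policy}" \
                            "${2:-/var/lib/selinux/targeted/active}"; then
        echo "compiled policy older than module store: rebuilding"
        ${SEMODULE:-semodule -B}
        return 0
    fi
    echo "compiled policy is current"
    return 1
}

# Constructed demonstration (temporary directories, dry-run rebuild):
# policy compiled on day 1, a user module installed into the store on day 2,
# which is the situation the report describes after a policy modification.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/policy" "$demo_dir/store/modules/400/mymod"
touch -t 202301010000 "$demo_dir/policy/policy.33"
touch -t 202301020000 "$demo_dir/store/modules/400/mymod/cil"
SEMODULE="echo dry-run: semodule -B" rebuild_policy_if_stale "$demo_dir/policy" "$demo_dir/store" || true
rm -rf "$demo_dir"
```

Run it as root with no arguments to check the real directories; `SEMODULE=true` turns it into a pure check whose exit status (0 = stale) can be used from a unit's ExecCondition or a monitoring probe.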

Comment 1 Colin Walters 2023-05-09 18:03:52 UTC
This is fixed since ostreedev/ostree#2569 in ostree v2022.3, which is shipped in 9.1 already.

But note that the fix needs to be in the version we're upgrading *from*. We could try to ship this back to 9.0.z but it's a nontrivial patch.

Comment 3 Timothée Ravier 2023-05-10 08:53:29 UTC
This also depends on fixes in libsemanage and policycoreutils that I've verified have landed in 9.0 already:
- https://bugzilla.redhat.com/show_bug.cgi?id=2049191 in 9.0
- https://bugzilla.redhat.com/show_bug.cgi?id=2049193 in 9.0
- https://bugzilla.redhat.com/show_bug.cgi?id=2104935 in 9.1 backported to 9.0 with https://bugzilla.redhat.com/show_bug.cgi?id=2129140

Comment 4 Timothée Ravier 2023-05-10 08:56:26 UTC
Link for upstream ostree PR: https://github.com/ostreedev/ostree/pull/2569

Comment 7 Timothée Ravier 2023-08-31 15:21:23 UTC
Given that this is fixed in 9.2 and that 9.1 is no longer supported, we will close this issue as it's unlikely that we'll be able to fix it.