Bug 2226701

Summary: Set rhcd_t permissive even when SELinux is disabled
Product: Red Hat Enterprise Linux 9
Component: rhc
Version: 9.3
Status: VERIFIED
Severity: high
Priority: high
Reporter: Alba Hita <ahitacat>
Assignee: CSI Client Tools Bugs <csi-client-tools-bugs>
QA Contact: CSI Client Tools Bugs <csi-client-tools-bugs>
CC: arpandey, cmarinea, redakkan, zpetrace, zpytela
Target Milestone: rc
Keywords: Triaged
Hardware: Unspecified
OS: Unspecified
Fixed In Version: rhc-0.2.4-1.el9
Doc Type: If docs needed, set a value
Type: Bug
Bug Blocks: 2226710

Description Alba Hita 2023-07-26 08:56:06 UTC
Description of problem:
The %post script is not working when SELinux is enabled after the package installation but was disabled during installation.

This is happening when building an image in a container that doesn't have SELinux enabled, and is later installed on bare metal or in a VM that enabled SELinux.

More references: ESSNTL-4875

Version-Release number of selected component (if applicable):
rhc-0.2.3-1.el9

Comment 1 Zdenek Petracek 2023-08-07 10:08:12 UTC
Version of rhc:
[root@kvm-02-guest08 ~]# rhc --version
rhc version 0.2.2

Disable SELinux:
[root@kvm-02-guest08 ~]# cat /etc/selinux/config | grep SELINUX
# SELINUX= can take one of these three values:
# NOTE: In earlier Fedora kernel builds, SELINUX=disabled would also
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
SELINUXTYPE=targeted

[root@kvm-02-guest08 ~]# reboot

[root@kvm-02-guest08 ~]# selinuxenabled
[root@kvm-02-guest08 ~]# echo $?
1
^^ SELinux is disabled

Installing rhc:
[root@kvm-02-guest08 ~]# yum install rhc -y
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use subscription-manager to register.

Last metadata expiration check: 0:08:23 ago on Mon 07 Aug 2023 11:37:18 AM CEST.
Dependencies resolved.
========================================================================================================================================
 Package                  Architecture                Version                               Repository                             Size
========================================================================================================================================
Installing:
 rhc                      x86_64                      1:0.2.2-1.el9                         beaker-AppStream                      9.5 M
...
Installed:
  rhc-1:0.2.2-1.el9.x86_64                                                                                                              

Complete!

Checking for permissive packages:
[root@kvm-02-guest08 ~]# semanage permissive -l

Builtin Permissive Types 

mptcpd_t
rshim_t

Customized Permissive Types

insights_client_t
^^ rhcd_t is missing --> bug successfully reproduced



I removed the rhc package and reinstalled it with a newer package that has fixed the issue:
[root@kvm-02-guest08 ~]# rhc --version
rhc version 0.2.4

[root@kvm-02-guest08 ~]# semanage permissive -l

Builtin Permissive Types 

mptcpd_t
rshim_t

Customized Permissive Types

insights_client_t
rhcd_t
^^ rhcd_t is here --> pre-verification PASSED

Comment 4 Zdenek Petracek 2023-08-09 12:35:05 UTC
[root@kvm-02-guest10 ~]# rhc --version
rhc version 0.2.4

Disabling SELinux:
[root@kvm-02-guest10 ~]# cat /etc/selinux/config | grep SELINUX=
# SELINUX= can take one of these three values:
# NOTE: In earlier Fedora kernel builds, SELINUX=disabled would also
SELINUX=disabled

[root@kvm-02-guest10 ~]# reboot

[root@kvm-02-guest10 ~]# selinuxenabled
[root@kvm-02-guest10 ~]# echo $?
1
^^ SELinux is disabled

Installing rhc:
[root@kvm-02-guest10 ~]# yum install rhc -y
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use subscription-manager to register.

Last metadata expiration check: 0:15:53 ago on Wed 09 Aug 2023 02:14:47 PM CEST.
Dependencies resolved.
======================================================================================================
 Package          Architecture        Version                     Repository                     Size
======================================================================================================
Installing:
 rhc              x86_64              1:0.2.4-1.el9               beaker-AppStream              9.8 M
...
Installed:
  rhc-1:0.2.4-1.el9.x86_64                                                                            

Complete!

[root@kvm-02-guest10 ~]# semanage permissive -l

Builtin Permissive Types 

mptcpd_t
rshim_t

Customized Permissive Types

insights_client_t
rhcd_t
^^ rhcd_t is present as expected --> VERIFICATION PASSED
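
Added example (not part of the bug report and not rhc's own code): a small shell helper that automates the manual check used in the comments above, by parsing `semanage permissive -l` output and testing whether a type appears under "Customized Permissive Types". The function names and the two sample listings are constructed for illustration; the samples mirror the listings shown for rhc 0.2.2 and 0.2.4.

```shell
#!/bin/sh
# Added example: audit helper for image builds, not part of rhc.

# Print the types listed under one section of `semanage permissive -l`
# output read from stdin. $1 is the first word of the section heading
# ("Builtin" or "Customized").
permissive_types() {
    awk -v want="$1" '
        /Permissive Types/      { section = $1; next }  # heading starts a section
        NF == 0                 { next }                # skip blank lines
        index($0, "^^") == 1    { next }                # skip tester annotations
        section == want         { print $1 }
    '
}

# Return 0 if type $1 is listed as a customized permissive type in the
# listing on stdin, non-zero otherwise. -F avoids treating the name as a regex.
is_customized_permissive() {
    permissive_types Customized | grep -qxF -- "$1"
}

# Constructed sample: listing as seen with the affected package installed
# while SELinux was disabled (rhcd_t absent).
sample_before() {
    printf '%s\n' '' 'Builtin Permissive Types ' '' 'mptcpd_t' 'rshim_t' '' \
        'Customized Permissive Types' '' 'insights_client_t' \
        '^^ rhcd_t is missing'
}

# Constructed sample: listing as seen with the fixed package (rhcd_t present).
sample_after() {
    printf '%s\n' '' 'Builtin Permissive Types ' '' 'mptcpd_t' 'rshim_t' '' \
        'Customized Permissive Types' '' 'insights_client_t' 'rhcd_t'
}

# On a live host or inside an image build step (root required):
#   semanage permissive -l | is_customized_permissive rhcd_t \
#       || echo "rhcd_t not permissive: image was built with an affected rhc" >&2
```

Running the check at the end of an image build catches the case from the description, because it inspects the policy store rather than whether SELinux happens to be enabled in the build container.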