Bug 2226701

Summary: Set rhcd_t permissive even when SELinux is disabled
Product: Red Hat Enterprise Linux 9
Component: rhc
Version: 9.3
Status: CLOSED ERRATA
Severity: high
Priority: high
Reporter: Alba Hita <ahitacat>
Assignee: CSI Client Tools Bugs <csi-client-tools-bugs>
QA Contact: CSI Client Tools Bugs <csi-client-tools-bugs>
CC: arpandey, cmarinea, redakkan, zpetrace, zpytela
Target Milestone: rc
Keywords: Triaged
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Fixed In Version: rhc-0.2.4-1.el9
Last Closed: 2023-11-07 08:36:45 UTC
Type: Bug
Bug Blocks: 2226710

Description Alba Hita 2023-07-26 08:56:06 UTC
Description of problem:
The %post script is not working when SELinux is enabled after the package installation but was disabled during installation.

This is happening when building an image in a container that doesn't have SELinux enabled, and the image is later installed on bare metal or in a VM that has SELinux enabled.

More references: ESSNTL-4875

Version-Release number of selected component (if applicable):
rhc-0.2.3-1.el9

Comment 1 Zdenek Petracek 2023-08-07 10:08:12 UTC
Version of rhc:
[root@kvm-02-guest08 ~]# rhc --version
rhc version 0.2.2

Disable SELinux:
[root@kvm-02-guest08 ~]# cat /etc/selinux/config | grep SELINUX
# SELINUX= can take one of these three values:
# NOTE: In earlier Fedora kernel builds, SELINUX=disabled would also
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
SELINUXTYPE=targeted

[root@kvm-02-guest08 ~]# reboot

[root@kvm-02-guest08 ~]# selinuxenabled
[root@kvm-02-guest08 ~]# echo $?
1
^^ SELinux is disabled

Installing rhc:
[root@kvm-02-guest08 ~]# yum install rhc -y
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use subscription-manager to register.

Last metadata expiration check: 0:08:23 ago on Mon 07 Aug 2023 11:37:18 AM CEST.
Dependencies resolved.
========================================================================================================================================
 Package                  Architecture                Version                               Repository                             Size
========================================================================================================================================
Installing:
 rhc                      x86_64                      1:0.2.2-1.el9                         beaker-AppStream                      9.5 M
...
Installed:
  rhc-1:0.2.2-1.el9.x86_64                                                                                                              

Complete!

Checking for permissive packages:
[root@kvm-02-guest08 ~]# semanage permissive -l

Builtin Permissive Types 

mptcpd_t
rshim_t

Customized Permissive Types

insights_client_t
^^ rhcd_t is missing --> bug successfully reproduced



I removed the rhc package and reinstalled it with a newer package that has fixed the issue:
[root@kvm-02-guest08 ~]# rhc --version
rhc version 0.2.4

[root@kvm-02-guest08 ~]# semanage permissive -l

Builtin Permissive Types 

mptcpd_t
rshim_t

Customized Permissive Types

insights_client_t
rhcd_t
^^ rhcd_t is here --> pre-verification PASSED

Comment 4 Zdenek Petracek 2023-08-09 12:35:05 UTC
[root@kvm-02-guest10 ~]# rhc --version
rhc version 0.2.4

Disabling SELinux:
[root@kvm-02-guest10 ~]# cat /etc/selinux/config | grep SELINUX=
# SELINUX= can take one of these three values:
# NOTE: In earlier Fedora kernel builds, SELINUX=disabled would also
SELINUX=disabled

[root@kvm-02-guest10 ~]# reboot

[root@kvm-02-guest10 ~]# selinuxenabled
[root@kvm-02-guest10 ~]# echo $?
1
^^ SELinux is disabled

Installing rhc:
[root@kvm-02-guest10 ~]# yum install rhc -y
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use subscription-manager to register.

Last metadata expiration check: 0:15:53 ago on Wed 09 Aug 2023 02:14:47 PM CEST.
Dependencies resolved.
======================================================================================================
 Package          Architecture        Version                     Repository                     Size
======================================================================================================
Installing:
 rhc              x86_64              1:0.2.4-1.el9               beaker-AppStream              9.8 M
...
Installed:
  rhc-1:0.2.4-1.el9.x86_64                                                                            

Complete!

[root@kvm-02-guest10 ~]# semanage permissive -l

Builtin Permissive Types 

mptcpd_t
rshim_t

Customized Permissive Types

insights_client_t
rhcd_t
^^ rhcd_t is present as expected --> VERIFICATION PASSED
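
The manual check from the comments above, written as a script that can run inside an image build before the image is deployed to a host with SELinux enabled. This is an added example, not part of the bug report or of the rhc package; the function names and the two sample listings (constructed from the output quoted in this report) are assumptions.

```shell
#!/bin/sh
# Added example: classify an SELinux type from `semanage permissive -l` output.
# On a real system: semanage permissive -l | permissive_status rhcd_t

# permissive_status TYPE   (listing is read from stdin)
# Prints "customized", "builtin" or "missing".
permissive_status() {
    awk -v want="$1" '
        /^Builtin Permissive Types/    { section = "builtin"; next }
        /^Customized Permissive Types/ { section = "customized"; next }
        {
            gsub(/^[ \t]+|[ \t]+$/, "")   # tolerate padding around type names
            # Only count names that appear under one of the two headings.
            if ($0 == want && section != "") found = section
        }
        END { print (found == "" ? "missing" : found) }
    '
}

# require_permissive TYPE  (listing on stdin): status 0 if listed, 1 if not.
require_permissive() {
    st=$(permissive_status "$1")
    [ "$st" != "missing" ]
}

# Constructed sample: listing as seen with the affected package.
SAMPLE_BEFORE='
Builtin Permissive Types

mptcpd_t
rshim_t

Customized Permissive Types

insights_client_t'

# Constructed sample: listing as seen with rhc-0.2.4-1.el9.
SAMPLE_AFTER="$SAMPLE_BEFORE
rhcd_t"

for name in BEFORE AFTER; do
    eval "listing=\$SAMPLE_$name"
    if printf '%s\n' "$listing" | require_permissive rhcd_t; then
        echo "$name: rhcd_t is permissive"
    else
        echo "$name: rhcd_t is NOT permissive"
    fi
done
```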

Comment 6 errata-xmlrpc 2023-11-07 08:36:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (rhc bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6541