+++ This bug was initially created as a clone of Bug #1560019 +++

Description of problem:

Base (i.e. unmodified) OSP containers are failing one of the certification
checks enforced by the system our Partners will use to distribute their OSP
container plugins. Our partner's container images won't pass the certification
checks unless the base images pass.

The test that fails is called "rpm_verify_successful" and it ensures all
packages pass the "rpm -V" test. The selinux-policy-targeted RPM fails:

[[snip]]

Actually, this is outside of containers - on RHEL 7.5 beta:

[root@localhost ~]# rpm -V selinux-policy-targeted

[root@localhost ~]# ls -lZ /etc/selinux/targeted/active/users_extra
-rw-------. root root unconfined_u:object_r:semanage_store_t:s0 /etc/selinux/targeted/active/users_extra

[root@localhost ~]# semanage port -N -m -p tcp 4444 -t mysqld_port_t
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[root@localhost ~]# rpm -V selinux-policy-targeted
.M.......    /etc/selinux/targeted/active/users_extra

[root@localhost ~]# ls -lZ /etc/selinux/targeted/active/users_extra
-rw-r--r--. root root unconfined_u:object_r:semanage_store_t:s0 /etc/selinux/targeted/active/users_extra


It seems when you alter something with 'semanage', the /etc/selinux/targeted/active/users_extra file is rewritten with the wrong mode (also the seusers file)

This reproduces on 7.4, so is not a regression.


TL;DR: The reason this is an issue is it breaks certification if someone (or something) changes anything using semanage, since 'rpm -V selinux-policy-targeted' will now fail.