Bug 2183089 - Reinstalling passt-selinux package leads to temporarily disabled policy
Keywords:
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: passt
Version: 9.2
Hardware: All
OS: Linux
medium
high
Target Milestone: rc
: 9.3
Assignee: Stefano Brivio
QA Contact: Lei Yang
URL:
Whiteboard:
Depends On:
Blocks: 2190511
Reported: 2023-03-30 11:51 UTC by Stefano Brivio
Modified: 2023-06-29 02:58 UTC (History)

Fixed In Version: passt-0^20230222.g4ddbcb9-4.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 2190511 (view as bug list)
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-153557 0 None None None 2023-03-30 11:52:22 UTC

Description Stefano Brivio 2023-03-30 11:51:28 UTC
If the passt-selinux package is reinstalled (e.g. with 'dnf reinstall'), the package scriptlets temporarily unload the related SELinux policy with 'semodule -r'. See bz2172268#c45 for a complete example.

We need to modify the spec file with changes equivalent to upstream commit:

  https://passt.top/passt/commit/?id=dd2349661933c4e9756e524ae9465f38b53b7557
  fedora: Refresh SELinux labels in scriptlets, require -selinux package

which, in particular, replaces the existing %preun actions with:

  %postun selinux
  if [ $1 -eq 0 ]; then
  	%selinux_modules_uninstall -s %{selinuxtype} passt
  	%selinux_modules_uninstall -s %{selinuxtype} pasta
  fi

so that the policy modules are unloaded only if the package is actually removed.
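
Added illustration, not part of the original report or of the passt spec file: a shell simulation of why an unconditional unload in %preun loses the modules on reinstall, while the `$1 -eq 0` guard in %postun keeps them. It assumes rpm's convention that $1 in the uninstall scriptlets is the number of package instances left after the operation (0 on erase, 1 on upgrade or reinstall) and that the outgoing copy's scriptlets run after the incoming copy's %post. The function names and the MODULES variable are hypothetical stand-ins, the "old" variant is an assumed model of the pre-fix scriptlet, and no rpm or semodule command is executed.

```shell
#!/bin/sh
# Constructed simulation: MODULES stands in for the loaded SELinux module
# store; nothing here calls rpm or semodule.
MODULES=""

load_modules()   { MODULES="passt pasta"; }  # stands in for the %post install
unload_modules() { MODULES=""; }             # stands in for 'semodule -r'

# Assumed pre-fix behaviour: %preun unloads regardless of $1.
old_preun()  { unload_modules; }
old_postun() { :; }

# Behaviour from the description: %postun unloads only when $1 is 0,
# i.e. when no instance of the package remains.
new_preun()  { :; }
new_postun() { if [ "$1" -eq 0 ]; then unload_modules; fi; }

# run_transaction <old|new> <reinstall|erase>
# Prints the modules still loaded once the transaction has finished.
run_transaction() {
	variant=$1
	op=$2
	load_modules                     # package installed before we start
	case $op in
	reinstall)
		load_modules             # %post of the incoming copy
		"${variant}_preun" 1     # outgoing copy: one instance remains
		"${variant}_postun" 1
		;;
	erase)
		"${variant}_preun" 0     # nothing remains after the erase
		"${variant}_postun" 0
		;;
	esac
	echo "${MODULES:-none}"
}

for v in old new; do
	for op in reinstall erase; do
		echo "$v scriptlets, $op: $(run_transaction "$v" "$op")"
	done
done
```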

Comment 4 Lei Yang 2023-05-26 02:45:06 UTC
Hello Stefano

According to the QE test result, the current problem is not fixed. The policy modules brought by the passt-selinux package still do not survive after reinstalling the passt* packages. Please help review the following steps:

1. Check the current status
# rpm -qa selinux\* passt\* | sort
passt-0^20230222.g4ddbcb9-3.el9.x86_64
passt-selinux-0^20230222.g4ddbcb9-3.el9.noarch
selinux-policy-38.1.13-1.el9.noarch
selinux-policy-devel-38.1.13-1.el9.noarch
selinux-policy-targeted-38.1.13-1.el9.noarch

2. Check the policy modules brought by the passt-selinux package
# semodule -lfull | grep -e pasta -e passt
400 passt                        pp          
400 pasta                        pp 

3. Reinstall passt* packages
yum -y reinstall passt-0^20230222.g4ddbcb9-3.el9.x86_64.rpm passt-selinux-0^20230222.g4ddbcb9-3.el9.noarch.rpm

4. Check the policy modules again; they cannot be found on the host
# semodule -lfull | grep -e pasta -e passt
# 

Thanks
Lei

Comment 9 Lei Yang 2023-06-13 00:04:49 UTC
1. Check the current status
# rpm -qa selinux\* passt\* | sort
passt-0^20230222.g4ddbcb9-4.el9.x86_64
passt-selinux-0^20230222.g4ddbcb9-4.el9.noarch
selinux-policy-38.1.14-1.el9.noarch
selinux-policy-devel-38.1.14-1.el9.noarch
selinux-policy-targeted-38.1.14-1.el9.noarch

2. Check the policy modules brought by the passt-selinux package
# semodule -lfull | grep -e pasta -e passt
200 passt                        pp          
200 pasta                        pp    

3. Reinstall passt* packages
# yum -y reinstall passt-0^20230222.g4ddbcb9-4.el9.x86_64.rpm passt-selinux-0^20230222.g4ddbcb9-4.el9.noarch.rpm

4. Check the policy modules again; the policy modules brought by the passt-selinux package survive after reinstalling the passt* packages.
# semodule -lfull | grep -e pasta -e passt
200 passt                        pp          
200 pasta                        pp   

Based on the above test result this problem has been fixed very well on the passt-0^20230222.g4ddbcb9-4.el9.x86_64, so move to "VERIFIED".