
Icinga paid repository - broken SELinux package #276

Open
scaronni opened this issue Feb 8, 2023 · 5 comments
Labels
bug Something isn't working

Comments

@scaronni

scaronni commented Feb 8, 2023

We are paying the subscription to get official Icinga packages for EL distributions. The latest icinga2-selinux-2.13.6-2 packages are broken: on a new install there are no SELinux booleans available.

The postinstall scriptlet has not changed between 2.13.6-1 and 2.13.6-2.

With 2.13.6-1 there is some error but in the end the booleans are there:

# for selinuxvariant in mls targeted; do /usr/sbin/semodule -s ${selinuxvariant} -i /usr/share/selinux/${selinuxvariant}/icinga2.pp; done
Failed to resolve booleanif statement at /var/lib/selinux/mls/tmp/modules/400/icinga2/cil:1894
Failed to resolve AST
/usr/sbin/semodule:  Failed!
# semanage boolean -l | grep icinga
httpd_can_connect_icinga2_api  (on   ,   on)  Allow httpd to can connect icinga2 api
httpd_can_write_icinga2_command (on   ,   on)  Allow httpd to can write icinga2 command
icinga2_can_connect_all        (off  ,  off)  Allow icinga2 to can connect all
icinga2_run_sudo               (off  ,  off)  Allow icinga2 to run sudo
icinga2adm_exec_content        (on   ,   on)  Allow icinga2adm to exec content

With 2.13.6-2 there are 2 errors and in the end the booleans are not there:

# for selinuxvariant in mls targeted; do /usr/sbin/semodule -s ${selinuxvariant} -i /usr/share/selinux/${selinuxvariant}/icinga2.pp; done
Failed to resolve booleanif statement at /var/lib/selinux/mls/tmp/modules/400/icinga2/cil:1873
Failed to resolve AST
/usr/sbin/semodule:  Failed!
Failed to resolve roleattributeset statement at /var/lib/selinux/targeted/tmp/modules/400/icinga2/cil:46
Failed to resolve AST
/usr/sbin/semodule:  Failed!
# semanage boolean -l | grep icinga

Of course, if you do an upgrade, the previous policy is installed and you're not noticing anything, as you're redirecting everything to /dev/null in postinstall.

@scaronni
Author

scaronni commented Feb 8, 2023

Besides the appropriate fix, I would suggest showing errors in the postinstall, so you can probably notice it, and not redirecting everything to /dev/null.

Thanks.

@lippserd
Member

lippserd commented Feb 9, 2023

Hi,

Thanks for the report. Will be fixed asap.

All the best,
Eric

@scaronni
Author

Hi @lippserd, any update? There is a merge request open to fix the issue.

Thanks.

@lippserd
Member

2.13.7 with the fix included will be released tomorrow.

@scaronni
Author

Thanks, it works, booleans are there.

The error that was present before 2.13.6-2 is still there, though:

# for selinuxvariant in mls targeted; do /usr/sbin/semodule -s ${selinuxvariant} -i /usr/share/selinux/${selinuxvariant}/icinga2.pp; done
Failed to resolve booleanif statement at /var/lib/selinux/mls/tmp/modules/400/icinga2/cil:1894
Failed to resolve AST
/usr/sbin/semodule:  Failed!
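
An added example (not from the thread and not the Icinga package's scriptlet) of the suggestion made in this issue: load the module into each policy store with errors shown instead of discarded, then confirm the booleans exist. The function names and the SEMODULE/SEMANAGE override variables are assumptions; the commands, paths and boolean names are the ones shown in the issue.

```shell
# Added example (hypothetical helper, not the Icinga package's scriptlet).
# Commands and paths mirror those in the issue; boolean names come from the
# 2.13.6-1 listing. SEMODULE/SEMANAGE are overridable so it can be dry-run.
SEMODULE=${SEMODULE:-/usr/sbin/semodule}
SEMANAGE=${SEMANAGE:-semanage}
EXPECTED_BOOLEANS="httpd_can_connect_icinga2_api httpd_can_write_icinga2_command
icinga2_can_connect_all icinga2_run_sudo icinga2adm_exec_content"

# Load icinga2.pp into each named policy store. Failures are printed, not
# discarded; the return value is the number of stores that failed.
install_policy() {
    failed=0
    for variant in "$@"; do
        pp="/usr/share/selinux/${variant}/icinga2.pp"
        if out=$("$SEMODULE" -s "$variant" -i "$pp" 2>&1); then
            echo "icinga2 policy loaded for ${variant}"
        else
            echo "icinga2 policy FAILED for ${variant}:" >&2
            printf '%s\n' "$out" | sed 's/^/    /' >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Print every expected boolean that the active policy does not define.
missing_booleans() {
    listing=$("$SEMANAGE" boolean -l 2>/dev/null) || listing=""
    for b in $EXPECTED_BOOLEANS; do
        printf '%s\n' "$listing" | grep -q "^${b}[[:space:]]" || echo "$b"
    done
}

# 0 = all stores loaded and booleans present
# 1 = at least one store failed but the booleans exist
# 2 = booleans missing
verify_install() {
    load_rc=0
    install_policy "$@" || load_rc=$?
    missing=$(missing_booleans)
    if [ -n "$missing" ]; then
        echo "missing SELinux booleans:" $missing >&2
        return 2
    fi
    [ "$load_rc" -eq 0 ] || return 1
}

# Run against the real tools only when asked: sh verify-selinux.sh run
if [ "${1:-}" = "run" ]; then verify_install mls targeted; fi
```

Exit status 1 corresponds to the 2.13.6-1 and 2.13.7 behaviour reported here (one store fails, booleans present) and 2 to the 2.13.6-2 behaviour (no booleans).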
