icinga-packaging icon indicating copy to clipboard operation
icinga-packaging copied to clipboard

Published 20 hours ago verified publisher icon Icinga

Icinga paid repository - broken SELinux package

Open scaronni opened this issue 2 years ago • 5 comments

We are paying the subscription to get official Icinga packages for EL distributions. The latest icinga2-selinux-2.13.6-2 packages are broken, on a new install there are no SELinux booleans available.

The postinstall scriptlet has not changed between 2.13.6-1 and 2.13.6-2.

With 2.13.6-1 there is some error but in the end the booleans are there:

# for selinuxvariant in mls targeted; do /usr/sbin/semodule -s ${selinuxvariant} -i /usr/share/selinux/${selinuxvariant}/icinga2.pp; done
Failed to resolve booleanif statement at /var/lib/selinux/mls/tmp/modules/400/icinga2/cil:1894
Failed to resolve AST
/usr/sbin/semodule:  Failed!
# semanage boolean -l | grep icinga
httpd_can_connect_icinga2_api  (on   ,   on)  Allow httpd to can connect icinga2 api
httpd_can_write_icinga2_command (on   ,   on)  Allow httpd to can write icinga2 command
icinga2_can_connect_all        (off  ,  off)  Allow icinga2 to can connect all
icinga2_run_sudo               (off  ,  off)  Allow icinga2 to run sudo
icinga2adm_exec_content        (on   ,   on)  Allow icinga2adm to exec content

With 2.13.6-2 there are 2 errors and in the end the booleans are not there:

# for selinuxvariant in mls targeted; do /usr/sbin/semodule -s ${selinuxvariant} -i /usr/share/selinux/${selinuxvariant}/icinga2.pp; done
Failed to resolve booleanif statement at /var/lib/selinux/mls/tmp/modules/400/icinga2/cil:1873
Failed to resolve AST
/usr/sbin/semodule:  Failed!
Failed to resolve roleattributeset statement at /var/lib/selinux/targeted/tmp/modules/400/icinga2/cil:46
Failed to resolve AST
/usr/sbin/semodule:  Failed!
# semanage boolean -l | grep icinga

Of course if you do an upgrade, the previous policy is installed and you're not noticing anythig as you're redirecting everything to /dev/null in postinstall.

scaronni avatar Feb 08 '23 09:02 scaronni

Beside the appropriate fix, I would suggest to show errors in the postinstall, so you can probably notice it, and not redirect everything to /dev/null.

Thanks.

scaronni avatar Feb 08 '23 09:02 scaronni

Hi,

Thanks for the report. Will be fixed asap.

All the best, Eric

lippserd avatar Feb 09 '23 12:02 lippserd

Hi @lippserd any update? there is a merge request open to fix the issue.

Thanks.

scaronni avatar Feb 14 '23 15:02 scaronni

2.13.7 with the fix included will be released tomorrow.

lippserd avatar Feb 15 '23 09:02 lippserd

Thanks, it works, booleans are there.

The error that was present before 2.13.6-2 is still there, though:

# for selinuxvariant in mls targeted; do /usr/sbin/semodule -s ${selinuxvariant} -i /usr/share/selinux/${selinuxvariant}/icinga2.pp; done
Failed to resolve booleanif statement at /var/lib/selinux/mls/tmp/modules/400/icinga2/cil:1894
Failed to resolve AST
/usr/sbin/semodule:  Failed!

scaronni avatar Feb 17 '23 08:02 scaronni