SELinux policy does not work on Fedora

[julianbrost]

To Reproduce

1. Set up a fresh and up-to-date Fedora 36 system.
2. Install the icinga2 and icinga2-selinux packages from packages.icinga.com
3. systemctl start icinga2
4. Observe that the process is running unconfined:

   # ps -eZ | grep icinga2
   system_u:system_r:unconfined_service_t:s0 2050 ? 00:00:00 icinga2
   system_u:system_r:unconfined_service_t:s0 2076 ? 00:00:00 icinga2
   system_u:system_r:unconfined_service_t:s0 2081 ? 00:00:00 icinga2

Additional info

The command used by the %post scriptlet of the RPM fails to install the policy module:

# semodule -s targeted -i /usr/share/selinux/targeted/icinga2.pp
Failed to resolve roleattributeset statement at /var/lib/selinux/targeted/tmp/modules/400/icinga2/cil:46
Failed to resolve AST
semodule:  Failed!

(No error is visible during the actual package installation.)

Your Environment

• Version used (icinga2 --version): r2.13.4-1
• Operating System and version: Fedora Linux 36 (Cloud Edition)

[yhabteab]

I have manually built the SELinux module on my fedora vm and it works!

[root@yh-fedora icinga2-selinux]# ps -eZ | grep icinga
system_u:system_r:icinga2_t:s0     1592 ?        00:00:00 icinga2
system_u:system_r:icinga2_t:s0     1634 ?        00:00:00 icinga2
system_u:system_r:icinga2_t:s0     1643 ?        00:00:00 icinga2

[julianbrost]

So might be more of a packaging issue then? I have observed something similar when installing the package on a CentOS 7 installed from an ancient image without installing system updates first, so might be some kind of version mismatch. But I don't know about the compatibility of *.pp files and when they have to be recompiled.

[julianbrost]

Forgot to mention: when installing the snapshot packages, the policy works fine. So most certainly something with the packaging, missing versioned dependency or rebuild or something like that.

[lippserd]

Fixed by Icinga/icinga2#9664.