Icinga / icinga-packaging

Packaging documentation and issues for the official Icinga repository
https://packages.icinga.com

Icinga paid repository - broken SELinux package #276

Open scaronni opened 1 year ago

scaronni commented 1 year ago

We are paying the subscription to get official Icinga packages for EL distributions. The latest icinga2-selinux-2.13.6-2 packages are broken; on a new install there are no SELinux booleans available.

The postinstall scriptlet has not changed between 2.13.6-1 and 2.13.6-2.

With 2.13.6-1 there is some error but in the end the booleans are there:

# for selinuxvariant in mls targeted; do /usr/sbin/semodule -s ${selinuxvariant} -i /usr/share/selinux/${selinuxvariant}/icinga2.pp; done
Failed to resolve booleanif statement at /var/lib/selinux/mls/tmp/modules/400/icinga2/cil:1894
Failed to resolve AST
/usr/sbin/semodule:  Failed!
# semanage boolean -l | grep icinga
httpd_can_connect_icinga2_api  (on   ,   on)  Allow httpd to can connect icinga2 api
httpd_can_write_icinga2_command (on   ,   on)  Allow httpd to can write icinga2 command
icinga2_can_connect_all        (off  ,  off)  Allow icinga2 to can connect all
icinga2_run_sudo               (off  ,  off)  Allow icinga2 to run sudo
icinga2adm_exec_content        (on   ,   on)  Allow icinga2adm to exec content

With 2.13.6-2 there are 2 errors and in the end the booleans are not there:

# for selinuxvariant in mls targeted; do /usr/sbin/semodule -s ${selinuxvariant} -i /usr/share/selinux/${selinuxvariant}/icinga2.pp; done
Failed to resolve booleanif statement at /var/lib/selinux/mls/tmp/modules/400/icinga2/cil:1873
Failed to resolve AST
/usr/sbin/semodule:  Failed!
Failed to resolve roleattributeset statement at /var/lib/selinux/targeted/tmp/modules/400/icinga2/cil:46
Failed to resolve AST
/usr/sbin/semodule:  Failed!
# semanage boolean -l | grep icinga

Of course, if you do an upgrade, the previous policy is installed and you're not noticing anything as you're redirecting everything to /dev/null in postinstall.

scaronni commented 1 year ago

Besides the appropriate fix, I would suggest showing errors in the postinstall, so you can probably notice it, and not redirecting everything to /dev/null.

Thanks.
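The suggestion above, sketched as an added example that is not part of the original thread and is not Icinga's packaging code: a postinstall helper that leaves `semodule` errors on stderr, reports which policy store failed, and then checks that the booleans are actually registered. The paths, store names and boolean names are the ones quoted in this issue; the function names and the `SEMODULE`/`SEMANAGE` override variables are hypothetical.

```shell
#!/bin/sh
# Added example, not Icinga's packaging code. Paths, store names and boolean
# names come from the issue; the function names are hypothetical.
SEMODULE=${SEMODULE:-/usr/sbin/semodule}
SEMANAGE=${SEMANAGE:-semanage}
EXPECTED_BOOLEANS="httpd_can_connect_icinga2_api httpd_can_write_icinga2_command"
EXPECTED_BOOLEANS="$EXPECTED_BOOLEANS icinga2_can_connect_all icinga2_run_sudo"
EXPECTED_BOOLEANS="$EXPECTED_BOOLEANS icinga2adm_exec_content"

# Load icinga2.pp into one policy store. semodule's own diagnostics are left
# on stderr instead of being sent to /dev/null.
install_variant() {
    pp="/usr/share/selinux/$1/icinga2.pp"
    if ! "$SEMODULE" -s "$1" -i "$pp"; then
        echo "icinga2-selinux: loading $pp into store '$1' failed" >&2
        return 1
    fi
}

# Print the expected booleans that `semanage boolean -l` does not list.
missing_booleans() {
    missing=""
    listing=$("$SEMANAGE" boolean -l) || { echo $EXPECTED_BOOLEANS; return 0; }
    for b in $EXPECTED_BOOLEANS; do
        # Exact match on the first column, so a longer name cannot satisfy it.
        printf '%s\n' "$listing" |
            awk -v b="$b" '$1 == b { found = 1 } END { exit !found }' ||
            missing="$missing $b"
    done
    echo "${missing# }"
}

# Install into every store given, then verify the result. Returns non-zero if
# any store failed or any boolean is absent.
install_icinga2_policy() {
    failed="" status=0
    for variant in "$@"; do
        install_variant "$variant" || failed="$failed $variant"
    done
    missing=$(missing_booleans)
    if [ -n "$failed" ]; then
        echo "icinga2-selinux: failed stores:$failed" >&2; status=1
    fi
    if [ -n "$missing" ]; then
        echo "icinga2-selinux: missing booleans: $missing" >&2; status=1
    fi
    return "$status"
}
```

A scriptlet would call `install_icinga2_policy mls targeted`; the two checks are kept separate because, in the output quoted in this issue, a failing `mls` store and present booleans can occur together.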

lippserd commented 1 year ago

Hi,

Thanks for the report. Will be fixed asap.

All the best, Eric

scaronni commented 1 year ago

Hi @lippserd, any update? There is a merge request open to fix the issue.

Thanks.

lippserd commented 1 year ago

2.13.7 with the fix included will be released tomorrow.

scaronni commented 1 year ago

Thanks, it works, booleans are there.

The error that was present before 2.13.6-2 is still there, though:

# for selinuxvariant in mls targeted; do /usr/sbin/semodule -s ${selinuxvariant} -i /usr/share/selinux/${selinuxvariant}/icinga2.pp; done
Failed to resolve booleanif statement at /var/lib/selinux/mls/tmp/modules/400/icinga2/cil:1894
Failed to resolve AST
/usr/sbin/semodule:  Failed!