nikdoof.com

/posts/ 2021/centos8-and-broken-selinux-policy

CentOS 8 and the broken SELinux Policy

Mar 22, 2021

#linux #centos #selinux 

TASK [www : Enable httpd_read_user_content] ************************************
04:03:45
459
fatal: [s1.dimension.sh]: FAILED! => {"changed": false, "msg": "Failed to manage policy for boolean httpd_read_user_content: [Errno 0] Error"}

The result of a standard weekly AWX run on a system was an error. Failed to manage policy for boolean ...: [Errno 0] Error, not exactly the most helpful error to be spat out by Ansible, but it’s all I had. I had recently completed patching on the VM, so the occurrence of the issue can be attributed to an updated package.

The Issue

The Ansible error is a generic catch-all error within the SEBoolean module. The Python in the module tries to replicate what the management commands are doing under the hood, so while the code is complicated, it should be easily replicated with the CLI commands. Running to set the boolean worked:

# setsebool httpd_enable_homedirs=on

But, running to apply the boolean permanently failed.

# setsebool -P httpd_enable_homedirs=on
libsepol.context_from_record: type systemd_sleep_exec_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:systemd_sleep_exec_t:s0 to sid
invalid context system_u:object_r:systemd_sleep_exec_t:s0
#

The underlying error is that type systemd_sleep_exec_t isn’t defined in the SELinux policy, a fundamental part in my opinion, which points to something wrong with the policy files. Searching on RedHat’s and CentOS bug trackers directs me to a few other people experiencing similar.

The Resolution

In previous instances, I had an issue where multiple versions of the SELinux policy files were installed, and removing the old instance and re-installing the current version resolved the issue. In this instance, I only had one installed version, so I re-installed:

# dnf re-install "selinux-policy*"

...

Reinstalling:
 selinux-policy             noarch  3.14.3-54.el8_3.2 baseos 622 k
 selinux-policy-targeted    noarch  3.14.3-54.el8_3.2 baseos 15 M

...

Reinstalled:
  selinux-policy-3.14.3-54.el8_3.2.noarch
  selinux-policy-targeted-3.14.3-54.el8_3.2.noarch

Complete!

And now it works as expected.

# setsebool -P httpd_enable_homedirs=on
#