semodule does not list versions anymore in Red Hat Enterprise Linux 7, 8
Environment
- Red Hat Enterprise Linux (RHEL) 7.3
- Red Hat Enterprise Linux (RHEL) 8
- Fedora, upstream
- policycoreutils-2.5-8.el7
Issue
- With RHEL 7.3, semodule -l does not list the versions any more.
- This behaviour change breaks compatibility with puppet and other tools and existing scripts.
Original behaviour:
# semodule -l | head -3
abrt 1.4.1
accountsd 1.1.0
acct 1.6.0
After update:
# semodule -l | head -3
abrt
accountsd
acct
Resolution
- For RHEL 7, please update to policycoreutils-2.5-17.1.el7 shipped with Advisory RHBA-2017:1883 or newer.
- There are no plans to revert the behaviour upstream, in Fedora or RHEL 8.
Root Cause
Since SELinux userspace 2.4, modules use CIL, and CIL doesn't have any component which would represent a module name or version. Therefore a module name is derived from a filename and the version is completely dropped from semodule output.
In order to maintain compatibility during the RHEL 7 lifetime, the libsemanage library was patched to mimic the old behaviour where possible, i.e. if an original module was installed from a .pp file containing the version info, the version is extracted from the corresponding hll file.
Since this approach affects performance to some extent, there are no plans to mimic the old behaviour in RHEL 8 and newer.
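A script that consumes semodule -l output can be written to accept both listings shown under Issue, as well as a listing where only some modules carry a version (the patched RHEL 7 case, where the version is recovered only for modules installed from a versioned .pp file). The following is an added example, not code from Red Hat or the policycoreutils project; the function names and the OLD_SAMPLE/NEW_SAMPLE variables are hypothetical, and the sample lines are copied from this article.

```shell
#!/bin/sh
# Added example: parse `semodule -l` output whether or not it has a
# version column. All names below are hypothetical helpers.

# Sample listings, copied from the "Issue" section of this article.
OLD_SAMPLE='abrt 1.4.1
accountsd 1.1.0
acct 1.6.0'
NEW_SAMPLE='abrt
accountsd
acct'

# Normalise a listing on stdin to "name<TAB>version".
# A missing version becomes "-", so callers can tell
# "version unknown" apart from "module not listed".
normalize_semodule_list() {
    awk 'NF >= 1 { printf "%s\t%s\n", $1, (NF >= 2 ? $2 : "-") }'
}

# Classify a listing on stdin: versioned, unversioned, mixed or empty.
listing_format() {
    normalize_semodule_list | awk -F '\t' '
        $2 == "-" { bare++ }
        $2 != "-" { ver++ }
        END {
            if (!bare && !ver) print "empty"
            else if (!bare)    print "versioned"
            else if (!ver)     print "unversioned"
            else               print "mixed"
        }'
}

# Print the version of module $1 from a listing on stdin.
# Exit 0 if the module is listed (prints version or "-"), 1 if not.
module_version() {
    normalize_semodule_list | awk -F '\t' -v m="$1" '
        $1 == m { print $2; found = 1; exit }
        END { exit (found ? 0 : 1) }'
}

# Stand-alone demo on the constructed samples.
printf '%s\n' "$OLD_SAMPLE" | listing_format
printf '%s\n' "$NEW_SAMPLE" | listing_format
```

On a live system the same functions read from a pipe, e.g. semodule -l | module_version abrt; a result of "-" means the module is present but no version was reported.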