semodule does not list versions anymore in Red Hat Enterprise Linux 7, 8


Environment

  • Red Hat Enterprise Linux (RHEL) 7.3
  • Red Hat Enterprise Linux (RHEL) 8
  • Fedora, upstream
  • policycoreutils-2.5-8.el7

Issue

  • With RHEL 7.3, semodule -l no longer lists module versions.
  • This behaviour change breaks compatibility with Puppet, other tools, and existing scripts.

Original behaviour:

# semodule -l | head -3
abrt    1.4.1
accountsd   1.1.0
acct    1.6.0

After update:

# semodule -l | head -3
abrt
accountsd
acct

Resolution

  • For RHEL 7, please update to policycoreutils-2.5-17.1.el7 shipped with Advisory RHBA-2017:1883 or newer.
  • There are no plans to revert the behaviour upstream, in Fedora, or in RHEL 8.

Root Cause

Since SELinux userspace 2.4, modules use CIL, and CIL doesn't have any component that would represent a module name or version. Therefore the module name is derived from the filename, and the version is dropped completely from semodule output.

In order to maintain compatibility during the RHEL 7 lifetime, the libsemanage library was patched to mimic the old behaviour where possible: if the original module was installed from a .pp file containing version info, the version is extracted from the corresponding hll file.

Since this approach affects performance to some extent, there are no plans to mimic the old behaviour in RHEL 8 and newer.
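
Added example, not part of the original Red Hat solution: a shell helper that reads semodule -l output in either of the two formats shown in the Issue section, so a script can check for a module without depending on the version column. The function names and the "-" placeholder for a missing version are assumptions of this example.

```shell
#!/bin/sh
# Added example: parse `semodule -l` output with or without a version column.

# Constructed sample input: the two listings shown in the Issue section.
OLD_LISTING='abrt    1.4.1
accountsd   1.1.0
acct    1.6.0'
NEW_LISTING='abrt
accountsd
acct'

# Normalise a listing on stdin to "name<TAB>version"; "-" marks a missing
# version (hypothetical placeholder chosen for this example).
parse_semodule_list() {
    awk 'NF > 0 { printf "%s\t%s\n", $1, (NF >= 2 ? $2 : "-") }'
}

# Print the version of module $1 from a listing on stdin.
# Exit status: 0 if the module is listed (with or without version), 1 if not.
module_version() {
    parse_semodule_list | awk -F '\t' -v m="$1" '
        $1 == m { print $2; found = 1; exit }
        END     { exit (found ? 0 : 1) }'
}

# Exit 0 only if every non-blank line of the listing has a version column.
listing_has_versions() {
    awk 'NF > 0 { n++; if (NF < 2) bad = 1 } END { exit (n > 0 && !bad) ? 0 : 1 }'
}

# Demo on the sample data; on a real host use: semodule -l | module_version abrt
for listing in "$OLD_LISTING" "$NEW_LISTING"; do
    printf 'accountsd -> %s\n' "$(printf '%s\n' "$listing" | module_version accountsd)"
done
```

Because the patched RHEL 7 library restores versions only where the original .pp file carried them, a single listing can mix both line formats; the helper handles each line independently, and a caller should treat "-" as "version unknown" rather than as a mismatch.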
