Skip to content

selinux-policy: Restore excluded policy.kern. #14549

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: 3.0-dev
Choose a base branch
from
Open

selinux-policy: Restore excluded policy.kern. #14549

wants to merge 1 commit into from

Conversation

pebenito
Copy link
Contributor

@pebenito pebenito commented Aug 19, 2025
edited
Loading

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge
Summary

Fix this issue:

$ sudo semanage fcontext -a -e /var /mnt/overlays/var/upper
libsemanage.semanage_read_policydb: Could not open kernel policy /var/lib/selinux/targeted/active/policy.kern for reading. (No such file or directory).
FileNotFoundError: No such file or directory
Change Log
  • Restore policy.kern to fix semanage error.
Does this affect the toolchain?

NO

Test Methodology
  • Pipeline build id: 903051

@pebenito pebenito requested a review from a team as a code owner August 19, 2025 12:27
@microsoft-github-policy-service microsoft-github-policy-service bot added Packaging 3.0-dev PRs Destined for AzureLinux 3.0 labels Aug 19, 2025
@CBL-Mariner-Bot
Copy link
Collaborator

✅ PR Check Passed

No critical issues detected in spec file changes.

🤖 AI Analysis Summary:

Brief Analysis:
The changes update the package release number and tighten file verification for policy.kern, with an associated changelog entry explaining the new inclusion. No new CVE-related patches are referenced.

Critical Issues Found:
• No ERROR/CRITICAL issues detected regarding missing CVE patches or misapplied patch directives.

Recommended Actions:
• Verify that any future CVE fixes use the mandated "Patch: CVE-YYYY-XXXXX.patch" naming scheme.
• Continue using %verify to avoid file mismatches and ensure policy file integrity.
• Maintain clear changelog entries for security fixes as done in this update.

📋 For detailed analysis and recommendations, check the Azure DevOps pipeline logs.

cwize1 added a commit to microsoft/azure-linux-image-tools that referenced this pull request Aug 19, 2025
@cwize1
Disable Overlay + SELinux test for AZL 3.0.
4593b5f 
Azure Linux 3.0 has a bug where the `policy.kern` file is missing. And
this results in calls to `semanage fcontext` failing, since that
command expects the `policy.kern` to exist. This bug should be fixed in
microsoft/azurelinux#14549. But in the
meantime, disable the test.
cwize1 added a commit to microsoft/azure-linux-image-tools that referenced this pull request Aug 19, 2025
@cwize1
Disable Overlay + SELinux test for AZL 3.0.
1090a3b 
Azure Linux 3.0 has a bug where the `policy.kern` file is missing. And
this results in calls to `semanage fcontext` failing, since that
command expects the `policy.kern` to exist. This bug should be fixed in
microsoft/azurelinux#14549. But in the
meantime, disable the test.
@cwize1 cwize1 mentioned this pull request Aug 19, 2025
Merged
3 tasks
cwize1 added a commit to microsoft/azure-linux-image-tools that referenced this pull request Aug 19, 2025
@cwize1
Disable Overlay + SELinux test for AZL 3.0. (#385)
c9f67a3 
Azure Linux 3.0 has a bug where the `policy.kern` file is missing. And
this results in calls to `semanage fcontext` failing, since that command
expects the `policy.kern` to exist. This bug should be fixed in
microsoft/azurelinux#14549. But in the meantime,
disable the test.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cwize1 cwize1 cwize1 approved these changes

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
3.0-dev PRs Destined for AzureLinux 3.0 Packaging
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@pebenito @CBL-Mariner-Bot @cwize1