I recently discovered that a piece of SELinux code that is perfectly OK on CentOS 7, CentOS Stream 8, RHEL 7.X, RHEL 8, Fedora 35 and Fedora 36 would just not compile on CentOS Stream 9, since the definition of a SELinux user is rejected on Stream 9 with an error message.
For instance, the SELinux policy module source code below will pass the checkmodule stage successfully on all distros, but CentOS Stream 9 will fail at the semodule_package stage.
module foo 0.1.0;
require {
role staff_r;
sensitivity s0;
sensitivity s0-s0;
category c0;
category c1023;
}
user foo_u roles staff_r level s0 range s0-s0:c0.c1023;
[hubertqc@nyx ~]$ semodule_package -o foo.pp -m foo.mod
libsepol.validate_user_datum: Invalid user datum
libsepol.validate_datum_array_entries: Invalid datum array entries
libsepol.validate_policydb: Invalid policydb
semodule_package: Error while reading policy module from foo.mod
I just don't understand what is going on.