View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0012376 | Rocky-Linux-10 | selinux-policy | public | 2026-04-01 14:52 | 2026-04-01 14:52 |
| Reporter | Hiroshi Nishida | Assigned To | |||
| Priority | normal | Severity | minor | Reproducibility | always |
| Status | new | Resolution | open | ||
| OS | Rocky | OS Version | 10.1 | ||
| Product Version | 10.1 | ||||
| Summary | 0012376: security_policyvers() returns 33 but only policy.35 exists on disk | ||||
**Description**

## Environment
- Rocky Linux 10.1
- libsepol-3.9-1.el10.x86_64
- sestatus: Max kernel policy version: 33
- Only policy.35 exists under /etc/selinux/targeted/policy/

## Problem
security_policyvers() returns 33, but no policy.33 file exists on disk. The only installed binary policy file is policy.35. Software that locates the binary policy by searching downward from security_policyvers() will never find it.

Confirmed: the internal binary version of policy.35 (read at offset 16 in the policydb) is 35. sestatus still reports "Max kernel policy version: 33".

## Root Cause
Upstream libsepol defines POLICYDB_VERSION_MAX = 33. Rocky Linux 10.1 ships policy.35, which uses a downstream policy format version (35) not present in upstream libsepol. security_policyvers() reports the upstream ceiling (33), creating a mismatch with the actual on-disk file version.

## Suggested Fix
Either:
1. Ship policy.33 as a compatibility symlink to policy.35, or
2. Update libsepol to expose POLICYDB_VERSION_MAX = 35 so that security_policyvers() reflects the actual on-disk policy version.

## Additional Notes
- Rocky Linux 9.7 is unaffected: policy.33 on disk, internal version 33, matches security_policyvers().
- Policy versions 34 and 35 do not appear in upstream libsepol source or changelog — they appear to be downstream extensions.

**Steps To Reproduce**

1. Install Rocky Linux 10.1 with SELinux enabled (targeted policy)
2. Run: sestatus → "Max kernel policy version: 33"
3. Run: ls /etc/selinux/targeted/policy/ → Only policy.35 is present, no policy.33
4. Run: python3 -c "import selinux; print(selinux.security_policyvers())" (or any program calling security_policyvers() from libsepol) → Returns 33

**Tags:** selinux
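An added check, not part of the report or of libsepol/libselinux, that reads the version field at offset 16 of a policydb header and compares it with the maximum the library advertises, reproducing the downward file search the report describes; the `SE Linux` identifier string and the search floor of 15 are assumptions about the policydb format, and the headers fed in are constructed, not read from a real system.

```python
import struct
from typing import Dict, Iterable, Optional

POLICYDB_MAGIC = 0xF97CFF8C   # magic word at offset 0 of a kernel binary policydb
POLICYDB_IDENT = b"SE Linux"  # identifier at offset 8 (assumed from the policydb format)
SEARCH_FLOOR = 15             # lowest version a downward search tries (assumed minimum)

def make_header(version: int) -> bytes:
    """Construct a minimal policydb header for testing: magic | len | ident | version."""
    return struct.pack("<II", POLICYDB_MAGIC, len(POLICYDB_IDENT)) + POLICYDB_IDENT \
        + struct.pack("<I", version)

def read_policydb_version(data: bytes) -> int:
    """Return the format version from a policydb header (offset 16 for a standard header)."""
    if len(data) < 20:
        raise ValueError("too short to be a policydb header")
    magic, ident_len = struct.unpack_from("<II", data, 0)
    if magic != POLICYDB_MAGIC:
        raise ValueError(f"bad policydb magic 0x{magic:08x}")
    ident = data[8:8 + ident_len]
    if ident != POLICYDB_IDENT:
        raise ValueError(f"unexpected policydb identifier {ident!r}")
    (version,) = struct.unpack_from("<I", data, 8 + ident_len)
    return version

def locate_policy(names: Iterable[str], max_version: int) -> Optional[str]:
    """Mimic a loader that tries policy.<max>, policy.<max-1>, ... down to the floor."""
    present = set(names)
    for v in range(max_version, SEARCH_FLOOR - 1, -1):
        if f"policy.{v}" in present:
            return f"policy.{v}"
    return None

def audit_policy_dir(policy_files: Dict[str, bytes], reported_max: int) -> dict:
    """Compare the advertised maximum with what is on disk; policy_files maps a file
    name to its header bytes (read from /etc/selinux/<type>/policy or constructed)."""
    on_disk = {name: read_policydb_version(hdr) for name, hdr in policy_files.items()}
    found = locate_policy(on_disk, reported_max)
    too_new = sorted(n for n, v in on_disk.items() if v > reported_max)
    return {
        "reported_max": reported_max,
        "found_by_search": found,
        "on_disk": on_disk,
        "newer_than_reported": too_new,
        "mismatch": found is None or bool(too_new),
    }

if __name__ == "__main__":  # the Rocky 10.1 case from the report: only policy.35, max 33
    print(audit_policy_dir({"policy.35": make_header(35)}, 33))
```

On a live host, feed in the first 20 bytes of each file in the policy directory and the value of `selinux.security_policyvers()`; a `mismatch` of `True` is the condition the report describes.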
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2026-04-01 14:52 | Hiroshi Nishida | New Issue | |
| 2026-04-01 14:52 | Hiroshi Nishida | Tag Attached: selinux |