View Issue Details

ID: 0012376
Project: Rocky-Linux-10
Category: selinux-policy
View Status: public
Last Update: 2026-04-02 19:05
Reporter: Hiroshi Nishida
Assigned To: (none)
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
OS: Rocky
OS Version: 10.1
Product Version: 10.1
Summary: 0012376: security_policyvers() returns 33 but only policy.35 exists on disk

Description

  ## Environment
  - Rocky Linux 10.1
  - libsepol-3.9-1.el10.x86_64
  - sestatus: Max kernel policy version: 33
  - Only policy.35 exists under /etc/selinux/targeted/policy/

  ## Problem
  security_policyvers() returns 33, but no policy.33 file exists on disk. The only
  installed binary policy file is policy.35. Software that locates the binary policy
  by searching downward from security_policyvers() will never find it.

  Confirmed: the internal binary version of policy.35 (read at offset 16 in the
  policydb) is 35. sestatus still reports "Max kernel policy version: 33".

  ## Root Cause
  Upstream libsepol defines POLICYDB_VERSION_MAX = 33. Rocky Linux 10.1 ships
  policy.35, which uses a downstream policy format version (35) not present in
  upstream libsepol. security_policyvers() reports the upstream ceiling (33),
  creating a mismatch with the actual on-disk file version.

  ## Suggested Fix
  Either:
  1. Ship policy.33 as a compatibility symlink to policy.35, or
  2. Update libsepol to expose POLICYDB_VERSION_MAX = 35 so that
     security_policyvers() reflects the actual on-disk policy version.

  ## Additional Notes
  - Rocky Linux 9.7 is unaffected: policy.33 on disk, internal version 33,
    matches security_policyvers().
  - Policy versions 34 and 35 do not appear in upstream libsepol source or
    changelog — they appear to be downstream extensions.
Steps To Reproduce

  1. Install Rocky Linux 10.1 with SELinux enabled (targeted policy)
  2. Run: sestatus
     → "Max kernel policy version: 33"
  3. Run: ls /etc/selinux/targeted/policy/
     → Only policy.35 is present, no policy.33
  4. Run: python3 -c "import selinux; print(selinux.security_policyvers())"
     (or any program calling security_policyvers() from libsepol)
     → Returns 33
Tags: selinux
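The two checks the report relies on, as an added example that is not part of the report or of libsepol: reading the version field at offset 16 of a policydb header, and the downward lookup from the kernel's reported maximum that never reaches policy.35 when the maximum is 33. It assumes the standard kernel policydb header layout (magic 0xf97cff8c, the 8-byte "SE Linux" string, then the version) and builds a constructed 20-byte policy.35 in a temporary directory rather than touching /etc/selinux.

```python
import os
import struct
import tempfile
from typing import List, Optional, Tuple

POLICYDB_MAGIC = 0xF97CFF8C   # leading u32 of every kernel policydb
POLICYDB_STRING = b"SE Linux"  # 8-byte identification string that follows

def policydb_version(data: bytes) -> int:
    """Read the format version from a binary policydb header: little-endian
    u32 magic, u32 string length, "SE Linux", then the version at offset 16."""
    if len(data) < 20:
        raise ValueError("truncated policydb header")
    magic, str_len = struct.unpack_from("<II", data, 0)
    if magic != POLICYDB_MAGIC or data[8:8 + str_len] != POLICYDB_STRING:
        raise ValueError("not a kernel policydb header")
    return struct.unpack_from("<I", data, 16)[0]

def find_policy_downward(policy_dir: str, max_version: int,
                         min_version: int = 15) -> Optional[str]:
    """The lookup the report describes: start at the version the kernel
    reports via security_policyvers() and walk downward to the first file."""
    for ver in range(max_version, min_version - 1, -1):
        path = os.path.join(policy_dir, f"policy.{ver}")
        if os.path.isfile(path):
            return path
    return None

def audit_policy_dir(policy_dir: str, max_version: int) -> List[str]:
    """Flag every policy.N whose embedded version exceeds the kernel maximum;
    any hit means the downward search above will never load that file."""
    problems = []
    for name in sorted(os.listdir(policy_dir)):
        if not name.startswith("policy."):
            continue
        with open(os.path.join(policy_dir, name), "rb") as f:
            embedded = policydb_version(f.read(20))
        if embedded > max_version:
            problems.append(f"{name}: version {embedded} > kernel max {max_version}")
    return problems

def demo(kernel_max: int) -> Tuple[Optional[str], List[str]]:
    """Recreate the reported layout in a temp dir: only policy.35 on disk, with a
    constructed 20-byte header. Pass 33 (Rocky 10.1 kernel) or 35 to compare."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "policy.35"), "wb") as f:
            f.write(struct.pack("<II8sI", POLICYDB_MAGIC, 8, POLICYDB_STRING, 35))
        return find_policy_downward(d, kernel_max), audit_policy_dir(d, kernel_max)
```

On a real host, replace the temp dir with /etc/selinux/targeted/policy and pass `selinux.security_policyvers()` as `kernel_max`; an empty audit list and a non-None path mean the loader and the shipped file agree.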

Activities

Hiroshi Nishida (reporter)
2026-04-02 19:05
~0013201

Further investigation shows this is a packaging inconsistency specific to RHEL/Rocky 10.1.
Both upstream projects already support policy version 35:

- Upstream Linux kernel (torvalds/linux, security/selinux/include/security.h):
  POLICYDB_VERSION_MAX = POLICYDB_VERSION_NEVERAUDIT = 35
- Upstream libsepol (SELinuxProject/selinux):
  POLICYDB_VERSION_MAX = POLICYDB_VERSION_NEVERAUDIT = 35

The issue is that the RHEL/Rocky 10.1 kernel package was compiled with an older security.h
where POLICYDB_VERSION_MAX = 33, but it is paired with libsepol-3.9 which writes policy.35.
This causes security_policyvers() to return 33 at runtime while only policy.35 exists on disk.

The fix needs to happen in the kernel package — the v34/v35 SELinux support
(POLICYDB_VERSION_COND_XPERMS and POLICYDB_VERSION_NEVERAUDIT) needs to be backported to the
RHEL 10.1 kernel to match the shipped libsepol version.

Workaround in the meantime: sudo ln -s policy.35 /etc/selinux/targeted/policy/policy.33

Issue History

Date Modified Username Field Change
2026-04-01 14:52 Hiroshi Nishida New Issue
2026-04-01 14:52 Hiroshi Nishida Tag Attached: selinux
2026-04-02 19:05 Hiroshi Nishida Note Added: 0013201