Re: Re: Problem with selinux since Kernel Update

[Maarten]

Hello Scot,
I installed the most recent version of the policy but still have the same 
problem on all systems:
libsepol-2.5-8.1.sl7.x86_64
libsepol.policydb_read: policydb version 31 does not match my version range 
15-30
invalid binary policy 

On Thu, May 24, 2018 at 17:11, Scott Reid  wrote:
Hi Orion,

Thank you for the report. A new version of libsepol has been pushed out which 
should address your problem.

Thanks!

On 5/23/18, 5:26 PM, "owner-scientific-linux-us...@listserv.fnal.gov 
(mailto:owner-scientific-linux-us...@listserv.fnal.gov) on behalf of Orion 
Poplawski"  wrote:

On 05/15/2018 05:45 PM, Orion Poplawski wrote:
On 05/15/2018 05:41 PM, Orion Poplawski wrote:
On 05/15/2018 12:23 PM, Maarten wrote:
I have the same problem on all of my systems, running the same package
versions and kernel, also under 7.5:

libsepol.policydb_read: policydb version 31 does not match my version
range 15-30
invalid binary policy

3.10.0-862.2.3.el7.x86_64

policycoreutils-2.5-22.el7.x86_64
checkpolicy-2.5-6.el7.x86_64
selinux-policy-targeted-3.13.1-192.el7_5.3.noarch
policycoreutils-python-2.5-22.el7.x86_64
selinux-policy-3.13.1-192.el7_5.3.noarch

sl-release-7.5-2.sl7.x86_64

On 05/11/2018 07:29 AM, Klaus Steinberger wrote:
Am 04.05.2018 um 13:06 schrieb Steven C Timm:
Did you just update the kernel or also all the other security updates
that came out.
The problem is also after upgrading to SL 7.5:

[root@dmz-sv-mirror01 ~]# audit2allow -a -m local
libsepol.policydb_read: policydb version 31 does not match my version
range 15-30
invalid binary policy ???T

[root@dmz-sv-mirror01 ~]# uname -a
Linux dmz-sv-mirror01.physik.uni-muenchen.de 3.10.0-862.2.3.el7.x86_64 #1 SMP
Tue May 8 14:55:36 CDT 2018 x86_64 x86_64 x86_64 GNU/Linux
[root@dmz-sv-mirror01 ~]# rpm -q -a | grep policy
policycoreutils-2.5-22.el7.x86_64
policycoreutils-python-2.5-22.el7.x86_64
checkpolicy-2.5-6.el7.x86_64
selinux-policy-targeted-3.13.1-192.el7_5.3.noarch
selinux-policy-3.13.1-192.el7_5.3.noarch
[root@dmz-sv-mirror01 ~]#

Sincerly,
Klaus

I see this as well.  Very strange since the message and constants appear to
be defined in libsepol, and since that is updated I don't see how the
policydb version can be wrong.

# strings /usr/lib64/libsepol.so.1 | grep 'version range'
policydb version %d does not match my version range %d-%d
policydb module version %d does not match my version range %d-%d
# rpm -q libsepol
libsepol-2.5-8.1.el7.x86_64

Ah, but there is a libsepol-static package - so if packages were incorrectly
built against the older version of that, that would explain the problem.

Ping?  I think this is a pretty serious issue with the SL7.5 packages.  I
don't see this with CentOS or RHEL.

-- 
Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       or...@nwra.com (mailto:or...@nwra.com)
Boulder, CO 80301                 
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.nwra.com_&d=DwIFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=K5IsmKIlfeGD3zuXIueSwQ&m=HOrUKrdX0_RlnX8W2Rv3LAamiLNAjjE-5-bEaEhgGV0&s=jhQsxCFCn_mwuHV1RYyI1eTN2PZLmTZz9BKjcZPSQWg&e=
 
(https://urldefense.proofpoint.com/v2/url?u=https-3A__www.nwra.com_&d=DwIFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=K5IsmKIlfeGD3zuXIueSwQ&m=HOrUKrdX0_RlnX8W2Rv3LAamiLNAjjE-5-bEaEhgGV0&s=jhQsxCFCn_mwuHV1RYyI1eTN2PZLmTZz9BKjcZPSQWg&e=)