Bug 1212083

Summary: Update selinux related packages to latest version
Product: [openSUSE] PUBLIC SUSE Linux Enterprise Server 15 SP4 Reporter: Prabhav Thali <prabhav.thali1>
Component: SecurityAssignee: Security Team bot <security-team>
Status: RESOLVED INVALID QA Contact:
Severity: Normal    
Priority: P5 - None    
Version: unspecified   
Target Milestone: ---   
Hardware: S/390-64   
OS: SLES 15   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Prabhav Thali 2023-06-07 05:22:00 UTC 
Hello team,

##Observation:
While building docker-ce binaries for s390x on SLES 15.4, faced below issue:

Problem: the to be installed selinux-policy-20230214-150400.182.1.noarch requires 'policycoreutils >= 3.5', but this requirement cannot be provided.

In SUSE repositories, policycoreutils v3.1 is available.

Policycoreutils is needed as we need to install container-selinux as mentioned here(https://github.com/docker/docker-ce-packaging/blob/e43fbd37e48fde49d907b9195f23b13537521b94/rpm/SPECS/docker-ce.spec#L18). 

And following is the dependency tree of container-selinux:
# curl -O https://ftp.gwdg.de/pub/opensuse/repositories/security:/SELinux/15.4/noarch/container-selinux-2.215.0-150400.1.3.noarch.rpm
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 60756  100 60756    0     0  87648      0 --:--:-- --:--:-- --:--:-- 87544
# rpm -qpR ./container-selinux-2.215.0-150400.1.3.noarch.rpm
warning: ./container-selinux-2.215.0-150400.1.3.noarch.rpm: Header V3 DSA/SHA1 Signature, key ID 93b832ee: NOKEY
/bin/sh
/bin/sh
/bin/sh
/bin/sh
/usr/bin/sed
policycoreutils
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(PayloadIsXz) <= 5.2-1
selinux-policy >= 20230425-150400.194.8
selinux-policy-base >= 20230425
selinux-policy-targeted >= 20230425
selinux-tools

##Details:
As container-selinux requires selinux-policy >= 20230425-150400.194.8 and selinux-policy requires policycoreutils >= 3.5, it fails. However, in SUSE repositories selinux related packages are having v3.1(which is quite old). 

Will it be possible to upgrade the selinux-related packages(libselinux1, libsemanage, libsepol, policycoreutils) in SUSE repositories whenever a new release is out for selinux-policy?
Comment 1 Johannes Segitz 2023-06-07 07:00:39 UTC 
Please have a look at the SLES documentation. If you want to use the unofficial policy provided you need to use the https://build.opensuse.org/project/show/security:SELinux_legacy repository. If you use security:SELinux you also need to use the updated toolchain in there.

Updating the toolchain packages in 15.4 is tricky and would require an ECO