Bug 1123381

Summary: foreman-selinux fails to uninstall and reinstall cleanly
Product: Red Hat Satellite Reporter: Lukas Zapletal <lzap>
Component: SELinux Assignee: Lukas Zapletal <lzap>
Status: CLOSED CURRENTRELEASE QA Contact: Corey Welton <cwelton>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 6.0.4 CC: ajeain, bbuckingham, cwelton, jmontleo, lhh, mburns, sthirugn, yeylon
Target Milestone: Unspecified Keywords: Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
URL: http://projects.theforeman.org/issues/6780
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1123279 Environment:
Last Closed: 2014-09-11 12:19:02 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1127773    
Bug Blocks: 1123279    

Description Lukas Zapletal 2014-07-25 13:27:53 UTC
+++ This bug was initially created as a clone of Bug #1123279 +++

Discovered by the OpenStack team.

Description of problem:

There's a problem with foreman-selinux. It won't uninstall cleanly:

libsepol.context_from_record: type elasticsearch_port_t is not defined
libsepol.context_from_record: could not create context structure (Invalid argument).
libsepol.port_from_record: could not create port structure for range 9200:9300 (tcp) (Invalid argument).
libsepol.sepol_port_modify: could not load port range 9200 - 9300 (tcp) (Invalid argument).
libsemanage.dbase_policydb_modify: could not modify record value (Invalid argument).
libsemanage.semanage_base_merge_components: could not merge local modifications into policy (Invalid argument).
/usr/sbin/semodule:  Failed!

And it also leaves its SELinux modifications in the system; at least, that is:

# semanage port -l | grep 9200
elasticsearch_port_t           tcp      9200-9300

(When it's being installed, it does

/usr/sbin/semanage -S $selinuxvariant -i - << _EOT2
      port -a -t elasticsearch_port_t -p tcp 9200-9300
_EOT2

). As a result, it cannot be installed again cleanly anymore:

/usr/sbin/semanage: Port tcp/9200-9300 already defined
warning: %post(foreman-selinux-1.6.0.3-1.el6sat.noarch) scriptlet failed, exit status 1
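
Added example, not part of the original report and not the fix from the linked pull requests: a sketch of how install and uninstall scriptlets can avoid both failures shown above, by checking the `semanage port -l` listing before adding the port and by deleting the port record before removing the module that defines its type. The function names, the sample listing and `MODULE_PLACEHOLDER` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not foreman-selinux code). Function names are hypothetical.
# The page's "-S $selinuxvariant" store option is left out for brevity.

# Constructed sample of `semanage port -l` output.
SAMPLE_LISTING='SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
elasticsearch_port_t           tcp      9200-9300'

# port_state TYPE PROTO RANGE: reads a port listing on stdin and prints
# "present" (RANGE carries TYPE), "other:<type>" or "absent".
port_state() {
    awk -v t="$1" -v p="$2" -v r="$3" '
        $2 == p {
            for (i = 3; i <= NF; i++) {
                port = $i
                sub(/,$/, "", port)          # ports are comma separated
                if (port == r && found != "present")
                    found = ($1 == t) ? "present" : "other:" $1
            }
        }
        END { print (found ? found : "absent") }'
}

# install_plan TYPE PROTO RANGE: command a %post scriptlet should run.
install_plan() {
    case "$(port_state "$1" "$2" "$3")" in
        present) ;;   # re-adding is what fails with "already defined"
        other:*) echo "semanage port -m -t $1 -p $2 $3" ;;
        absent)  echo "semanage port -a -t $1 -p $2 $3" ;;
    esac
}

# uninstall_plan TYPE PROTO RANGE MODULE: drop the port record first, so no
# local record names a type the removed module no longer defines.
uninstall_plan() {
    case "$(port_state "$1" "$2" "$3")" in
        present) echo "semanage port -d -p $2 $3" ;;
    esac
    echo "semodule -r $4"
}

# Demo on the constructed listing; MODULE_PLACEHOLDER is not a real module name.
printf '%s\n' "$SAMPLE_LISTING" | uninstall_plan elasticsearch_port_t tcp 9200-9300 MODULE_PLACEHOLDER
```

The functions only print the commands they would run, so the plan can be inspected on a host without changing its policy.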

Comment 2 Lukas Zapletal 2014-07-25 14:05:48 UTC
To fix this bug, apply both patches:

https://github.com/theforeman/foreman-selinux/pull/24
https://github.com/theforeman/foreman-packaging/pull/290

Comment 3 Lukas Zapletal 2014-08-04 08:01:29 UTC
This was not merged yet; RHOS backported it.

Comment 4 Bryan Kearney 2014-08-06 14:04:27 UTC
Moving to POST since upstream bug http://projects.theforeman.org/issues/6780 has been closed
-------------
Lukas Zapletal
To fix this bug, apply both patches:

https://github.com/theforeman/foreman-selinux/pull/24
https://github.com/theforeman/foreman-packaging/pull/290
-------------
Anonymous
Applied in changeset commit:ae6f1a694d6a13c32d9bdfecbbb95cd2d0bb20bd.

Comment 6 Corey Welton 2014-08-19 19:09:24 UTC
Verified in Satellite-6.0.4-RHEL-6-20140813.2

Comment 7 Bryan Kearney 2014-09-11 12:19:02 UTC
This was delivered with Satellite 6.0 which was released on 10 September 2014.