Bug 1131575
Summary: | selinux relabel after yum update of pulp-selinux | |||
---|---|---|---|---|
Product: | Red Hat Satellite | Reporter: | Chris Roberts <chrobert> | |
Component: | Pulp | Assignee: | Mike McCune <mmccune> | |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Tazim Kolhar <tkolhar> | |
Severity: | high | Docs Contact: | ||
Priority: | medium | |||
Version: | 6.0.3 | CC: | bbuckingham, bkearney, bmbouter, chrobert, cwelton, daviddavis, dkliban, ggainey, ipanova, lzap, mhrivnak, mmccune, mmello, nshaik, pcreech, pgervase, rchan, riehecky, shughes, tkolhar, ttereshc, xdmoon | |
Target Milestone: | Unspecified | Keywords: | Triaged | |
Target Release: | Unused | |||
Hardware: | All | |||
OS: | Linux | |||
Whiteboard: | ||||
Fixed In Version: | Doc Type: | Bug Fix | ||
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 1145720 (view as bug list) | Environment: | ||
Last Closed: | 2015-08-12 14:02:04 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | 1205668 | |||
Bug Blocks: | 950746, 1115190 |
Description
Chris Roberts
2014-08-19 15:16:20 UTC
Since this issue was entered in Red Hat Bugzilla, the release flag has been set to ? to ensure that it is properly evaluated for this release.

There is another way of fixing this - relabel is not necessary to do every time for every single directory. It would be possible to introduce a special param to the relabel script like --full to do it on /var/lib/pulp. And during upgrade we could skip it. If there was a bug requiring to relabel it, we could ask users to call enable script with --full.

What lzap describes in comment #9 is very similar to the fix that is being put in place. The restorecon statements will run conditionally based on actual needed changes for a fresh install or upgrade instead of all restorecon statements all the time. The upstream Pulp bug is listed on the external tracker. Once the fix is put in place upstream, all downstream should have to do is cherry pick. We'll set the downstream bug at POST when upstream is merged.

The Pulp upstream bug status is at POST. Updating the external tracker on this bug.

The Pulp upstream bug status is at MODIFIED. Updating the external tracker on this bug.

I'm not sure if this is cherry picked or not, but it should be. Without this, a sat6.0 user who has a lot of synced content and is upgrading to sat6.1 will take hours to install. With this patch the SELinux portion will take minutes.

The Pulp upstream bug status is at ON_QA. Updating the external tracker on this bug.

hi
please provide verification steps
thanks

Use the verification steps from here [0], except that when it says to upgrade from Pulp 2.5.x you should upgrade from sat 6.0. needsinfo me with more questions if you have them.

[0]: https://pulp.plan.io/issues/540#note-13

The Pulp upstream bug status is at VERIFIED. Updating the external tracker on this bug.

VERIFIED:

# rpm -qa | grep foreman
puppet-foreman_scap_client-0.3.3-8.el7sat.noarch
ruby193-rubygem-foreman_docker-1.2.0.10-1.el7sat.noarch
ruby193-rubygem-foreman-tasks-0.6.12.4-1.el7sat.noarch
rubygem-hammer_cli_foreman_discovery-0.0.1.8-1.el7sat.noarch
foreman-libvirt-1.7.2.18-1.el7sat.noarch
ruby193-rubygem-foreman_bootdisk-4.0.2.12-1.el7sat.noarch
foreman-compute-1.7.2.18-1.el7sat.noarch
foreman-ovirt-1.7.2.18-1.el7sat.noarch
ruby193-rubygem-foreman_discovery-2.0.0.12-1.el7sat.noarch
rubygem-hammer_cli_foreman_tasks-0.0.3.4-1.el7sat.noarch
foreman-debug-1.7.2.18-1.el7sat.noarch
foreman-postgresql-1.7.2.18-1.el7sat.noarch
qe-sat6-rhel71.usersys.redhat.com-foreman-client-1.0-1.noarch
qe-sat6-rhel71.usersys.redhat.com-foreman-proxy-1.0-1.noarch
ruby193-rubygem-foreman_gutterball-0.0.1.9-1.el7sat.noarch
foreman-1.7.2.18-1.el7sat.noarch
foreman-gce-1.7.2.18-1.el7sat.noarch
ruby193-rubygem-foreman_hooks-0.3.7-2.el7sat.noarch
rubygem-hammer_cli_foreman-0.1.4.10-1.el7sat.noarch
foreman-selinux-1.7.2.13-1.el7sat.noarch
foreman-vmware-1.7.2.18-1.el7sat.noarch
rubygem-hammer_cli_foreman_bootdisk-0.1.2.6-1.el7sat.noarch
foreman-proxy-1.7.2.4-1.el7sat.noarch
qe-sat6-rhel71.usersys.redhat.com-foreman-proxy-client-1.0-1.noarch
ruby193-rubygem-foreman-redhat_access-0.1.0-1.el7sat.noarch

Steps:

$ sudo touch /var/lib/pulp/test
$ sudo chown apache:apache /var/lib/pulp/test
$ sudo chcon 'system_u:object_r:var_run_t:s0' /var/lib/pulp/test
$ ls -laZ /var/lib/pulp
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_lib_t:s0 ..
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 celery
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 content
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 init.flag
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 nodes
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 packages
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 published
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 sn.dat
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 static
-rw-r--r--. apache apache system_u:object_r:var_run_t:s0 test
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 uploads
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 working

moving it to ON_QA as this requires upgrade from sat6.0 to sat6.1

the concerned conversation:

<bmbouter> tkolhar: hey. tazim?
<tkolhar> bmbouter, do i need to makes those [0] link changes before i perform upgrade from sat6.0 to sat6.1 for this bz https://bugzilla.redhat.com/show_bug.cgi?id=1131575#c20
<tkolhar> bmbouter, yes
<bmbouter> let me see
<tkolhar> bmbouter, ok thanks
* dcaplan_ (~dcaplan.redhat.com) has joined #satellite6
<bmbouter> yes those link changes need to happen before the 6.0 -> 6.1 upgrade
* walden|afk is now known as walden
<bmbouter> so install 6.0 start it up and ensure everything is good
<bmbouter> make those link changes
<bmbouter> the chcon operations
<bmbouter> then do the upgrade to 6.1
* thomasmckay is now known as thomasmckay|errand
* aladke (~aladke.redhat.com) has joined #satellite6
<bmbouter> then startup 6.1 and make sure everything is ok
<tkolhar> bmbouter, ok got it thanks a lot . i will move it to ON_QA and retest it
* joeg (~jgiordan.redhat.com) has joined #satellite6
<bmbouter> then verify that the file you created and set the chcon on carries the expected security label
<tkolhar> bmbouter, ok got it
<bmbouter> tkolhar: cool thanks for verifying. ping me with more questions if they come up

FAILEDQA :

# rpm -qa | grep foreman
rubygem-hammer_cli_foreman-0.1.4.10-1.el6_6sat.noarch
foreman-libvirt-1.7.2.18-1.el6_6sat.noarch
ruby193-rubygem-foreman_bootdisk-4.0.2.12-1.el6_6sat.noarch
dell-pe1950-01.rhts.eng.bos.redhat.com-foreman-proxy-1.0-1.noarch
foreman-1.7.2.18-1.el6_6sat.noarch
foreman-debug-1.7.2.18-1.el6_6sat.noarch
rubygem-hammer_cli_foreman_tasks-0.0.3.4-1.el6_6sat.noarch
foreman-selinux-1.7.2.13-1.el6_6sat.noarch
foreman-compute-1.7.2.18-1.el6_6sat.noarch
foreman-vmware-1.7.2.18-1.el6_6sat.noarch
ruby193-rubygem-foreman_hooks-0.3.7-2.el6_6sat.noarch
rubygem-hammer_cli_foreman_bootdisk-0.1.2.6-1.el6_6sat.noarch
foreman-ovirt-1.7.2.18-1.el6_6sat.noarch
foreman-gce-1.7.2.18-1.el6_6sat.noarch
ruby193-rubygem-foreman_discovery-2.0.0.12-1.el6_6sat.noarch
foreman-postgresql-1.7.2.18-1.el6_6sat.noarch
dell-pe1950-01.rhts.eng.bos.redhat.com-foreman-client-1.0-1.noarch
ruby193-rubygem-foreman-redhat_access-0.1.0-1.el6_6sat.noarch
ruby193-rubygem-foreman_gutterball-0.0.1.9-1.el6_6sat.noarch
rubygem-hammer_cli_foreman_discovery-0.0.1.8-1.el6_6sat.noarch
ruby193-rubygem-foreman_docker-1.2.0.10-1.el6_6sat.noarch
ruby193-rubygem-foreman-tasks-0.6.12.4-1.el6_6sat.noarch
foreman-proxy-1.7.2.4-1.el6_6sat.noarch

steps :

$ sudo touch /var/lib/pulp/test
$ sudo chown apache:apache /var/lib/pulp/test
$ sudo chcon 'system_u:object_r:var_run_t:s0' /var/lib/pulp/test
$ ls -laZ /var/lib/pulp
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_lib_t:s0 ..
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 celery
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 content
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 init.flag
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 nodes
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 packages
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 published
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 sn.dat
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 static
-rw-r--r--. apache apache system_u:object_r:var_run_t:s0 test
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 uploads
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 working
# katello-installer --upgrade
File not found /usr/share/katello-installer/modules/katello_plugin_gutterball/manifests/init.pp, check your answer file

The Pulp upstream bug status is at CLOSED - CURRENTRELEASE. Updating the external tracker on this bug.

VERIFIED:

steps:

# sudo touch /var/lib/pulp/test
# sudo chown apache:apache /var/lib/pulp/test
# sudo chcon 'system_u:object_r:var_run_t:s0' /var/lib/pulp/test
# ls -laZ /var/lib/pulp
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_lib_t:s0 ..
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 celery
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 content
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 init.flag
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 nodes
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 packages
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 published
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 sn.dat
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 static
-rw-r--r--. apache apache system_u:object_r:var_run_t:s0 test
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 uploads
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 working
# yum -y update
# katello-installer --upgrade
Upgrading...
Upgrade Step: stop_services...
Upgrade Step: start_mongo...
Upgrade Step: migrate_pulp...
Upgrade Step: migrate_candlepin...
Upgrade Step: migrate_foreman...
Upgrade Step: Running installer...
Installing Info: START 622 [0%] [100%] []
The full log is at /var/log/katello-installer/katello-installer.log
Upgrade Step: Restarting services...
Upgrade Step: db:seed...
Upgrade Step: Running errata import task (this may take a while)...
Katello upgrade completed!
# ls -laZ /var/lib/pulp
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_lib_t:s0 ..
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 celery
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 content
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 init.flag
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 nodes
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 packages
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 published
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 sn.dat
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 static
-rw-r--r--. apache apache system_u:object_r:var_run_t:s0 test
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 uploads
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 working

packages

# rpm -qa | grep foreman
rubygem-hammer_cli_foreman_docker-0.0.3.6-1.el6_6sat.noarch
foreman-vmware-1.7.2.21-1.el6_6sat.noarch
ruby193-rubygem-foreman_docker-1.2.0.12-1.el6_6sat.noarch
rubygem-hammer_cli_foreman-0.1.4.11-1.el6_6sat.noarch
foreman-ovirt-1.7.2.21-1.el6_6sat.noarch
ruby193-rubygem-foreman_hooks-0.3.7-2.el6_6sat.noarch
ibm-ls22-01.rhts.eng.brq.redhat.com-foreman-proxy-1.0-1.noarch
rubygem-hammer_cli_foreman_discovery-0.0.1.10-1.el6_6sat.noarch
foreman-libvirt-1.7.2.21-1.el6_6sat.noarch
ruby193-rubygem-foreman-redhat_access-0.1.0-1.el6_6sat.noarch
ruby193-rubygem-foreman-tasks-0.6.12.5-1.el6_6sat.noarch
ruby193-rubygem-foreman_gutterball-0.0.1.9-1.el6_6sat.noarch
ibm-ls22-01.rhts.eng.brq.redhat.com-foreman-proxy-client-1.0-1.noarch
rubygem-hammer_cli_foreman_tasks-0.0.3.4-1.el6_6sat.noarch
foreman-1.7.2.21-1.el6_6sat.noarch
foreman-gce-1.7.2.21-1.el6_6sat.noarch
ruby193-rubygem-foreman_bootdisk-4.0.2.13-1.el6_6sat.noarch
foreman-proxy-1.7.2.4-1.el6_6sat.noarch
rubygem-hammer_cli_foreman_bootdisk-0.1.2.7-1.el6_6sat.noarch
foreman-selinux-1.7.2.13-1.el6_6sat.noarch
foreman-compute-1.7.2.21-1.el6_6sat.noarch
ibm-ls22-01.rhts.eng.brq.redhat.com-foreman-client-1.0-1.noarch
ruby193-rubygem-foreman_discovery-2.0.0.13-1.el6_6sat.noarch
foreman-postgresql-1.7.2.21-1.el6_6sat.noarch
foreman-debug-1.7.2.21-1.el6_6sat.noarch

This bug is slated to be released with Satellite 6.1.

This bug was fixed in version 6.1.1 of Satellite which was released on 12 August, 2015.
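
The verification steps in this bug plant a file with a deliberately wrong type (var_run_t) under /var/lib/pulp and check after the upgrade that it still carries that type, which shows the recursive restorecon pass was skipped. The same comparison as an added shell example (not part of the bug report or of Pulp); the function names and the abbreviated listings are constructed, and file names are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example (not from the bug report). Listings use the RHEL 6/7 `ls -laZ`
# layout seen in the bug: mode user group context name.

# Print the SELinux type (3rd field of user:role:type:level) of entry $2 in listing $1.
selinux_type_of() {
    printf '%s\n' "$1" | awk -v name="$2" '
        NF >= 5 && $NF == name { split($4, ctx, ":"); print ctx[3]; exit }'
}

# relabel_verdict BEFORE AFTER SENTINEL EXPECTED_TYPE
#   skipped    - sentinel kept its hand-set type, so no recursive restorecon ran
#   relabelled - sentinel was reset to the expected type
#   unknown    - sentinel missing, never mislabelled, or changed to something else
relabel_verdict() {
    before=$(selinux_type_of "$1" "$3")
    after=$(selinux_type_of "$2" "$3")
    if [ -z "$before" ] || [ -z "$after" ] || [ "$before" = "$4" ]; then
        echo unknown
    elif [ "$after" = "$before" ]; then
        echo skipped
    elif [ "$after" = "$4" ]; then
        echo relabelled
    else
        echo unknown
    fi
}

# Names of entries (other than . and ..) whose type differs from the expected one.
mislabelled_entries() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NF >= 5 && $NF != "." && $NF != ".." {
            split($4, ctx, ":"); if (ctx[3] != want) print $NF }'
}

# Constructed listings, abbreviated from the format in the verification comments.
BEFORE='drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_lib_t:s0 ..
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 content
-rw-r--r--. apache apache system_u:object_r:var_run_t:s0 test'
AFTER_CONDITIONAL=$BEFORE   # upgrade that relabels only what changed
AFTER_FULL=$(printf '%s\n' "$BEFORE" | sed '/ test$/s/var_run_t/httpd_sys_rw_content_t/')

relabel_verdict "$BEFORE" "$AFTER_CONDITIONAL" test httpd_sys_rw_content_t  # skipped
relabel_verdict "$BEFORE" "$AFTER_FULL" test httpd_sys_rw_content_t         # relabelled
```

After a real upgrade, remove the sentinel file: `mislabelled_entries` will keep reporting it for as long as it carries the hand-set type.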