Bug 1149790

Summary: Module cinder depends on permission kill in class service, not satisfied
Product: [Fedora] Fedora Reporter: Miroslav Suchý <msuchy>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 21CC: dominick.grift, dwalsh, lvrabec, mgrepl, plautrba, vedran
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-90.fc21 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-10-30 10:34:04 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Miroslav Suchý 2014-10-06 16:01:53 UTC 
Description of problem:
During upgrade from Fedora 20 -> 21 with disabled selinux, I got this:

  Updating   : selinux-policy-targeted-3.13.1-84.fc21.noarch                                                                             2171/8173 
libsepol.permission_copy_callback: Module cinder depends on permission kill in class service, not satisfied (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
/usr/sbin/semodule:  Failed!
  Updating   : ImageMagick-perl-6.8.8.10-5.fc21.x86_64                                                                                   2172/8173 


Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-84.fc21.noarch

How reproducible:
done once

Steps to Reproduce:
1. fully upgraded Fedora 20
2. /usr/bin/yum --releasever=21 --disableplugin=presto distro-sync


Actual results:
error from post scriptlet of selinux-policy-targeted

Expected results:
no errors

Additional info:
$ getenforce 
Disabled
Comment 1 Miroslav Grepl 2014-10-07 07:47:21 UTC 
Could you execute

# yum reinstall selinux-policy-targeted
Comment 2 Miroslav Suchý 2014-10-07 08:26:29 UTC 
yum reinstall selinux-policy-targeted
  ...
  Installing : selinux-policy-targeted-3.13.1-84.fc21.noarch                                                                                  1/1 
etckeeper: post transaction commit
  Verifying  : selinux-policy-targeted-3.13.1-84.fc21.noarch

I.e. no error on reinstall. I'm not sure what was the point.
Comment 3 Miroslav Grepl 2014-10-07 08:31:59 UTC 
We needed to rebuild the policy. This is caused by upstream merge. We don't have "kill" permission in F21.

But yes, this is ugly bug.
Comment 4 Vedran Miletić 2014-10-13 12:05:42 UTC 
It happens with SELinux enabled as well.
Comment 5 Daniel Walsh 2014-10-27 23:09:34 UTC 
You will need to rebuild the policy for cinder to fix this problem.  I think we should just add back in those permissions in the file and mark them as not to use.
Comment 6 Lukas Vrabec 2014-10-30 10:34:04 UTC 
https://github.com/selinux-policy/selinux-policy/commit/f20c4e38b4443f2ab7c442c20dc42b7dc57fdebe

Related to link above, I think we can close this issue.
Comment 7 Miroslav Grepl 2014-10-30 12:13:22 UTC 
I added back those permissions because it breaks updates.