Bug 1238055

Summary: [SELinux] glusterfs-server-3.7.1-<>.el6rhs should have a dependency >=selinux-policy-targeted-3.7.19-279.el6.noarch and selinux-policy-3.7.19-279.el6.noarch
Product: [Red Hat Storage] Red Hat Gluster Storage Reporter: Prasanth <pprakash>
Component: build Assignee: Niels de Vos <ndevos>
Status: CLOSED WONTFIX QA Contact: Prasanth <pprakash>
Severity: urgent Docs Contact:
Priority: urgent    
Version: rhgs-3.1 CC: amainkar, annair, asrivast, barumuga, nlevinki, nsathyan, pprakash, rcyriac, rhs-bugs, rnachimu, vagarwal
Target Milestone: ---   
Target Release: RHGS 3.1.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-07-03 18:12:08 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Prasanth 2015-07-01 06:01:50 UTC
Description of problem:

glusterfs-server-3.7.1-<>.el6rhs should have a dependency >= selinux-policy-targeted-3.7.19-279.el6.noarch and selinux-policy-3.7.19-279.el6.noarch to make sure that all the latest gluster related SELinux policy fixes are available in the system before the users start using glusterfs in Enforcing mode of SELinux.

Version-Release number of selected component (if applicable):
glusterfs-server-3.7.1-6.el6rhs.x86_64
selinux-policy-3.7.19-279.el6.noarch
selinux-policy-targeted-3.7.19-279.el6.noarch

How reproducible:


Steps to Reproduce:
1. # yum install glusterfs-server
2.
3.

Actual results: glusterfs-server currently does not have any dependency on selinux-policy to ensure that a RHGS-3.1 system has all the required gluster SELinux policies. This might end up in SELinux related issues later in customer environments if they haven't updated the selinux-policy* to the latest in their system which has all the fixes required for the proper functioning of glusterfs.


Expected results: The objective of this dependency on SELinux is to make sure that all the gluster related SELinux fixes are present in the RHGS-3.1 system before using glusterfs.


Additional info: Brew build: https://brewweb.devel.redhat.com/buildinfo?buildID=443534

Comment 1 Rejy M Cyriac 2015-07-01 06:30:22 UTC
I think a dependency on selinux-policy package is enough. It should pull in the selinux-policy-targeted package as dependency. Can you check this out ?

Comment 4 Prasanth 2015-07-01 10:39:05 UTC
(In reply to Rejy M Cyriac from comment #1)
> I think a dependency on selinux-policy package is enough. It should pull in
> the selinux-policy-targeted package as dependency. Can you check this out ?

In fact, it's the other way. 'selinux-policy-targeted' pulls in 'selinux-policy' as a dependency. See below:

#########
# yum install selinux-policy-targeted
Loaded plugins: product-id, rhnplugin, security, subscription-manager
This system is receiving updates from RHN Classic or RHN Satellite.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package selinux-policy-targeted.noarch 0:3.7.19-279.el6 will be installed
--> Processing Dependency: selinux-policy = 3.7.19-279.el6 for package: selinux-policy-targeted-3.7.19-279.el6.noarch
--> Processing Dependency: selinux-policy = 3.7.19-279.el6 for package: selinux-policy-targeted-3.7.19-279.el6.noarch
--> Running transaction check
---> Package selinux-policy.noarch 0:3.7.19-279.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==============================================================================================================================================================================================
 Package                                             Arch                               Version                                       Repository                                         Size
==============================================================================================================================================================================================
Installing:
 selinux-policy-targeted                             noarch                             3.7.19-279.el6                                RHEL_Guest-6.7-Puddle                             3.1 M
Installing for dependencies:
 selinux-policy                                      noarch                             3.7.19-279.el6                                RHEL_Guest-6.7-Puddle                             881 k

Transaction Summary
==============================================================================================================================================================================================
Install       2 Package(s)

Total download size: 3.9 M
Installed size: 13 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): selinux-policy-3.7.19-279.el6.noarch.rpm                                                                                                                        | 881 kB     00:00     
(2/2): selinux-policy-targeted-3.7.19-279.el6.noarch.rpm                                                                                                               | 3.1 MB     00:05     
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
#########

Comment 5 Bala.FA 2015-07-01 11:12:17 UTC
patch is under review https://code.engineering.redhat.com/gerrit/52096

Comment 6 Niels de Vos 2015-07-01 11:22:04 UTC
Adding a dependency on selinux-policy-targeted does not look like the right approach to me. After talking to Prasanth, it was assumed that this would solve problems like this:

 - some package from RHGS gets updates
 - said package has a %post script that modifies a new selinux boolean
   - the new selinux boolean is not available yet, setting it fails
 - selinux-policy-targeted gets updated, new boolean is made available


I am not sure if it is common practise to change an selinux boolean in a %post script of an RPM package. It is not something I have seen getting done before. I would assume that there is a cleaner way of doing this, maybe by providing some selinux policy module that overloads the default boolean values. This is something selinux developers should be able to assist with.

For the immediate need of fixing the sketched problem, a dependency in the package(s) that modifies selinux booleans in %post is needed. The only (ugly) way to do this that I know of, is by adding a dependency like this:

   Requires(post): selinux-policy-targeted >= 3.7.19-279

The (post) after the Requires indicates the %post script. In case the package modifies a selinux boolean in %pre, the format would be like "Requires(pre)". This needs some testing, a versioned dependency like this is not very common.
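
The failure sequence sketched in comment 6 (a %post scriptlet setting a boolean that the installed policy does not define yet) can also be detected inside the scriptlet itself, alongside the Requires(post) tag. The following is an added example, not part of the original comment or of any RHGS package; the function name apply_sebool and its status words are assumptions made here, and no boolean name is taken from this bug.

```shell
#!/bin/sh
# Added example: %post scriptlet body meant to accompany the spec tag
#   Requires(post): selinux-policy-targeted >= 3.7.19-279
# The boolean name is supplied by the caller; none is named in this bug.

# Print one status word describing what happened to boolean $1:
#   disabled - SELinux is off (or its tools are absent), nothing to do
#   missing  - the loaded policy does not define the boolean (policy too old)
#   set      - boolean persistently set to $2
#   failed   - setsebool returned an error
# Always returns 0 so the caller decides how to react to the status word.
apply_sebool() {
    name=$1
    value=$2
    if ! selinuxenabled 2>/dev/null; then
        echo disabled
        return 0
    fi
    # getsebool exits non-zero when the boolean is unknown to the policy.
    if ! getsebool "$name" >/dev/null 2>&1; then
        echo missing
        return 0
    fi
    # -P writes the value to the policy store so it survives a reboot.
    if setsebool -P "$name" "$value" >/dev/null 2>&1; then
        echo set
    else
        echo failed
    fi
    return 0
}

# Stand-alone use: sh this-file <boolean> <on|off>
if [ $# -eq 2 ]; then
    apply_sebool "$1" "$2"
fi
```

A "missing" result on a system where the versioned Requires(post) is in place points at a policy package that installed but does not carry the expected boolean, which is worth logging from the scriptlet.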

Comment 7 Niels de Vos 2015-07-02 12:00:48 UTC
Prasanth, do you know what the plan is with this? Should I close this bug and do you open separate bugs for each of the packages that modify SElinux booleans in rpm scriptlets?

Comment 8 Niels de Vos 2015-07-02 13:44:24 UTC
RCM gave a similar response in https://bugzilla.redhat.com/show_bug.cgi?id=1237065#c5

Comment 9 Prasanth 2015-07-03 18:12:08 UTC
(In reply to Niels de Vos from comment #7)
> Prasanth, do you know what the plan is with this? Should I close this bug
> and do you open separate bugs for each of the packages that modify SElinux
> booleans in rpm scriptlets?

Niels, as discussed in today's meeting, we all agreed to a common solution which is to create a dependency in the package(s) that modifies selinux booleans, instead of creating a dependency for glusterfs-server on selinux-policy. So based on that, I'm closing this BZ for now and will open new BZs for different components that need this fix.