Bug 1240240

Summary: [SELinux] gluster-nagios-addons should have a dependency on selinux packages (RHEL-7.1)
Product: [Red Hat Storage] Red Hat Gluster Storage Reporter: Prasanth <pprakash>
Component: gluster-nagios-addonsAssignee: Ramesh N <rnachimu>
Status: CLOSED ERRATA QA Contact: RamaKasturi <knarra>
Severity: high Docs Contact:
Priority: high    
Version: rhgs-3.1CC: amainkar, annair, asrivast, dpati, mgrepl, mmalik, nlevinki, nsathyan, pprakash, rcyriac, rhsc-qe-bugs, sabose, vagarwal
Target Milestone: ---   
Target Release: RHGS 3.1.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: gluster-nagios-addons-0.2.4-4.el7, selinux-policy-3.13.1-23.el7_1.9 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-07-29 05:34:54 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1202842, 1212796    

Description Prasanth 2015-07-06 10:22:02 UTC 
Description of problem:

gluster-nagios-adons should have a dependency on selinux packages in RHEL-7.1

Version-Release number of selected component (if applicable):
gluster-nagios-addons-0.2.4-2.el6rhs

The packages that Milos mentions [1] as possible candidates for
dependent packages list are

 + policycoreutils package because it brings the setsebool command
 + libselinux-utils package because it brings the getsebool command
 + selinux-policy-targeted or selinux-policy-base (virtual package)
because it brings the policy where booleans are defined and stored

If the semanage command is to be used, I would add to the list

 + policycoreutils-python package because it brings the semanage command

It is also interesting to note that the policycoreutils-python package
depends on the policycoreutils package, which further depends on the
libselinux-utils package

And the selinux-policy-targeted package dependency must have a minimal
version restriction for that version which has all the SELinux policy
rules for RHGS 3.1.

See the following BZ's for more details regarding this decision:

https://bugzilla.redhat.com/show_bug.cgi?id=1238055
https://bugzilla.redhat.com/show_bug.cgi?id=1237065


The only available and latest SELinux RHEL-7.1 build is: https://brewweb.devel.redhat.com/buildinfo?buildID=441837

However, I'm not very sure if this can be considered as the right candidate for setting the above required dependency as it doesn't seems to have all the fixes backported. So either we should wait for a build which has all the fixes backported or get a confirmation from the SELinux team to go with this build. 

Miroslav/Milos,

Could you please check the above and confirm so that we can proceed further with creating this dependency.
Comment 2 Ramesh N 2015-07-10 06:42:56 UTC 
I will add the dependency to selinux-policy-targeted-3.13.1-23.el7_1.9. Though it doesn't have the required sebool 'logging_syslogd_run_nagios_plugins' it can be verified by ensuring that selinux-packages are getting installed before gluster-nagios-addons. 

sebool 'logging_syslogd_run_nagios_plugins' is available with 'selinux-policy-3.13.1-31.el7' as in bz#1233550. It will be pack ported to RHEL7.1.
Comment 3 RamaKasturi 2015-07-13 09:45:53 UTC 
Verified and works fine with build gluster-nagios-addons-0.2.4-4.el7rhgs.x86_64. 

There is a requires on selinux policy for  gluster-nagios-addons-0.2.4-4.el7rhgs.x86_64 (Server-RH-Gluster-3-Server)
           Requires: selinux-policy-targeted >= 3.13.1-23.el7_1.9

When freshly installed on RHEL7 it sets the following booleans on the RHGS nodes.

logging_syslogd_run_nagios_plugins --> on
nagios_run_sudo --> on

Marking this verified.
Comment 4 errata-xmlrpc 2015-07-29 05:34:54 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2015-1494.html