Bug 1265544

Summary: SELinux policy from RHEL 7.2 is not compatible with Satellite 6.1 policy (missing optional block for docker_var_run_t)
Product: Red Hat Satellite
Reporter: Jan Pazdziora <jpazdziora>
Component: SELinux
Assignee: Lukas Zapletal <lzap>
Status: CLOSED ERRATA
QA Contact: Lukas Pramuk <lpramuk>
Severity: high
Docs Contact:
Priority: unspecified
Version: 6.1.2
CC: bbuckingham, bkearney, chpeters, cwelton, jpazdziora, lpramuk, lvrabec, lzap, mgrepl, mmalik, mmccune, plautrba, pvrabec, sghai, ssekidde
Target Milestone: Unspecified
Keywords: Reopened, Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
URL: http://projects.theforeman.org/issues/11934
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-11-19 20:32:35 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments:
  installer completed successfully in enforcing mode (Flags: none)

Description Jan Pazdziora 2015-09-23 08:22:39 UTC
Description of problem:

Running foreman-installer started to fail on RHEL 7.2 composes.

Version-Release number of selected component (if applicable):

selinux-policy-3.13.1-52.el7.noarch

How reproducible:

Deterministic.

Steps to Reproduce:
1. Run foreman-installer.

Actual results:

# [ERROR 2015-09-23 02:33:51 verbose]  /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[foreman.example.com]: Could not evaluate: Proxy foreman.example.com cannot be registered (Could not load data from https://foreman.example.com# [ INFO 2015-09-23 02:33:51 verbose]  - is your server down?
# [ INFO 2015-09-23 02:33:51 verbose]  - was rake apipie:cache run when using apipie cache? (typical production settings)): N/A
[...]
#   Something went wrong! Check the log for ERROR-level output

Expected results:

No error

Additional info:

AVC denials:

avc:  denied  { getattr } for  pid=23191 comm="httpd" path="/etc/puppet/rack/config.ru" dev="dm-0" ino=815544 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file

# sesearch --allow -s httpd_t -t puppet_etc_t
Found 2 semantic av rules:
   allow httpd_t file_type : filesystem getattr ; 
   allow httpd_t file_type : dir { getattr search open } ; 

On selinux-policy-3.13.1-49.el7.noarch where things work, sesearch says

Found 4 semantic av rules:
   allow httpd_t file_type : filesystem getattr ; 
   allow httpd_t file_type : dir { getattr search open } ; 
   allow httpd_t puppet_etc_t : file { ioctl read getattr lock open } ; 
   allow httpd_t puppet_etc_t : dir { getattr search open } ;

Comment 5 Lukas Vrabec 2015-09-23 08:53:55 UTC
Hi,
The related rules come from the foreman-selinux package.

[root@dhcp-10-40-3-126 ~]# rpm -q --all | grep selinux
libselinux-python-2.2.2-6.el7.x86_64
libselinux-2.2.2-6.el7.x86_64
libselinux-utils-2.2.2-6.el7.x86_64
selinux-policy-devel-3.13.1-49.el7.noarch
foreman-selinux-1.9.2-1.el7.noarch
selinux-policy-targeted-3.13.1-53.el7.noarch
selinux-policy-3.13.1-53.el7.noarch

I believe foreman-selinux is not installed on your system.

Comment 7 Jan Pazdziora 2015-09-23 11:41:30 UTC
(In reply to Milos Malik from comment #3)
> 
> Is it possible that foreman-selinux package did not install successfully?

The package is installed but its SELinux module was not loaded.

With

# rpm -qf /usr/sbin/foreman-selinux-enable
foreman-selinux-1.10.0-0.develop.201509210827gitd3a9081.el7.noarch

running it fails:

# /usr/sbin/foreman-selinux-enable
libsepol.print_missing_requirements: foreman's global requirements were not met: type/attribute docker_var_run_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
ValueError: Could not commit semanage transaction
ValueError: Type elasticsearch_port_t is invalid, must be a port type

With selinux-policy-3.13.1-49.el7.noarch, loading passes:

# semanage module -l | grep foreman
foreman                  1.10.0

Comment 8 Milos Malik 2015-09-23 11:59:42 UTC
The docker_var_run_t type is defined in docker.pp, which is not part of selinux-policy since 3.13.1-51.el7, because docker.pp is shipped within docker-selinux package.

Comment 9 Miroslav Grepl 2015-09-23 12:32:20 UTC
Jan,
what does

# semodule -l |grep docker

show on the affected system?

Thank you.

Comment 10 Jan Pazdziora 2015-09-23 12:36:12 UTC
(In reply to Miroslav Grepl from comment #9)
> what does
> 
> # semodule -l |grep docker
> 
> show on the affected system?

# semodule -l |grep docker
#

On a system where things work it outputs

# semodule -l |grep docker
docker	1.0.0	
#

Comment 11 Miroslav Grepl 2015-09-23 12:44:19 UTC
Ok, taking that back. This is actually a bug in the foreman.pp policy. They need to use optional_policy() for the docker calls.

Comment 12 Lukas Zapletal 2015-09-23 13:32:41 UTC
Relevant part: https://github.com/theforeman/foreman-selinux/blob/develop/foreman.te#L363-L379

Creating issue: http://projects.theforeman.org/issues/11934

Feel free to close this one.

Comment 13 Lukas Zapletal 2015-09-23 13:44:20 UTC
For the record, this build fixes it: http://koji.katello.org/koji/taskinfo?taskID=348626

Comment 14 Lukas Zapletal 2015-09-24 07:58:33 UTC
Bringing this into Satellite 6 as we will cherry-pick this into the product.

Comment 18 Bryan Kearney 2015-09-28 14:06:09 UTC
Moving to POST since upstream bug http://projects.theforeman.org/issues/11934 has been closed.
-------------
Dominic Cleal
The foreman-selinux-enable error:

  Installing : foreman-selinux-1.10.0-0.develop.201509210827gitd3a9081.el7.noarch                                                  1/1 
libsepol.print_missing_requirements: foreman's global requirements were not met: type/attribute docker_var_run_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
ValueError: Could not commit semanage transaction
ValueError: Type elasticsearch_port_t is invalid, must be a port type
warning: %post(foreman-selinux-1.10.0-0.develop.201509210827gitd3a9081.el7.noarch) scriptlet failed, exit status 1
-------------
Anonymous
Applied in changeset commit:caf0b6c3000a8d91b677a59c9b41f09a3c4d5169.

Comment 22 Mike McCune 2015-11-04 20:12:28 UTC
Lukas,

This failed to build in brew with the following error:

"""
ENTER do(['bash', '--login', '-c', 'rpmbuild -bb --target noarch --nodeps builddir/build/SPECS/foreman-selinux.spec'], False, '/var/lib/mock/satellite-6.1.0-rhel-6-build-2757029-1361950/root/', None, 86400, True, 0, 251, 276, None, logger=<mock.trace_decorator.getLog object at 0x106fbc50>)
Executing command: ['bash', '--login', '-c', 'rpmbuild -bb --target noarch --nodeps builddir/build/SPECS/foreman-selinux.spec']
Building target platforms: noarch
Building for target noarch
Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.a9Se67
+ umask 022
+ cd /builddir/build/BUILD
+ LANG=C
+ export LANG
+ unset DISPLAY
+ cd /builddir/build/BUILD
+ rm -rf foreman-selinux-1.7.2.15
+ /usr/bin/gzip -dc /builddir/build/SOURCES/foreman-selinux-1.7.2.15.tar.gz
+ /bin/tar -xf -
+ STATUS=0
+ '[' 0 -ne 0 ']'
+ cd foreman-selinux-1.7.2.15
+ /bin/chmod -Rf a+rX,u+w,g-w,o-w .
+ cat downstream.te.in
+ exit 0
Executing(%build): /bin/sh -e /var/tmp/rpm-tmp.MgJnZ0
+ umask 022
+ cd /builddir/build/BUILD
+ cd foreman-selinux-1.7.2.15
+ LANG=C
+ export LANG
+ unset DISPLAY
+ perl -i -pe 'BEGIN { $VER = join ".", grep /^\d+$/, split /\./, "1.7.2.15.1.el6"; } s!\@\@VERSION\@\@!$VER!g;' foreman.te
+ distver=rhel6
+ for selinuxvariant in targeted
+ make NAME=targeted -f /usr/share/selinux/devel/Makefile DISTRO=rhel6
cat: /selinux/mls: No such file or directory
Compiling targeted foreman module
/usr/bin/checkmodule:  loading policy configuration from tmp/foreman.tmp
foreman.te":496:ERROR 'duplicate declaration of type/attribute' at token ';' on line 10057:
}
type docker_port_t;
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [tmp/foreman.mod] Error 1
RPM build errors:
error: Bad exit status from /var/tmp/rpm-tmp.MgJnZ0 (%build)
    Bad exit status from /var/tmp/rpm-tmp.MgJnZ0 (%build)
Child returncode was: 1
EXCEPTION: Command failed. See logs for output.
 # ['bash', '--login', '-c', 'rpmbuild -bb --target noarch --nodeps builddir/build/SPECS/foreman-selinux.spec']
Traceback (most recent call last):
  File "/usr/lib/python2.4/site-packages/mock/trace_decorator.py", line 70, in trace
    result = func(*args, **kw)
  File "/usr/lib/python2.4/site-packages/mock/util.py", line 324, in do
    raise mock.exception.Error, ("Command failed. See logs for output.\n # %s" % (command,), child.returncode)
Error: Command failed. See logs for output.
 # ['bash', '--login', '-c', 'rpmbuild -bb --target noarch --nodeps builddir/build/SPECS/foreman-selinux.spec']
"""

Going to move this to a later release as it isn't going to make 6.1.4.
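
As an added illustration of the fix Comment 11 asks for and of the "duplicate declaration" failure in Comment 22's build log (this is example policy written for this page, not the actual foreman.te; the foreman_rails_t domain and the rules inside the block are assumptions), references to docker types belong inside an optional_policy() block with a gen_require(), not in an unconditional require or a local type declaration:

```selinux
# Hypothetical "before" shapes (kept commented so this file still compiles):
#
#   require {
#       type docker_var_run_t;     # unconditional: the module cannot link on a
#   }                              # base policy that lacks docker.pp (RHEL 7.2,
#                                  # where docker types moved to docker-selinux),
#                                  # giving "global requirements were not met"
#
#   type docker_port_t;            # local declaration: fails the other way, on a
#                                  # base policy that already ships the type, with
#                                  # "duplicate declaration of type/attribute"

# "After": the docker rules are optional. If the required types are absent at
# link time the whole block is dropped; if they are present the rules apply.
optional_policy(`
    gen_require(`
        type docker_var_run_t;
        type docker_port_t;
    ')

    # Example rules only; foreman_rails_t is an assumed domain name.
    allow foreman_rails_t docker_var_run_t:dir search_dir_perms;
    allow foreman_rails_t docker_var_run_t:sock_file write_sock_file_perms;
    allow foreman_rails_t docker_port_t:tcp_socket name_connect;
')
```

Whether the block was kept on a given host can be checked the way the thread does it, with `semodule -l | grep docker` for the provider of the types and `sesearch --allow` for the resulting rules.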

Comment 31 Sachin Ghai 2015-11-16 14:15:28 UTC
Verified with Sat 6.1.4 compose9.

Katello-installer succeeded. Please see the attached screenshot.
I tried the rhel7.2 build from beaker (RHEL-7.2-20151106.n.0).

[root@cloud-qe-14 ~]# semodule -l | grep foreman
foreman	1.7.2.16.1	
[root@cloud-qe-14 ~]# rpm -qa | grep foreman-selinux
foreman-selinux-1.7.2.16-1.el7sat.noarch

Comment 32 Sachin Ghai 2015-11-16 14:17:07 UTC
Created attachment 1094883 [details]
installer completed successfully in enforcing mode

Comment 33 Sachin Ghai 2015-11-16 14:18:15 UTC
Moving this to verified as per the results of katello-installer with the Sat 6.1.4 downstream compose9.

Comment 34 Bryan Kearney 2015-11-19 20:32:35 UTC
This fix was delivered in 6.1.4 on 19 November in https://access.redhat.com/errata/RHBA-2015:2474.