Bug 1265544
| Field | Value |
|---|---|
| Summary | SELinux policy from RHEL 7.2 is not compatible with Satellite 6.1 policy (missing optional block for docker_var_run_t) |
| Product | Red Hat Satellite |
| Reporter | Jan Pazdziora <jpazdziora> |
| Component | SELinux |
| Assignee | Lukas Zapletal <lzap> |
| Status | CLOSED ERRATA |
| QA Contact | Lukas Pramuk <lpramuk> |
| Severity | high |
| Priority | unspecified |
| Version | 6.1.2 |
| CC | bbuckingham, bkearney, chpeters, cwelton, jpazdziora, lpramuk, lvrabec, lzap, mgrepl, mmalik, mmccune, plautrba, pvrabec, sghai, ssekidde |
| Target Milestone | Unspecified |
| Keywords | Reopened, Triaged |
| Target Release | Unused |
| Hardware | Unspecified |
| OS | Unspecified |
| URL | http://projects.theforeman.org/issues/11934 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2015-11-19 20:32:35 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
Description
Jan Pazdziora
2015-09-23 08:22:39 UTC
Hi, related rules come from the foreman-selinux package.

```
[root@dhcp-10-40-3-126 ~]# rpm -q --all | grep selinux
libselinux-python-2.2.2-6.el7.x86_64
libselinux-2.2.2-6.el7.x86_64
libselinux-utils-2.2.2-6.el7.x86_64
selinux-policy-devel-3.13.1-49.el7.noarch
foreman-selinux-1.9.2-1.el7.noarch
selinux-policy-targeted-3.13.1-53.el7.noarch
selinux-policy-3.13.1-53.el7.noarch
```

I believe foreman-selinux is not installed on your system.

(In reply to Milos Malik from comment #3)
> Is it possible that foreman-selinux package did not install successfully?

The package is installed but its SELinux module was not loaded. With

```
# rpm -qf /usr/sbin/foreman-selinux-enable
foreman-selinux-1.10.0-0.develop.201509210827gitd3a9081.el7.noarch
```

running it fails:

```
# /usr/sbin/foreman-selinux-enable
libsepol.print_missing_requirements: foreman's global requirements were not met: type/attribute docker_var_run_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
ValueError: Could not commit semanage transaction
ValueError: Type elasticsearch_port_t is invalid, must be a port type
```

With selinux-policy-3.13.1-49.el7.noarch, loading passes:

```
# semanage module -l | grep foreman
foreman 1.10.0
```

The docker_var_run_t type is defined in docker.pp, which is not part of selinux-policy since 3.13.1-51.el7, because docker.pp is shipped within the docker-selinux package.

Jan, what does the following show on the affected system? Thank you.

```
# semodule -l |grep docker
```

(In reply to Miroslav Grepl from comment #9)
> what does
>
> # semodule -l |grep docker
>
> on affected system?

```
# semodule -l |grep docker
#
```

On a system where things work it outputs

```
# semodule -l |grep docker
docker 1.0.0
#
```

Ok, taking back. This is actually a bug in the foreman.pp policy. They need to use optional_policy() for the docker calls. Relevant part: https://github.com/theforeman/foreman-selinux/blob/develop/foreman.te#L363-L379

Creating issue: http://projects.theforeman.org/issues/11934

Feel free to close this one.
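As an added illustration (not policy text from this bug or from the foreman-selinux project), the shape of the fix the comment above describes: the same reference to docker_var_run_t written first as a hard global requirement, then inside an optional_policy() block so the module links whether or not docker.pp is present. The module name, the example_t type and the allow rule are assumptions chosen for the illustration.

```selinux
# Added example, not the foreman-selinux project's own policy: how a module
# refers to a type owned by another module (docker_var_run_t, from docker.pp)
# so that it still links when that other module is not loaded.
# The module name, example_t and the allow rule are assumed for illustration.

policy_module(example_docker_dep, 1.0.0)

# A type this module owns: declared here, so it is always available.
type example_t;

# BROKEN SHAPE (what the bug hit): a global require makes docker_var_run_t a
# hard dependency. Since selinux-policy 3.13.1-51.el7 docker.pp ships in
# docker-selinux instead, so on a host without it semodule fails with
# "global requirements were not met: type/attribute docker_var_run_t".
#
#   require {
#       type docker_var_run_t;
#   }
#   allow example_t docker_var_run_t:sock_file write;

# FIXED SHAPE: the same rule inside optional_policy(). The require is scoped
# to the optional block, so if docker_var_run_t is undefined at link time the
# block is dropped and the rest of the module loads normally.
optional_policy(`
    gen_require(`
        type docker_var_run_t;
    ')
    allow example_t docker_var_run_t:sock_file write;
')
```

A module built this way loads on both kinds of host; the semodule -l | grep docker check used in the thread tells you whether the optional block was actually linked in.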
For the record this build fixes it: http://koji.katello.org/koji/taskinfo?taskID=348626

Bringing this into Satellite 6 as we will cherry pick this into the product.

Moving to POST since upstream bug http://projects.theforeman.org/issues/11934 has been closed.

-------------
Dominic Cleal

The foreman-selinux-enable error:

```
Installing : foreman-selinux-1.10.0-0.develop.201509210827gitd3a9081.el7.noarch 1/1
libsepol.print_missing_requirements: foreman's global requirements were not met: type/attribute docker_var_run_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
ValueError: Could not commit semanage transaction
ValueError: Type elasticsearch_port_t is invalid, must be a port type
warning: %post(foreman-selinux-1.10.0-0.develop.201509210827gitd3a9081.el7.noarch) scriptlet failed, exit status 1
```

-------------
Anonymous

Applied in changeset commit:caf0b6c3000a8d91b677a59c9b41f09a3c4d5169.

Lukas,

This failed to build in brew with the following error:

```
ENTER do(['bash', '--login', '-c', 'rpmbuild -bb --target noarch --nodeps builddir/build/SPECS/foreman-selinux.spec'], False, '/var/lib/mock/satellite-6.1.0-rhel-6-build-2757029-1361950/root/', None, 86400, True, 0, 251, 276, None, logger=<mock.trace_decorator.getLog object at 0x106fbc50>)
Executing command: ['bash', '--login', '-c', 'rpmbuild -bb --target noarch --nodeps builddir/build/SPECS/foreman-selinux.spec']
Building target platforms: noarch
Building for target noarch
Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.a9Se67
+ umask 022
+ cd /builddir/build/BUILD
+ LANG=C
+ export LANG
+ unset DISPLAY
+ cd /builddir/build/BUILD
+ rm -rf foreman-selinux-1.7.2.15
+ /usr/bin/gzip -dc /builddir/build/SOURCES/foreman-selinux-1.7.2.15.tar.gz
+ /bin/tar -xf -
+ STATUS=0
+ '[' 0 -ne 0 ']'
+ cd foreman-selinux-1.7.2.15
+ /bin/chmod -Rf a+rX,u+w,g-w,o-w .
+ cat downstream.te.in
+ exit 0
Executing(%build): /bin/sh -e /var/tmp/rpm-tmp.MgJnZ0
+ umask 022
+ cd /builddir/build/BUILD
+ cd foreman-selinux-1.7.2.15
+ LANG=C
+ export LANG
+ unset DISPLAY
+ perl -i -pe 'BEGIN { $VER = join ".", grep /^\d+$/, split /\./, "1.7.2.15.1.el6"; } s!\@\@VERSION\@\@!$VER!g;' foreman.te
+ distver=rhel6
+ for selinuxvariant in targeted
+ make NAME=targeted -f /usr/share/selinux/devel/Makefile DISTRO=rhel6
cat: /selinux/mls: No such file or directory
Compiling targeted foreman module
/usr/bin/checkmodule:  loading policy configuration from tmp/foreman.tmp
foreman.te":496:ERROR 'duplicate declaration of type/attribute' at token ';' on line 10057:
}
type docker_port_t;
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [tmp/foreman.mod] Error 1
RPM build errors:
error: Bad exit status from /var/tmp/rpm-tmp.MgJnZ0 (%build)
    Bad exit status from /var/tmp/rpm-tmp.MgJnZ0 (%build)
Child returncode was: 1
EXCEPTION: Command failed. See logs for output.
 # ['bash', '--login', '-c', 'rpmbuild -bb --target noarch --nodeps builddir/build/SPECS/foreman-selinux.spec']
Traceback (most recent call last):
  File "/usr/lib/python2.4/site-packages/mock/trace_decorator.py", line 70, in trace
    result = func(*args, **kw)
  File "/usr/lib/python2.4/site-packages/mock/util.py", line 324, in do
    raise mock.exception.Error, ("Command failed. See logs for output.\n # %s" % (command,), child.returncode)
Error: Command failed. See logs for output.
 # ['bash', '--login', '-c', 'rpmbuild -bb --target noarch --nodeps builddir/build/SPECS/foreman-selinux.spec']
```

Going to move this to a later release as it isn't going to make 6.1.4.

Verified with Sat 6.1.4 compose9. Katello-installer succeeded. Please see the attached screenshot.
I tried the rhel7.2 build from beaker (RHEL-7.2-20151106.n.0):

```
[root@cloud-qe-14 ~]# semodule -l | grep foreman
foreman 1.7.2.16.1
[root@cloud-qe-14 ~]# rpm -qa | grep foreman-selinux
foreman-selinux-1.7.2.16-1.el7sat.noarch
```

Created attachment 1094883 [details]
installer completed successfully in enforcing mode

Moving this to verified as per the results of katello-installer with Sat 6.1.4 downstream compose9.

This fix was delivered in 6.1.4 on 19 November in https://access.redhat.com/errata/RHBA-2015:2474.