Bug 1314223

Summary: openstack-selinux >= 0.6.52 does not set booleans in %post
Product: Red Hat OpenStack
Reporter: Javier Peña <jpena>
Component: openstack-selinux
Assignee: Ryan Hallisey <rhallise>
Status: CLOSED NOTABUG
QA Contact: Udi Shkalim <ushkalim>
Severity: high
Priority: urgent
Version: 7.0 (Kilo)
CC: dmellado, lhh, mgrepl, pablo.iranzo, rhallise, yeylon
Target Release: 8.0 (Liberty)
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2016-03-07 16:52:43 UTC
Type: Bug

Description Javier Peña 2016-03-03 09:04:39 UTC
Description of problem:
Installing openstack-selinux >= 0.6.52 on a RHEL 7 system fails to set the SELinux booleans specified in %post.

Version-Release number of selected component (if applicable):
Seen in openstack-selinux between 0.6.52 and 0.6.55

How reproducible:
Always

Steps to Reproduce:
1. yum install openstack-selinux
2. getsebool httpd_can_network_connect

Actual results:
off

Expected results:
Should be on, according to the package spec

Additional info:
In general, the post-installation step seems to happen much faster than with previous versions, which looks like something is silently failing there.

Comment 5 Lon Hohberger 2016-03-07 14:29:18 UTC
This doesn't reproduce for me with 0.6.55.  Install on a clean environment correctly sets httpd_can_network_connect and other booleans.

Comment 6 Lon Hohberger 2016-03-07 14:34:28 UTC
Some time recently, we reverted a change to rabbitmq-server.spec to remove an explicit dependency on openstack-selinux - could this have been what exposed this?

It's incorrect/inappropriate for RPMs to require openstack-selinux (or selinux-policy), as SELinux usage, while encouraged, is optional.  Thus, installers such as packstack/OSP director should install openstack-selinux pretty early on.

Comment 7 Ryan Hallisey 2016-03-07 14:59:28 UTC
I'm also not seeing an issue in my env.  Maybe packstack might not be explicitly installing openstack-selinux as Lon suggested?

Comment 8 Javier Peña 2016-03-07 16:16:50 UTC
I think I know where the issue comes from. I tested it on RHEL 7.1 and managed to reproduce the issue, but it worked fine on RHEL 7.2. On 7.1, post-install complained with:

libsepol.print_missing_requirements: os-ovs's global requirements were not met: type/attribute ovsdb_port_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
ValueError: Could not commit semanage transaction
Boolean os_nova_use_execmem is not defined
Boolean os_neutron_use_execmem is not defined
Boolean os_swift_use_execmem is not defined
Boolean os_keystone_use_execmem is not defined

It looks like this openstack-selinux version relies on something that is only provided by RHEL 7.2 packages. If it is only meant to be supported on 7.2+, we can close as NOTABUG.

Comment 9 Lon Hohberger 2016-03-07 16:52:43 UTC
We only support RHEL 7.2 as of November...
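
Added example (not part of the bug report or of the openstack-selinux package): a post-install check for the silent failure discussed in this thread. It scans captured %post output for the error lines quoted in Comment 8 and compares `getsebool -a` style output against the booleans the package is expected to turn on. The function names are hypothetical and the embedded sample log is constructed from the Comment 8 output.

```shell
#!/bin/sh
# Added example; function names are illustrative, not part of openstack-selinux.

# Constructed sample: the %post output quoted in Comment 8.
sample_post_log() {
cat <<'EOF'
libsepol.print_missing_requirements: os-ovs's global requirements were not met: type/attribute ovsdb_port_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
ValueError: Could not commit semanage transaction
Boolean os_nova_use_execmem is not defined
Boolean os_neutron_use_execmem is not defined
Boolean os_swift_use_execmem is not defined
Boolean os_keystone_use_execmem is not defined
EOF
}

# Read install output on stdin; print one finding per line.
scan_post_log() {
  awk '
    /libsepol\.print_missing_requirements/ && match($0, /type\/attribute [A-Za-z0-9_]+/) {
      # 15 is the length of the "type/attribute " prefix
      print "MISSING_TYPE " substr($0, RSTART + 15, RLENGTH - 15)
    }
    /libsemanage\.semanage_link_sandbox: Link packages failed/ { print "LINK_FAILED" }
    /Could not commit semanage transaction/ { print "COMMIT_FAILED" }
    /^Boolean [A-Za-z0-9_]+ is not defined/ { print "UNDEFINED_BOOLEAN " $2 }
  '
}

# Read "getsebool -a" style lines ("name --> on|off") on stdin; arguments are
# the booleans expected to be on. Prints each one that is not; returns 1 if any.
check_booleans() {
  awk -v want="$*" '
    BEGIN { n = split(want, names, " ") }
    $2 == "-->" { state[$1] = $3 }
    END {
      bad = 0
      for (i = 1; i <= n; i++) {
        s = (names[i] in state) ? state[names[i]] : "undefined"
        if (s != "on") { print names[i], s; bad = 1 }
      }
      exit bad
    }
  '
}

sample_post_log | scan_post_log
```

On a host, `getsebool -a | check_booleans httpd_can_network_connect` exits non-zero when the boolean is off or was never defined because the policy module failed to load.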