Bug 1329931

Summary: Error in PREIN scriptlet in rpm package
Product: Red Hat Enterprise Linux 7
Reporter: yanbing du <ydu>
Component: libselinux
Assignee: Petr Lautrbach <plautrba>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: high
Docs Contact:
Priority: unspecified
Version: 7.3
CC: dapospis, dwalsh, lvrabec, mgrepl, mmalik, plautrba, ssekidde, ydu
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: libselinux-2.5-3.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-04 02:12:22 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Attachments:
  Description: libselinux: setexecfilecon() to work better in a chroot
  Flags: none

Description yanbing du 2016-04-25 05:08:03 UTC
Description of problem:
Based on the latest policycoreutils and libselinux, yum install with a specified installroot always fails.

Version-Release number of selected component (if applicable):
# rpm -q policycoreutils libselinux selinux-policy
policycoreutils-2.5-2.el7.x86_64
libselinux-2.5-2.el7.x86_64
selinux-policy-3.13.1-68.el7.noarch


How reproducible:
100%

Steps to Reproduce:
1.
#yum --releasever=/ --installroot=/var/lib/libvirt/filesystems/rhel_x86_64 --nogpgcheck  groupinstall core
...
  Installing : glibc-2.17-105.el7.x86_64                                                                                                                       12/274g
warning: %post(glibc-2.17-105.el7.x86_64) scriptlet failed, exit status 127
Non-fatal POSTIN scriptlet failure in rpm package glibc-2.17-105.el7.x86_64
...

error: %pre(openssh-6.6.1p1-26.el7.x86_64) scriptlet failed, exit status 127
Error in PREIN scriptlet in rpm package openssh-6.6.1p1-26.el7.x86_64
...
...
Failed:
  ca-certificates.noarch 0:2015.2.6-70.1.el7_2  coreutils.x86_64 0:8.22-15.el7_2.1   dbus.x86_64 1:1.6.12-13.el7                     dhclient.x86_64 12:4.2.5-45.el7 
  initscripts.x86_64 0:9.49.30-1.el7_2.2        iptables.x86_64 0:1.4.21-16.el7      libutempter.x86_64 0:1.1.6-4.el7                openssh.x86_64 0:6.6.1p1-26.el7 
  openssh-server.x86_64 0:6.6.1p1-26.el7        pinentry.x86_64 0:0.8.1-17.el7       plymouth.x86_64 0:0.8.9-0.24.20140113.el7       polkit.x86_64 0:0.112-6.el7_2   
  postfix.x86_64 2:2.10.1-6.el7                 ppp.x86_64 0:2.4.5-33.el7            selinux-policy-targeted.noarch 0:3.13.1-68.el7  systemd.x86_64 0:219-20.el7     
  trousers.x86_64 0:0.3.13-1.el7                yum-rhn-plugin.noarch 0:2.0.1-5.el7 

Actual results:
About 18 packages fail to install with %pre errors, and there are many %post warnings.

Expected results:
No warnings or errors.

Additional info:
Downgrading policycoreutils and libselinux can work around this problem:
# rpm -q libselinux policycoreutils
libselinux-2.2.2-6.el7.x86_64
policycoreutils-2.2.5-20.el7.x86_64

Comment 3 yanbing du 2016-04-25 07:11:39 UTC
I'm not running a beaker job to reproduce this bug; I just configure a RHEL7 repo and execute the yum command. The distro I'm using is: RHEL-7.2-20151030.0
Just let me know what kind of information you want. I can provide it in bugzilla.

Comment 4 Petr Lautrbach 2016-04-26 15:24:23 UTC
It's a problem in libselinux: int is_selinux_enabled(void) which was introduced in upstream commit 685f4aeeadc0b60f3770404d4f149610d656e3c8

Comment 5 Petr Lautrbach 2016-04-27 08:59:15 UTC
Created attachment 1151250
libselinux: setexecfilecon() to work better in a chroot

    When setexecfilecon() is used in a process which was chrooted after
    libselinux was initialized, is_selinux_enabled() returns 1 but
    security_getenforce() returns -1 as there's no /sys/fs/selinux/enforce
    in the chroot.
    
    Generally, rpm and rpm scripts are run as unconfined domains therefore we
    don't need to consider this state as a reason not to exec the
    script.
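
The state described in the commit message above, as an added example (not libselinux code and not the attached patch): `getenforce_in_root()` models what `security_getenforce()` sees inside a root directory, and the two decision functions show how an "unknown" (-1) enforce value either blocks or allows the scriptlet exec. All function names and both checks are assumptions made for illustration.

```c
#include <stdio.h>

/* Model of security_getenforce() as seen by a process whose root is `root`:
 * returns 0 or 1 read from <root>/sys/fs/selinux/enforce, -1 if unreadable. */
int getenforce_in_root(const char *root)
{
    char path[4096];
    int value = -1;
    FILE *f;

    if (snprintf(path, sizeof(path), "%s/sys/fs/selinux/enforce", root)
            >= (int)sizeof(path))
        return -1;
    if (!(f = fopen(path, "r")))
        return -1;              /* the installroot case from the bug */
    if (fscanf(f, "%d", &value) != 1 || (value != 0 && value != 1))
        value = -1;
    fclose(f);
    return value;
}

/* Assumed strict check: a labeling failure (label_rc < 0) is forgiven only
 * when enforce is known to be 0, so "unknown" (-1) blocks the scriptlet. */
int exec_rc_strict(int enabled, int label_rc, int enforce)
{
    if (enabled < 1 || (label_rc < 0 && enforce == 0))
        return 0;
    return label_rc;
}

/* Assumed tolerant check, following the commit message: only a confirmed
 * enforcing state (1) turns a labeling failure into a refusal to exec. */
int exec_rc_tolerant(int enabled, int label_rc, int enforce)
{
    if (enabled < 1 || (label_rc < 0 && enforce < 1))
        return 0;
    return label_rc;
}

int main(int argc, char **argv)
{
    /* Default root is a constructed path that does not exist. */
    const char *root = argc > 1 ? argv[1] : "/nonexistent-installroot-example";
    int enforce = getenforce_in_root(root);
    /* enabled=1, label_rc=-1: library initialised on the host, labeling fails */
    printf("enforce=%d strict=%d tolerant=%d\n", enforce,
           exec_rc_strict(1, -1, enforce), exec_rc_tolerant(1, -1, enforce));
    return 0;
}
```

Pass an installroot path as the first argument to check whether it exposes an enforce file. The tolerant form fails open on an unknown enforce state, which the commit message justifies by rpm and its scripts running as unconfined domains.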

Comment 7 yanbing du 2016-04-27 09:31:34 UTC
Thanks Petr,
Just tested the scratch build and confirmed it works fine.

Comment 11 errata-xmlrpc 2016-11-04 02:12:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2276.html