Bug 1388617

Summary: [SELinux] Bad boolean declaration at /etc/selinux/targeted/tmp/modules/100/virt/cil:159
Product: Red Hat Enterprise Linux 7
Reporter: Prasanth <pprakash>
Component: docker
Assignee: Lokesh Mandvekar <lsm5>
Status: CLOSED CURRENTRELEASE
QA Contact: atomic-bugs <atomic-bugs>
Severity: high
Priority: unspecified
Version: 7.3
CC: amurdaca, annair, dwalsh, hchiramm, joedward, lpabon, lsm5, lvrabec, mgrepl, mliyazud, mmalik, plautrba, pprakash, pvrabec, rcyriac, rhs-bugs, sankarshan, ssekidde, stwalter
Target Milestone: rc
Keywords: Extras, Reopened
Target Release: ---
Flags: pprakash: needinfo? (lsm5)
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Clone Of: 1388616
Last Closed: 2017-06-30 15:08:00 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1388616

Description Prasanth 2016-10-25 18:48:31 UTC
+++ This bug was initially created as a clone of Bug #1388616 +++

Description of problem:

I'm seeing the following warning/error while installing docker:

##########

  Installing : policycoreutils-python-2.5-8.el7.x86_64              11/15 
  Installing : docker-selinux-1.10.3-46.el7.14.x86_64               12/15 
Re-declaration of boolean virt_sandbox_use_fusefs
Failed to create node
Bad boolean declaration at /etc/selinux/targeted/tmp/modules/100/virt/cil:159
/usr/sbin/semodule:  Failed!
libsemanage.semanage_direct_install_info: Overriding docker module at lower priority 100 with module at priority 400.
  Installing : docker-common-1.10.3-46.el7.14.x86_64                13/15 
##########

Version-Release number of selected component (if applicable):
docker-selinux-1.10.3-46.el7.14.x86_64
docker-1.10.3-46.el7.14.x86_64
selinux-policy-3.13.1-102.el7.noarch

How reproducible: Always


Steps to Reproduce:
1. Install RHEL 7.3 RC build
2. Subscribe to the relevant repos 
3. # yum install docker

Actual results: 


Expected results:


Additional info:

--- Additional comment from Red Hat Bugzilla Rules Engine on 2016-10-25 14:45:21 EDT ---

This bug is automatically being proposed for the current release of Red Hat Gluster Storage 3 under active development, by setting the release flag 'rhgs‑3.2.0' to '?'. 

If this bug should be proposed for a different release, please manually change the proposed release flag.

Comment 1 Milos Malik 2016-10-26 13:17:52 UTC
This should be fixed in docker-selinux package, right?

Comment 2 Prasanth 2016-11-02 14:02:35 UTC
(In reply to Milos Malik from comment #1)
> This should be fixed in docker-selinux package, right?

Yea, looks like. Is that handled by a different team? If so, please feel free to re-assign this BZ to the appropriate team or let me know to whom it should be assigned.

Comment 3 Lukas Vrabec 2016-11-04 12:16:42 UTC
Yes, docker policy is shipped by docker team.

Comment 4 Daniel Walsh 2016-11-04 12:37:20 UTC
Lokesh, I thought we were shipping a later version of docker and docker-selinux with a fix for this. Is this a problem with the release?

Comment 5 Lokesh Mandvekar 2016-11-07 13:56:21 UTC
7.2.7 had 1.10.3-46, 7.3.0 has 1.10.3-57

Comment 6 Prasanth 2016-11-08 07:04:56 UTC
This works for me with the latest docker-selinux build. Hence closing this BZ.

Comment 9 Daniel Walsh 2017-01-13 13:38:12 UTC
Yes, this is an ordering problem.  container-selinux disables docker.pp when it installs.  This looks like you had a previous bad container-selinux installed.

Older versions of container SELinux would remove the docker.pp file, which would just get installed on the next selinux-policy update.  The latest container-selinux should disable docker.pp and replace it with container.pp.  Then if a new update of selinux-policy comes along with docker.pp, it will get installed but still be disabled, preventing this issue.

You can verify this by looking at 

# semanage module --list -C

You can also reinstall selinux-policy

dnf -y reinstall selinux-policy-targeted

And see that it does not complain about docker module.

Bottom line, I think this is fixed and on a fresh install it should not happen.

If this is not true then this is a bug.
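
Added example (not part of the bug report and not code from container-selinux): a shell check that classifies the docker module state comment 9 describes, including the older "removed" behaviour. It assumes the listing layout of `semodule --list-modules=full` is priority, name, language and an optional `disabled` column; the function name and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Reads a module listing on stdin, assumed layout (one module per line):
#   <priority> <name> <lang> [disabled]
# and prints one word describing the docker module:
#   disabled - docker.pp installed but disabled (what comment 9 expects from
#              the latest container-selinux)
#   absent   - docker.pp removed (older container-selinux behaviour; a later
#              selinux-policy update would install it again)
#   conflict - docker.pp enabled alongside the container module
#   enabled  - docker.pp enabled and no container module present
docker_module_state() {
    awk '
        $2 == "container" { container = 1 }
        $2 == "docker" {
            docker = 1
            # Any docker row without the "disabled" marker counts as enabled.
            if ($4 != "disabled") enabled = 1
        }
        END {
            if (!docker)        print "absent"
            else if (!enabled)  print "disabled"
            else if (container) print "conflict"
            else                print "enabled"
        }'
}

# Constructed sample listings (not captured from a real host).
SAMPLE_FIXED='100 container pp
100 docker    pp disabled
100 virt      pp'

SAMPLE_BROKEN='100 docker    pp
100 virt      pp
400 container pp'

SAMPLE_REMOVED='100 virt      pp
400 container pp'

# Demo run over the constructed samples.
for sample in "$SAMPLE_FIXED" "$SAMPLE_BROKEN" "$SAMPLE_REMOVED"; do
    printf '%s\n' "$sample" | docker_module_state
done
```

On a live host the same function can be fed from `semodule --list-modules=full` run as root.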