Bug 1392010

IPA server version: ipa-server-4.4.0-14.el7_3.x86_64

Noticed similar behavior while running upgrade tests for IPA server from 7.2.z to 7.3.up1.

Following errors were noticed:
  Updating   : selinux-policy-3.13.1-102.el7_3.4.noarch                  38/142 
  Updating   : selinux-policy-targeted-3.13.1-102.el7_3.4.noarch         39/142 
warning: /etc/selinux/targeted/seusers created as /etc/selinux/targeted/seusers.rpmnew
‘/etc/selinux/targeted/modules/active/booleans.local’ -> ‘/etc/selinux/targeted/active/booleans.local’
‘/etc/selinux/targeted/modules/active/seusers’ -> ‘/etc/selinux/targeted/active/seusers.local’
ERROR: policydb version 30 does not match my version range 15-29
ERROR: Unable to open policy //etc/selinux/targeted/policy/policy.30.
ERROR: policydb version 30 does not match my version range 15-29
ERROR: Unable to open policy //etc/selinux/targeted/policy/policy.30.
Traceback (most recent call last):
  File "/sbin/semanage", line 32, in <module>
    import seobject
  File "/usr/lib/python2.7/site-packages/seobject/__init__.py", line 27, in <module>
    import sepolicy
  File "/usr/lib64/python2.7/site-packages/sepolicy/__init__.py", line 798, in <module>
    raise e
ValueError: Failed to read //etc/selinux/targeted/policy/policy.30 policy file
Traceback (most recent call last):
  File "/sbin/semanage", line 32, in <module>
    import seobject
  File "/usr/lib/python2.7/site-packages/seobject/__init__.py", line 27, in <module>
    import sepolicy
  File "/usr/lib64/python2.7/site-packages/sepolicy/__init__.py", line 798, in <module>
    raise e
ValueError: Failed to read //etc/selinux/targeted/policy/policy.30 policy file
  Updating   : bind-dyndb-ldap-10.0-5.el7.x86_64                         40/142 
Enabling SELinux boolean named_write_master_zones
  Updating   : setools-libs-3.3.8-1.1.el7.x86_64                         41/142 
  Updating   : policycoreutils-python-2.5-9.el7.x86_64                   42/142 
  Installing : 389-ds-base-1.3.5.10-12.el7_3.x86_64                      43/142 


Also received crash mail:

Following is the backtrace

backtrace:
:__init__.py:798:<module>:ValueError: Failed to read //etc/selinux/targeted/policy/policy.30 policy file
:
:Traceback (most recent call last):
:  File "/sbin/semanage", line 32, in <module>
:    import seobject
:  File "/usr/lib/python2.7/site-packages/seobject/__init__.py", line 27, in <module>
:    import sepolicy
:  File "/usr/lib64/python2.7/site-packages/sepolicy/__init__.py", line 798, in <module>
:    raise e
:ValueError: Failed to read //etc/selinux/targeted/policy/policy.30 policy file
:
:Local variables in innermost frame:
:selinux_user_list: None
:fcdict: None
:selinux: None
:subprocess: None
:__path__: None
:get_transitions: None
:get_entrypoints: None
:get_login_mappings: None
:read_file_equiv: None
:SOURCE: None
:get_all_entrypoints: None
:get_all_modules: None
:policy: None
:file_types: None
:get_user_types: None
:AUDITALLOW: None
:ROLE_ALLOW: None
:__file__: None
:get_all_bools: None
:get_fcdict: None
:local_files: None
:get_all_entrypoint_domains: None
:find_file: None
:bools: None
:get_writable_files: None
:defaults: None
:SENS: None
:file_type_str: None
:get_file_types: None
:policy_file: None
:get_all_users: None
:methods: None
:get_local_file_paths: None
:DEFAULT_DIRS: None
:get_init_entrypoint_target: None
:USER: None
:NEVERALLOW: None
:all_domains: None
:PORT: None
:login_mappings: None
:DONTAUDIT: None
:PERMS: None
:re: None
:get_conditionals: None
:get_file_transitions: None
:__builtins__: {'bytearray': <type 'bytearray'>, 'IndexError': <type 'exceptions.IndexError'>, 'all': <built-in function all>, 'help': Type help() for interactive help, or help(object) for help about object., 'vars': <built-in function vars>, 'SyntaxError': <type 'exceptions.SyntaxError'>, 'unicode': <type 'unicode'>, 'UnicodeDecodeError': <type 'exceptions.UnicodeDecodeError'>, 'memoryview': <type 'memoryview'>, 'isinstance': <built-in function isinstance>, 'copyright': Copyright (c) 2001-2013 Python Software Foundation.
:All Rights Reserved.
:
:Copyright (c) 2000 BeOpen.com.
:All Rights Reserved.
:
:Copyright (c) 1995-2001 Corporation for National Research Initiatives.
:All Rights Reserved.
:
:Copyright (c) 1991-1995 Stichting Mathematisch Centrum, Amsterdam.
:All Rights Reserved., 'NameError': <type 'exceptions.NameError'>, 'BytesWarning': <type 'exceptions.BytesWarning'>, 'dict': <type 'dict'>, 'input': <built-in function input>, 'oct': <built-in function oct>, 'bin': <built-in function bin>, 'SystemExit': <type 'exceptions.SystemExit'>, 'StandardError': <type 'exceptions.StandardError'>, 'format': <built-in function format>, 'repr': <built-in function repr>, 'sorted': <built-in function sorted>, 'False': False, 'RuntimeWarning': <type 'exceptions.RuntimeWarning'>, 'list': <type 'list'>, 'iter': <built-in function iter>, 'reload': <built-in function reload>, 'Warning': <type 'exceptions.Warning'>, '__package__': None, 'round': <built-in function round>, 'dir': <built-in function dir>, 'cmp': <built-in function cmp>, 'set': <type 'set'>, 'bytes': <type 'str'>, 'reduce': <built-in function reduce>, 'intern': <built-in function intern>, 'issubclass': <built-in function issubclass>, 'Ellipsis': Ellipsis, 'EOFError': <type 'exceptions.EOFError'>, 'locals': <built-in function locals>, 'BufferError': <type 'exceptions.BufferError'>, 'slice': <type 'slice'>, 'FloatingPointError': <type 'exceptions.FloatingPointError'>, 'sum': <built-in function sum>, 'getattr': <built-in function getattr>, 'abs': <built-in function abs>, 'exit': Use exit() or Ctrl-D (i.e. EOF) to exit, 'print': <built-in function print>, 'True': True, 'FutureWarning': <type 'exceptions.FutureWarning'>, 'ImportWarning': <type 'exceptions.ImportWarning'>, 'None': None, 'hash': <built-in function hash>, 'ReferenceError': <type 'exceptions.ReferenceError'>, 'len': <built-in function len>, 'credits':     Thanks to CWI, CNRI, BeOpen.com, Zope Corporation and a cast of thousands
:    for supporting Python development.  See www.python.org for more information., 'frozenset': <type 'frozenset'>, '__name__': '__builtin__', 'ord': <built-in function ord>, 'super': <type 'super'>, '_': <bound method GNUTranslations.ugettext of <gettext.GNUTranslations instance at 0x16fac20>>, 'TypeError': <type 'exceptions.TypeError'>, 'license': See http://www.python.org/2.7/license.html, 'KeyboardInterrupt': <type 'exceptions.KeyboardInterrupt'>, 'UserWarning': <type 'exceptions.UserWarning'>, 'filter': <built-in function filter>, 'range': <built-in function range>, 'staticmethod': <type 'staticmethod'>, 'SystemError': <type 'exceptions.SystemError'>, 'BaseException': <type 'exceptions.BaseException'>, 'pow': <built-in function pow>, 'RuntimeError': <type 'exceptions.RuntimeError'>, 'float': <type 'float'>, 'MemoryError': <type 'exceptions.MemoryError'>, 'StopIteration': <type 'exceptions.StopIteration'>, 'globals': <built-in function globals>, 'divmod': <built-in function divmod>, 'enumerate': <type 'enumerate'>, 'apply': <built-in function apply>, 'LookupError': <type 'exceptions.LookupError'>, 'open': <built-in function open>, 'quit': Use quit() or Ctrl-D (i.e. EOF) to exit, 'basestring': <type 'basestring'>, 'UnicodeError': <type 'exceptions.UnicodeError'>, 'zip': <built-in function zip>, 'hex': <built-in function hex>, 'long': <type 'long'>, 'next': <built-in function next>, 'ImportError': <type 'exceptions.ImportError'>, 'chr': <built-in function chr>, 'xrange': <type 'xrange'>, 'type': <type 'type'>, '__doc__': "Built-in functions, exceptions, and other objects.\n\nNoteworthy: None is the `nil' object; Ellipsis represents `...' in slices.", 'Exception': <type 'exceptions.Exception'>, 'tuple': <type 'tuple'>, 'UnicodeTranslateError': <type 'exceptions.UnicodeTranslateError'>, 'reversed': <type 'reversed'>, 'UnicodeEncodeError': <type 'exceptions.UnicodeEncodeError'>, 'IOError': <type 'exceptions.IOError'>, 'hasattr': <built-in function hasattr>, 'delattr': <built-in function delattr>, 'setattr': <built-in function setattr>, 'raw_input': <built-in function raw_input>, 'SyntaxWarning': <type 'exceptions.SyntaxWarning'>, 'compile': <built-in function compile>, 'ArithmeticError': <type 'exceptions.ArithmeticError'>, 'str': <type 'str'>, 'property': <type 'property'>, 'GeneratorExit': <type 'exceptions.GeneratorExit'>, 'int': <type 'int'>, '__import__': <built-in function __import__>, 'KeyError': <type 'exceptions.KeyError'>, 'coerce': <built-in function coerce>, 'PendingDeprecationWarning': <type 'exceptions.PendingDeprecationWarning'>, 'file': <type 'file'>, 'EnvironmentError': <type 'exceptions.EnvironmentError'>, 'unichr': <built-in function unichr>, 'id': <built-in function id>, 'OSError': <type 'exceptions.OSError'>, 'DeprecationWarning': <type 'exceptions.DeprecationWarning'>, 'min': <built-in function min>, 'UnicodeWarning': <type 'exceptions.UnicodeWarning'>, 'execfile': <built-in function execfile>, 'any': <built-in function any>, 'complex': <type 'complex'>, 'bool': <type 'bool'>, 'ValueError': <type 'exceptions.ValueError'>, 'NotImplemented': NotImplemented, 'map': <built-in function map>, 'buffer': <type 'buffer'>, 'max': <built-in function max>, 'object': <type 'object'>, 'TabError': <type 'exceptions.TabError'>, 'callable': <built-in function callable>, 'ZeroDivisionError': <type 'exceptions.ZeroDivisionError'>, 'eval': <built-in function eval>, '__debug__': True, 'IndentationError': <type 'exceptions.IndentationError'>, 'AssertionError': <type 'exceptions.AssertionError'>, 'classmethod': <type 'classmethod'>, 'UnboundLocalError': <type 'exceptions.UnboundLocalError'>, 'NotImplementedError': <type 'exceptions.NotImplementedError'>, 'AttributeError': <type 'exceptions.AttributeError'>, 'OverflowError': <type 'exceptions.OverflowError'>}
:interfaces: None
:get_all_roles: None
:mls_range: None
:__name__: None
:portrecsbynum: None
:search: None
:file_equiv: None
:get_all_file_types: None
:prettyprint: None
:ATTRIBUTE: None
:_policy: None
:get_installed_policy: None
:gen_port_dict: None
:os: None
:all_types: None
:find_all_files: None
:PROGNAME: None
:get_all_domains: None
:get_file_equiv_modified: None
:get_boolean_rules: None
:get_all_port_types: None
:port_types: None
:gen_interfaces: None
:get_all_modules_from_mod_lst: None
:__doc__: None
:file_equiv_modified: None
:get_types_from_attribute: None
:get_all_attributes: None
:get_all_role_allows: None
:info: None
:TARGET: None
:roles: None
:all_attributes: None
:TRANSITION: None
:role_allows: None
:BOOLEAN: None
:mls_cmp: None
:TYPE: None
:get_methods: None
:get_mls_range: None
:get_init_transtype: None
:portrecs: None
:get_conditionals_format_text: None
:gettext: None
:__package__: None
:TCLASS: None
:CLASS: None
:find_entrypoint_path: None
:trans_file_type_str: None
:get_transitions_into: None
:users: None
:glob: None
:get_entrypoint_types: None
:sys: None
:get_file_equiv: None
:get_init_entrypoint: None
:ALLOW: None
:get_selinux_users: None
:get_description: None
:e: None
:markup: None
:get_all_types: None
:CATS: None
:ROLE: None
:user_types: None

(In reply to Nikhil Dehadrai from comment #3)
> IPA server version: ipa-server-4.4.0-14.el7_3.x86_64
> 
> Noticed similar behavior while running upgrade tests for IPA server from
> 7.2.z to 7.3.up1.


This is most likely a different issue. Apparently you have /sbin/semanage installed on your system. Please file a new bug.

The reported error message is probably harmless and it most likely doesn't break an update translation. But it's definitely wrong.

I would suggest to fix the migrate script instead of adding new requirements to selinux-policy:

--- a/selinux-policy-migrate-local-changes.sh
+++ b/selinux-policy-migrate-local-changes.sh
@@ -63,6 +63,8 @@ if [ $REBUILD = 1 ]; then
     semodule -B -n -s $MIGRATE_SELINUXTYPE
     if [ "$MIGRATE_SELINUXTYPE" = "$SELINUXTYPE" ] && selinuxenabled; then
         load_policy
-        semanage export | semanage import
+        if [ -x /usr/sbin/semanage ]; then
+            /usr/sbin/semanage export | /usr/sbin/semanage import
+        fi
     fi
 fi

This part of script is important for Atomic images where updates are done offline and where migrated local changes need to be imported. It doesn't have any real effect on live systems as all the changes are already loaded in kernel.

(In reply to Petr Lautrbach from comment #6)
> (In reply to Nikhil Dehadrai from comment #3)
> > IPA server version: ipa-server-4.4.0-14.el7_3.x86_64
> > 
> > Noticed similar behavior while running upgrade tests for IPA server from
> > 7.2.z to 7.3.up1.
> 
> 
> This is most likely a different issue. Apparently you have /sbin/semanage
> installed on your system. Please file a new bug.

/sbin is a link to /usr/sbin on rhel7 :)

Reproduce.
Test blocker.

*** Bug 1393952 has been marked as a duplicate of this bug. ***

Please also note a similar issue can happen with semodule command on line 48 of the same script. The semodule binary is part of the policycoreutils package which is also not mandatory part of a rhel install. Maybe this one is just less likely.

(In reply to Zdenek Pytela from comment #16)
> Please also note a similar issue can happen with semodule command on line 48
> of the same script. The semodule binary is part of the policycoreutils
> package which is also not mandatory part of a rhel install. Maybe this one
> is just less likely.

I don't think it's a case. selinux-policy-targeted requires policycoreutils to be installed:

$ rpm -q --requires selinux-policy-targeted
...
policycoreutils >= 2.5

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861