| Summary: | Non-fatal POSTIN scriptlet failure in rpm package pulp-selinux-2.8.7.3-1.el7sat.noarch | ||
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Reartes Guillermo <greartes> |
| Component: | Packaging | Assignee: | satellite6-bugs <satellite6-bugs> |
| Status: | CLOSED WONTFIX | QA Contact: | Katello QA List <katello-qa-list> |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.2.4 | CC: | jcallaha, mhrivnak, Molly.Jo.Bault, oshtaier, plautrba |
| Target Milestone: | Unspecified | Keywords: | Triaged |
| Target Release: | Unused | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-09-04 18:03:07 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
|
Description
Reartes Guillermo
2016-11-12 21:11:06 UTC
# yum history info 32
Complementos cargados:langpacks, package_upload, product-id, search-disabled-repos, subscription-manager
ID de transacción : 32
Hora inicial : Thu Oct 27 18:33:47 2016
Rpmdb inicial : 706:4241ac606b798987153c4c14ed00edcb8bfb72a1
Hora final : 18:37:08 2016 (201 segundos)
Rpmdb final : 706:807eca281ff376e5791593690aa24b1fc6467de1
Usuario : root <root>
Codigo-obtenido : Exito
Línea de comando : update
Transacción realizada con:
Actualizado rpm-4.11.3-17.el7.x86_64 @anaconda/7.2
Actualizado subscription-manager-1.15.9-15.el7.x86_64 @anaconda/7.2
Actualizado yum-3.4.3-132.el7.noarch @anaconda/7.2
Instalado yum-metadata-parser-1.1.4-10.el7.x86_64 @anaconda/7.2
Paquetes modificados:
Actualizado bind-32:9.9.4-29.el7_2.3.x86_64 @rhel-7-server-rpms
Actualizar 32:9.9.4-29.el7_2.4.x86_64 @rhel-7-server-rpms
Actualizado bind-libs-32:9.9.4-29.el7_2.3.x86_64 @rhel-7-server-rpms
Actualizar 32:9.9.4-29.el7_2.4.x86_64 @rhel-7-server-rpms
Actualizado bind-libs-lite-32:9.9.4-29.el7_2.3.x86_64 @rhel-7-server-rpms
Actualizar 32:9.9.4-29.el7_2.4.x86_64 @rhel-7-server-rpms
Actualizado bind-license-32:9.9.4-29.el7_2.3.noarch @rhel-7-server-rpms
Actualizar 32:9.9.4-29.el7_2.4.noarch @rhel-7-server-rpms
Actualizado bind-utils-32:9.9.4-29.el7_2.3.x86_64 @rhel-7-server-rpms
Actualizar 32:9.9.4-29.el7_2.4.x86_64 @rhel-7-server-rpms
Actualizado foreman-debug-1.11.0.53-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Actualizar 1.11.0.54-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Actualizado foreman-installer-katello-3.0.0.57-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Actualizar 3.0.0.58-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Actualizado katello-capsule-3.0.0-12.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Actualizar 3.0.0-14.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Actualizado katello-debug-3.0.0-12.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Actualizar 3.0.0-14.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Actualizado katello-installer-base-3.0.0.57-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Actualizar 3.0.0.58-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Actualizado katello-service-3.0.0-12.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Actualizar 3.0.0-14.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Eliminar kernel-3.10.0-327.el7.x86_64 @anaconda/7.2
Instalar kernel-3.10.0-327.36.3.el7.x86_64 @rhel-7-server-rpms
Actualizado kernel-tools-3.10.0-327.36.1.el7.x86_64 @rhel-7-server-rpms
Actualizar 3.10.0-327.36.3.el7.x86_64 @rhel-7-server-rpms
Actualizado kernel-tools-libs-3.10.0-327.36.1.el7.x86_64 @rhel-7-server-rpms
Actualizar 3.10.0-327.36.3.el7.x86_64 @rhel-7-server-rpms
Actualizado libqpid-dispatch-0.4-13.el7sat.x86_64 @rhel-7-server-satellite-capsule-6.2-rpms
Actualizar 0.4-16.el7sat.x86_64 @rhel-7-server-satellite-capsule-6.2-rpms
Actualizado openssl-1:1.0.1e-51.el7_2.5.x86_64 @rhel-7-server-rpms
Actualizar 1:1.0.1e-51.el7_2.7.x86_64 @rhel-7-server-rpms
Actualizado openssl-libs-1:1.0.1e-51.el7_2.5.x86_64 @rhel-7-server-rpms
Actualizar 1:1.0.1e-51.el7_2.7.x86_64 @rhel-7-server-rpms
Actualizado pulp-docker-plugins-2.0.1.1-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Actualizar 2.0.3-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Actualizado pulp-puppet-plugins-2.8.3.3-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Actualizar 2.8.7.1-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Actualizado pulp-rpm-handlers-2.8.3.5-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Actualizar 2.8.7.3-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Actualizado pulp-rpm-plugins-2.8.3.5-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Actualizar 2.8.7.3-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Actualizado pulp-selinux-2.8.3.4-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Actualizar 2.8.7.2-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Actualizado pulp-server-2.8.3.4-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Actualizar 2.8.7.2-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Actualizado python-crane-2.0.0.2-2.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Actualizar 2.0.2.1-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Actualizado python-nectar-1.5.1-3.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Actualizar 1.5.2-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Actualizado python-perf-3.10.0-327.36.1.el7.x86_64 @rhel-7-server-rpms
Actualizar 3.10.0-327.36.3.el7.x86_64 @rhel-7-server-rpms
Actualizado python-pulp-agent-lib-2.8.3.4-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Actualizar 2.8.7.2-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Actualizado python-pulp-common-2.8.3.4-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Actualizar 2.8.7.2-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Actualizado python-pulp-docker-common-2.0.1.1-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Actualizar 2.0.3-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Actualizado python-pulp-oid_validation-2.8.3.4-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Actualizar 2.8.7.2-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Actualizado python-pulp-puppet-common-2.8.3.3-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Actualizar 2.8.7.1-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Actualizado python-pulp-repoauth-2.8.3.4-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Actualizar 2.8.7.2-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Actualizado python-pulp-rpm-common-2.8.3.5-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Actualizar 2.8.7.3-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Actualizado python-pulp-streamer-2.8.3.4-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Actualizar 2.8.7.2-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Actualizado python-urllib3-1.10.2-2.el7_1.noarch @rhel-7-server-rpms
Actualizar 1.10.2-3.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Actualizado qpid-dispatch-router-0.4-13.el7sat.x86_64 @rhel-7-server-satellite-capsule-6.2-rpms
Actualizar 0.4-16.el7sat.x86_64 @rhel-7-server-satellite-capsule-6.2-rpms
Actualizado satellite-capsule-6.2.2-1.1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Actualizar 6.2.3-1.0.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
Actualizado tzdata-2016f-1.el7.noarch @rhel-7-server-rpms
Actualizar 2016h-1.el7.noarch @rhel-7-server-rpms
history info
Then, reboot and:
# yum reinstall pulp-selinux
Otherwise, the capsule services will be up, but on the Satellite server there will be issues:
hammer> capsule content synchronization-status --id 2
Last sync: 2016/10/27 17:22:40
Estatus: 3 environment(s) can be synchronized: Library, DESA, PROD
Currently running sync tasks:
Last failure:
Task id: 1fde5f37-a6a6-418f-a953-cbae425cf2fd
Messages:
Connection refused - connect(2) for "sixthsat2cap1.example.com" port 443
Connection refused - connect(2) for "sixthsat2cap1.example.com" port 443
Connection refused - connect(2) for "sixthsat2cap1.example.com" port 443
Connection refused - connect(2) for "sixthsat2cap1.example.com" port 443
Connection refused - connect(2) for "sixthsat2cap1.example.com" port 443
Afer reinstalling the rpm pulp-selinux, restart katello.
All 3 failures are all due to the same roletype not being found. Pulp's selinux policies do not require any roletypes directly so the failure has to be inside SELinux in something that is common to all 3 Pulp SELinux policies (pulp-server, pulp-streamer, pulp-celery). The one statement common to all of them[0][[1][2] is the use of the "policy_module" interface which requires the system_r role. This is an very common, basic role in SELinux which tells me that SELinux on this system was very unhappy prior to installation of the pulp-selinux RPM. So either this was an environmental problem or there is an issue with SELinux itself. On that basis I'm not going to clone it upstream since there is likely little Pulp could do to fix this. The questions I have are: - Is this reproducible? - Is this somehow related to the RHEL 7.3 release? Was this system upgraded to 7.3 prior to installation? [0]: https://github.com/pulp/pulp/blob/030efd459b53bb2e2f8ff0f815b79f485da49745/server/selinux/server/pulp-celery.te#L3 [1]: https://github.com/pulp/pulp/blob/a473ddffb18bab5ed224a40198bf4c7cfaed30cf/server/selinux/server/pulp-server.te#L3 [2]: https://github.com/pulp/pulp/blob/b9307f585323f0686092c26f36eb909e3ff40763/server/selinux/server/pulp-streamer.te#L3 > Failed to resolve roletype statement at > /etc/selinux/targeted/tmp/modules/400/pulp-server/cil:2 > /usr/sbin/semodule: Failed! > Failed to resolve roletype statement at > /etc/selinux/targeted/tmp/modules/400/pulp-celery/cil:2 > /usr/sbin/semodule: Failed! > Failed to resolve roletype statement at > /etc/selinux/targeted/tmp/modules/400/pulp-streamer/cil:2 > /usr/sbin/semodule: Failed! These messages refer to the line 2 in module files translated to cil: $ /usr/libexec/selinux/hll/pp pulp-server.pp.targeted | head -n 2 (type pulp_cert_t) (roletype object_r pulp_cert_t) The statement on the line 2 authorizes object_r role to access pulp_cert_t type and this is correct. All modules have similar statements. libsepol most likely can't resolve object_r role in this statement as the type is defined above. And object_r is defined in base module. So it looks like the module store is somehow broken. > libsemanage.semanage_read_policydb: Could not open kernel policy > /etc/selinux/targeted/active/policy.kern for reading. (No such file or > directory). > OSError: No such file or directory > warning: %post(pulp-selinux-2.8.7.3-1.el7sat.noarch) scriptlet failed, exit > status 1 > Non-fatal POSTIN scriptlet failure in rpm package > pulp-selinux-2.8.7.3-1.el7sat.noarch /etc/selinux/targeted/active/policy.kern is shipped by selinux-policy-targeted and is recreated every time the policy is rebuilt. If it's missing, something wrong has happen after the selinux-policy-targeted was unpackaged. > How reproducible: > i tried once Can you reproduce it? If can you please describe specific steps or provide a system where it can be reproduced? @Brian Bouterse >- Is this reproducible? yes, i had another sat6 that i had not touched since some time, the one in my laptop. > - Is this somehow related to the RHEL 7.3 release? Was this system upgraded to 7.3 prior to installation? yes, most likely it is. I saw that there were 7.3 packages, but since both sat6 are non-productive / high testing instances, i just tried. On production one might first update the OS, reboot and then update Sat6 packages, obviously. Please ignore my comment #2, it was caused by an unrelated paused/pending task which i later fixed. I do not have the file "pulp-server.pp.targeted" I found it: # /usr/libexec/selinux/hll/pp /usr/share/selinux/targeted/pulp-server.pp | head -n 2 (type pulp_cert_t) (roletype object_r pulp_cert_t) I don't know if this is relevant ... I'm getting a similar error on selinux policies generated using "sepolicy generate" and the RPMs it is generating doesn't include the requirement for "selinux-policy-targeted" which is definitely a requirement. I'm getting this error when I try installing the _selinux rpm before "selinux-policy-targeted". Again, I don't know if this is relevant. Thank you for your interest in Satellite 6. We have evaluated this request, and we do not expect this to be implemented in the product in the foreseeable future. We are therefore closing this out as WONTFIX. If you have any concerns about this, please feel free to contact Rich Jerrido or Bryan Kearney. Thank you. |