Bug 1414130

Summary: Re-declaration of docker_t error when upgrade selinux-policy-targeted
Product: Red Hat Enterprise Linux 7 Reporter: Marko Myllynen <myllynen>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: high Docs Contact:
Priority: high    
Version: 7.3CC: darcari, dwalsh, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde, zpytela
Target Milestone: rcKeywords: Reopened
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 15:20:12 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1420851    

Description Marko Myllynen 2017-01-17 20:45:38 UTC
Description of problem:
When updating RHEL 7 with container-selinux-1.10.3-59.el7 (but not docker-selinux nor docker-engine-selinux) installed, I see:

...
  Updating   : selinux-policy-targeted-3.13.1-102.el7_3.13.noarch
Re-declaration of type docker_t
Failed to create node
Bad type declaration at /etc/selinux/targeted/tmp/modules/100/docker/cil:1
/usr/sbin/semodule:  Failed!
...

Update was:

---> Package selinux-policy-targeted.noarch 0:3.13.1-102.el7_3.7 will be updated
---> Package selinux-policy-targeted.noarch 0:3.13.1-102.el7_3.13 will be an update

Thanks.

Comment 1 Daniel Walsh 2017-01-17 20:52:54 UTC
This happened, I belive, because you had a former bad container-selinux package installed.

The latest container-selinux disables docker module, whereas a test version removed it.  Disabling it should not cause this issue, since selinux-policy-targeted will just update the disabled module.  Where as the older version of contianer-selinux which removed the docker module, the updated selinux-policy would re-add it causing this issue.

dnf remove container-selinux
dnf reinstall selinux-policy
dnf install container-selinux

Should fix the issue.

Comment 2 Marko Myllynen 2017-01-17 21:38:48 UTC
(In reply to Daniel Walsh from comment #1)
> This happened, I belive, because you had a former bad container-selinux
> package installed.
> 
> The latest container-selinux disables docker module, whereas a test version
> removed it.  Disabling it should not cause this issue, since
> selinux-policy-targeted will just update the disabled module.  Where as the
> older version of contianer-selinux which removed the docker module, the
> updated selinux-policy would re-add it causing this issue.
> 
> dnf remove container-selinux
> dnf reinstall selinux-policy
> dnf install container-selinux
> 
> Should fix the issue.

Thanks, this it, these steps worked.

Comment 5 Milos Malik 2017-03-01 07:31:13 UTC
I'm going to investigate if the same problem appears after application of the latest batch update.

Comment 7 Daniel Walsh 2017-03-01 13:18:24 UTC
So this is happening if container-selinux is not installed?

Comment 8 Milos Malik 2017-03-01 13:31:18 UTC
Yes, docker* or container* RPM packages were never installed on the machines, which I used for testing.

Comment 9 Daniel Walsh 2017-03-01 13:43:24 UTC
Ok so I guess lukas has removed the docker.pp and replaced it with container.pp in the default install.  On update it seems like it is not removing docker.pp at the same time as it is adding container.pp?

Comment 12 Lukas Vrabec 2017-03-30 10:58:55 UTC
*** Bug 1427296 has been marked as a duplicate of this bug. ***

Comment 15 errata-xmlrpc 2017-08-01 15:20:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861