Bug 1443391

Summary: Failure noticed for selinux policy package updation during ipa-upgrade process.
Product: Red Hat Enterprise Linux 7
Reporter: Nikhil Dehadrai <ndehadra>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: high
Priority: high
Version: 7.4
CC: lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde
Target Milestone: rc
Keywords: Regression
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.13.1-144.el7
Doc Type: If docs needed, set a value
Last Closed: 2017-08-01 15:24:23 UTC
Type: Bug

Description Nikhil Dehadrai 2017-04-19 07:38:03 UTC
Description of problem:
Failure noticed for selinux policy package update during ipa-upgrade process from RHEL 7.2.z to RHEL 7.4.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Set up the IPA server on RHEL 7.2.z. (In my case the IPA server is set up in Permissive mode.)
2. Use the latest repo links for RHEL 7.4.
3. Update the IPA server by executing the command:
# yum -y update 'ipa*' sssd

Actual results:
1. After step 3, the yum update process completes, but a failure is noticed for the selinux policy package update:

  Updating   : libselinux-utils-2.5-11.el7.x86_64                                                               70/268
  Updating   : policycoreutils-2.5-16.el7.x86_64                                                                71/268 
  Updating   : selinux-policy-3.13.1-142.el7.noarch                                                             72/268 
semodule:  Failed on docker!
semodule:  Failed on gear!
  Updating   : selinux-policy-targeted-3.13.1-142.el7.noarch                                                    73/268 
‘/etc/selinux/targeted/modules/active/booleans.local’ -> ‘/etc/selinux/targeted/active/booleans.local’
Re-declaration of type docker_t
Failed to create node
Bad type declaration at /etc/selinux/targeted/tmp/modules/400/docker/cil:1
semodule:  Failed!
  Updating   : bind-dyndb-ldap-11.1-2.el7.x86_64                                                                74/268 
Enabling SELinux boolean named_write_master_zones
  Updating   : httpd-tools-2.4.6-64.el7.x86_64                                                                  75/268 
  Updating   : httpd-2.4.6-64.el7.x86_64

Expected results:
No failures/errors should be noticed for the selinux policy package during the IPA upgrade process.

Additional info:
A similar issue is observed for the upgrade from RHEL 7.1.z to RHEL 7.4.
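
A check for the failure mode shown in this report, where the yum transaction completes even though semodule fails in the output following a package line. This is an added example, not part of the bug report or of any Red Hat tooling; the function name `find_policy_failures` and the rule of attributing output to the most recent package line are assumptions, and the sample lines are copied from the transcript above.

```python
import re

# yum progress line as it appears in the report; the n/total counter may be cut off.
PKG_LINE = re.compile(r"^\s*(?:Updating|Installing)\s*:\s*(\S+)(?:\s+\d+/\d+)?\s*$")
FAILED_ON = re.compile(r"^semodule:\s+Failed on (\S+)!")   # per-module failure line
FAILED = re.compile(r"^semodule:\s+Failed!")               # bare failure line
CIL_ERR = re.compile(r"/modules/\d+/([^/]+)/cil:\d+")      # module named in a CIL error

# Lines copied from the failing transcript in the report (padding whitespace trimmed).
SAMPLE = """\
  Updating   : policycoreutils-2.5-16.el7.x86_64   71/268
  Updating   : selinux-policy-3.13.1-142.el7.noarch   72/268
semodule:  Failed on docker!
semodule:  Failed on gear!
  Updating   : selinux-policy-targeted-3.13.1-142.el7.noarch   73/268
Re-declaration of type docker_t
Failed to create node
Bad type declaration at /etc/selinux/targeted/tmp/modules/400/docker/cil:1
semodule:  Failed!
  Updating   : bind-dyndb-ldap-11.1-2.el7.x86_64   74/268
Enabling SELinux boolean named_write_master_zones
  Updating   : httpd-2.4.6-64.el7.x86_64
"""

def find_policy_failures(transcript):
    """Map package -> semodule failures seen in the output that follows its line.

    Assumption: output is attributed to the most recent package line.
    """
    findings = {}
    current = None
    for line in transcript.splitlines():
        pkg = PKG_LINE.match(line)
        if pkg:
            current = pkg.group(1)
            continue
        on, cil, bare = FAILED_ON.match(line), CIL_ERR.search(line), FAILED.match(line)
        if not (on or cil or bare):
            continue  # ordinary output, e.g. "Enabling SELinux boolean ..."
        entry = findings.setdefault(current, {"modules": set(), "semodule_failed": False})
        if on or cil:
            entry["modules"].add((on or cil).group(1))
        else:
            entry["semodule_failed"] = True
    return findings

if __name__ == "__main__":
    for package, info in find_policy_failures(SAMPLE).items():
        print(package, sorted(info["modules"]), info["semodule_failed"])
```

An empty result means none of these failure lines appeared in the transcript; it does not by itself confirm that the policy loaded.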

Comment 6 Nikhil Dehadrai 2017-04-20 14:10:06 UTC
ipa-server version: ipa-server-4.5.0-7.el7.x86_64
selinux-policy: selinux-policy-3.13.1-144.el7.noarch

Tested the bug with the following observations:
1. Verified that during the upgrade of the selinux-policy package, no errors are noticed as reported inside the bug.
2. Verified the process for the following upgrade paths:
- 7.1.z > 7.4
- 7.2.z > 7.4
- 7.3 > 7.4
- 7.3.z > 7.4

  Updating   : libselinux-utils-2.5-11.el7.x86_64                                            71/268 
  Updating   : policycoreutils-2.5-16.el7.x86_64                                             72/268 
  Updating   : selinux-policy-3.13.1-144.el7.noarch                                          73/268 
  Updating   : selinux-policy-targeted-3.13.1-144.el7.noarch                                 74/268 
‘/etc/selinux/targeted/modules/active/booleans.local’ -> ‘/etc/selinux/targeted/active/booleans.local’
  Updating   : bind-dyndb-ldap-11.1-2.el7.x86_64                                             75/268 
Enabling SELinux boolean named_write_master_zones
  Updating   : httpd-tools-2.4.6-64.el7.x86_64                                               76/268 
  Updating   : httpd-2.4.6-64.el7.x86_64                                                     77/268 
  Installing : mod_auth_gssapi-1.5.1-2.el7.x86_64                                            78/268 

Thus marking the status of this bug as "VERIFIED".

Comment 7 errata-xmlrpc 2017-08-01 15:24:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.