Bug 1548025

Summary: Broken pcp-selinux dependencies
Product: Red Hat Enterprise Linux 7
Reporter: Marko Myllynen <myllynen>
Component: pcp
Assignee: Lukas Berk <lberk>
Status: CLOSED WONTFIX
QA Contact: qe-baseos-tools-bugs
Severity: medium
Priority: high
Version: 7.4
CC: baitken, cww, fche, lberk, lvrabec, mcermak, mgoodwin, nathans, nkshirsa
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Last Closed: 2019-03-04 00:39:06 UTC
Type: Bug

Description Marko Myllynen 2018-02-22 14:39:58 UTC
Description of problem:
From https://bugzilla.redhat.com/show_bug.cgi?id=1517656#c10:

> After upgrading to the following packages (from latest RHEL 7.4 packages - I
> haven't bisected what's the minimal set of packages needing to be upgraded)
> the error shown in comment 5 is gone when running the command on command
> line (semodule -X 400 -i /var/lib/pcp/selinux/pcpupstream.pp) and all AVCs
> are also gone. Thanks.

I've now traced the minimal list of packages needing update to:

libsemanage-2.5-10.el7
libsemanage-python-2.5-10.el7

With 

libsemanage-2.5-8.el7
libsemanage-python-2.5-8.el7

I get

# semodule -X 400 -i /var/lib/pcp/selinux/pcpupstream.pp
libsemanage.semanage_pipe_data: Child process /usr/libexec/selinux/hll/pp failed with code: 255. (No such file or directory).
pcpupstream: libsepol.policydb_read: policydb module version 19 does not match my version range 4-17
pcpupstream: libsepol.sepol_module_package_read: invalid module in module package (at section 0)
pcpupstream: Failed to read policy package
libsemanage.semanage_direct_commit: Failed to compile hll files into cil files.
 (No such file or directory).
semodule:  Failed!

After upgrading to

libsemanage-2.5-10.el7
libsemanage-python-2.5-10.el7

I see (but see also https://bugzilla.redhat.com/show_bug.cgi?id=1548020):

# semodule -X 400 -i /var/lib/pcp/selinux/pcpupstream.pp
# 

So pcp-selinux should depend on a new-enough libsemanage (or, depending on the case, not introduce such a dependency at build time, if possible). Thanks.
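
Added example, not part of the original report and not pcp or libsemanage code: a small Python triage helper that reads semodule's stderr, extracts the libsepol version-range error quoted above, and reports whether the module is newer or older than the installed SELinux userspace accepts. The function and class names are hypothetical; the sample text is the output quoted in this report.

```python
import re
from typing import List, NamedTuple

# Sample input: the semodule output quoted in the report above.
SAMPLE = """\
libsemanage.semanage_pipe_data: Child process /usr/libexec/selinux/hll/pp failed with code: 255. (No such file or directory).
pcpupstream: libsepol.policydb_read: policydb module version 19 does not match my version range 4-17
pcpupstream: libsepol.sepol_module_package_read: invalid module in module package (at section 0)
pcpupstream: Failed to read policy package
libsemanage.semanage_direct_commit: Failed to compile hll files into cil files.
 (No such file or directory).
semodule:  Failed!
"""

MISMATCH_RE = re.compile(
    r"^(?P<module>\S+): libsepol\.policydb_read: policydb module version "
    r"(?P<found>\d+) does not match my version range (?P<low>\d+)-(?P<high>\d+)$"
)


class Mismatch(NamedTuple):
    module: str  # name printed before the libsepol message
    found: int   # module version reported for the .pp file
    low: int     # lowest version the installed library accepts
    high: int    # highest version the installed library accepts


def find_mismatches(stderr_text: str) -> List[Mismatch]:
    """Return one Mismatch per policydb version-range error in the text."""
    hits = []
    for line in stderr_text.splitlines():
        m = MISMATCH_RE.match(line.strip())
        if m:
            hits.append(Mismatch(m["module"], int(m["found"]), int(m["low"]), int(m["high"])))
    return hits


def triage(stderr_text: str) -> List[str]:
    """Turn each mismatch into a one-line verdict for the operator."""
    verdicts = []
    for mm in find_mismatches(stderr_text):
        if mm.found > mm.high:
            why = "module is newer than the installed SELinux userspace accepts"
        else:
            why = "module is older than the installed SELinux userspace accepts"
        verdicts.append(f"{mm.module}: version {mm.found}, supported {mm.low}-{mm.high}: {why}")
    return verdicts


if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```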

Comment 11 Nathan Scott 2019-03-04 00:39:06 UTC
Discussed at length in pcp engr team.  We're going to recommend using the matching versions of pcp (7.x) with the platform selinux that was released for - and not doing piecemeal upgrades - it's too complex for us to try to manage the deps and policydb versions within a minor release.

We're also not keen on adding runtime dependencies on selinux-policy-devel (and friends) to base pcp, which was our other angle of attack here.