Bug 1563766
| Field | Value |
|---|---|
| Summary | upgraded foreman-selinux has no label for 2375/tcp |
| Product | Red Hat Satellite |
| Component | SELinux |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | unspecified |
| Version | 6.3.1 |
| Target Milestone | 6.4.0 |
| Target Release | Unused |
| Hardware | Unspecified |
| OS | Unspecified |
| URL | http://projects.theforeman.org/issues/23127 |
| Whiteboard | |
| Fixed In Version | foreman-selinux-1.18.0.1-1 |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Clone Of | |
| Clones | 1624026 |
| Last Closed | 2018-10-16 18:55:21 UTC |
| Regression | --- |
| Documentation | --- |
| Verified Versions | |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Embargoed | |
| Reporter | Lukas Pramuk <lpramuk> |
| Assignee | Lukas Zapletal <lzap> |
| QA Contact | Jan Hutař <jhutar> |
| Docs Contact | |
| CC | egolov, jhutar, lzap, mmccune |
| Keywords | Regression, Triaged |
| Story Points | --- |
| Environment | |
| Type | Bug |
| Mount Type | --- |
| CRM | |
| Category | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Target Upstream Version | |
Description
Lukas Pramuk
2018-04-04 15:53:26 UTC
Investigation step by step:

1) old rpm present

# rpm -q foreman-selinux
foreman-selinux-1.11.0.4-1.el7sat.noarch

>>> docker_port_t tcp 2375-2376

2) new rpm install

# rpm -ip --noscripts --replacefiles foreman-selinux-1.15.6.2-1.el7sat.noarch.rpm

3) new %post runs:
----
if /usr/sbin/selinuxenabled; then
  # install and upgrade
  /usr/sbin/foreman-selinux-enable
fi
----

>>> foreman_container_port_t tcp 2376   <<< WRONG

4) old %preun runs:
----
if /usr/sbin/selinuxenabled; then
  # uninstall only
  if [ $1 -eq 0 ]; then
    /usr/sbin/foreman-selinux-disable
  fi
  # upgrade and uninstall
  /usr/sbin/foreman-selinux-relabel
fi
----

Luckily the issue is caused by the 6.3 postinstall script and not by the 6.2 preuninstall (no need to fix old 6.2).

Solution:

In /usr/sbin/foreman-selinux-enable there are 2 scripts generated:
- $TMP_EXEC_BEFORE (deletes)
- $TMP_EXEC_AFTER (re/creates)

It can't be that they both share the very same file for checking the existence of port definitions - $TMP_PORTS.
You check that the label exists, and then you both skip creating it (in $TMP_EXEC_AFTER) while at the same time you go deleting it (in $TMP_EXEC_BEFORE)!!!

The solution is:
- grep first into $TMP_PORTS, execute $TMP_EXEC_BEFORE
- and then!! grep into $TMP_PORTS used by $TMP_EXEC_AFTER

Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/23127 has been resolved.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2927
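The failure mode the reporter describes (a "delete" script and a "re-create" script both generated from one stale port listing, so a port is removed and never put back) and the proposed fix (run the deletions, re-list, and only then decide what to re-create) are shown below as an added, self-contained model. This is example code written for this page, not the foreman-selinux-enable script or any Foreman project code. It assumes a text file of "type proto port" lines in place of the SELinux port database, with list_ports/del_port/add_port standing in for `semanage port -l`, `semanage port -d` and `semanage port -a`; the starting state (2375 labelled docker_port_t by the old package, 2376 undefined) is constructed so that the buggy run reproduces the reported symptom of only 2376 carrying the new label.

```shell
#!/bin/bash
# Added illustration, not the foreman-selinux-enable script: a small model of
# why generating the "delete" script and the "re-create" script from one
# stale port listing loses a port, and why re-listing between the two phases
# (the reporter's proposed fix) repairs it.
# Assumptions: the SELinux port database is modelled as a text file of
# "type proto port" lines; list_ports/del_port/add_port stand in for
# `semanage port -l`, `semanage port -d` and `semanage port -a`.
set -u

DB=$(mktemp)                          # stands in for the SELinux port database
trap 'rm -f "$DB"' EXIT

WANT_TYPE=foreman_container_port_t    # type the new package wants (assumed)
WANT_PROTO=tcp
WANT_PORTS="2375 2376"

# Constructed starting state: the old package labelled 2375 with another type
# and never defined 2376 (chosen so the buggy run shows the reported symptom).
reset_db() {
    printf '%s\n' "docker_port_t tcp 2375" > "$DB"
}

list_ports() { cat "$DB"; }                                            # semanage port -l
del_port()   { awk -v p="$1 $2" '($2 " " $3) != p' "$DB" > "$DB.new" && mv "$DB.new" "$DB"; }  # semanage port -d -p PROTO PORT
add_port()   { echo "$1 $2 $3" >> "$DB"; }                             # semanage port -a -t TYPE -p PROTO PORT

# Emit a "del_port" line for every wanted port that the listing $1 shows
# defined with a different type (this is what $TMP_EXEC_BEFORE does).
gen_before() {
    for port in $WANT_PORTS; do
        if grep -q " $WANT_PROTO $port\$" "$1" && ! grep -q "^$WANT_TYPE $WANT_PROTO $port\$" "$1"; then
            echo "del_port $WANT_PROTO $port"
        fi
    done
}

# Emit an "add_port" line for every wanted port that the listing $1 does not
# define at all: the existence check the description talks about
# (this is what $TMP_EXEC_AFTER does).
gen_after() {
    for port in $WANT_PORTS; do
        if ! grep -q " $WANT_PROTO $port\$" "$1"; then
            echo "add_port $WANT_TYPE $WANT_PROTO $port"
        fi
    done
}

# Buggy order: one listing feeds both generators, so 2375 "exists" as far as
# gen_after is concerned (no add) yet gen_before schedules it for deletion.
buggy_enable() {
    reset_db
    local ports before after
    ports=$(mktemp); before=$(mktemp); after=$(mktemp)
    list_ports > "$ports"
    gen_before "$ports" > "$before"
    gen_after  "$ports" > "$after"      # consults the stale listing
    . "$before"
    . "$after"
    rm -f "$ports" "$before" "$after"
    list_ports
}

# Fixed order: run the deletions first, re-list, and only then decide what
# to re-create.
fixed_enable() {
    reset_db
    local ports before after
    ports=$(mktemp); before=$(mktemp); after=$(mktemp)
    list_ports > "$ports"
    gen_before "$ports" > "$before"
    . "$before"
    list_ports > "$ports"               # fresh listing: 2375 is gone now
    gen_after  "$ports" > "$after"
    . "$after"
    rm -f "$ports" "$before" "$after"
    list_ports
}

echo "buggy:"; buggy_enable            # only 2376 ends up labelled
echo "fixed:"; fixed_enable            # both 2375 and 2376 are labelled
```

The existence check itself is unchanged between the two runs; the only difference is whether the listing consulted by gen_after predates or postdates the deletions, which is exactly the ordering change the reporter asks for.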