Bug 1563766

Summary: upgraded foreman-selinux has no label for 2375/tcp
Product: Red Hat Satellite Reporter: Lukas Pramuk <lpramuk>
Component: SELinuxAssignee: Lukas Zapletal <lzap>
Status: CLOSED ERRATA QA Contact: Jan Hutaƙ <jhutar>
Severity: high Docs Contact:
Priority: unspecified    
Version: 6.3.1CC: egolov, jhutar, lzap, mmccune
Target Milestone: 6.4.0Keywords: Regression, Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
URL: http://projects.theforeman.org/issues/23127
Whiteboard:
Fixed In Version: foreman-selinux-1.18.0.1-1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1624026 (view as bug list) Environment:
Last Closed: 2018-10-16 18:55:21 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Lukas Pramuk 2018-04-04 15:53:26 UTC 
Description of problem:
Contrary to fresh install the upgraded foreman-selinux has foreman_container_port_t label defined only for 2376/tcp port


Version-Release number of selected component (if applicable):
foreman-selinux-1.15.6.2-1.el7sat.noarch


How reproducible:
upgraded from foreman-selinux-1.11 only


Steps to Reproduce:
1. Have a Sat6.2
# rpm -q foreman-selinux
foreman-selinux-1.11.0.4-1.el7sat.noarch

2. Upgrade foreman-selinux with Sat6.3 foreman-selinux rpm
# yum upgrade foreman-selinux-1.15.6.2-1.el7sat.noarch.rpm

3. Check for foreman_container_port_t label
# semanage port -l |grep container
foreman_container_port_t       tcp      2376


Actual results:
foreman_container_port_t       tcp      2376

Expected results:
foreman_container_port_t       tcp      2375
foreman_container_port_t       tcp      2376
Comment 1 Lukas Pramuk 2018-04-04 15:58:52 UTC 
Investigation step by step:

1) old rpm present
# rpm -q foreman-selinux
foreman-selinux-1.11.0.4-1.el7sat.noarch

>>> docker_port_t                  tcp      2375-2376

2) new rpm install
# rpm -ip --noscripts --replacefiles foreman-selinux-1.15.6.2-1.el7sat.noarch.rpm

3) new %post runs:
----
if /usr/sbin/selinuxenabled; then
    # install and upgrade
    /usr/sbin/foreman-selinux-enable
fi
----

>>> foreman_container_port_t       tcp      2376 <<< WRONG

4) old %preun runs:
----
if /usr/sbin/selinuxenabled; then
    # uninstall only
    if [ $1 -eq 0 ]; then
        /usr/sbin/foreman-selinux-disable
    fi
    # upgrade and uninstall
    /usr/sbin/foreman-selinux-relabel

fi
----

Luckily the issue is caused by 6.3 postinstall script and not by 6.2 preuninstall. (no need to fix old 6.2)
Comment 2 Lukas Pramuk 2018-04-04 16:09:59 UTC 
Solution:

In /usr/sbin/foreman-selinux-enable there are 2 scripts generated
- $TMP_EXEC_BEFORE (deletes)
- $TMP_EXEC_AFTER (re/creates)
It can't be that they both share the very same file for checking existence of port definitions
- $TMP_PORTS

You check the label exists and - you both don't go creating it(in $TMP_EXEC_AFTER)  while at the same time you go deleting it(in $TMP_EXEC_BEFORE) !!!

The solution is 
- grep first into $TMP_PORTS execute $TMP_EXEC_BEFORE
- and then!! grep into $TMP_PORTS used by $TMP_EXEC_AFTER
Comment 8 Satellite Program 2018-06-28 16:26:34 UTC 
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/23127 has been resolved.
Comment 15 Bryan Kearney 2018-10-16 18:55:21 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2927