Bug 1631814

Summary: rpm macro %selinux_set_booleans requires selinux-policy-targeted installed
Product: Red Hat Enterprise Linux 7 Reporter: Petr Menšík <pemensik>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.6CC: bugzilla.redhat.com.dev, leshy, lvrabec, mmalik, pemensik, plautrba, pzhukov, ssekidde, vmojzis
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1633198 (view as bug list) Environment:
Last Closed: 2019-08-06 12:52:32 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1122832, 1614196, 1633108, 1633198, 1647659, 1653106    
Attachments:
Description Flags
proposed patch none

Description Petr Menšík 2018-09-21 15:40:06 UTC 
Description of problem:
We discovered issue in bug #1569466, which uses this macro. If selinux-policy-targeted is not (yet) installed, it would emit tracebacks from semanage. Because that fail happens inside for, any failures are not reported to rpm. It just emits errors to stderr and would not set the variable.


Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-166.el7.noarch

How reproducible:
always

Steps to Reproduce:
1. yum remove selinux-policy-targeted
2. yum install bind
3.

Actual results:
Traceback (most recent call last):
  File "/usr/sbin/semanage", line 32, in <module>
    import seobject
  File "/usr/lib64/python2.7/site-packages/seobject/__init__.py", line 36, in <module>
    import sepolicy
  File "/usr/lib64/python2.7/site-packages/sepolicy/__init__.py", line 930, in <module>
    raise e
ValueError: No SELinux Policy installed
Traceback (most recent call last):
  File "/usr/sbin/semanage", line 32, in <module>
    import seobject
  File "/usr/lib64/python2.7/site-packages/seobject/__init__.py", line 36, in <module>
    import sepolicy
  File "/usr/lib64/python2.7/site-packages/sepolicy/__init__.py", line 930, in <module>
    raise e
ValueError: No SELinux Policy installed
Traceback (most recent call last):
  File "/usr/sbin/semanage", line 32, in <module>
    import seobject
  File "/usr/lib64/python2.7/site-packages/seobject/__init__.py", line 36, in <module>
    import sepolicy
  File "/usr/lib64/python2.7/site-packages/sepolicy/__init__.py", line 930, in <module>
    raise e
ValueError: No SELinux Policy installed


Expected results:


Additional info:
Second problem with this macro was found. It relies on text output, but that output is locale dependent. When testing it in 1minutetip with different locale, I found it is not set back to original value on uninstallation. It has different output and output does not contain on and off.

# cat /etc/selinux/targeted/rpmbooleans.custom 
# This file is managed by macros.selinux-policy. Do not edit it manually
boolean -m --named_write_master_zones       (vypnout,vypnout)  Allow named to write master zones named_write_master_zones

That comes from LANG=cs_CZ.UTF-8
Comment 2 Petr Menšík 2018-09-21 15:41:19 UTC 
I am not sure if it is feature. But number of sets has to match number of unsets called. In our case, it would not reset correctly to previous boolean state. Because I require on set in posttrans and post on upgrade. Is such behaviour required?
Comment 3 Petr Menšík 2018-09-21 18:53:27 UTC 
Created attachment 1485765 [details]
proposed patch

Proposed patch to not emit failures and do not fail on different locale.
Comment 4 Petr Menšík 2018-10-11 14:41:18 UTC 
Check libunbound.so version in info page of F29 build.

https://koji.fedoraproject.org/koji/rpminfo?rpmID=15550778
Comment 5 Petr Menšík 2019-02-27 17:18:37 UTC 
I think bug #1609323 is related to this one too. But the macro should not be guarded on selinuxenabled property. I think it would need default state ability, so it reset to default value. Now it is impossible to get back to default value if that was changed over time. It will always return to original value, not default value specified by current policy. It would be required to sometime remove boolean enable macro from bind.
Comment 6 Petr Menšík 2019-02-28 13:11:09 UTC 
Hi, any change on this issue? I would like to fix it in RHEL 7.7, would it be ready?
Comment 7 Petr Menšík 2019-02-28 13:32:40 UTC 
Could you check also bug #1647659 ? Is there way to store boolean when selinux is disabled? When it is reenabled, would it load value set last time? I assume selinuxenabled should be changed only on reboots, unline setenforce? Is that right?
Comment 21 errata-xmlrpc 2019-08-06 12:52:32 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2127