Bug 1647789

Summary: Run restorecon and semanage in %posttrans
Product: Red Hat Enterprise Linux 7
Component: spice-streaming-agent
Version: 7.6
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: high
Priority: urgent
Target Milestone: rc
Reporter: Jan Stodola <jstodola>
Assignee: Uri Lublin <uril>
QA Contact: SPICE QE bug list <spice-qe-bugs>
CC: rduda, tpelka, uril
Fixed In Version: spice-streaming-agent-0.2-4.el7
Last Closed: 2019-08-06 13:17:31 UTC
Type: Bug
Bug Blocks: 1568427, 1670353
Attachments (description, flags):
v1-call-semanage-in-posttrans-not-in-post (none)
v2-call-semanage-in-posttrans-no-in-post (none)

Description Jan Stodola 2018-11-08 11:19:04 UTC
Description of problem:
%post scriptlet of spice-streaming-agent executes restorecon and semanage:

[root@localhost ~]# rpm -q --scripts spice-streaming-agent
postinstall scriptlet (using /bin/sh):
semanage fcontext -a -t xserver_exec_t /usr/bin/spice-streaming-agent 2>/dev/null || :
restorecon /usr/bin/spice-streaming-agent || :
...

But restorecon and semanage don't work if selinux-policy-* is not yet installed (for example during the installation of a system, see bug 1367433 for details). It was recommended to execute the commands in %posttrans to avoid possible issues with the SELinux policy being installed later in the transaction.
Bug 1367433 comment 14: "You should also hide the stderr output of restorecon for when the package is installed on a system with disabled selinux (or inside a container). In such case the command is expected to fail (and the message is therefore harmless)."

Version-Release number of selected component (if applicable):
RHEL-7.6
spice-streaming-agent-0.2-3.el7

How reproducible:
always

Steps to Reproduce:
1. check rpm scriptlets

Actual results:
restorecon and semanage are executed in %post

Expected results:
restorecon and semanage are executed in %posttrans, stderr is redirected to /dev/null
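
Added example (not part of the original report or of the spice-streaming-agent package): a shell check for step 1 above that reads `rpm -q --scripts` output and reports which scriptlet runs semanage or restorecon. The function names and both sample inputs are constructed for illustration; the check also flags %pre and %pretrans, which goes beyond the %post case reported here.

```shell
#!/bin/sh
# Added example: report which RPM scriptlet runs semanage/restorecon.
# Input on stdin: text in the format printed by `rpm -q --scripts <package>`.

# Print "<section> <command>" for each labeling command (word-match heuristic).
selinux_calls_by_scriptlet() {
    awk '
        # Section headers look like "postinstall scriptlet (using /bin/sh):"
        /^[a-z]+ scriptlet \(using [^)]*\):$/ { section = $1; next }
        section != "" {
            n = split($0, words, /[ \t;|&]+/)
            for (i = 1; i <= n; i++) {
                cmd = words[i]
                sub(/^.*\//, "", cmd)   # also accept /usr/sbin/semanage
                if (cmd == "semanage" || cmd == "restorecon")
                    print section, cmd
            }
        }
    '
}

# Exit 0 only if no labeling command runs in %post. %pre and %pretrans are
# checked too (assumption: they run even earlier, so the same reasoning holds).
labels_only_in_posttrans() {
    early=$(selinux_calls_by_scriptlet |
        grep -Ec '^(preinstall|postinstall|pretrans) ' || :)
    [ "$early" -eq 0 ]
}

# Constructed sample: the scriptlet quoted in the bug description.
BEFORE='postinstall scriptlet (using /bin/sh):
semanage fcontext -a -t xserver_exec_t /usr/bin/spice-streaming-agent 2>/dev/null || :
restorecon /usr/bin/spice-streaming-agent || :'

# Constructed sample: what the expected results describe (not the shipped scriptlet).
AFTER='posttrans scriptlet (using /bin/sh):
semanage fcontext -a -t xserver_exec_t /usr/bin/spice-streaming-agent 2>/dev/null || :
restorecon /usr/bin/spice-streaming-agent 2>/dev/null || :'

for sample in "$BEFORE" "$AFTER"; do
    if printf '%s\n' "$sample" | labels_only_in_posttrans; then
        echo "OK: labeling deferred to %posttrans"
    else
        echo "FLAG: labeling runs before the transaction ends"
    fi
done
```

On an installed system the same functions can be fed directly, for example `rpm -q --scripts spice-streaming-agent | selinux_calls_by_scriptlet`.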

Comment 3 Uri Lublin 2019-04-10 16:10:47 UTC
Created attachment 1554301
v1-call-semanage-in-posttrans-not-in-post

replace %post with %posttrans and also add some checks to scriptlets

Comment 4 Uri Lublin 2019-04-10 16:17:07 UTC
Created attachment 1554303
v2-call-semanage-in-posttrans-no-in-post

Replace %post with %posttrans

A simpler patch, without modifying the scriptlets.

Sent upstream as
 https://lists.freedesktop.org/archives/spice-devel/2019-January/047666.html

Comment 6 Jakub Vavra 2019-04-16 11:52:29 UTC
I still see the issue in nightlies (RHEL-7.7-20190415.n.1), maybe there is some action needed to have the fix in compose?
10:44:19,990 INFO packaging: spice-streaming-agent-0.2-3.el7.x86_64 (1287/1442)
10:44:19,990 INFO packaging: No such file or directory

Comment 7 Jakub Vavra 2019-04-17 06:45:57 UTC
Ok, the issue is gone. I no longer see it there during the installation (RHEL-7.7-20190416.n.0):
...
16:39:15,942 INFO packaging: spice-streaming-agent-0.2-4.el7.x86_64 (1302/1442)
16:39:15,943 INFO packaging: pm-utils-1.4.1-27.el7.x86_64 (1303/1442)
...

Comment 9 errata-xmlrpc 2019-08-06 13:17:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2309