| Summary: | Various AVC denial issues with RHUI [RHUI Upgrade] | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Update Infrastructure for Cloud Providers | Reporter: | Kedar Bidarkar <kbidarka> | ||||||
| Component: | Security | Assignee: | James Slagle <jslagle> | ||||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Kedar Bidarkar <kbidarka> | ||||||
| Severity: | unspecified | Docs Contact: | |||||||
| Priority: | unspecified | ||||||||
| Version: | 2.0.2 | CC: | jslagle, sghai, whayutin | ||||||
| Target Milestone: | --- | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | Unspecified | ||||||||
| OS: | Unspecified | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2012-03-12 19:38:43 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Attachments: |
|
||||||||
Did you see any errors during the update? Please do 'rpm -qa > qa.txt' and attach qa.txt to this bugzilla. Actually, I think I know what the issue might be here. We need to enable selinux *before* doing the update. There are some steps in the spec file that apply the policy, but they only run if selinux is already enabled. Going to test this and I'll report back. Nevermind, that doesn't appear to be the issue. The policy should still be applied because /usr/sbin/selinuxenabled will report selinux as enabled even when you're in permissive mode, which I was. *** Bug 799495 has been marked as a duplicate of this bug. *** These SELinux issues were caused by the migration of files from /etc/pki/content to /etc/pki/pulp/content. There's actually a migration script that runs as part of pulp-migrate that handles this, but it only works if the config files have already been updated for the new paths. There was a migration needed to move the pulp-protected-repos file to the new location, and I added that as a %post install script in pulp.spec. This will be in pulp-0.263-13 I updated the release notes at https://engineering.redhat.com/trac/mgmt-integrated/wiki/cloude/rhui-202-release-notes to account for this requirement. Please use those release notes when you do the update testing. I'll move this bug to ON_QA once the new iso build is done and the yum repo at cdn.rcm-qa.redhat.com has been updated with the new pulp packages. New ISO: http://download.lab.bos.redhat.com/devel/candidates/RHEL-6.2-RHUI-2.0.2-20120305.0/2.0.2/Server/x86_64/iso/RHEL-6.2-RHUI-2.0.2-20120305.0-Server-x86_64-DVD1.iso The yum repo at http://cdn.rcm-qa.redhat.com/content/dist/rhel/rhui/server/6/6Server/x86_64/rhui/2.0/os/ has also been updated with the new builds. Be sure to follow the update instructions at https://engineering.redhat.com/trac/mgmt-integrated/wiki/cloude/rhui-202-release-notes when updating. Created attachment 567959 [details]
avc denial issues
Upgraded with the latest iso and still face AVC denial issues
s/iso/content from cdn.rcm-qa/ after fixing bug #800485 and bug #800614 I don't see the AVC's in the audit log when I restart the pulp-server service or sync a repo. Can you try going through the upgrade again after today's builds and see if you still see the AVC's? If you do, please let me know what actions you're doing to trigger them. No AVC denial messages observed today from the logs after RHUI upgrade Released in RHUI 2.0.2 |
Created attachment 567148 [details] AVC denial issues Description of problem: Various AVC denial issues found under the log /var/log/audit/audit.log Version-Release number of selected component (if applicable): How reproducible: After Upgrade only Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info: Please find the attached logs.