Bug 893065
| Summary: | vdsm package can not be installed on RHEL 6.4 if selinux disabled. | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Leonid Natapov <lnatapov> |
| Component: | policycoreutils | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Michal Trunecka <mtruneck> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | | |
| Version: | 6.4 | CC: | abaron, asegundo, bazulay, cpelland, dougsland, dwalsh, ebenes, fsimonce, idith, iheim, italkohe, ksrot, lpeer, mgrepl, mmalik, mtruneck, ohochman, tlavigne, ven.patnala, ykaul |
| Target Milestone: | rc | Keywords: | Regression |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Linux | | |
| Whiteboard: | infra | | |
| Fixed In Version: | policycoreutils-2.0.83-19.30.el6 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-02-21 10:15:43 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 862738, 902691 | | |
| Attachments: | | | |

Description
Leonid Natapov
2013-01-08 14:11:28 UTC
According to dwalsh we should catch the exception:

      File "/usr/lib64/python2.6/site-packages/vdsm/tool/seboolsetup.py", line 21, in <module>
        import seobject
      File "/usr/lib64/python2.6/site-packages/seobject.py", line 952, in <module>
        class portRecords(semanageRecords):
      File "/usr/lib64/python2.6/site-packages/seobject.py", line 953, in portRecords
        valid_types = setools.seinfo(setools.ATTRIBUTE,"port_type")[0]["types"]
      File "/usr/lib64/python2.6/site-packages/setools/__init__.py", line 49, in seinfo
        dict_list = _seinfo.seinfo(setype, name)
    RuntimeError: No default policy found.

Dan we probably want this ASAP.

What exactly are you doing with seobject?

*** Bug 892316 has been marked as a duplicate of this bug. ***

Here the code:
==================
    import seobject
    <snip>
    def setup_booleans(status):
        sebool_obj = seobject.booleanRecords()
        sebool_status = sebool_obj.get_all()

        sebool_obj.start()

        for sebool_variable in VDSM_SEBOOL_LIST:
            if status and not all(sebool_status[sebool_variable]):
                sebool_obj.modify(sebool_variable, SEBOOL_ENABLED)

            if not status and any(sebool_status[sebool_variable]):
                sebool_obj.modify(sebool_variable, SEBOOL_DISABLED)

        sebool_obj.finish()
    </snip>
=============

    # cat /etc/redhat-release
    Red Hat Enterprise Linux Server release 6.4 Beta (Santiago)

    # rpm -qa | grep -i selinux
    libselinux-2.0.94-5.3.el6.x86_64
    libselinux-devel-2.0.94-5.3.el6.x86_64
    selinux-policy-3.7.19-191.el6.noarch
    selinux-policy-targeted-3.7.19-191.el6.noarch
    libselinux-python-2.0.94-5.3.el6.x86_64
    libselinux-utils-2.0.94-5.3.el6.x86_64

    # getenforce
    Disabled

    # python -c 'import seobject'
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
      File "/usr/lib64/python2.6/site-packages/seobject.py", line 952, in <module>
        class portRecords(semanageRecords):
      File "/usr/lib64/python2.6/site-packages/seobject.py", line 953, in portRecords
        valid_types = setools.seinfo(setools.ATTRIBUTE,"port_type")[0]["types"]
      File "/usr/lib64/python2.6/site-packages/setools/__init__.py", line 49, in seinfo
        dict_list = _seinfo.seinfo(setype, name)
    RuntimeError: No default policy found.

Hi Daniel,

I cannot see such Traceback on RHEL6.3 or F18, the same test importing seobject:

    # cat /etc/redhat-release
    Red Hat Enterprise Linux Server release 6.3 Beta (Santiago)

    # rpm -qa | grep selinux
    libselinux-2.0.94-5.3.el6.x86_64
    selinux-policy-targeted-3.7.19-139.el6.noarch
    selinux-policy-3.7.19-139.el6.noarch
    libselinux-python-2.0.94-5.3.el6.x86_64
    libselinux-utils-2.0.94-5.3.el6.x86_64

    # getenforce
    Disabled

    # python -c 'import seobject'

=======================================================

    # cat /etc/redhat-release
    Fedora release 17 (Beefy Miracle)

    # rpm -qa | grep -i selinux
    selinux-policy-3.10.0-149.fc17.noarch
    libselinux-2.1.10-3.fc17.x86_64
    selinux-policy-targeted-3.10.0-149.fc17.noarch
    selinux-policy-devel-3.10.0-149.fc17.noarch
    libselinux-python-2.1.10-3.fc17.x86_64
    libselinux-utils-2.1.10-3.fc17.x86_64

    # python -c 'import seobject'
    #

=================================

Thanks!

Additional info:

I see the same error for semanage on RHEL 6.4 (not happened on RHEL6.3)

    # cat /etc/redhat-release
    Red Hat Enterprise Linux Server release 6.4 Beta (Santiago)

    # getenforce
    Disabled

    # semanage
    Traceback (most recent call last):
      File "/usr/sbin/semanage", line 25, in <module>
        import seobject
      File "/usr/lib64/python2.6/site-packages/seobject.py", line 952, in <module>
        class portRecords(semanageRecords):
      File "/usr/lib64/python2.6/site-packages/seobject.py", line 953, in portRecords
        valid_types = setools.seinfo(setools.ATTRIBUTE,"port_type")[0]["types"]
      File "/usr/lib64/python2.6/site-packages/setools/__init__.py", line 49, in seinfo
        dict_list = _seinfo.seinfo(setype, name)
    RuntimeError: No default policy found.

Yes I would say this is a bug in semanage also, and I have changed F18 to only throw an exception if selinux is enabled. But I am not sure of what the proper way to handle this since the other lines would blow up on you if SELinux is disabled also.
Do you do your code during installation? What booleans are you turning on?

Hi Daniel,

I see the point, we call the tool in the spec file.

Booleans:
===============
    VDSM_SEBOOL_LIST = [
        "virt_use_fusefs",
        "virt_use_nfs",
        "virt_use_samba",
        "virt_use_sanlock",
        "sanlock_use_fusefs",
        "sanlock_use_nfs",
        "sanlock_use_samba",
    ]

Well, we could do patch the tool as below, is it the way to go Daniel?

diff --git a/vdsm-tool/seboolsetup.py b/vdsm-tool/seboolsetup.py index 437da68..48184dc 100644 --- a/vdsm-tool/seboolsetup.py +++ b/vdsm-tool/seboolsetup.py @@ -18,7 +18,12 @@ # Refer to the README and COPYING files for full details of the license # -import seobject +try: + import seobject + _selinuxEnabled = True +except RuntimeError: + _selinuxEnabled = False + from vdsm.tool import expose SEBOOL_ENABLED = "on" 
@@ -36,19 +41,21 @@ VDSM_SEBOOL_LIST = [ def setup_booleans(status): - sebool_obj = seobject.booleanRecords() - sebool_status = sebool_obj.get_all() - sebool_obj.start() + if _selinuxEnabled: + sebool_obj = seobject.booleanRecords() + sebool_status = sebool_obj.get_all() + + sebool_obj.start() - for sebool_variable in VDSM_SEBOOL_LIST: - if status and not all(sebool_status[sebool_variable]): - sebool_obj.modify(sebool_variable, SEBOOL_ENABLED) + for sebool_variable in VDSM_SEBOOL_LIST: + if status and not all(sebool_status[sebool_variable]): + sebool_obj.modify(sebool_variable, SEBOOL_ENABLED) - if not status and any(sebool_status[sebool_variable]): - sebool_obj.modify(sebool_variable, SEBOOL_DISABLED) + if not status and any(sebool_status[sebool_variable]): + sebool_obj.modify(sebool_variable, SEBOOL_DISABLED) - sebool_obj.finish() + sebool_obj.finish()

Thanks!

Why not?

    def setup_booleans(status):
        import seobject
        sebool_obj = seobject.booleanRecords()
        sebool_status = sebool_obj.get_all()

        sebool_obj.start()

        for sebool_variable in VDSM_SEBOOL_LIST:
            if status and not all(sebool_status[sebool_variable]):
                sebool_obj.modify(sebool_variable, SEBOOL_ENABLED)

            if not status and any(sebool_status[sebool_variable]):
                sebool_obj.modify(sebool_variable, SEBOOL_DISABLED)

        sebool_obj.finish()
    ...
    try:
        setup_booleans(status)
    except ValueError, e:
        if selinux.is_selinux_enabled() == 1:
            raise e

Hi Daniel,

Thanks for your patch suggestion but it's showing the exception of importing seobject anyway. Any other idea?

I have tested the comment #9 and it worked at least.

Hi Daniel,

New try and I got a patch that fit, thanks for your help.

Patch available upstream for review: http://gerrit.ovirt.org/#/c/10892/

As we talked with Daniel today, /me moving the bugzilla to selinux component. They are going to implement a similar patch into policycoreutils-python.

We will fix policycoreutils in 6.5.

We cannot wait for 6.5, this is a vdsm blocker on RHEL 6.4 (for RHEV 3.1).
Afaiu, any customer installing new hosts will not be able to work.

My understanding was that vdsm was going to fix the problem for now, and then we would update policycoreutils in the next release.

Hi Daniel,

The patch received nack on review in upstream, that's why I moved to policycoreutils component. Sorry if I couldn't make it clear to you.

Thanks
Douglas

(In reply to comment #16)
> My understanding was that vdsm was going to fix the problem for now, and
> then we would update policycoreutils in the next release.

There is no way to fix this on the vdsm side without losing a functionality. We need to set the policies also when selinux is disabled.
Correct me if I'm wrong but this looks like a regression (on 6.3 it's working).

Created attachment 679453 [details]
seobject.py patch
Dan,
I have found the problem. Basically it is caused by
valid_types = setools.seinfo(setools.ATTRIBUTE,"port_type")[0]["types"]
which we added to solve another bug in RHEL6.4.
I attached the patch which solves the problem in policycoreutils for now.
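
Review bot: the "except RuntimeError:" clause around "import seobject" in the "@@ -18,7 +18,12 @@" hunk of the vdsm-tool/seboolsetup.py patch quoted earlier in this thread treats any RuntimeError raised during that import as SELinux being off, so "_selinuxEnabled" records whether seobject imported, not the SELinux state. Suggest naming the flag for what it measures, logging the caught exception, and taking the enabled/disabled decision from an explicit check such as the selinux.is_selinux_enabled() call proposed in the follow-up comment.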
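
Review bot: "if _selinuxEnabled:" in the "@@ -36,19 +41,21 @@" hunk of the vdsm-tool/seboolsetup.py patch quoted earlier in this thread has no else branch, so when the import failed setup_booleans(status) returns without changing any boolean in VDSM_SEBOOL_LIST and without telling the caller. The tool is called from the spec file, so a skipped run is indistinguishable from a successful one; suggest logging the skip or returning a status, and documenting that the booleans are left unset in that case.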
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.

Fixed in policycoreutils-2.0.83-19.30.el6

Kerel, yes. you can find me on IRC under nickname Lesik.

Leonid, could you please try to install the vdsm package with the fixed version of policycoreutils? We have an automated regression test which checks the issue which was fixed and it seems to be ok, but I would like to ensure there is no other issue.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0396.html
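
The failure mode traced in this bug, as an added example (not the attached seobject.py patch and not policycoreutils code): a policy lookup placed in a class body runs when the module is imported, so one failing query breaks every importer, while a deferred lookup fails only for callers that need port types. The seinfo stand-in, set_policy_loaded, the class names and the sample values are all constructed for the illustration.

```python
_policy_loaded = False  # constructed switch; False models the host in this bug


def set_policy_loaded(flag):
    """Toggle the simulated policy state (constructed for this example)."""
    global _policy_loaded
    _policy_loaded = flag


def seinfo(attribute):
    """Stand-in for setools.seinfo(): raises when no policy can be found."""
    if not _policy_loaded:
        raise RuntimeError("No default policy found.")
    return [{"types": ["http_port_t", "ssh_port_t"]}]  # constructed sample


def import_eager_module():
    """Model importing a module whose class body queries the policy."""
    class PortRecords(object):
        valid_types = seinfo("port_type")[0]["types"]  # runs at definition

    class BooleanRecords(object):  # never defined if the lookup above raises
        pass
    return PortRecords, BooleanRecords


class LazyPortRecords(object):
    """Same lookup, deferred until a caller actually asks for port types."""
    _valid_types = None

    @classmethod
    def valid_types(cls):
        if cls._valid_types is None:
            cls._valid_types = seinfo("port_type")[0]["types"]
        return cls._valid_types


class BooleanRecords(object):
    """Consumer that never needs port types, like the boolean setup code."""
    def get_all(self):
        return {"virt_use_nfs": (0, 0)}  # constructed sample values


def eager_import_error():
    """Return the error text an importer of the eager module would see."""
    try:
        import_eager_module()
    except RuntimeError as exc:
        return str(exc)
    return None
```

With the policy absent, eager_import_error() reports the same RuntimeError text as the tracebacks in this bug, while BooleanRecords in the lazy layout stays usable.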