Bug 1000732 - missing dependency openstack-selinux
Summary: missing dependency openstack-selinux
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-swift
Version: 3.0
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
: 4.0
Assignee: RHOS Maint
QA Contact: Haim
Reported: 2013-08-24 18:37 UTC by Jaroslav Henner
Modified: 2016-04-26 20:11 UTC

Doc Type: Bug Fix
Last Closed: 2013-09-08 11:44:44 UTC


Links
System: Red Hat Bugzilla; ID: 885529; Private: 0; Priority: high; Status: CLOSED; Summary: swift replication produces SELinux AVC denials; Last Updated: 2021-02-22 00:41:40 UTC

Internal Links: 885529

Description Jaroslav Henner 2013-08-24 18:37:37 UTC
Description of problem:
I had symptoms of 885529 -- AVC denials, replication didn't work. It got fixed after I installed openstack-selinux. Therefore I think it should be a dependency.

Version-Release number of selected component (if applicable):
openstack-swift-1.8.0-7.el6ost.noarch
openstack-selinux-0.1.2-10.el6ost.noarch

How reproducible:


Steps to Reproduce:
1. Add device on a node. On that node openstack-selinux is missing
2. no data are being transferred, avc denials about lockfiles, errors in /var/log/messages
3. setenforce 0
4. data are passing

Actual results:
no replication, errors in logs

Expected results:
replication

Additional info:

Comment 2 Perry Myers 2013-08-27 21:08:15 UTC
Advice from SELinux team in the past was always to not have explicit package dependencies on selinux policy packages, since it is always a valid (though not recommended) option to run with Permissive or Disabled mode.

It should instead be the responsibility of the deployment software (in this case Packstack or Foreman with perhaps the dependency codified in the Puppet modules) to make sure that openstack-selinux is installed.

Given that, this bug would be on openstack-packstack for now (since that is where we put the Puppet modules) but once we separate out the puppet modules it would be moved to something like openstack-puppet.

dwalsh/mgrepl, do I have that correct or do you recommend setting explicit Requires: on things like openstack-selinux and selinux-policy-targeted to make sure they are installed?

Comment 3 Jaroslav Henner 2013-08-28 05:18:10 UTC
(In reply to Perry Myers from comment #2)
> Advice from SELinux team in the past was always to not have explicit package
> dependencies on selinux policy packages, since it is always a valid (though
> not recommended) option to run with Permissive or Disabled mode.
> 
> It should instead be the responsibility of the deployment software (in this
> case Packstack or Foreman with perhaps the dependency codified in the Puppet
> modules) to make sure that openstack-selinux is installed.

Neither Packstack, nor Puppet was used to deploy this node. 

> 
> Given that, this bug would be on openstack-packstack for now (since that is
> where we put the Puppet modules) but once we separate out the puppet modules
> it would be moved to something like openstack-puppet
> 
> dwalsh/mgrepl, do I have that correct or do you recommend setting explicit
> Requires: on things like openstack-selinux and selinux-policy-targeted to
> make sure they are installed?

Is it possible to have it installed as some optional dependency that would get pulled in if selinux is pulled in? I am OK with closing this as NOTABUG if it cannot.

Comment 4 Perry Myers 2013-08-28 11:58:04 UTC
(In reply to Jaroslav Henner from comment #3)
> Neither Packstack, nor Puppet was used to deploy this node. 

In that case, my understanding is that you just need to manually install openstack-selinux. It's a process/documentation issue.
 
> Is it possible to have it installed as some optional dependency that would
> get pulled in if selinux is pulled in? I am OK with closing this as NOTABUG
> if it cannot.

I think I asked SELinux team about this in the past as well, and was told not to go down this route.  But I could be misremembering.  Let's wait to see what dwalsh or mgrepl have to say on the matter before we close this bug or anything.

Comment 5 Daniel Walsh 2013-08-28 19:38:47 UTC
Not sure what we can do to fix this.  On a RHEL/Fedora box, I would just install openstack-selinux package.

There is nothing we can do to require this.  If SELinux is disabled then openstack-selinux package should just be a noop other than taking up disk space.
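
Added example (not part of the bug thread and not Red Hat's code): a preflight check for a Swift node deployed by hand, covering the case discussed above where SELinux is enforcing but openstack-selinux was never installed. The function names, the `--run` switch and the sample audit records are constructed for illustration; the audit log path is the auditd default.

```shell
#!/bin/sh
# Constructed sample audit records (NOT taken from the bug report).
SAMPLE_AUDIT='type=AVC msg=audit(1377369457.101:88): avc:  denied  { lock } for  pid=2211 comm="swift-object-re" path="/var/lock/example.lock" scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1377369458.204:89): avc:  denied  { read } for  pid=990 comm="httpd" name="example" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1377369460.310:90): avc:  denied  { write } for  pid=2212 comm="swift-object-re" name="example.lock" scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file'

# Count AVC denials raised by swift processes; audit text is read from stdin.
# grep -c exits non-zero on a count of 0, so "|| true" keeps the "0" output.
count_swift_denials() {
    grep 'avc: *denied' | grep -c 'comm="swift-' || true
}

# Map (SELinux mode, package present yes/no, denial count) to a verdict line.
policy_verdict() {
    v_mode=$1; v_pkg=$2; v_denials=$3
    case "$v_mode:$v_pkg" in
        Disabled:*)
            echo "OK: SELinux disabled, policy package is a no-op" ;;
        *:yes)
            if [ "$v_denials" -gt 0 ]; then
                echo "CHECK: openstack-selinux installed, $v_denials swift denials logged"
            else
                echo "OK: openstack-selinux installed"
            fi ;;
        Enforcing:no)
            echo "FAIL: enforcing without openstack-selinux, install the package" ;;
        Permissive:no)
            echo "WARN: permissive without openstack-selinux, $v_denials swift denials logged" ;;
        *)
            echo "UNKNOWN: mode=$v_mode package=$v_pkg" ;;
    esac
}

# Gather the real values on a RHEL/Fedora node and print the verdict.
node_preflight() {
    p_mode=$(getenforce)
    if rpm -q openstack-selinux >/dev/null 2>&1; then p_pkg=yes; else p_pkg=no; fi
    p_denials=$(count_swift_denials < /var/log/audit/audit.log)
    policy_verdict "$p_mode" "$p_pkg" "$p_denials"
}

# Only touch the live system when explicitly asked to.
if [ "${1:-}" = "--run" ]; then
    node_preflight
fi
```

Run as root with `--run` on the storage node, since reading the audit log needs privileges.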

