Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1117360

Summary: Create SELinux policy module for mmopenshift if needed
Product: OpenShift Container Platform
Reporter: Luke Meyer <lmeyer>
Component: Installer
Assignee: Luke Meyer <lmeyer>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: unspecified
Version: 2.1.0
CC: jokerman, libra-bugs, libra-onpremise-devel, mmccomas, xiama
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2014-07-09 13:29:17 UTC
Type: Bug
Bug Blocks: 1096155, 1117442

Description Luke Meyer 2014-07-08 14:07:32 UTC
Description of problem:

Per bug 1096155 an SELinux policy update is required in order to support proper functioning of the rsyslog7-mmopenshift module. openshift.sh should supply this until it is formally shipped in selinux-policy.

Expected results:
Under the following conditions:
1. Install script is invoked with CONF_SYSLOG including "gears"
2. installed selinux-policy < selinux-policy-3.7.19-237.el6.noarch
... openshift.sh will install a custom policy module rsyslog7-mmopenshift.

Additional info:
https://github.com/openshift/openshift-extras/pull/398
* Can test with "sh openshift.sh action=configure_mmopenshift_selinux_policy"
* Can check "semodule -l | grep mmopenshift" to see if module installed.
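
The install condition and the module check from the description above, as an added example (not code from openshift.sh or the linked pull request). It assumes CONF_SYSLOG is a comma-separated list and uses GNU `sort -V` as a stand-in for RPM's version comparison; the function names are hypothetical.

```shell
#!/bin/sh
# Threshold from the bug report: selinux-policy builds older than this
# need the custom module.
FIXED_EVR="3.7.19-237.el6"
MODULE="rsyslog7-mmopenshift"

# ver_lt A B: true when A sorts strictly before B.
# Assumption: GNU `sort -V` approximates RPM's own version comparison.
ver_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$1" ]
}

# syslog_has_gears LIST: true when "gears" is one item of LIST.
# Assumption: CONF_SYSLOG is a comma-separated list.
syslog_has_gears() {
    case ",$1," in
        *,gears,*) return 0 ;;
        *) return 1 ;;
    esac
}

# needs_custom_policy CONF_SYSLOG INSTALLED_VERSION_RELEASE
# True only when both conditions from the report hold.
needs_custom_policy() {
    syslog_has_gears "$1" && ver_lt "$2" "$FIXED_EVR"
}

# module_listed: reads `semodule -l` output on stdin; true when the
# module appears as a whole name at the start of a line.
module_listed() {
    grep -q "^${MODULE}[[:space:]]"
}

# On a real host (not run here):
#   evr=$(rpm -q --qf '%{VERSION}-%{RELEASE}' selinux-policy)
#   if needs_custom_policy "$CONF_SYSLOG" "$evr" &&
#      ! semodule -l | module_listed; then
#       echo "custom policy module required but not installed"
#   fi
```

Anchoring the pattern on the full module name avoids the false positive that a bare `grep mmopenshift` would give for any other module whose name contains that string.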

Comment 1 Luke Meyer 2014-07-08 14:16:03 UTC
That should of course be "actions=" not "action=".

Comment 3 Luke Meyer 2014-07-08 14:19:09 UTC
This can be merged prior to the release of the updated rsyslog7 pkg so that hosts are prepared for the update.

Comment 4 Ma xiaoqiang 2014-07-09 05:17:35 UTC
Check on puddle [2.1.z/2014-07-07.1]
1. Get the script from the PR.
2. Install the env with the following env:
export CONF_SYSLOG="gears"
3. Check the module:
# semodule -l | grep mmopenshift
Output:
rsyslog7-mmopenshift    1.0
4. Delete capacity from the district to make sure the two apps have the same UID:
# oo-admin-ctl-district -c remove-capacity -n medium -s 5999
5. Create an app:
# rhc app create testapp php-5.3
6. Delete the app, and create it again:
# rhc app delete testapp --confirm; rhc app create phpapp php-5.3
7. Check the log:
# tailf /var/log/openshift_gears
Jul  9 01:07:52 broker php[8952]: app=phpapp ns=xiaom appUuid=53bcce1e87704fb5f400006b gearUuid=53bcce1e87704fb5f400006b [Wed Jul 09 01:07:52 2014] [notice] Apache/2.2.15 (Unix) configured -- resuming normal operations
Jul  9 01:09:10 broker php[10501]: app=phpapp ns=xiaom appUuid=53bcce6b87704fb5f400008b gearUuid=53bcce6b87704fb5f400008b [Wed Jul 09 01:09:10 2014] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:openshift_t:s0:c0,c1000


The apps have different UUIDs, so moving the issue to VERIFIED.

Comment 5 Luke Meyer 2014-07-09 13:29:17 UTC
Note that the cache bug is fixed only once the rsyslog7 update is shipped. But with this change, the installer at least prepares the SELinux policy.