Bug 1131575 - selinux relabel after yum update of pulp-selinux
Summary: selinux relabel after yum update of pulp-selinux
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Pulp
Version: 6.0.3
Hardware: All
OS: Linux
medium
high
Target Milestone: Unspecified
Assignee: Mike McCune
QA Contact: Tazim Kolhar
URL:
Whiteboard:
Depends On: 1205668
Blocks: sat6-pulp-future GSS_Sat6Beta_Tracker, GSS_Sat6_Tracker
Reported: 2014-08-19 15:16 UTC by Chris Roberts
Modified: 2021-04-06 18:03 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1145720 (view as bug list)
Environment:
Last Closed: 2015-08-12 14:02:04 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Pulp Redmine | 540 | 0 | Normal | CLOSED - CURRENTRELEASE | Upgrading Pulp with lots of synced content can take hours | Never

Description Chris Roberts 2014-08-19 15:16:20 UTC
Description of problem:
After updating Satellite 6, SELinux relabels /var/lib/pulp. If there are a lot of packages/channels synced, this will take a while and appear to make yum frozen.

this was tested and yum was stuck at cleaning up for 20 minutes while the selinux relabel 

package name is pulp-selinux

[root@sat6-sysmgmt ~]# rpm -q pulp-selinux --scripts
postinstall scriptlet (using /bin/sh):
# Enable SELinux policy modules
if /usr/sbin/selinuxenabled ; then
 /usr/share/pulp/selinux/server/enable.sh /usr/share
fi

# restorcecon wasn't reading new file contexts we added when running under 'post' so moved to 'posttrans'
# Spacewalk saw same issue and filed BZ here: https://bugzilla.redhat.com/show_bug.cgi?id=505066
preuninstall scriptlet (using /bin/sh):
# Clean up after package removal
if [ $1 -eq 0 ]; then
/usr/share/pulp/selinux/server/uninstall.sh
/usr/share/pulp/selinux/server/relabel.sh
fi
exit 0
posttrans scriptlet (using /bin/sh):
if /usr/sbin/selinuxenabled ; then
 /usr/share/pulp/selinux/server/relabel.sh /usr/share
fi

root     16298  0.0  0.0 108340  1768 pts/0    Ss   12:49   0:00  \_ -bash
root     16871  1.4  3.3 511444 177364 pts/0   S+   12:58   0:34      \_ /usr/bin/python /usr/bin/yum update
root     17682  0.0  0.0 106096  1288 pts/0    S+   13:05   0:00          \_ /bin/sh /var/tmp/rpm-tmp.96NFg3 0
root     17684  0.0  0.0 106096  1284 pts/0    S+   13:05   0:00              \_ /bin/sh /usr/share/pulp/selinux/server/relabel.sh /usr/share
root     17691 10.4  2.4 140584 128816 pts/0   D+   13:05   3:13                  \_ /sbin/restorecon -i -R /var/lib/pulp

Comment 1 RHEL Program Management 2014-08-19 15:33:16 UTC
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

Comment 9 Lukas Zapletal 2015-03-10 17:01:09 UTC
There is another way of fixing this - a relabel is not necessary every time for every single directory. It would be possible to introduce a special param to the relabel script like --full to do it on /var/lib/pulp. And during upgrade we could skip it.

If there was a bug requiring a relabel, we could ask users to call the enable script with --full.

Comment 10 Brian Bouterse 2015-03-10 19:13:24 UTC
What lzap describes in comment #9 is very similar to the fix that is being put in place. The restorecon statements will run conditionally based on actual needed changes for a fresh install or upgrade instead of all restorecon statements all the time. The upstream Pulp bug is listed on the external tracker. Once the fix is put in place upstream, all downstream should have to do is cherry pick. We'll set the downstream bug at POST when upstream is merged.

Comment 13 Brian Bouterse 2015-03-23 17:00:32 UTC
The Pulp upstream bug status is at POST. Updating the external tracker on this bug.

Comment 14 Brian Bouterse 2015-03-23 22:30:31 UTC
The Pulp upstream bug status is at MODIFIED. Updating the external tracker on this bug.

Comment 15 Brian Bouterse 2015-04-09 14:40:00 UTC
I'm not sure if this is cherry picked or not, but it should be. Without this, a sat6.0 user who has a lot of synced content and is upgrading to sat6.1 will take hours to install. With this patch the SELinux portion will take minutes.

Comment 18 pulp-infra@redhat.com 2015-04-24 15:00:36 UTC
The Pulp upstream bug status is at ON_QA. Updating the external tracker on this bug.

Comment 19 Tazim Kolhar 2015-04-27 09:24:53 UTC
hi

please provide verification steps

thanks

Comment 20 Brian Bouterse 2015-04-27 13:12:34 UTC
Use the verification steps from here [0], except that when it says to upgrade from Pulp 2.5.x you should upgrade from sat 6.0. needsinfo me with more questions if you have them.

[0]:  https://pulp.plan.io/issues/540#note-13

Comment 21 pulp-infra@redhat.com 2015-04-27 20:00:36 UTC
The Pulp upstream bug status is at VERIFIED. Updating the external tracker on this bug.

Comment 22 Tazim Kolhar 2015-04-30 11:16:58 UTC
VERIFIED:

# rpm -qa | grep foreman
puppet-foreman_scap_client-0.3.3-8.el7sat.noarch
ruby193-rubygem-foreman_docker-1.2.0.10-1.el7sat.noarch
ruby193-rubygem-foreman-tasks-0.6.12.4-1.el7sat.noarch
rubygem-hammer_cli_foreman_discovery-0.0.1.8-1.el7sat.noarch
foreman-libvirt-1.7.2.18-1.el7sat.noarch
ruby193-rubygem-foreman_bootdisk-4.0.2.12-1.el7sat.noarch
foreman-compute-1.7.2.18-1.el7sat.noarch
foreman-ovirt-1.7.2.18-1.el7sat.noarch
ruby193-rubygem-foreman_discovery-2.0.0.12-1.el7sat.noarch
rubygem-hammer_cli_foreman_tasks-0.0.3.4-1.el7sat.noarch
foreman-debug-1.7.2.18-1.el7sat.noarch
foreman-postgresql-1.7.2.18-1.el7sat.noarch
qe-sat6-rhel71.usersys.redhat.com-foreman-client-1.0-1.noarch
qe-sat6-rhel71.usersys.redhat.com-foreman-proxy-1.0-1.noarch
ruby193-rubygem-foreman_gutterball-0.0.1.9-1.el7sat.noarch
foreman-1.7.2.18-1.el7sat.noarch
foreman-gce-1.7.2.18-1.el7sat.noarch
ruby193-rubygem-foreman_hooks-0.3.7-2.el7sat.noarch
rubygem-hammer_cli_foreman-0.1.4.10-1.el7sat.noarch
foreman-selinux-1.7.2.13-1.el7sat.noarch
foreman-vmware-1.7.2.18-1.el7sat.noarch
rubygem-hammer_cli_foreman_bootdisk-0.1.2.6-1.el7sat.noarch
foreman-proxy-1.7.2.4-1.el7sat.noarch
qe-sat6-rhel71.usersys.redhat.com-foreman-proxy-client-1.0-1.noarch
ruby193-rubygem-foreman-redhat_access-0.1.0-1.el7sat.noarch

Steps:
$sudo touch /var/lib/pulp/test

$sudo chown apache:apache /var/lib/pulp/test
$sudo chcon 'system_u:object_r:var_run_t:s0' /var/lib/pulp/test
$ls -laZ /var/lib/pulp
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 .
drwxr-xr-x. root   root   system_u:object_r:var_lib_t:s0   ..
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 celery
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 content
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 init.flag
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 nodes
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 packages
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 published
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 sn.dat
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 static
-rw-r--r--. apache apache system_u:object_r:var_run_t:s0   test
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 uploads
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 working

Comment 23 Tazim Kolhar 2015-05-04 12:43:11 UTC
moving it to ON_QA

as this requires upgrade from sat6.0 to sat6.1


the concerned conversation:

<bmbouter> tkolhar: hey. tazim?
<tkolhar> bmbouter, do i need to makes those [0] link changes before i perform upgrade from sat6.0 to sat6.1 for this bz https://bugzilla.redhat.com/show_bug.cgi?id=1131575#c20
<tkolhar> bmbouter, yes
<bmbouter> let me see
<tkolhar> bmbouter, ok thanks
* dcaplan_ (~dcaplan.redhat.com) has joined #satellite6
<bmbouter> yes those link changes need to happen before the 6.0 -> 6.1 upgrade
* walden|afk is now known as walden
<bmbouter> so install 6.0 start it up and ensure everything is good
<bmbouter> make those link changes
<bmbouter> the chcon operations
<bmbouter> then do the upgrade to 6.1
* thomasmckay is now known as thomasmckay|errand
* aladke (~aladke.redhat.com) has joined #satellite6
<bmbouter> then startup 6.1 and make sure everything is ok
<tkolhar> bmbouter, ok got it thanks a lot .  i will move it to ON_QA and retest it
* joeg (~jgiordan.redhat.com) has joined #satellite6
<bmbouter> then verify that the file you created and set the chcon on carries the expected security label
<tkolhar> bmbouter, ok got it
<bmbouter> tkolhar: cool thanks for verifying. ping me with more questions if they come up

Comment 24 Tazim Kolhar 2015-05-05 08:53:33 UTC
FAILEDQA :

# rpm -qa | grep foreman
rubygem-hammer_cli_foreman-0.1.4.10-1.el6_6sat.noarch
foreman-libvirt-1.7.2.18-1.el6_6sat.noarch
ruby193-rubygem-foreman_bootdisk-4.0.2.12-1.el6_6sat.noarch
dell-pe1950-01.rhts.eng.bos.redhat.com-foreman-proxy-1.0-1.noarch
foreman-1.7.2.18-1.el6_6sat.noarch
foreman-debug-1.7.2.18-1.el6_6sat.noarch
rubygem-hammer_cli_foreman_tasks-0.0.3.4-1.el6_6sat.noarch
foreman-selinux-1.7.2.13-1.el6_6sat.noarch
foreman-compute-1.7.2.18-1.el6_6sat.noarch
foreman-vmware-1.7.2.18-1.el6_6sat.noarch
ruby193-rubygem-foreman_hooks-0.3.7-2.el6_6sat.noarch
rubygem-hammer_cli_foreman_bootdisk-0.1.2.6-1.el6_6sat.noarch
foreman-ovirt-1.7.2.18-1.el6_6sat.noarch
foreman-gce-1.7.2.18-1.el6_6sat.noarch
ruby193-rubygem-foreman_discovery-2.0.0.12-1.el6_6sat.noarch
foreman-postgresql-1.7.2.18-1.el6_6sat.noarch
dell-pe1950-01.rhts.eng.bos.redhat.com-foreman-client-1.0-1.noarch
ruby193-rubygem-foreman-redhat_access-0.1.0-1.el6_6sat.noarch
ruby193-rubygem-foreman_gutterball-0.0.1.9-1.el6_6sat.noarch
rubygem-hammer_cli_foreman_discovery-0.0.1.8-1.el6_6sat.noarch
ruby193-rubygem-foreman_docker-1.2.0.10-1.el6_6sat.noarch
ruby193-rubygem-foreman-tasks-0.6.12.4-1.el6_6sat.noarch
foreman-proxy-1.7.2.4-1.el6_6sat.noarch

steps :
$sudo touch /var/lib/pulp/test

$sudo chown apache:apache /var/lib/pulp/test
$sudo chcon 'system_u:object_r:var_run_t:s0' /var/lib/pulp/test
$ls -laZ /var/lib/pulp
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 .
drwxr-xr-x. root   root   system_u:object_r:var_lib_t:s0   ..
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 celery
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 content
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 init.flag
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 nodes
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 packages
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 published
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 sn.dat
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 static
-rw-r--r--. apache apache system_u:object_r:var_run_t:s0   test
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 uploads
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 working

# katello-installer --upgrade
File not found /usr/share/katello-installer/modules/katello_plugin_gutterball/manifests/init.pp, check your answer file

Comment 25 pulp-infra@redhat.com 2015-05-05 13:30:43 UTC
The Pulp upstream bug status is at CLOSED - CURRENTRELEASE. Updating the external tracker on this bug.

Comment 26 Tazim Kolhar 2015-05-18 11:29:27 UTC
VERIFIED:


steps:
# sudo touch /var/lib/pulp/test
# sudo chown apache:apache /var/lib/pulp/test
# sudo chcon 'system_u:object_r:var_run_t:s0' /var/lib/pulp/test
# ls -laZ /var/lib/pulp
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 .
drwxr-xr-x. root   root   system_u:object_r:var_lib_t:s0   ..
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 celery
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 content
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 init.flag
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 nodes
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 packages
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 published
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 sn.dat
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 static
-rw-r--r--. apache apache system_u:object_r:var_run_t:s0   test
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 uploads
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 working
#  yum -y update
#  katello-installer --upgrade
Upgrading...
Upgrade Step: stop_services...
Upgrade Step: start_mongo...
Upgrade Step: migrate_pulp...
Upgrade Step: migrate_candlepin...
Upgrade Step: migrate_foreman...
Upgrade Step: Running installer...
Installing             Info: START 622                                    [0%]                                               [100%] []
  The full log is at /var/log/katello-installer/katello-installer.log
Upgrade Step: Restarting services...
Upgrade Step: db:seed...
Upgrade Step: Running errata import task (this may take a while)...
Katello upgrade completed!

# ls -laZ /var/lib/pulp
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 .
drwxr-xr-x. root   root   system_u:object_r:var_lib_t:s0   ..
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 celery
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 content
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 init.flag
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 nodes
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 packages
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 published
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 sn.dat
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 static
-rw-r--r--. apache apache system_u:object_r:var_run_t:s0   test
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 uploads
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0  working
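
The sentinel-file check from the verification steps above, as an added example that is not part of the bug report or the Pulp code: it parses two `ls -laZ` listings (RHEL 6/7 column layout) and reports whether the deliberately mislabeled file kept its type across the upgrade, as it does in Comment 26. The function names and the AFTER_FULL listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug): sample listings are constructed,
# shortened from the `ls -laZ /var/lib/pulp` output in Comment 26.

# Emit "name type" per entry. Expects the RHEL 6/7 `ls -laZ` layout:
# mode owner group user:role:type:level name
label_types() {
    awk 'NF >= 5 && split($4, ctx, ":") >= 3 { print $5, ctx[3] }'
}

# Look up the SELinux type of one entry in a listing.
type_of() {  # $1 = listing text, $2 = entry name
    printf '%s\n' "$1" | label_types | awk -v n="$2" '$1 == n { print $2 }'
}

# Emit "name old_type new_type" for entries whose type differs.
changed_types() {  # $1 = listing before, $2 = listing after
    { printf '%s\n' "$1" | label_types | sed 's/^/B /'
      printf '%s\n' "$2" | label_types | sed 's/^/A /'; } |
    awk '$1 == "B" { old[$2] = $3 }
         $1 == "A" && ($2 in old) && old[$2] != $3 { print $2, old[$2], $3 }'
}

# Sentinel check: the file was deliberately mislabeled before the upgrade.
# Same type afterwards => no recursive relabel touched it.
relabel_verdict() {  # $1 = before, $2 = after, $3 = sentinel name
    b=$(type_of "$1" "$3"); a=$(type_of "$2" "$3")
    if [ -z "$b" ] || [ -z "$a" ]; then echo "sentinel-missing"
    elif [ "$b" = "$a" ]; then echo "relabel-skipped"
    else echo "relabel-ran"
    fi
}

BEFORE='drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 .
drwxr-xr-x. root   root   system_u:object_r:var_lib_t:s0   ..
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 content
-rw-r--r--. apache apache system_u:object_r:var_run_t:s0   test'
# Constructed: same tree after an upgrade that skipped the recursive relabel.
AFTER_SKIPPED=$BEFORE
# Constructed: what a recursive restorecon is assumed to leave behind.
AFTER_FULL=$(printf '%s\n' "$BEFORE" | sed '/ test$/s/var_run_t/httpd_sys_rw_content_t/')

relabel_verdict "$BEFORE" "$AFTER_SKIPPED" test
relabel_verdict "$BEFORE" "$AFTER_FULL" test
changed_types "$BEFORE" "$AFTER_FULL"
```

On a live system, capture the listing before `yum -y update` and again after `katello-installer --upgrade`, then pass both to `relabel_verdict`.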

Comment 27 Tazim Kolhar 2015-05-18 11:31:05 UTC
packages

# rpm -qa | grep foreman
rubygem-hammer_cli_foreman_docker-0.0.3.6-1.el6_6sat.noarch
foreman-vmware-1.7.2.21-1.el6_6sat.noarch
ruby193-rubygem-foreman_docker-1.2.0.12-1.el6_6sat.noarch
rubygem-hammer_cli_foreman-0.1.4.11-1.el6_6sat.noarch
foreman-ovirt-1.7.2.21-1.el6_6sat.noarch
ruby193-rubygem-foreman_hooks-0.3.7-2.el6_6sat.noarch
ibm-ls22-01.rhts.eng.brq.redhat.com-foreman-proxy-1.0-1.noarch
rubygem-hammer_cli_foreman_discovery-0.0.1.10-1.el6_6sat.noarch
foreman-libvirt-1.7.2.21-1.el6_6sat.noarch
ruby193-rubygem-foreman-redhat_access-0.1.0-1.el6_6sat.noarch
ruby193-rubygem-foreman-tasks-0.6.12.5-1.el6_6sat.noarch
ruby193-rubygem-foreman_gutterball-0.0.1.9-1.el6_6sat.noarch
ibm-ls22-01.rhts.eng.brq.redhat.com-foreman-proxy-client-1.0-1.noarch
rubygem-hammer_cli_foreman_tasks-0.0.3.4-1.el6_6sat.noarch
foreman-1.7.2.21-1.el6_6sat.noarch
foreman-gce-1.7.2.21-1.el6_6sat.noarch
ruby193-rubygem-foreman_bootdisk-4.0.2.13-1.el6_6sat.noarch
foreman-proxy-1.7.2.4-1.el6_6sat.noarch
rubygem-hammer_cli_foreman_bootdisk-0.1.2.7-1.el6_6sat.noarch
foreman-selinux-1.7.2.13-1.el6_6sat.noarch
foreman-compute-1.7.2.21-1.el6_6sat.noarch
ibm-ls22-01.rhts.eng.brq.redhat.com-foreman-client-1.0-1.noarch
ruby193-rubygem-foreman_discovery-2.0.0.13-1.el6_6sat.noarch
foreman-postgresql-1.7.2.21-1.el6_6sat.noarch
foreman-debug-1.7.2.21-1.el6_6sat.noarch

Comment 28 Bryan Kearney 2015-08-11 13:27:54 UTC
This bug is slated to be released with Satellite 6.1.

Comment 29 Bryan Kearney 2015-08-12 14:02:04 UTC
This bug was fixed in version 6.1.1 of Satellite which was released on 12 August, 2015.

