Bug 1154365 - SELinux context of /etc/sysconfig/iptables after a default installation of RHEV-H 7.0 affects registration
Status: CLOSED DUPLICATE of bug 1146689
Product: otopi
Classification: oVirt
Component: Core
Version: 1.0.0
Hardware: x86_64
OS: Linux
Priority: low
Severity: low
Assignee: Alon Bar-Lev
QA Contact: Pavel Stehlik
Whiteboard: infra
Reported: 2014-10-19 10:33 UTC by Ranjith Rajaram
Modified: 2016-02-10 19:07 UTC

Doc Type: Bug Fix
Last Closed: 2014-10-19 11:19:35 UTC
oVirt Team: Infra
rrajaram: devel_ack?


Attachments: host deploy logs (241.03 KB, text/plain), 2014-10-19 10:33 UTC, Ranjith Rajaram

Description Ranjith Rajaram 2014-10-19 10:33:33 UTC
Created attachment 948219: host deploy logs

Description of problem:

While trying to register a RHEVH 7.0 build from RHEVM 3.5 Beta, I get the following error in the logs:


2014-10-19 10:17:46 DEBUG otopi.plugins.otopi.services.systemd plugin.execute:866 execute-output: ('/bin/systemctl', 'start', 'iptables.service') stderr:
Job for iptables.service failed. See 'systemctl status iptables.service' and 'journalctl -xn' for details.

2014-10-19 10:17:46 DEBUG otopi.context context._executeMethod:152 method exception
Traceback (most recent call last):
  File "/tmp/ovirt-At0B3kYt5E/pythonlib/otopi/context.py", line 142, in _executeMethod
    method['method']()
  File "/tmp/ovirt-At0B3kYt5E/otopi-plugins/otopi/network/iptables.py", line 118, in _closeup
    self.services.state('iptables', True)
  File "/tmp/ovirt-At0B3kYt5E/otopi-plugins/otopi/services/systemd.py", line 138, in state
    'start' if state else 'stop'
  File "/tmp/ovirt-At0B3kYt5E/otopi-plugins/otopi/services/systemd.py", line 77, in _executeServiceCommand
    raiseOnError=raiseOnError
  File "/tmp/ovirt-At0B3kYt5E/pythonlib/otopi/plugin.py", line 871, in execute
    command=args[0],
RuntimeError: Command '/bin/systemctl' failed to execute

Attached: ovirt-20141019154746-192.168.0.19-5d2306b4.log

On the hypervisor, the following message is seen:

Can't open /etc/sysconfig/iptables: Permission denied

The SELinux context of the file /etc/sysconfig/iptables is unconfined_u:object_r:user_tmpfs_t:s0

Ideally the context should be unconfined_u:object_r:system_conf_t:s0

Executing restorecon fixes this issue:

[root@19 ~]# restorecon -Rv /etc/sysconfig/iptables
restorecon reset /etc/sysconfig/iptables context unconfined_u:object_r:user_tmpfs_t:s0->unconfined_u:object_r:system_conf_t:s

But the registration still fails with the problem described in BZ https://bugzilla.redhat.com/show_bug.cgi?id=1128033 #24


Version-Release number of selected component (if applicable):
RHEV-H 7.0 build 20141006.0el7ev

How reproducible:
Always

Steps to Reproduce:
1. Try to register the RHEVH 7.0 from RHEVM 3.5 beta
2.
3.

Actual results:

Registration fails with the message "RuntimeError: Command '/bin/systemctl' failed to execute"

Expected results:

Registration should succeed 

Additional info:

Comment 1 Alon Bar-Lev 2014-10-19 11:18:33 UTC
Already solved in otopi-1.3.0, please reopen if you are using it.

Why is this bug marked private?

Comment 2 Alon Bar-Lev 2014-10-19 11:19:35 UTC

*** This bug has been marked as a duplicate of bug 1146689 ***
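
The mislabel described in the report can be detected without changing any labels by running restorecon in dry-run mode and parsing what it would relabel. The script below is an added example, not part of the bug report or of otopi; the function names and the sample lines are constructed, it assumes paths without whitespace, and it accepts both the RHEL 7 output wording shown above and the "Relabeled"/"Would relabel" wording of newer libselinux releases.

```shell
#!/bin/sh
# Added example: report SELinux label drift using restorecon's dry-run output.

# parse_drift: read `restorecon -n -v` output on stdin and print
# "path current_type expected_type" for each file whose label differs
# from policy. Unrelated lines are ignored.
parse_drift() {
    awk '
        # The SELinux type is the third field of user:role:type:level.
        function ctype(ctx,   f) { split(ctx, f, ":"); return f[3] }
        # RHEL 7 wording: restorecon reset PATH context OLD->NEW
        $1 == "restorecon" && $2 == "reset" && $4 == "context" {
            split($5, c, "->"); print $3, ctype(c[1]), ctype(c[2]); next
        }
        # Newer wording: Relabeled PATH from OLD to NEW
        $1 == "Relabeled" && $3 == "from" && $5 == "to" {
            print $2, ctype($4), ctype($6); next
        }
        # Newer dry-run wording: Would relabel PATH from OLD to NEW
        $1 == "Would" && $2 == "relabel" && $4 == "from" && $6 == "to" {
            print $3, ctype($5), ctype($7)
        }
    '
}

# audit_labels PATH...: dry-run check on an SELinux host (needs restorecon).
# Returns 1 and prints one line per mislabeled file, 0 if labels match policy.
audit_labels() {
    drift=$(restorecon -n -v "$@" 2>/dev/null | parse_drift)
    [ -z "$drift" ] && return 0
    printf '%s\n' "$drift" | while read -r path cur want; do
        printf 'MISLABELED %s: %s (policy expects %s)\n' "$path" "$cur" "$want"
    done
    return 1
}

# Constructed sample input, modelled on the restorecon line in the report.
constructed_sample() {
    cat <<'EOF'
restorecon reset /etc/sysconfig/iptables context unconfined_u:object_r:user_tmpfs_t:s0->unconfined_u:object_r:system_conf_t:s0
Would relabel /etc/sysconfig/ip6tables from unconfined_u:object_r:user_tmpfs_t:s0 to system_u:object_r:system_conf_t:s0
some unrelated line that must be ignored
EOF
}

constructed_sample | parse_drift
```

On a host, `audit_labels /etc/sysconfig/iptables` performs the same check against the live file before the iptables service is started.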

