Bug 1172547 - Error opening /etc/selinux/targeted/contexts/files/file_contexts.local during Inplace upgrade
Summary: Error opening /etc/selinux/targeted/contexts/files/file_contexts.local during...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: preupgrade-assistant-el6toel7
Version: 6.0
Hardware: Unspecified
OS: Unspecified
urgent
high
Target Milestone: rc
: ---
Assignee: Petr Stodulka
QA Contact: Alois Mahdal
URL:
Whiteboard:
Depends On:
Blocks: 1172231
 
Reported: 2014-12-10 10:56 UTC by Marian Ganisin
Modified: 2019-10-10 09:31 UTC (History)

Fixed In Version: preupgrade-assistant-el6toel7-0.6.44-1.el6
Doc Type: Bug Fix
Doc Text:
The selinux-policy from Red Hat Enterprise Linux 7 requires the /etc/selinux/targeted/contexts/files/file_contexts.local file, which does not exist on a Red Hat Enterprise Linux 6 system. As a consequence, error messages are produced during upgrade phase. Now, the preupgrade-assistant creates this file during the pre-upgrade phase and such errors no longer occur.
Clone Of:
Environment:
Last Closed: 2016-05-11 08:27:17 UTC
Target Upstream Version:
Embargoed:




Links
System: Red Hat Product Errata
ID: RHBA-2016:1020
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: preupgrade-assistant-el6toel7 bug fix and enhancement update
Last Updated: 2016-05-11 12:25:34 UTC

Description Marian Ganisin 2014-12-10 10:56:53 UTC
Description of problem:

During in-place upgrade from RHEL6.6 to RHEL7.1 I see the following messages:

Dec 09 16:55:22 melfina.lab.eng.rdu.redhat.com upgrade[1330]: [312/480] (51%) installing selinux-policy-3.13.1-12.el7...
Dec 09 16:56:10 melfina.lab.eng.rdu.redhat.com upgrade[1330]: Error opening /etc/selinux/targeted/contexts/files/file_contexts.local: No such file or directory
Dec 09 16:56:10 melfina.lab.eng.rdu.redhat.com upgrade[1330]: libsemanage.sefcontext_compile: sefcontext_compile returned error code 255. Compiling /etc/selinux/targeted/contexts/files/file_contexts.local
Dec 09 16:56:14 melfina.lab.eng.rdu.redhat.com upgrade[1330]: Error opening /etc/selinux/targeted/contexts/files/file_contexts.local: No such file or directory
Dec 09 16:56:14 melfina.lab.eng.rdu.redhat.com upgrade[1330]: libsemanage.sefcontext_compile: sefcontext_compile returned error code 255. Compiling /etc/selinux/targeted/contexts/files/file_contexts.local
Dec 09 16:56:14 melfina.lab.eng.rdu.redhat.com upgrade[1330]: semodule:  Failed!
...
Dec 09 16:59:33 melfina.lab.eng.rdu.redhat.com upgrade[1330]: warning: /etc/selinux/targeted/modules/active/seusers.final created as /etc/selinux/targeted/modules/active/seusers.final.rpmnew
Dec 09 16:59:33 melfina.lab.eng.rdu.redhat.com upgrade[1330]: warning: /etc/selinux/targeted/seusers created as /etc/selinux/targeted/seusers.rpmnew
Dec 09 16:59:41 melfina.lab.eng.rdu.redhat.com upgrade[1330]: libsepol.scope_copy_callback: sandboxX: Duplicate declaration in module: type/attribute sandbox_x_client_t (No such file or directory).
Dec 09 16:59:41 melfina.lab.eng.rdu.redhat.com upgrade[1330]: libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
Dec 09 16:59:41 melfina.lab.eng.rdu.redhat.com upgrade[1330]: /usr/sbin/semodule:  Failed!
Dec 09 16:59:41 melfina.lab.eng.rdu.redhat.com kernel: SELinux: 2048 avtab hash slots, 110631 rules.
Dec 09 16:59:41 melfina.lab.eng.rdu.redhat.com kernel: SELinux: 2048 avtab hash slots, 110631 rules.
Dec 09 16:59:41 melfina.lab.eng.rdu.redhat.com kernel: SELinux:  8 users, 103 roles, 4949 types, 295 bools, 1 sens, 1024 cats
Dec 09 16:59:41 melfina.lab.eng.rdu.redhat.com kernel: SELinux:  83 classes, 110631 rules
Dec 09 16:59:42 melfina.lab.eng.rdu.redhat.com kernel: type=1403 audit(1418144382.002:3): policy loaded auid=4294967295 ses=4294967295
Version-Release number of selected component (if applicable):


How reproducible:
Use preupgrade assistant and redhat-upgrade tool to upgrade RHEL6.6 to RHEL7.1


Actual results:
Failures during installation of selinux-policy packages (I can't qualify impact)

Expected results:
All done without issue

Additional info:
I am ready to assist to reproduce the issue or provide any additional information.

Comment 3 Miroslav Grepl 2014-12-11 09:41:34 UTC
Do we have all SELinux changes here?

Comment 11 Milos Malik 2016-01-13 09:21:23 UTC
Is it possible to create the file before the first RHEL-7 selinux-policy RPM is installed?

# touch /etc/selinux/targeted/contexts/files/file_contexts.local

Comment 13 Terry Bowling 2016-01-13 15:50:18 UTC
(In reply to Milos Malik from comment #11)
> Is it possible to create the file before the first RHEL-7 selinux-policy RPM
> is installed?
> 
> # touch /etc/selinux/targeted/contexts/files/file_contexts.local

I will leave this in need info status as I am not 100% certain, but this solution might avoid the error message but would be missing the file contexts contents.

So I would say it is a really bad solution as you are hiding the problem, not fixing it.  So security concerns remain.

I will ask the customer to verify that the rhel6 version of this package is installed in advance to see if that helps.  I also have an open question to them related to this question that came up in the support case:

  >> ... this file stores contexts to newly created files 
  >> and directories not found in default 
  >> ... policy file_contexts so unless they have a lot of 
  >> file/dir customization this should be harmless.
  >>
  >> After this occurs, do you see many of the files you have 
  >> added by your own processes/applications having the wrong contexts?

Comment 14 Petr Lautrbach 2016-01-13 15:57:59 UTC
I wouldn't say it hides a problem. policycoreutils on rhel-6 doesn't require this file to exist if there's no local fcontext modifications. Therefore this file is not packaged in selinux-policy. But policycoreutils on rhel-7 requires it.

If a system has local file context modifications then the file already exists and the error should not happen.

Comment 15 Petr Stodulka 2016-01-13 17:56:43 UTC
Milos: 
It's possible to create files before the upgrade (during the pre-upgrade phase), which is after the download of packages (creation of the upgrade transaction) and before reboot.

Anything in between isn't possible now. The upgrade itself is done after reboot (by the user or automatically, depending on the option used), where we can't do anything else until the upgrade process is completed.

Any other actions are possible during the post-upgrade phase, before the next reboot and cleaning. The main upgrade is one big transaction and we just can't do anything during the upgrade phase.

Comment 16 Petr Stodulka 2016-01-14 19:26:33 UTC
I did some tests and investigation after Milos's tip and some sleep.

1)
(In reply to Terry Bowling from comment #13)
> (In reply to Milos Malik from comment #11)
> > Is it possible to create the file before the first RHEL-7 selinux-policy RPM
> > is installed?
> > 
> > # touch /etc/selinux/targeted/contexts/files/file_contexts.local
> 
> I will leave this in need info status as I am not 100% certain, but this
> solution might avoid the error message but would be missing the file
> contexts contents.
> 
> So I would say it is a really bad solution as you are hiding the problem,
> not fixing it.  So security concerns remain.
...

It seems to me like the only possible solution from our side (preupgrade-assistant-contents). Can someone confirm that the error occurs even during a clean new installation of RHEL-7?

The file just doesn't exist (it's not provided by any package) on RHEL-6 and installation of the package "selinux-policy" is required before installation of "selinux-policy-targets", which contains the file. So this will be fixed by just touching the file or it must be fixed in selinux-policy on RHEL-7 itself.

2)
...
> Dec 09 16:59:41 melfina.lab.eng.rdu.redhat.com upgrade[1330]: libsepol.scope_copy_callback: sandboxX: Duplicate declaration in module: type/attribute sandbox_x_client_t (No such file or directory).
> Dec 09 16:59:41 melfina.lab.eng.rdu.redhat.com upgrade[1330]: libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
...


Before running redhat-upgrade-tool, the user is asked to perform an action: "semodule -r sandbox". If the user does that, the error will not occur.
In addition, we created a post-upgrade script (as insurance) which resolves this by removing the duplicated file (see bug #1100618) when the user does not do that as requested. Maybe it's for discussion whether we need two contents instead of one for that.

3)
Before the first complete boot into the upgraded system, relabeling of the SELinux target policy is done.

After application of 1) and 2) I didn't see any failure from selinux. If you don't find any other troubles, this bug is only about point 1). What do you think about that, Mirku? Should we touch the file or is it solvable in relevant packages on RHEL 7?

Comment 18 Miroslav Grepl 2016-01-18 09:25:12 UTC
Thank you guys for your explanations. I see it as an easy fix to touch the file if it does not exist.
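
[Added example, not part of the bug thread and not the preupgrade-assistant code.] A sketch of the "touch the file if it does not exist" fix discussed in comments 11 to 18, written so that an existing file_contexts.local with local fcontext rules is never truncated, plus a check for the two failure signatures quoted in the log above. The function names, the scratch root and the sample log line are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not preupgrade-assistant code. Function names are hypothetical.
FC_LOCAL_REL=etc/selinux/targeted/contexts/files/file_contexts.local

# ensure_fc_local [ROOT]: prints "kept" if the file exists (local fcontext
# rules stay untouched), "created" if an empty one was added, "skipped" if the
# targeted policy directory is absent or the path is not a regular file.
ensure_fc_local() {
    root=${1:-/}
    fc_path="${root%/}/$FC_LOCAL_REL"
    if [ ! -d "${fc_path%/*}" ]; then echo skipped; return 1; fi
    if [ -L "$fc_path" ] || { [ -e "$fc_path" ] && [ ! -f "$fc_path" ]; }; then
        echo skipped; return 1
    fi
    if [ -f "$fc_path" ]; then echo kept; return 0; fi
    # noclobber (set -C) makes '>' fail rather than truncate if the file
    # appeared in the meantime; umask 022 yields mode 0644.
    if ( umask 022; set -C; : > "$fc_path" ) 2>/dev/null; then
        echo created
    else
        echo skipped; return 1
    fi
}

# classify_upgrade_log FILE: one finding per line for the two failure
# signatures quoted in this bug report.
classify_upgrade_log() {
    if grep -q 'Error opening .*/file_contexts\.local: No such file or directory' "$1"; then
        echo missing-fc-local      # addressed by ensure_fc_local before upgrade
    fi
    if grep -q 'Duplicate declaration in module: type/attribute sandbox_x_client_t' "$1"; then
        echo sandbox-duplicate     # addressed by "semodule -r sandbox" (comment 16)
    fi
    return 0
}

# Demo on a constructed scratch root and a constructed log excerpt.
demo() {
    scratch=$(mktemp -d) || return 1
    mkdir -p "$scratch/etc/selinux/targeted/contexts/files"
    ensure_fc_local "$scratch"     # first run creates the file
    ensure_fc_local "$scratch"     # second run leaves it alone
    printf '%s\n' 'upgrade[1330]: Error opening /etc/selinux/targeted/contexts/files/file_contexts.local: No such file or directory' > "$scratch/upgrade.log"
    classify_upgrade_log "$scratch/upgrade.log"
    rm -rf "$scratch"
}
demo
```

Run against the real root, ensure_fc_local needs root privileges and must run in the pre-upgrade phase, since comment 15 notes nothing can be done during the upgrade transaction itself.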

Comment 26 Alois Mahdal 2016-03-03 05:08:56 UTC
restoring qa_ack after component name change

Comment 28 Ondrej Vasik 2016-03-14 18:33:17 UTC
preupgrade-assistant-el6toel7 package can't be used, we'll prepare old-style preupgrade-assistant-contents package as interim fix for Motorola.

Comment 36 errata-xmlrpc 2016-05-11 08:27:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-1020.html

