Created attachment 1044637 [details] install.log_RHGSS-3.1-20150629.n.0-RHS-x86_64-DVD1.iso Description of problem: Following warning message is seen after an ISO install of RHGS-3.1: ##### Installing samba-vfs-glusterfs-4.1.17-7.el6rhs.x86_64 Cannot set persistent booleans without managed policy. warning: %post(samba-vfs-glusterfs-0:4.1.17-7.el6rhs.x86_64) scriptlet failed, exit status 255 Installing samba-common-4.1.17-7.el6rhs.x86_64 Installing samba-4.1.17-7.el6rhs.x86_64 Installing libsmbclient-4.1.17-7.el6rhs.x86_64 Installing samba-winbind-modules-4.1.17-7.el6rhs.x86_64 Installing samba-winbind-4.1.17-7.el6rhs.x86_64 ###### Version-Release number of selected component (if applicable): ----------- RHGSS-3.1-20150629.n.0-RHS-x86_64-DVD1.iso [root@ ~]# cat /etc/redhat-storage-release Red Hat Gluster Storage Server 3.1 [root@ ~]# cat /etc/redhat-release Red Hat Enterprise Linux Server release 6.7 (Santiago) [root@ ~]# rpm -qa selinux\* selinux-policy-3.7.19-279.el6.noarch selinux-policy-targeted-3.7.19-279.el6.noarch ----------- How reproducible: 100% Steps to Reproduce: 1. Install RHGS-3.1 using the latest available ISO - RHGSS-3.1-20150629.n.0-RHS-x86_64-DVD1.iso 2. Post installation and reboot, check the install.log 3. Actual results: Warning messages are seen in install.log after the ISO installation. Expected results: No warning messages should be seen after an ISO installation Additional info:
More details: ####### [root@sherrif rpm]# sestatus SELinux status: enabled SELinuxfs mount: /selinux Current mode: enforcing Mode from config file: enforcing Policy version: 24 Policy from config file: targeted [root@ ~]# rpm -qa |grep policycoreutils policycoreutils-2.0.83-24.el6.x86_64 policycoreutils-python-2.0.83-24.el6.x86_64 [root@ ~]# getsebool -a | grep samba bacula_use_samba --> off samba_create_home_dirs --> off samba_domain_controller --> off samba_enable_home_dirs --> off samba_export_all_ro --> off samba_export_all_rw --> off samba_load_libgfapi --> off samba_portmapper --> off samba_run_unconfined --> off samba_share_fusefs --> off samba_share_nfs --> off sanlock_use_samba --> off use_samba_home_dirs --> off virt_use_samba --> off [root@ ~]# rpm -q --scripts samba-vfs-glusterfs postinstall scriptlet (using /bin/sh): if getsebool samba_load_libgfapi &>/dev/null; then setsebool -P samba_load_libgfapi 1 fi postuninstall scriptlet (using /bin/sh): if getsebool samba_load_libgfapi &>/dev/null; then setsebool -P samba_load_libgfapi 0 fi #########
On further debugging, I strongly believe that this warning is seen because "samba-vfs-glusterfs" postinstall scriptlet is trying to set some required SELinux boo-leans even before "selinux-policy-*" packages are installed in the system. Hence, it fails to set and throws out a warning message. Apart from Samba, some other packages (nagios, ctdb, etc) also might try to set similar booleans during their rpm post installation. So a solution that I can think of to avoid this kind of situation is to re-arrange the packages during the package installation so that selinux-policy* packages are installed first before any gluster related packages.
Sreenath, is it possible to fix it as mentioned in Comment 2? If you also have some other better options to fix this, please suggest that as well.
This is also applicable for nagios plugins. package 'gluster-nagios-addons' should be installed after all the selinux policy rpms.
Hello, why don't you simply set requires in the samba-vfs-glusterfs for require selinux-policy. Please move this to samba-vfs-glusterfs component. This won't be done by releng. Thanks for understanding Lubos rel-eng
This seems to be exactly the same as what I posted in a similar bug against the glusterfs component. Each package that modifies selinux booleans in the rpm scriptlets should have is own dependency on selinux-policy(-targeted). More details in this comment: https://bugzilla.redhat.com/show_bug.cgi?id=1238055#c6
I might be wrong because I'm not a developer, but I would like to help you. Your package should require: + policycoreutils package because it brings the setsebool command + libselinux-utils package because it brings the getsebool command + selinux-policy-targeted or selinux-policy-base (virtual package) because it brings the policy where booleans are defined and stored There are few packages which change SELinux booleans either by setsebool or semanage: # rpm -qa --scripts | grep -e setsebool -e semanage
Verified as fixed in the latest ISO RHGSS-3.1-20150713.n.0-RHS-x86_64-DVD1.iso No error/warning messages are seen in the install.log after selecting ALL the available optional packages including Samba. ############## [root@hamm ~]# cat /etc/redhat-storage-release Red Hat Gluster Storage Server 3.1 [root@hamm ~]# cat /etc/redhat-release Red Hat Enterprise Linux Server release 6.7 (Santiago) [root@hamm ~]# rpm -qa selinux\* selinux-policy-targeted-3.7.19-279.el6.noarch selinux-policy-3.7.19-279.el6.noarch [root@hamm ~]# sestatus SELinux status: enabled SELinuxfs mount: /selinux Current mode: enforcing Mode from config file: enforcing Policy version: 24 Policy from config file: targeted [root@hamm ~]# getsebool -a | grep samba bacula_use_samba --> off samba_create_home_dirs --> off samba_domain_controller --> off samba_enable_home_dirs --> off samba_export_all_ro --> off samba_export_all_rw --> off samba_load_libgfapi --> on samba_portmapper --> off samba_run_unconfined --> off samba_share_fusefs --> off samba_share_nfs --> off sanlock_use_samba --> off use_samba_home_dirs --> off virt_use_samba --> off [root@hamm ~]# rpm -q --scripts samba-vfs-glusterfs postuninstall scriptlet (using /bin/sh): if type getsebool &>/dev/null && getsebool samba_load_libgfapi &>/dev/null; then setsebool -P samba_load_libgfapi 0 &>/dev/null || true fi posttrans scriptlet (using /bin/sh): if type getsebool &>/dev/null && getsebool samba_load_libgfapi &>/dev/null; then setsebool -P samba_load_libgfapi 1 &>/dev/null || true fi ##############
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-1495.html