Description of problem:
samba-vfs-glusterfs should have a dependency on selinux packages

Version-Release number of selected component (if applicable):
samba-vfs-glusterfs-4.1.17-7.el6rhs.x86_64
glusterfs-server-3.7.1-6.el6rhs.x86_64
selinux-policy-3.7.19-279.el6.noarch
selinux-policy-targeted-3.7.19-279.el6.noarch

The packages that Milos mentions [1] as possible candidates for dependent packages list are
+ policycoreutils package because it brings the setsebool command
+ libselinux-utils package because it brings the getsebool command
+ selinux-policy-targeted or selinux-policy-base (virtual package) because it brings the policy where booleans are defined and stored

If the semanage command is to be used, I would add to the list
+ policycoreutils-python package because it brings the semanage command

It is also interesting to note that the policycoreutils-python package depends on the policycoreutils package, which further depends on the libselinux-utils package

And the selinux-policy-targeted package dependency must have a minimal version restriction for that version which has all the SELinux policy rules for RHGS 3.1.

See the following BZ's for more details regarding this decision:
https://bugzilla.redhat.com/show_bug.cgi?id=1238055
https://bugzilla.redhat.com/show_bug.cgi?id=1237065
The following SELinux el6 build which has almost all the gluster-SELinux fixes in RHEL-6.7 is what I see as a possible candidate for setting this dependency:

##### https://brewweb.devel.redhat.com/buildinfo?buildID=443534 #####

Miroslav/Milos, please confirm if this is the case.
This decision is wrong. The right thing to do is to check for and use the selinux command line tools during %posttrans and a %triggerpostin for selinux-policy-targeted. I already have a build ready for verification, just need the right flags on this BZ.
With the latest build of samba: samba-4.1.17-10.el6rhs

As discussed and raised regarding the dependencies for the selinux package to be created for ctdb, the specific version of the selinux package:
selinux-policy-targeted-3.7.19-279.el6.noarch
should have been made dependent.

As per brew logs, it seems we have a generic dependency on the following package:
selinux-policy-targeted

This may cause issues in certain scenarios where the booleans which we are trying to set are not available in the older selinux package and someone doesn't upgrade the selinux package. Even though we recommend doing a yum update and pulling in all the latest packages, if only the ctdb and samba packages are updated and not the selinux package, then the booleans will not get set and the issue will still persist. So, as discussed and decided, let's have the dependency on a specific version of selinux so that while doing an install/upgrade of the samba and ctdb packages, selinux is up to date and we don't hit any AVCs or issues.

Moving the BZ to assigned.
Verified with the latest samba build samba-4.1.17-12.el6rhs that it has a dependency on the selinux package selinux-policy-targeted >= 3.7.19-279 and it sets the required boolean when samba is installed/updated.

Steps performed:

1. Check the boolean:

    getsebool samba_load_libgfapi
    Error getting active value for samba_load_libgfapi

2. Install/update samba without having a repo for the latest selinux package; it fails because of dependencies:

    --> Running transaction check
    ---> Package samba-vfs-glusterfs.x86_64 0:4.1.17-12.el6rhs will be installed
    --> Processing Dependency: selinux-policy-targeted >= 3.7.19-279 for package: samba-vfs-glusterfs-4.1.17-12.el6rhs.x86_64
    --> Finished Dependency Resolution
    Error: Package: samba-vfs-glusterfs-4.1.17-12.el6rhs.x86_64 (RH-Gluster-3-Samba-)
               Requires: selinux-policy-targeted >= 3.7.19-279
               Available: selinux-policy-targeted-3.7.19-54.el6.noarch (rhel-6-server-rpms)
                   selinux-policy-targeted = 3.7.19-54.el6
               Available: selinux-policy-targeted-3.7.19-54.el6_0.3.noarch (rhel-6-server-rpms)
                   selinux-policy-targeted = 3.7.19-54.el6_0.3
               Available: selinux-policy-targeted-3.7.19-54.el6_0.5.noarch (rhel-6-server-rpms)
                   selinux-policy-targeted = 3.7.19-54.el6_0.5
               Available: selinux-policy-targeted-3.7.19-93.el6.noarch (rhel-6-server-rpms)

3. Add the repo for the latest selinux package and then do yum install/update samba; the required selinux package gets installed and the boolean is set successfully.

4. Check the boolean again:

    getsebool samba_load_libgfapi
    samba_load_libgfapi -->

5. No AVCs seen.
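Added example, not part of the bug thread and not the samba package's own scriptlet: a POSIX shell helper of the kind a package scriptlet or a post-upgrade check could call, separating the cases discussed above (SELinux tools absent, boolean missing from an older policy, boolean present but off). The function names `ensure_sebool` and `report_sebool` and their return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the samba package's own scriptlet.
# ensure_sebool NAME  (function name and return codes are assumptions)
#   0  boolean is on (already, or after setting it)
#   1  SELinux tools missing or SELinux disabled: nothing to do
#   2  boolean not defined by the loaded policy (policy package too old)
#   3  setsebool failed or the value did not stick
ensure_sebool() {
    name=$1

    # getsebool ships in libselinux-utils, setsebool in policycoreutils.
    command -v getsebool >/dev/null 2>&1 || return 1
    command -v setsebool >/dev/null 2>&1 || return 1

    # selinuxenabled exits non-zero when SELinux is disabled.
    if command -v selinuxenabled >/dev/null 2>&1 && ! selinuxenabled; then
        return 1
    fi

    # On an older policy getsebool fails with
    # "Error getting active value for NAME".
    state=$(getsebool "$name" 2>/dev/null) || return 2
    case $state in
        *"--> on") return 0 ;;
    esac

    # -P writes the value to the policy store so it survives a reboot.
    setsebool -P "$name" on >/dev/null 2>&1 || return 3

    # Re-read the value instead of trusting the exit status alone.
    state=$(getsebool "$name" 2>/dev/null) || return 2
    case $state in
        *"--> on") return 0 ;;
    esac
    return 3
}

# One-line report per outcome; returns the code from ensure_sebool.
report_sebool() {
    rc=0
    ensure_sebool "$1" || rc=$?
    case $rc in
        0) echo "$1: on" ;;
        1) echo "$1: SELinux tools absent or SELinux disabled, skipped" ;;
        2) echo "$1: not defined, update selinux-policy-targeted" ;;
        *) echo "$1: could not be enabled" ;;
    esac
    return "$rc"
}
```

Run as root, `report_sebool samba_load_libgfapi` gives the same answer as steps 1 and 4 of the verification above, with return code 2 marking the older-policy case that the versioned dependency is meant to prevent.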
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-1495.html