Description of problem:
samba-vfs-glusterfs should have a dependency on selinux packages in RHEL-7.1

Version-Release number of selected component (if applicable):
samba-vfs-glusterfs-4.1.17-7.el6rhs.x86_64

The packages that Milos mentions [1] as possible candidates for dependent packages list are

+ policycoreutils package because it brings the setsebool command
+ libselinux-utils package because it brings the getsebool command
+ selinux-policy-targeted or selinux-policy-base (virtual package) because it brings the policy where booleans are defined and stored

If the semanage command is to be used, I would add to the list

+ policycoreutils-python package because it brings the semanage command

It is also interesting to note that the policycoreutils-python package depends on the policycoreutils package, which further depends on the libselinux-utils package.

And the selinux-policy-targeted package dependency must have a minimal version restriction for that version which has all the SELinux policy rules for RHGS 3.1.

See the following BZ's for more details regarding this decision:
https://bugzilla.redhat.com/show_bug.cgi?id=1238055
https://bugzilla.redhat.com/show_bug.cgi?id=1237065
The only available and latest SELinux RHEL-7.1 build is:
https://brewweb.devel.redhat.com/buildinfo?buildID=441837

However, I'm not very sure if this can be considered as the right candidate for setting the above required dependency as it doesn't seem to have all the fixes backported. So either we should wait for a build which has all the fixes backported or get a confirmation from the SELinux team.

Miroslav/Milos, could you please check the above and confirm so that we can proceed further with creating this dependency.
This decision is wrong. The right thing to do is to check for and use the selinux command line tools during %posttrans and a %triggerpostin for selinux-policy-targeted. I already have a build ready for verification, just need the right flags on this BZ.
With the latest build of samba: samba-4.1.17-10.el7rhgs

As discussed and raised regarding the dependencies for selinux package to be created for ctdb and samba, the specific version of selinux package: should have been made dependent.

As per brew logs it seems we have a generic dependency on following package: selinux-policy-targeted

Which may cause issues in certain scenarios where the booleans which we are trying to set are not available in the older selinux package and someone doesn't upgrade the selinux package.

Even though we recommend to do yum update and pull in all latest packages, in case only ctdb and samba packages are updated and not selinux package then the booleans will not get set and the issue will still persist, so as discussed and decided let's have the dependency on specific version of selinux so that while doing install/upgrade of samba and ctdb package, the selinux is up-to-date and we don't hit any AVC's or issues.

Moving the BZ to assigned.
With build samba-4.1.17-12.el7rhgs:

yum install samba
Loaded plugins: product-id, subscription-manager
Resolving Dependencies
--> Running transaction check
---> Package samba.x86_64 0:4.1.17-12.el7rhgs will be installed
--> Processing Dependency: samba-common = 4.1.17-12.el7rhgs for package: samba-4.1.17-12.el7rhgs.x86_64
--> Processing Dependency: libpopt_samba3.so(SAMBA_4.1.17)(64bit) for package: samba-4.1.17-12.el7rhgs.x86_64
--> Processing Dependency: libpopt_samba3.so()(64bit) for package: samba-4.1.17-12.el7rhgs.x86_64
--> Running transaction check
---> Package samba-common.x86_64 0:4.1.17-12.el7rhgs will be installed
--> Processing Dependency: samba-vfs-glusterfs = 4.1.17-12.el7rhgs for package: samba-common-4.1.17-12.el7rhgs.x86_64
--> Running transaction check
---> Package samba-vfs-glusterfs.x86_64 0:4.1.17-12.el7rhgs will be installed
--> Processing Dependency: selinux-policy-targeted >= 3.13.1-23 for package: samba-vfs-glusterfs-4.1.17-12.el7rhgs.x86_64
--> Running transaction check
---> Package selinux-policy-targeted.noarch 0:3.13.1-23.el7_1.8 will be installed
--> Processing Dependency: selinux-policy = 3.13.1-23.el7_1.8 for package: selinux-policy-targeted-3.13.1-23.el7_1.8.noarch
--> Processing Dependency: selinux-policy = 3.13.1-23.el7_1.8 for package: selinux-policy-targeted-3.13.1-23.el7_1.8.noarch
--> Running transaction check
---> Package selinux-policy.noarch 0:3.13.1-23.el7_1.8 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================================
 Package                   Arch     Version              Repository                  Size
================================================================================================
Installing:
 samba                     x86_64   4.1.17-12.el7rhgs    Server-RH-Gluster-3-Samba   557 k
Installing for dependencies:
 samba-common              x86_64   4.1.17-12.el7rhgs    Server-RH-Gluster-3-Samba   708 k
 samba-vfs-glusterfs       x86_64   4.1.17-12.el7rhgs    Server-RH-Gluster-3-Samba    80 k
 selinux-policy            noarch   3.13.1-23.el7_1.8    rhel-7-server-rpms          357 k
 selinux-policy-targeted   noarch   3.13.1-23.el7_1.8    rhel-7-server-rpms          3.9 M

Transaction Summary
================================================================================================
Install  1 Package (+4 Dependent packages)

Total download size: 5.6 M
Installed size: 13 M
Is this ok [y/d/N]: y
Downloading packages:
(1/5): samba-4.1.17-12.el7rhgs.x86_64.rpm                     | 557 kB 00:00:00
(2/5): samba-vfs-glusterfs-4.1.17-12.el7rhgs.x86_64.rpm       |  80 kB 00:00:00
(3/5): samba-common-4.1.17-12.el7rhgs.x86_64.rpm              | 708 kB 00:00:00
(4/5): selinux-policy-3.13.1-23.el7_1.8.noarch.rpm            | 357 kB 00:00:01
(5/5): selinux-policy-targeted-3.13.1-23.el7_1.8.noarch.rpm   | 3.9 MB 00:00:02
------------------------------------------------------------------------------------------------
Total                                              2.2 MB/s | 5.6 MB 00:00:02
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : selinux-policy-3.13.1-23.el7_1.8.noarch            1/5
warning: Failed to open SELinux handle.
semodule: Could not begin transaction: No such file or directory
  Installing : selinux-policy-targeted-3.13.1-23.el7_1.8.noarch   2/5
  Installing : samba-vfs-glusterfs-4.1.17-12.el7rhgs.x86_64       3/5
  Installing : samba-common-4.1.17-12.el7rhgs.x86_64              4/5
  Installing : samba-4.1.17-12.el7rhgs.x86_64                     5/5
  Verifying  : samba-4.1.17-12.el7rhgs.x86_64                     1/5
  Verifying  : samba-vfs-glusterfs-4.1.17-12.el7rhgs.x86_64       2/5
  Verifying  : selinux-policy-3.13.1-23.el7_1.8.noarch            3/5
  Verifying  : selinux-policy-targeted-3.13.1-23.el7_1.8.noarch   4/5
  Verifying  : samba-common-4.1.17-12.el7rhgs.x86_64              5/5

Installed:
  samba.x86_64 0:4.1.17-12.el7rhgs

Dependency Installed:
  samba-common.x86_64 0:4.1.17-12.el7rhgs
  samba-vfs-glusterfs.x86_64 0:4.1.17-12.el7rhgs
  selinux-policy.noarch 0:3.13.1-23.el7_1.8
  selinux-policy-targeted.noarch 0:3.13.1-23.el7_1.8

Complete!

The samba package pulls in Selinux package selinux-policy-targeted.noarch 0:3.13.1-23.el7_1.8 as dependency and installs.

While doing install and uninstall I see some issues with spec files, will be raising another BZ for the same.

I also see issue as follows:

Running transaction
  Installing : selinux-policy-3.13.1-23.el7_1.8.noarch            1/5
warning: Failed to open SELinux handle.
semodule: Could not begin transaction: No such file or directory
  Installing : selinux-policy-targeted-3.13.1-23.el7_1.8.noarch   2/5

Please check if this is due to dependency created for selinux, else will raise a separate bz for the same.
1. RHEL7 ISO install
2. Subscribe to RHEL channel :
3. Check Selinux package

   rpm -qa | grep selinux
   selinux-policy-3.13.1-23.el7.noarch
   libselinux-python-2.2.2-6.el7.x86_64
   libselinux-2.2.2-6.el7.x86_64
   selinux-policy-targeted-3.13.1-23.el7.noarch
   libselinux-utils-2.2.2-6.el7.x86_64

4. Check the boolean:

   getsebool samba_load_libgfapi
   Error getting active value for samba_load_libgfapi

5. Add rhs-samba repo, add gluster repo, add external-gluster repo
6. Yum install samba
7. Samba doesn't pull in latest selinux package 3.13.1-23.el7_1.8 because the dependency is created on 3.13.1-23 which is already present in RHEL7. So the boolean doesn't get set.
8. Once we update selinux package, even then boolean remains unset

   getsebool samba_load_libgfapi
   samba_load_libgfapi --> off

Installed Packages
selinux-policy.noarch 3.13.1-23.el7 @anaconda/7.1
Available Packages
selinux-policy.noarch 3.13.1-23.el7_1.8 External-Server-RH-Gluster-3-Server-Repository-1

How do we set the dependency then? Should we take the package higher than 3.13.1-23 ?
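Added example (not part of the bug report or of the samba packaging): a simplified Python re-implementation of RPM's version comparison, showing why a minimum of 3.13.1-23 is already met by the 3.13.1-23.el7 policy from the ISO, so the build carrying the boolean is never pulled in. The function names are hypothetical, tilde/caret ordering is omitted, and the second minimum (3.13.1-23.el7_1.8) is used only for illustration; the thread does not state which value the later build used.

```python
import re

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")  # separators such as '.' and '_' are skipped

def rpmvercmp(a, b):
    """Simplified rpmvercmp (no tilde/caret rules): returns 1, 0 or -1."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)              # numeric segments compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1    # a numeric segment beats an alphabetic one
        if x != y:
            return 1 if x > y else -1
    # Shared segments are equal: the side with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def split_evr(evr):
    """Split '[epoch:]version[-release]' into (epoch, version, release)."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return int(epoch or 0), version, release

def evr_cmp(a, b):
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    c = rpmvercmp(va, vb)
    if c or not (ra and rb):   # release is compared only when both sides carry one
        return c
    return rpmvercmp(ra, rb)

def satisfies(installed, minimum):
    """True if an installed EVR meets a 'Requires: pkg >= minimum' constraint."""
    return evr_cmp(installed, minimum) >= 0

# EVR strings as they appear in the thread above.
INSTALLED = "3.13.1-23.el7"        # selinux-policy from the RHEL 7.1 ISO
UPDATED = "3.13.1-23.el7_1.8"      # build that was available in the repository

def audit(minimum):
    """Which of the two builds already meets the given minimum?"""
    return {evr: satisfies(evr, minimum) for evr in (INSTALLED, UPDATED)}

if __name__ == "__main__":
    for minimum in ("3.13.1-23", UPDATED):
        print(f">= {minimum}: {audit(minimum)}")
```

A minimum that names the full release string is the only form here that the ISO-installed policy fails, which is what forces the resolver to upgrade it in the same transaction.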
The latest build depends on this more specific version of selinux-policy-targeted. My testing indicates that this pulls the right minimum version and sets the SELinux configuration correctly.
The new samba package samba-4.1.17-13.el7rhgs has dependency on Selinux package and gets pulled in once we update or install samba. Also with the specific version dependency the boolean is getting set once we update samba. Marking the BZ as verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-1495.html