Bug 1240251 - [SELinux] ctdb should have a dependency on selinux packages (RHEL-6.7)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat Storage
Component: samba
Version: rhgs-3.1
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
: RHGS 3.1.0
Assignee: Jose A. Rivera
QA Contact: surabhi
URL:
Whiteboard:
Depends On:
Blocks: 1202842 1212796
Reported: 2015-07-06 11:04 UTC by Prasanth
Modified: 2015-07-29 05:10 UTC (History)

Fixed In Version: ctdb2.5-2.5.5-6.el6rhs
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-07-29 05:10:02 UTC
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1495 0 normal SHIPPED_LIVE Important: Red Hat Gluster Storage 3.1 update 2015-07-29 08:26:26 UTC

Description Prasanth 2015-07-06 11:04:10 UTC
Description of problem:

nagios-server-addons should have a dependency on selinux packages in RHEL-6.7

Version-Release number of selected component (if applicable):
ctdb2.5-2.5.5-3.el6rhs


The packages that Milos mentions [1] as possible candidates for
dependent packages list are

 + policycoreutils package because it brings the setsebool command
 + libselinux-utils package because it brings the getsebool command
 + selinux-policy-targeted or selinux-policy-base (virtual package)
because it brings the policy where booleans are defined and stored

If the semanage command is to be used, I would add to the list

 + policycoreutils-python package because it brings the semanage command

It is also interesting to note that the policycoreutils-python package
depends on the policycoreutils package, which further depends on the
libselinux-utils package

And the selinux-policy-targeted package dependency must have a minimal
version restriction for that version which has all the SELinux policy
rules for RHGS 3.1.

See the following BZ's for more details regarding this decision:

https://bugzilla.redhat.com/show_bug.cgi?id=1238055
https://bugzilla.redhat.com/show_bug.cgi?id=1237065



The following SELinux el6 build which has almost all the gluster-SELinux fixes in RHEL-6.7 is what I see as a possible candidate for setting this dependency: 

#####
https://brewweb.devel.redhat.com/buildinfo?buildID=443534
#####

Miroslav/Milos, please confirm if this is the case.

Comment 1 Jose A. Rivera 2015-07-06 23:09:36 UTC
This decision is wrong. The right thing to do is to check for and use the selinux command line tools during %posttrans and a %triggerpostin for selinux-policy-targeted.

I already have a build ready for verification, just need the right flags on this BZ.

Comment 3 surabhi 2015-07-08 12:03:46 UTC
With the latest build ctdb2.5-2.5.5-4.el6rhs :
As discussed and raised regarding the dependencies for selinux package to be created for ctdb, the specific version of selinux package: selinux-policy-targeted-3.7.19-279.el6.noarch should have been made dependent.

As per brew logs it seems we have a generic dependency on following package:
selinux-policy-targeted

Which may cause issues in certain scenarios where the booleans which we are trying to set are not available in the older selinux package and somebody doesn't upgrade the selinux package.

Even though we recommend doing a yum update to pull in all the latest packages, if only the ctdb and samba packages are updated and not the selinux package, then the booleans will not get set and the issue will still persist. So, as discussed and decided, let's have the dependency on a specific version of selinux so that while doing an install/upgrade of the samba and ctdb packages, selinux is up-to-date and we don't hit any AVCs or issues.


Moving the BZ to assigned.

Comment 5 surabhi 2015-07-09 09:54:38 UTC
Verified with the latest build ctdb2.5-2.5.5-6.el6rhs.x86_64
The ctdb package is pulling in selinux-policy-targeted-0:3.7.19-279.el6 as dependency and setting the boolean required.

Steps performed:

1. Check the boolean initially:
getsebool use_fusefs_home_dirs
use_fusefs_home_dirs --> off

2. Install/update ctdb without having repo for latest selinux package:

The install/update of ctdb fails as the dependent selinux package is not available.

http://10.10.160.20/brewroot/packages/ctdb2.5/2.5.5/6.el6rhs/x86_64/ctdb2.5-2.5.5-6.el6rhs.x86_64.rpm
Retrieving http://10.10.160.20/brewroot/packages/ctdb2.5/2.5.5/6.el6rhs/x86_64/ctdb2.5-2.5.5-6.el6rhs.x86_64.rpm
error: Failed dependencies:
	selinux-policy-targeted >= 3.7.19-279 is needed by ctdb2.5-2.5.5-6.el6rhs.x86_64

3. Now add the repo with latest selinux package:
4. Yum install/update ctdb

Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package ctdb2.5.x86_64 0:2.5.5-6.el6rhs will be installed
--> Processing Dependency: selinux-policy-targeted >= 3.7.19-279 for package: ctdb2.5-2.5.5-6.el6rhs.x86_64
--> Running transaction check
---> Package selinux-policy-targeted.noarch 0:3.7.19-279.el6 will be installed
--> Processing Dependency: selinux-policy = 3.7.19-279.el6 for package: selinux-policy-targeted-3.7.19-279.el6.noarch
--> Running transaction check
---> Package selinux-policy.noarch 0:3.7.19-279.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==================================================================================
 Package    Arch   Version        Repository                                 Size
==================================================================================
Installing:
 ctdb2.5    x86_64 2.5.5-6.el6rhs External-RH-Gluster-3-Server-Repository-3 526 k
Installing for dependencies:
 selinux-policy
            noarch 3.7.19-279.el6 External-RH-Gluster-3-Server-Repository-1 880 k
 selinux-policy-targeted
            noarch 3.7.19-279.el6 External-RH-Gluster-3-Server-Repository-1 3.1 M

Transaction Summary
==================================================================================
Install       3 Package(s)

Total download size: 4.4 M
Installed size: 14 M
Is this ok [y/N]: y
Downloading Packages:
(1/3): ctdb2.5-2.5.5-6.el6rhs.x86_64.rpm                   | 526 kB     00:00     
(2/3): selinux-policy-3.7.19-279.el6.noarch.rpm            | 880 kB     00:00     
(3/3): selinux-policy-targeted-3.7.19-279.el6.noarch.rpm   | 3.1 MB     00:00     
----------------------------------------------------------------------------------
Total                                             3.6 MB/s | 4.4 MB     00:01     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : selinux-policy-3.7.19-279.el6.noarch                           1/3 
  Installing : selinux-policy-targeted-3.7.19-279.el6.noarch                  2/3 
  Installing : ctdb2.5-2.5.5-6.el6rhs.x86_64                                  3/3 
libsemanage.dbase_llist_query: could not query record value (No such file or directory).
restorecon reset /var/run/ctdb context unconfined_u:object_r:var_run_t:s0->unconfined_u:object_r:ctdbd_var_run_t:s0
restorecon reset /usr/sbin/ctdbd_wrapper context unconfined_u:object_r:bin_t:s0->unconfined_u:object_r:ctdbd_exec_t:s0
  Verifying  : selinux-policy-3.7.19-279.el6.noarch                           1/3 
  Verifying  : selinux-policy-targeted-3.7.19-279.el6.noarch                  2/3 
  Verifying  : ctdb2.5-2.5.5-6.el6rhs.x86_64                                  3/3 

Installed:
  ctdb2.5.x86_64 0:2.5.5-6.el6rhs                                                 

Dependency Installed:
  selinux-policy.noarch 0:3.7.19-279.el6                                          
  selinux-policy-targeted.noarch 0:3.7.19-279.el6                                 

Complete!


5. Check the boolean again:
 getsebool use_fusefs_home_dirs
use_fusefs_home_dirs --> on
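
A host-side audit for the two conditions discussed in Comments 3 and 5 (policy build at least 3.7.19-279 and use_fusefs_home_dirs on), as an added example that is not part of the original report or of the ctdb packaging. The function names are hypothetical, the sample inputs are constructed, and the version check is a simplified numeric comparison rather than rpm's own algorithm.

```shell
# Minimum policy build and boolean name, both taken from the thread above.
MIN_POLICY="3.7.19-279"
BOOLEAN="use_fusefs_home_dirs"
# "3.7.19-279.el6" -> "3.7.19.279"; simplified, not rpm's own version comparison.
norm_vr() {
    v=${1%%-*}; r=${1#*-}
    [ "$r" = "$1" ] && r=0
    printf '%s.%s\n' "$v" "${r%%.*}"
}

# Return 0 when dotted numeric version $1 >= $2.
ver_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# State of boolean $1 in getsebool-style output $2: on, off or missing.
bool_state() {
    printf '%s\n' "$2" | awk -v n="$1" '$1 == n && $2 == "-->" { print $3; f = 1 }
        END { if (!f) print "missing" }'
}

# audit_host <version-release> <getsebool output>: 0 ok, 1 policy too old, 2 boolean not on.
audit_host() {
    if ! ver_ge "$(norm_vr "$1")" "$(norm_vr "$MIN_POLICY")"; then
        echo "FAIL: selinux-policy-targeted $1 is older than $MIN_POLICY"; return 1
    fi
    state=$(bool_state "$BOOLEAN" "$2")
    if [ "$state" != on ]; then echo "FAIL: $BOOLEAN is $state"; return 2; fi
    echo "OK: selinux-policy-targeted $1, $BOOLEAN on"
}

# On a real host (needs rpm and getsebool from libselinux-utils).
audit_live() {
    audit_host "$(rpm -q --qf '%{VERSION}-%{RELEASE}' selinux-policy-targeted)" \
               "$(getsebool "$BOOLEAN" 2>&1)"
}

# Constructed sample inputs (not captured from a real system).
audit_host "3.7.19-279.el6" "use_fusefs_home_dirs --> on" || true
audit_host "3.7.19-231.el6" "use_fusefs_home_dirs --> off" || true
```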

Comment 6 errata-xmlrpc 2015-07-29 05:10:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-1495.html

