Bug 1256916 - selinux-policy-targeted problem when updating mcelog
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: rpm
6.8
All Linux
unspecified Severity low
: rc
: ---
Assigned To: packaging-team-maint
BaseOS QE Security Team
Depends On:
Blocks:
Reported: 2015-08-25 13:45 EDT by Paulo Andrade
Modified: 2016-01-05 07:43 EST

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-01-05 07:43:16 EST
Type: Bug

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 1554013 None None None Never

Description Paulo Andrade 2015-08-25 13:45:34 EDT
User reports problems when upgrading from rhel 6.6
to 6.7.
  The problem happened in the mcelog package, that
changed selinux labels.

  In the upgrade, selinux-policy-target was updated
before mcelog, so, selinux-policy-target %postinstall
did not see the changes.

  Since it may affect other packages, my first suggestion
is to change selinux-policy-targeted scriptlets to
%pretrans and %posttrans.

  Another alternative could be for packages that depend
on selinux-policy-target, to have a
Requires(pre): selinux-policy-target
Comment 2 Miroslav Grepl 2015-08-28 10:37:09 EDT
(In reply to Paulo Andrade from comment #0)
> User reports problems when upgrading from rhel 6.6
> to 6.7.
>   The problem happened in the mcelog package, that
> changed selinux labels.

What does it mean exactly? Are there path changes in mcelog rpm payload?

> 
>   In the upgrade, selinux-policy-target was updated
> before mcelog, so, selinux-policy-target %postinstall
> did not see the changes.
> 
>   Since it may affect other packages, my first suggestion
> is to change selinux-policy-targeted scriptlets to
> %pretrans and %posttrans.
> 
>   Another alternative could be for packages that depend
> on selinux-policy-target, to have a
> Requires(pre): selinux-policy-target
Comment 4 Paulo Andrade 2015-09-09 08:47:52 EDT
Cut&paste from part of the previous comment, as needinfo
flag still set:

rhel < 6.7
# semanage fcontext -l| grep mcelog
/dev/mcelog               character device   system_u:object_r:kmsg_device_t:s0 
/etc/mcelog/cache-error-trigger  regular file       system_u:object_r:bin_t:s0 
/etc/mcelog/triggers(/.*)?       all files          system_u:object_r:bin_t:s0 
/usr/sbin/mcelog          regular file       system_u:object_r:mcelog_exec_t:s0 
/var/log/mcelog.*         regular file       system_u:object_r:mcelog_log_t:s0 
/var/run/mcelog.*      all files          system_u:object_r:mcelog_var_run_t:s0 

rhel 6.7
# semanage fcontext -l| grep mcelog
/dev/mcelog            character device   system_u:object_r:kmsg_device_t:s0 
/etc/mcelog/.*-error-trigger  regular file       system_u:object_r:bin_t:s0 
/etc/mcelog/.*\.local         regular file       system_u:object_r:bin_t:s0 
/etc/mcelog/.*\.setup         regular file       system_u:object_r:bin_t:s0 
/etc/mcelog/triggers(/.*)?    all files          system_u:object_r:bin_t:s0 
/usr/sbin/mcelog          regular file       system_u:object_r:mcelog_exec_t:s0 
/var/log/mcelog.*         regular file       system_u:object_r:mcelog_log_t:s0 
/var/run/mcelog.*      all files          system_u:object_r:mcelog_var_run_t:s0 

The problem is the *trigger* file paths, that depend on
order of updates to be relabelled correctly.
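
The two listings in comment 4, diffed to show which files change expected context between the policies. This is an added example, not part of the bug report and not code from rpm or selinux-policy. The sample paths are constructed, and the matcher is a simplification that ignores libselinux rule precedence.

```python
import re
# `semanage fcontext -l | grep mcelog` output from comment 4, before and after.
OLD = r"""
/dev/mcelog               character device   system_u:object_r:kmsg_device_t:s0
/etc/mcelog/cache-error-trigger  regular file       system_u:object_r:bin_t:s0
/etc/mcelog/triggers(/.*)?       all files          system_u:object_r:bin_t:s0
/usr/sbin/mcelog          regular file       system_u:object_r:mcelog_exec_t:s0
/var/log/mcelog.*         regular file       system_u:object_r:mcelog_log_t:s0
/var/run/mcelog.*      all files          system_u:object_r:mcelog_var_run_t:s0
"""
NEW = r"""
/dev/mcelog            character device   system_u:object_r:kmsg_device_t:s0
/etc/mcelog/.*-error-trigger  regular file       system_u:object_r:bin_t:s0
/etc/mcelog/.*\.local         regular file       system_u:object_r:bin_t:s0
/etc/mcelog/.*\.setup         regular file       system_u:object_r:bin_t:s0
/etc/mcelog/triggers(/.*)?    all files          system_u:object_r:bin_t:s0
/usr/sbin/mcelog          regular file       system_u:object_r:mcelog_exec_t:s0
/var/log/mcelog.*         regular file       system_u:object_r:mcelog_log_t:s0
/var/run/mcelog.*      all files          system_u:object_r:mcelog_var_run_t:s0
"""
LINE = re.compile(r"(\S+)\s+(character device|regular file|all files)\s+(\S+)")

def parse(listing):
    """Return (path regex, file type, context) for each listing line."""
    return [LINE.match(l).groups() for l in listing.strip().splitlines()]

def expected(rules, path, ftype="regular file"):
    """Context from the first matching mcelog rule, or None when only a
    general rule (not shown in the grep output) would apply. Overlapping
    rules in these listings share one context, so order does not matter."""
    for spec, rtype, ctx in rules:
        if rtype in (ftype, "all files") and re.fullmatch(spec, path):
            return ctx
    return None

def relabel_needed(paths):
    """Paths whose expected context differs between the two listings."""
    old, new = parse(OLD), parse(NEW)
    return [(p, expected(old, p), expected(new, p)) for p in paths
            if expected(old, p) != expected(new, p)]

# Constructed sample paths, not the mcelog package's actual file list.
SAMPLE = ["/etc/mcelog/cache-error-trigger", "/etc/mcelog/dimm-error-trigger",
          "/etc/mcelog/mcelog.conf", "/etc/mcelog/mcelog.setup",
          "/etc/mcelog/triggers/page", "/var/log/mcelog"]
if __name__ == "__main__":
    for path, before, after in relabel_needed(SAMPLE):
        print(f"{path}: {before} -> {after}")
```

On an installed system, `restorecon -n -v -R /etc/mcelog` reports files whose on-disk label differs from the loaded policy without changing anything.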
Comment 5 Ľuboš Kardoš 2015-10-27 12:39:26 EDT
This is already fixed in upstream and rhel7. We don't plan to backport that fix to rhel6. Also, for backporting this fix we need a newer version of libselinux, which is not available in rhel6.