Bug 1265544 - SELinux policy from RHEL 7.2 is not compatible with Satellite 6.1 policy (missing optional block for docker_var_run_t)
Summary: SELinux policy from RHEL 7.2 is not compatible with Satellite 6.1 policy (mis...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: SELinux
Version: 6.1.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: Unspecified
Assignee: Lukas Zapletal
QA Contact: Lukas Pramuk
URL: http://projects.theforeman.org/issues...
Whiteboard:
Depends On:
Blocks:
Reported: 2015-09-23 08:22 UTC by Jan Pazdziora (Red Hat)
Modified: 2019-06-13 21:25 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-19 20:32:35 UTC
Target Upstream Version:
Embargoed:


Attachments
installer completed successfully in enforcing mode (74.72 KB, image/png), 2015-11-16 14:17 UTC, Sachin Ghai


Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 11934 0 None None None 2016-04-22 16:29:41 UTC

Description Jan Pazdziora (Red Hat) 2015-09-23 08:22:39 UTC
Description of problem:

Running foreman-installer started to fail on RHEL 7.2 composes.

Version-Release number of selected component (if applicable):

selinux-policy-3.13.1-52.el7.noarch

How reproducible:

Deterministic.

Steps to Reproduce:
1. Run foreman-installer.

Actual results:

# [ERROR 2015-09-23 02:33:51 verbose]  /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[foreman.example.com]: Could not evaluate: Proxy foreman.example.com cannot be registered (Could not load data from https://foreman.example.com
# [ INFO 2015-09-23 02:33:51 verbose]  - is your server down?
# [ INFO 2015-09-23 02:33:51 verbose]  - was rake apipie:cache run when using apipie cache? (typical production settings)): N/A
[...]
#   Something went wrong! Check the log for ERROR-level output

Expected results:

No error

Additional info:

AVC denials:

avc:  denied  { getattr } for  pid=23191 comm="httpd" path="/etc/puppet/rack/config.ru" dev="dm-0" ino=815544 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file

# sesearch --allow -s httpd_t -t puppet_etc_t
Found 2 semantic av rules:
   allow httpd_t file_type : filesystem getattr ; 
   allow httpd_t file_type : dir { getattr search open } ; 

On selinux-policy-3.13.1-49.el7.noarch where things work, sesearch says

Found 4 semantic av rules:
   allow httpd_t file_type : filesystem getattr ; 
   allow httpd_t file_type : dir { getattr search open } ; 
   allow httpd_t puppet_etc_t : file { ioctl read getattr lock open } ; 
   allow httpd_t puppet_etc_t : dir { getattr search open } ;

Comment 5 Lukas Vrabec 2015-09-23 08:53:55 UTC
Hi,
The related rules come from the foreman-selinux package.

[root@dhcp-10-40-3-126 ~]# rpm -q --all | grep selinux
libselinux-python-2.2.2-6.el7.x86_64
libselinux-2.2.2-6.el7.x86_64
libselinux-utils-2.2.2-6.el7.x86_64
selinux-policy-devel-3.13.1-49.el7.noarch
foreman-selinux-1.9.2-1.el7.noarch
selinux-policy-targeted-3.13.1-53.el7.noarch
selinux-policy-3.13.1-53.el7.noarch

I believe foreman-selinux is not installed on your system.

Comment 7 Jan Pazdziora (Red Hat) 2015-09-23 11:41:30 UTC
(In reply to Milos Malik from comment #3)
> 
> Is it possible that foreman-selinux package did not install successfully?

The package is installed but its SELinux module was not loaded.

With

# rpm -qf /usr/sbin/foreman-selinux-enable
foreman-selinux-1.10.0-0.develop.201509210827gitd3a9081.el7.noarch

running it fails:

# /usr/sbin/foreman-selinux-enable
libsepol.print_missing_requirements: foreman's global requirements were not met: type/attribute docker_var_run_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
ValueError: Could not commit semanage transaction
ValueError: Type elasticsearch_port_t is invalid, must be a port type

With selinux-policy-3.13.1-49.el7.noarch, loading passes:

# semanage module -l | grep foreman
foreman                  1.10.0

Comment 8 Milos Malik 2015-09-23 11:59:42 UTC
The docker_var_run_t type is defined in docker.pp, which is not part of selinux-policy since 3.13.1-51.el7, because docker.pp is shipped within docker-selinux package.

Comment 9 Miroslav Grepl 2015-09-23 12:32:20 UTC
Jan,
what does 

# semodule -l |grep docker

print on the affected system?

Thank you.

Comment 10 Jan Pazdziora (Red Hat) 2015-09-23 12:36:12 UTC
(In reply to Miroslav Grepl from comment #9)
> what does 
> 
> # semodule -l |grep docker
> 
> on affected system?

# semodule -l |grep docker
#

On system where things work it outputs

# semodule -l |grep docker
docker	1.0.0	
#

Comment 11 Miroslav Grepl 2015-09-23 12:44:19 UTC
OK, taking that back. This is actually a bug in the foreman.pp policy. They need to use optional_policy() for the docker calls.
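
The pattern asked for above, as an added example that is not from the foreman-selinux repository or from this report: a minimal .te fragment with the docker require first in the global scope (the form that fails to link when docker.pp is absent) and then inside optional_policy(). The domain type foreman_t and the socket rule are placeholders chosen for the illustration; only the placement of the require is the point.

```selinux
policy_module(foreman_example, 1.0.0)

# Placeholder domain for the example; the real foreman.te declares its own.
type foreman_t;

########################################
#
# Broken form: a global require.  When docker.pp is not loaded
# (RHEL 7.2 moved it into docker-selinux) the whole module is
# refused at link time with the error quoted in comment 7:
#   foreman's global requirements were not met:
#   type/attribute docker_var_run_t (No such file or directory)
#
# require {
#     type docker_var_run_t;
# }
# allow foreman_t docker_var_run_t:sock_file write_sock_file_perms;

########################################
#
# Fixed form: the same require and rule inside optional_policy().
# The macro expands to an `optional { ... }` block, so if
# docker_var_run_t does not exist this block is dropped and the
# rest of the module still loads.
#
optional_policy(`
	gen_require(`
		type docker_var_run_t;
	')

	# Placeholder rule: talk to the docker socket under /var/run.
	allow foreman_t docker_var_run_t:sock_file write_sock_file_perms;
')
```

Build it with `make -f /usr/share/selinux/devel/Makefile` as the spec in this report does, then confirm with `semodule -l | grep foreman` that the module loads on a host where `semodule -l | grep docker` prints nothing. The fix also has to compile on every target the spec builds for; comment 22 shows the RHEL 6 build rejecting a duplicate docker_port_t declaration.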

Comment 12 Lukas Zapletal 2015-09-23 13:32:41 UTC
Relevant part: https://github.com/theforeman/foreman-selinux/blob/develop/foreman.te#L363-L379

Creating issue: http://projects.theforeman.org/issues/11934

Feel free to close this one.

Comment 13 Lukas Zapletal 2015-09-23 13:44:20 UTC
For the record this build fixes it: http://koji.katello.org/koji/taskinfo?taskID=348626

Comment 14 Lukas Zapletal 2015-09-24 07:58:33 UTC
Bringing this into Satellite 6 as we will cherry pick this into the product.

Comment 18 Bryan Kearney 2015-09-28 14:06:09 UTC
Moving to POST since upstream bug http://projects.theforeman.org/issues/11934 has been closed
-------------
Dominic Cleal
The foreman-selinux-enable error:

  Installing : foreman-selinux-1.10.0-0.develop.201509210827gitd3a9081.el7.noarch                                                  1/1 
libsepol.print_missing_requirements: foreman's global requirements were not met: type/attribute docker_var_run_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
ValueError: Could not commit semanage transaction
ValueError: Type elasticsearch_port_t is invalid, must be a port type
warning: %post(foreman-selinux-1.10.0-0.develop.201509210827gitd3a9081.el7.noarch) scriptlet failed, exit status 1
-------------
Anonymous
Applied in changeset commit:caf0b6c3000a8d91b677a59c9b41f09a3c4d5169.

Comment 22 Mike McCune 2015-11-04 20:12:28 UTC
Lukas,

This failed to build in brew with the following error:

"""
ENTER do(['bash', '--login', '-c', 'rpmbuild -bb --target noarch --nodeps builddir/build/SPECS/foreman-selinux.spec'], False, '/var/lib/mock/satellite-6.1.0-rhel-6-build-2757029-1361950/root/', None, 86400, True, 0, 251, 276, None, logger=<mock.trace_decorator.getLog object at 0x106fbc50>)
Executing command: ['bash', '--login', '-c', 'rpmbuild -bb --target noarch --nodeps builddir/build/SPECS/foreman-selinux.spec']
Building target platforms: noarch
Building for target noarch
Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.a9Se67
+ umask 022
+ cd /builddir/build/BUILD
+ LANG=C
+ export LANG
+ unset DISPLAY
+ cd /builddir/build/BUILD
+ rm -rf foreman-selinux-1.7.2.15
+ /usr/bin/gzip -dc /builddir/build/SOURCES/foreman-selinux-1.7.2.15.tar.gz
+ /bin/tar -xf -
+ STATUS=0
+ '[' 0 -ne 0 ']'
+ cd foreman-selinux-1.7.2.15
+ /bin/chmod -Rf a+rX,u+w,g-w,o-w .
+ cat downstream.te.in
+ exit 0
Executing(%build): /bin/sh -e /var/tmp/rpm-tmp.MgJnZ0
+ umask 022
+ cd /builddir/build/BUILD
+ cd foreman-selinux-1.7.2.15
+ LANG=C
+ export LANG
+ unset DISPLAY
+ perl -i -pe 'BEGIN { $VER = join ".", grep /^\d+$/, split /\./, "1.7.2.15.1.el6"; } s!\@\@VERSION\@\@!$VER!g;' foreman.te
+ distver=rhel6
+ for selinuxvariant in targeted
+ make NAME=targeted -f /usr/share/selinux/devel/Makefile DISTRO=rhel6
cat: /selinux/mls: No such file or directory
Compiling targeted foreman module
/usr/bin/checkmodule:  loading policy configuration from tmp/foreman.tmp
foreman.te":496:ERROR 'duplicate declaration of type/attribute' at token ';' on line 10057:
}
type docker_port_t;
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [tmp/foreman.mod] Error 1
RPM build errors:
error: Bad exit status from /var/tmp/rpm-tmp.MgJnZ0 (%build)
    Bad exit status from /var/tmp/rpm-tmp.MgJnZ0 (%build)
Child returncode was: 1
EXCEPTION: Command failed. See logs for output.
 # ['bash', '--login', '-c', 'rpmbuild -bb --target noarch --nodeps builddir/build/SPECS/foreman-selinux.spec']
Traceback (most recent call last):
  File "/usr/lib/python2.4/site-packages/mock/trace_decorator.py", line 70, in trace
    result = func(*args, **kw)
  File "/usr/lib/python2.4/site-packages/mock/util.py", line 324, in do
    raise mock.exception.Error, ("Command failed. See logs for output.\n # %s" % (command,), child.returncode)
Error: Command failed. See logs for output.
 # ['bash', '--login', '-c', 'rpmbuild -bb --target noarch --nodeps builddir/build/SPECS/foreman-selinux.spec']
"""

Going to move this to a later release as it isn't going to make 6.1.4.

Comment 31 Sachin Ghai 2015-11-16 14:15:28 UTC
Verified with Sat 6.1.4 compose9.

Katello-installer succeeded. Please see the attached screenshot.
I tried the rhel7.2 build from beaker (RHEL-7.2-20151106.n.0).


[root@cloud-qe-14 ~]# semodule -l | grep foreman
foreman	1.7.2.16.1	
[root@cloud-qe-14 ~]# rpm -qa | grep foreman-selinux
foreman-selinux-1.7.2.16-1.el7sat.noarch

Comment 32 Sachin Ghai 2015-11-16 14:17:07 UTC
Created attachment 1094883 [details]
installer completed successfully in enforcing mode

Comment 33 Sachin Ghai 2015-11-16 14:18:15 UTC
Moving this to verified as per the results of katello-installer with Sat 6.1.4 downstream compose9

Comment 34 Bryan Kearney 2015-11-19 20:32:35 UTC
This fix was delivered in 6.1.4 on 19 November in https://access.redhat.com/errata/RHBA-2015:2474.

