Description of problem:
Running foreman-installer started to fail on RHEL 7.2 composes.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-52.el7.noarch

How reproducible:
Deterministic.

Steps to Reproduce:
1. Run foreman-installer.

Actual results:
# [ERROR 2015-09-23 02:33:51 verbose] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[foreman.example.com]: Could not evaluate: Proxy foreman.example.com cannot be registered (Could not load data from https://foreman.example.com
# [ INFO 2015-09-23 02:33:51 verbose] - is your server down?
# [ INFO 2015-09-23 02:33:51 verbose] - was rake apipie:cache run when using apipie cache? (typical production settings)): N/A
[...]
# Something went wrong! Check the log for ERROR-level output

Expected results:
No error

Additional info:
AVC denials:

avc: denied { getattr } for pid=23191 comm="httpd" path="/etc/puppet/rack/config.ru" dev="dm-0" ino=815544 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file

# sesearch --allow -s httpd_t -t puppet_etc_t
Found 2 semantic av rules:
   allow httpd_t file_type : filesystem getattr ;
   allow httpd_t file_type : dir { getattr search open } ;

On selinux-policy-3.13.1-49.el7.noarch where things work, sesearch says:

Found 4 semantic av rules:
   allow httpd_t file_type : filesystem getattr ;
   allow httpd_t file_type : dir { getattr search open } ;
   allow httpd_t puppet_etc_t : file { ioctl read getattr lock open } ;
   allow httpd_t puppet_etc_t : dir { getattr search open } ;
Hi,

The related rules come from the foreman-selinux package.

[root@dhcp-10-40-3-126 ~]# rpm -q --all | grep selinux
libselinux-python-2.2.2-6.el7.x86_64
libselinux-2.2.2-6.el7.x86_64
libselinux-utils-2.2.2-6.el7.x86_64
selinux-policy-devel-3.13.1-49.el7.noarch
foreman-selinux-1.9.2-1.el7.noarch
selinux-policy-targeted-3.13.1-53.el7.noarch
selinux-policy-3.13.1-53.el7.noarch

I believe foreman-selinux is not installed on your system.
(In reply to Milos Malik from comment #3)
> Is it possible that foreman-selinux package did not install successfully?

The package is installed but its SELinux module was not loaded. With

# rpm -qf /usr/sbin/foreman-selinux-enable
foreman-selinux-1.10.0-0.develop.201509210827gitd3a9081.el7.noarch

running it fails:

# /usr/sbin/foreman-selinux-enable
libsepol.print_missing_requirements: foreman's global requirements were not met: type/attribute docker_var_run_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
ValueError: Could not commit semanage transaction
ValueError: Type elasticsearch_port_t is invalid, must be a port type

With selinux-policy-3.13.1-49.el7.noarch, loading passes:

# semanage module -l | grep foreman
foreman    1.10.0
The docker_var_run_t type is defined in docker.pp, which is not part of selinux-policy since 3.13.1-51.el7, because docker.pp is shipped within docker-selinux package.
Jan, what does

# semodule -l |grep docker

show on the affected system? Thank you.
(In reply to Miroslav Grepl from comment #9)
> what does
>
> # semodule -l |grep docker
>
> on affected system?

# semodule -l |grep docker
#

On a system where things work it outputs:

# semodule -l |grep docker
docker    1.0.0
#
Ok, taking that back. This is actually a bug in the foreman.pp policy. They need to use optional_policy() for the docker calls.
Relevant part: https://github.com/theforeman/foreman-selinux/blob/develop/foreman.te#L363-L379

Creating issue: http://projects.theforeman.org/issues/11934

Feel free to close this one.
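To make the optional_policy() point concrete, here is an added, hypothetical reference-policy module (not foreman-selinux's own foreman.te, whose real rules are at the link above). It assumes only the standard refpolicy macros shipped in selinux-policy-devel (policy_module, gen_require, optional_policy, search_dir_perms) and the well-known httpd_t and docker_var_run_t types; the module name and the specific allow rules are made up for illustration. The commented-out block reproduces the failure mode from this bug: a top-level require on a type that lives in another, separately packaged module (docker.pp) makes semodule refuse to link the whole module when that module is absent. The optional_policy() block below it is the corrected form: the kernel policy compiler keeps the block only if every required type resolves, and otherwise drops it while the rest of the module still loads.

```selinux
# Hypothetical module, written as an added example; not foreman-selinux code.
policy_module(example_httpd_docker, 1.0.0)

########################################
#
# Declarations
#

# httpd_t is part of the base policy, so requiring it unconditionally is safe.
gen_require(`
	type httpd_t;
')

########################################
#
# Broken form (what produces "global requirements were not met:
# type/attribute docker_var_run_t"): an unconditional require on a type
# that only exists when docker.pp is loaded.
#
# gen_require(`
# 	type docker_var_run_t;
# ')
# allow httpd_t docker_var_run_t:dir search_dir_perms;

########################################
#
# Corrected form: the require lives inside optional_policy(), so the
# rules are applied when docker_var_run_t exists and skipped when it
# does not. Note that the type is required, never declared, here;
# declaring a type that another module already owns fails at build
# time with "duplicate declaration of type/attribute".
#

optional_policy(`
	gen_require(`
		type docker_var_run_t;
	')

	# Illustrative rules only: let the web server traverse docker's
	# runtime directory. Real policy would normally call the docker
	# module's own interfaces here instead of raw allow rules.
	allow httpd_t docker_var_run_t:dir search_dir_perms;
')
```

After building and loading such a module, `semodule -l | grep docker` (as used earlier in this thread) tells you whether the optional block was actually applied: with no docker module present the module still loads but the docker rules are absent, which is exactly the situation `sesearch --allow -s httpd_t -t docker_var_run_t` would confirm.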
For the record this build fixes it: http://koji.katello.org/koji/taskinfo?taskID=348626
Bringing this into Satellite 6 as we will cherry pick this into the product.
Moving to POST since upstream bug http://projects.theforeman.org/issues/11934 has been closed

-------------
Dominic Cleal

The foreman-selinux-enable error:

  Installing : foreman-selinux-1.10.0-0.develop.201509210827gitd3a9081.el7.noarch    1/1
libsepol.print_missing_requirements: foreman's global requirements were not met: type/attribute docker_var_run_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
ValueError: Could not commit semanage transaction
ValueError: Type elasticsearch_port_t is invalid, must be a port type
warning: %post(foreman-selinux-1.10.0-0.develop.201509210827gitd3a9081.el7.noarch) scriptlet failed, exit status 1

-------------
Anonymous

Applied in changeset commit:caf0b6c3000a8d91b677a59c9b41f09a3c4d5169.
Lukas,

This failed to build in brew with the following error:

"""
ENTER do(['bash', '--login', '-c', 'rpmbuild -bb --target noarch --nodeps builddir/build/SPECS/foreman-selinux.spec'], False, '/var/lib/mock/satellite-6.1.0-rhel-6-build-2757029-1361950/root/', None, 86400, True, 0, 251, 276, None, logger=<mock.trace_decorator.getLog object at 0x106fbc50>)
Executing command: ['bash', '--login', '-c', 'rpmbuild -bb --target noarch --nodeps builddir/build/SPECS/foreman-selinux.spec']
Building target platforms: noarch
Building for target noarch
Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.a9Se67
+ umask 022
+ cd /builddir/build/BUILD
+ LANG=C
+ export LANG
+ unset DISPLAY
+ cd /builddir/build/BUILD
+ rm -rf foreman-selinux-1.7.2.15
+ /usr/bin/gzip -dc /builddir/build/SOURCES/foreman-selinux-1.7.2.15.tar.gz
+ /bin/tar -xf -
+ STATUS=0
+ '[' 0 -ne 0 ']'
+ cd foreman-selinux-1.7.2.15
+ /bin/chmod -Rf a+rX,u+w,g-w,o-w .
+ cat downstream.te.in
+ exit 0
Executing(%build): /bin/sh -e /var/tmp/rpm-tmp.MgJnZ0
+ umask 022
+ cd /builddir/build/BUILD
+ cd foreman-selinux-1.7.2.15
+ LANG=C
+ export LANG
+ unset DISPLAY
+ perl -i -pe 'BEGIN { $VER = join ".", grep /^\d+$/, split /\./, "1.7.2.15.1.el6"; } s!\@\@VERSION\@\@!$VER!g;' foreman.te
+ distver=rhel6
+ for selinuxvariant in targeted
+ make NAME=targeted -f /usr/share/selinux/devel/Makefile DISTRO=rhel6
cat: /selinux/mls: No such file or directory
Compiling targeted foreman module
/usr/bin/checkmodule:  loading policy configuration from tmp/foreman.tmp
foreman.te":496:ERROR 'duplicate declaration of type/attribute' at token ';' on line 10057:
}
type docker_port_t;
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [tmp/foreman.mod] Error 1
RPM build errors:
error: Bad exit status from /var/tmp/rpm-tmp.MgJnZ0 (%build)
    Bad exit status from /var/tmp/rpm-tmp.MgJnZ0 (%build)
Child returncode was: 1
EXCEPTION: Command failed. See logs for output.
 # ['bash', '--login', '-c', 'rpmbuild -bb --target noarch --nodeps builddir/build/SPECS/foreman-selinux.spec']
Traceback (most recent call last):
  File "/usr/lib/python2.4/site-packages/mock/trace_decorator.py", line 70, in trace
    result = func(*args, **kw)
  File "/usr/lib/python2.4/site-packages/mock/util.py", line 324, in do
    raise mock.exception.Error, ("Command failed. See logs for output.\n # %s" % (command,), child.returncode)
Error: Command failed. See logs for output.
 # ['bash', '--login', '-c', 'rpmbuild -bb --target noarch --nodeps builddir/build/SPECS/foreman-selinux.spec']
"""

Going to move this to a later release as it isn't going to make 6.1.4.
Verified with Sat 6.1.4 compose9. Katello-installer succeeded. Please see the attached screenshot.

I tried the rhel7.2 build from beaker (RHEL-7.2-20151106.n.0):

[root@cloud-qe-14 ~]# semodule -l | grep foreman
foreman    1.7.2.16.1
[root@cloud-qe-14 ~]# rpm -qa | grep foreman-selinux
foreman-selinux-1.7.2.16-1.el7sat.noarch
Created attachment 1094883: installer completed successfully in enforcing mode
Moving this to verified as per the results of katello-installer with Sat 6.1.4 downstream compose9
This fix was delivered in 6.1.4 on 19 November in https://access.redhat.com/errata/RHBA-2015:2474.