1314223 – openstack-selinux >= 0.6.52 does not set booleans in %post

Bug 1314223 - openstack-selinux >= 0.6.52 does not set booleans in %post

Summary: openstack-selinux >= 0.6.52 does not set booleans in %post

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-selinux
Sub Component:
Version:	7.0 (Kilo)
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	high
Target Milestone:	---
Target Release:	8.0 (Liberty)
Assignee:	Ryan Hallisey
QA Contact:	Udi Shkalim
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-03-03 09:04 UTC by Javier Peña
Modified:	2016-03-07 16:52 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-03-07 16:52:43 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Javier Peña 2016-03-03 09:04:39 UTC

Description of problem:
Installing openstack-selinux >= 0.6.52 on a RHEL 7 system fails to set the SELinux booleans specified in %post.

Version-Release number of selected component (if applicable):
Seen in openstack-selinux between 0.6.52 and 0.6.55

How reproducible:
Always

Steps to Reproduce:
1. yum install openstack-selinux
2. getsebool httpd_can_network_connect

Actual results:
off

Expected results:
Should be on, according to the package spec

Additional info:
In general, the post-installation step seems to happen much faster than with previous versions, which looks like something is silently failing there.

Comment 5 Lon Hohberger 2016-03-07 14:29:18 UTC

This doesn't reproduce for me with 0.6.55.  Install on a clean environment correctly sets httpd_can_network_connect and other booleans.

Comment 6 Lon Hohberger 2016-03-07 14:34:28 UTC

Some time recently, we reverted a change to rabbitmq-server.spec to remove an explicit dependency on openstack-selinux - could this have been what exposed this?

It's incorrect/inappropriate for RPMs to require openstack-selinux (or selinux-policy), as SELinux usage, while encouraged, is optional.  Thus, installers such as packstack/OSP director should install openstack-selinux pretty early on.

Comment 7 Ryan Hallisey 2016-03-07 14:59:28 UTC

I'm also not seeing an issue in my env.  Maybe packstack might not be explicitly installing openstack-selinux as lon suggested?

Comment 8 Javier Peña 2016-03-07 16:16:50 UTC

I think I know where the issue comes from. I tested it on RHEL 7.1 and managed to reproduce the issue, but it worked fine on RHEL 7.2. On 7.1, post-install complained with:

libsepol.print_missing_requirements: os-ovs's global requirements were not met: type/attribute ovsdb_port_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
ValueError: Could not commit semanage transaction
Boolean os_nova_use_execmem is not defined
Boolean os_neutron_use_execmem is not defined
Boolean os_swift_use_execmem is not defined
Boolean os_keystone_use_execmem is not defined

It looks like this openstack-selinux version relies on something that is only provided by RHEL 7.2 packages. If it is only meant to be supported on 7.2+, we can close as NOTABUG.

Comment 9 Lon Hohberger 2016-03-07 16:52:43 UTC

We only support RHEL 7.2 as of November...

Note You need to log in before you can comment on or make changes to this bug.