Red Hat Bugzilla – Bug 1314223
openstack-selinux >= 0.6.52 does not set booleans in %post
Last modified: 2016-03-07 11:52:43 EST
Description of problem:
Installing openstack-selinux >= 0.6.52 on a RHEL 7 system fails to set the SELinux booleans specified in %post.
Version-Release number of selected component (if applicable):
Seen in openstack-selinux between 0.6.52 and 0.6.55
Steps to Reproduce:
1. yum install openstack-selinux
2. getsebool httpd_can_network_connect
Should be on, according to the package spec
In general, the post-installation step seems to happen much faster than with previous versions, which looks like something is silently failing there.
This doesn't reproduce for me with 0.6.55. Install on a clean environment correctly sets httpd_can_network_connect and other booleans.
Some time recently, we reverted a change to rabbitmq-server.spec to remove an explicit dependency on openstack-selinux - could this have been what exposed this?
It's incorrect/inappropriate for RPMs to require openstack-selinux (or selinux-policy), as SELinux usage, while encouraged, is optional. Thus, installers such as packstack/OSP director should install openstack-selinux pretty early on.
I'm also not seeing an issue in my env. Maybe packstack might not be explicitly installing openstack-selinux as lon suggested?
I think I know where the issue comes from. I tested it on RHEL 7.1 and managed to reproduce the issue, but it worked fine on RHEL 7.2. On 7.1, post-install complained with:
libsepol.print_missing_requirements: os-ovs's global requirements were not met: type/attribute ovsdb_port_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
ValueError: Could not commit semanage transaction
Boolean os_nova_use_execmem is not defined
Boolean os_neutron_use_execmem is not defined
Boolean os_swift_use_execmem is not defined
Boolean os_keystone_use_execmem is not defined
It looks like this openstack-selinux version relies on something that is only provided by RHEL 7.2 packages. If it is only meant to be supported on 7.2+, we can close as NOTABUG.
We only support RHEL 7.2 as of November...
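
Added example, not part of the bug report or of the openstack-selinux package: a shell triage of captured %post scriptlet output, reporting which policy type the base policy lacked and which booleans were left undefined. The function names are hypothetical, and the sample log is the RHEL 7.1 output quoted in this report.

```shell
#!/bin/sh
# Added example: triage captured %post output from an SELinux policy package.
# SAMPLE_LOG is the scriptlet output quoted in this report (RHEL 7.1 case).
SAMPLE_LOG="libsepol.print_missing_requirements: os-ovs's global requirements were not met: type/attribute ovsdb_port_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
ValueError: Could not commit semanage transaction
Boolean os_nova_use_execmem is not defined
Boolean os_neutron_use_execmem is not defined
Boolean os_swift_use_execmem is not defined
Boolean os_keystone_use_execmem is not defined"

# Print "module:type" for each requirement the installed base policy lacked.
missing_requirements() {
    sed -n "s/^libsepol\.print_missing_requirements: \(.*\)'s global requirements were not met: type\/attribute \([A-Za-z0-9_]*\).*/\1:\2/p"
}

# Print the names of booleans reported as not defined.
undefined_booleans() {
    sed -n 's/^Boolean \([A-Za-z0-9_]*\) is not defined$/\1/p'
}

# Return 0 when the log shows no policy load errors, 1 otherwise.
triage_post_log() {
    log=$1
    reqs=$(printf '%s\n' "$log" | missing_requirements)
    bools=$(printf '%s\n' "$log" | undefined_booleans)
    failed=0
    if printf '%s\n' "$log" | grep -q 'Could not commit semanage transaction'; then
        echo "FAIL: semanage transaction was not committed"
        failed=1
    fi
    for r in $reqs; do
        echo "  module ${r%%:*} requires type ${r#*:}, absent from the base policy"
        failed=1
    done
    for b in $bools; do
        echo "  boolean $b is not defined in the loaded policy"
        failed=1
    done
    [ "$failed" -eq 0 ] && echo "OK: no policy load errors in log"
    return "$failed"
}

# Demonstration on the sample; "|| true" keeps the script's exit status clean.
triage_post_log "$SAMPLE_LOG" || true
```

Because RPM scriptlet failures like this do not abort the install, feeding the saved yum output through such a check is one way to catch the silent failure described in this report.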