Bug 1314223 - openstack-selinux >= 0.6.52 does not set booleans in %post
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 7.0 (Kilo)
Priority: urgent
Severity: high
Target Release: 8.0 (Liberty)
Assigned To: Ryan Hallisey
QA Contact: Udi Shkalim
Reported: 2016-03-03 04:04 EST by Javier Peña
Modified: 2016-03-07 11:52 EST
Doc Type: Bug Fix
Last Closed: 2016-03-07 11:52:43 EST
Type: Bug

Description Javier Peña 2016-03-03 04:04:39 EST
Description of problem:
Installing openstack-selinux >= 0.6.52 on a RHEL 7 system fails to set the SELinux booleans specified in %post.

Version-Release number of selected component (if applicable):
Seen in openstack-selinux between 0.6.52 and 0.6.55

How reproducible:

Steps to Reproduce:
1. yum install openstack-selinux
2. getsebool httpd_can_network_connect

Actual results:

Expected results:
Should be on, according to the package spec

Additional info:
In general, the post-installation step seems to happen much faster than with previous versions, which looks like something is silently failing there.
Comment 5 Lon Hohberger 2016-03-07 09:29:18 EST
This doesn't reproduce for me with 0.6.55.  Install on a clean environment correctly sets httpd_can_network_connect and other booleans.
Comment 6 Lon Hohberger 2016-03-07 09:34:28 EST
Some time recently, we reverted a change to rabbitmq-server.spec to remove an explicit dependency on openstack-selinux - could this have been what exposed this?

It's incorrect/inappropriate for RPMs to require openstack-selinux (or selinux-policy), as SELinux usage, while encouraged, is optional.  Thus, installers such as packstack/OSP director should install openstack-selinux pretty early on.
Comment 7 Ryan Hallisey 2016-03-07 09:59:28 EST
I'm also not seeing an issue in my env.  Maybe packstack might not be explicitly installing openstack-selinux as Lon suggested?
Comment 8 Javier Peña 2016-03-07 11:16:50 EST
I think I know where the issue comes from. I tested it on RHEL 7.1 and managed to reproduce the issue, but it worked fine on RHEL 7.2. On 7.1, post-install complained with:

libsepol.print_missing_requirements: os-ovs's global requirements were not met: type/attribute ovsdb_port_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
ValueError: Could not commit semanage transaction
Boolean os_nova_use_execmem is not defined
Boolean os_neutron_use_execmem is not defined
Boolean os_swift_use_execmem is not defined
Boolean os_keystone_use_execmem is not defined

It looks like this openstack-selinux version relies on something that is only provided by RHEL 7.2 packages. If it is only meant to be supported on 7.2+, we can close as NOTABUG.
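
The failure signature quoted in comment 8, as an added example that is not part of the original bug report or of openstack-selinux: a shell function that scans captured %post output for the missing policy type, the failed semanage commit and the undefined booleans. The function name `scan_post_log` and its output record format are assumptions of this example; the sample input is the text quoted in the comment above.

```shell
#!/bin/sh
# Added example: scan captured RPM %post output for the SELinux failure
# signatures quoted in comment 8. The function name and the output record
# format are assumptions of this example.

# Sample input: the messages quoted in comment 8 of this bug.
SAMPLE_POST_LOG="libsepol.print_missing_requirements: os-ovs's global requirements were not met: type/attribute ovsdb_port_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
ValueError: Could not commit semanage transaction
Boolean os_nova_use_execmem is not defined
Boolean os_neutron_use_execmem is not defined
Boolean os_swift_use_execmem is not defined
Boolean os_keystone_use_execmem is not defined"

# Reads scriptlet output on stdin. Prints one record per finding and
# returns 1 if any finding is present, 0 otherwise.
scan_post_log() {
    awk '
    # A policy module requires a type or attribute the installed policy lacks.
    /^libsepol\.print_missing_requirements:/ {
        module = $2
        sub("\047s$", "", module)   # strip the trailing possessive
        for (i = 3; i <= NF; i++)
            if ($i == "type/attribute") {
                print "missing-type " module " " $(i + 1)
                bad = 1
            }
    }
    # The semanage transaction could not be committed.
    /Could not commit semanage transaction/ { print "commit-failed"; bad = 1 }
    # A boolean the scriptlet tried to set is not defined in the policy.
    /^Boolean .* is not defined$/ { print "undefined-boolean " $2; bad = 1 }
    END { exit bad + 0 }
    '
}

if printf '%s\n' "$SAMPLE_POST_LOG" | scan_post_log; then
    echo "no SELinux policy errors found in %post output"
else
    echo "SELinux policy errors found in %post output" >&2
fi
```
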
Comment 9 Lon Hohberger 2016-03-07 11:52:43 EST
We only support RHEL 7.2 as of November...
