1392010 – selinux-policy-targeted: Error during rhel 7.3 Update

Bug 1392010 - selinux-policy-targeted: Error during rhel 7.3 Update

Summary: selinux-policy-targeted: Error during rhel 7.3 Update

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	7.3
Hardware:	x86_64
OS:	Linux
Priority:	urgent
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Lukas Vrabec
QA Contact:	Milos Malik
Docs Contact:	Mirek Jahoda
URL:
Whiteboard:
Duplicates (1):	1393952 (view as bug list)
Depends On:
Blocks:	1393045
TreeView+	depends on / blocked

Reported:	2016-11-04 15:05 UTC by Klaas Demter
Modified:	2019-12-16 07:18 UTC (History)
CC List:	12 users (show)
Fixed In Version:	selinux-policy-3.13.1-106.el7
Doc Type:	Bug Fix
Doc Text:	Cause: Update from rhel-7.2 (or older) to rhel-7.3 Consequence: Warnings and errors appeared during update Fix: policy-migration script is executed in %postinstall phase only if semanage tool exists on system. Result: Update from rhel-7.2 (or older) to rhel-7.3 is without errors or warning.
Clone Of:
Clones:	1393045 (view as bug list)
Environment:
Last Closed:	2017-08-01 15:17:42 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Knowledge Base (Solution)	2771001	0	None	None	None	2016-11-17 03:59:46 UTC
Red Hat Product Errata	RHBA-2017:1861	0	normal	SHIPPED_LIVE	selinux-policy bug fix update	2017-08-01 17:50:24 UTC

Description Klaas Demter 2016-11-04 15:05:22 UTC

Description of problem:
During the rhel 7.2 -> 7.3 update I encountered the following error:
  Updating   : selinux-policy-targeted-3.13.1-102.el7_3.4.noarch                                                                                             228/559 
warning: /etc/selinux/targeted/seusers created as /etc/selinux/targeted/seusers.rpmnew
‘/etc/selinux/targeted/modules/active/seusers’ -> ‘/etc/selinux/targeted/active/seusers.local’
/usr/libexec/selinux/selinux-policy-migrate-local-changes.sh: line 66: semanage: command not found
/usr/libexec/selinux/selinux-policy-migrate-local-changes.sh: line 66: semanage: command not found

my first guess would be that you use semanage in the post script but don't require it as a dependency.


Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-102.el7_3.4.noarch


How reproducible:
update to selinux-policy-targeted-3.13.1-102.el7_3.4.noarch without policycoreutils-python installed

Comment 3 Nikhil Dehadrai 2016-11-07 14:01:00 UTC

IPA server version: ipa-server-4.4.0-14.el7_3.x86_64

Noticed similar behavior while running upgrade tests for IPA server from 7.2.z to 7.3.up1.

Following errors were noticed:
  Updating   : selinux-policy-3.13.1-102.el7_3.4.noarch                  38/142 
  Updating   : selinux-policy-targeted-3.13.1-102.el7_3.4.noarch         39/142 
warning: /etc/selinux/targeted/seusers created as /etc/selinux/targeted/seusers.rpmnew
‘/etc/selinux/targeted/modules/active/booleans.local’ -> ‘/etc/selinux/targeted/active/booleans.local’
‘/etc/selinux/targeted/modules/active/seusers’ -> ‘/etc/selinux/targeted/active/seusers.local’
ERROR: policydb version 30 does not match my version range 15-29
ERROR: Unable to open policy //etc/selinux/targeted/policy/policy.30.
ERROR: policydb version 30 does not match my version range 15-29
ERROR: Unable to open policy //etc/selinux/targeted/policy/policy.30.
Traceback (most recent call last):
  File "/sbin/semanage", line 32, in <module>
    import seobject
  File "/usr/lib/python2.7/site-packages/seobject/__init__.py", line 27, in <module>
    import sepolicy
  File "/usr/lib64/python2.7/site-packages/sepolicy/__init__.py", line 798, in <module>
    raise e
ValueError: Failed to read //etc/selinux/targeted/policy/policy.30 policy file
Traceback (most recent call last):
  File "/sbin/semanage", line 32, in <module>
    import seobject
  File "/usr/lib/python2.7/site-packages/seobject/__init__.py", line 27, in <module>
    import sepolicy
  File "/usr/lib64/python2.7/site-packages/sepolicy/__init__.py", line 798, in <module>
    raise e
ValueError: Failed to read //etc/selinux/targeted/policy/policy.30 policy file
  Updating   : bind-dyndb-ldap-10.0-5.el7.x86_64                         40/142 
Enabling SELinux boolean named_write_master_zones
  Updating   : setools-libs-3.3.8-1.1.el7.x86_64                         41/142 
  Updating   : policycoreutils-python-2.5-9.el7.x86_64                   42/142 
  Installing : 389-ds-base-1.3.5.10-12.el7_3.x86_64                      43/142 


Also received crash mail:

Following is the backtrace

backtrace:
:__init__.py:798:<module>:ValueError: Failed to read //etc/selinux/targeted/policy/policy.30 policy file
:
:Traceback (most recent call last):
:  File "/sbin/semanage", line 32, in <module>
:    import seobject
:  File "/usr/lib/python2.7/site-packages/seobject/__init__.py", line 27, in <module>
:    import sepolicy
:  File "/usr/lib64/python2.7/site-packages/sepolicy/__init__.py", line 798, in <module>
:    raise e
:ValueError: Failed to read //etc/selinux/targeted/policy/policy.30 policy file
:
:Local variables in innermost frame:
:selinux_user_list: None
:fcdict: None
:selinux: None
:subprocess: None
:__path__: None
:get_transitions: None
:get_entrypoints: None
:get_login_mappings: None
:read_file_equiv: None
:SOURCE: None
:get_all_entrypoints: None
:get_all_modules: None
:policy: None
:file_types: None
:get_user_types: None
:AUDITALLOW: None
:ROLE_ALLOW: None
:__file__: None
:get_all_bools: None
:get_fcdict: None
:local_files: None
:get_all_entrypoint_domains: None
:find_file: None
:bools: None
:get_writable_files: None
:defaults: None
:SENS: None
:file_type_str: None
:get_file_types: None
:policy_file: None
:get_all_users: None
:methods: None
:get_local_file_paths: None
:DEFAULT_DIRS: None
:get_init_entrypoint_target: None
:USER: None
:NEVERALLOW: None
:all_domains: None
:PORT: None
:login_mappings: None
:DONTAUDIT: None
:PERMS: None
:re: None
:get_conditionals: None
:get_file_transitions: None
:__builtins__: {'bytearray': <type 'bytearray'>, 'IndexError': <type 'exceptions.IndexError'>, 'all': <built-in function all>, 'help': Type help() for interactive help, or help(object) for help about object., 'vars': <built-in function vars>, 'SyntaxError': <type 'exceptions.SyntaxError'>, 'unicode': <type 'unicode'>, 'UnicodeDecodeError': <type 'exceptions.UnicodeDecodeError'>, 'memoryview': <type 'memoryview'>, 'isinstance': <built-in function isinstance>, 'copyright': Copyright (c) 2001-2013 Python Software Foundation.
:All Rights Reserved.
:
:Copyright (c) 2000 BeOpen.com.
:All Rights Reserved.
:
:Copyright (c) 1995-2001 Corporation for National Research Initiatives.
:All Rights Reserved.
:
:Copyright (c) 1991-1995 Stichting Mathematisch Centrum, Amsterdam.
:All Rights Reserved., 'NameError': <type 'exceptions.NameError'>, 'BytesWarning': <type 'exceptions.BytesWarning'>, 'dict': <type 'dict'>, 'input': <built-in function input>, 'oct': <built-in function oct>, 'bin': <built-in function bin>, 'SystemExit': <type 'exceptions.SystemExit'>, 'StandardError': <type 'exceptions.StandardError'>, 'format': <built-in function format>, 'repr': <built-in function repr>, 'sorted': <built-in function sorted>, 'False': False, 'RuntimeWarning': <type 'exceptions.RuntimeWarning'>, 'list': <type 'list'>, 'iter': <built-in function iter>, 'reload': <built-in function reload>, 'Warning': <type 'exceptions.Warning'>, '__package__': None, 'round': <built-in function round>, 'dir': <built-in function dir>, 'cmp': <built-in function cmp>, 'set': <type 'set'>, 'bytes': <type 'str'>, 'reduce': <built-in function reduce>, 'intern': <built-in function intern>, 'issubclass': <built-in function issubclass>, 'Ellipsis': Ellipsis, 'EOFError': <type 'exceptions.EOFError'>, 'locals': <built-in function locals>, 'BufferError': <type 'exceptions.BufferError'>, 'slice': <type 'slice'>, 'FloatingPointError': <type 'exceptions.FloatingPointError'>, 'sum': <built-in function sum>, 'getattr': <built-in function getattr>, 'abs': <built-in function abs>, 'exit': Use exit() or Ctrl-D (i.e. EOF) to exit, 'print': <built-in function print>, 'True': True, 'FutureWarning': <type 'exceptions.FutureWarning'>, 'ImportWarning': <type 'exceptions.ImportWarning'>, 'None': None, 'hash': <built-in function hash>, 'ReferenceError': <type 'exceptions.ReferenceError'>, 'len': <built-in function len>, 'credits':     Thanks to CWI, CNRI, BeOpen.com, Zope Corporation and a cast of thousands
:    for supporting Python development.  See www.python.org for more information., 'frozenset': <type 'frozenset'>, '__name__': '__builtin__', 'ord': <built-in function ord>, 'super': <type 'super'>, '_': <bound method GNUTranslations.ugettext of <gettext.GNUTranslations instance at 0x16fac20>>, 'TypeError': <type 'exceptions.TypeError'>, 'license': See http://www.python.org/2.7/license.html, 'KeyboardInterrupt': <type 'exceptions.KeyboardInterrupt'>, 'UserWarning': <type 'exceptions.UserWarning'>, 'filter': <built-in function filter>, 'range': <built-in function range>, 'staticmethod': <type 'staticmethod'>, 'SystemError': <type 'exceptions.SystemError'>, 'BaseException': <type 'exceptions.BaseException'>, 'pow': <built-in function pow>, 'RuntimeError': <type 'exceptions.RuntimeError'>, 'float': <type 'float'>, 'MemoryError': <type 'exceptions.MemoryError'>, 'StopIteration': <type 'exceptions.StopIteration'>, 'globals': <built-in function globals>, 'divmod': <built-in function divmod>, 'enumerate': <type 'enumerate'>, 'apply': <built-in function apply>, 'LookupError': <type 'exceptions.LookupError'>, 'open': <built-in function open>, 'quit': Use quit() or Ctrl-D (i.e. EOF) to exit, 'basestring': <type 'basestring'>, 'UnicodeError': <type 'exceptions.UnicodeError'>, 'zip': <built-in function zip>, 'hex': <built-in function hex>, 'long': <type 'long'>, 'next': <built-in function next>, 'ImportError': <type 'exceptions.ImportError'>, 'chr': <built-in function chr>, 'xrange': <type 'xrange'>, 'type': <type 'type'>, '__doc__': "Built-in functions, exceptions, and other objects.\n\nNoteworthy: None is the `nil' object; Ellipsis represents `...' in slices.", 'Exception': <type 'exceptions.Exception'>, 'tuple': <type 'tuple'>, 'UnicodeTranslateError': <type 'exceptions.UnicodeTranslateError'>, 'reversed': <type 'reversed'>, 'UnicodeEncodeError': <type 'exceptions.UnicodeEncodeError'>, 'IOError': <type 'exceptions.IOError'>, 'hasattr': <built-in function hasattr>, 'delattr': <built-in function delattr>, 'setattr': <built-in function setattr>, 'raw_input': <built-in function raw_input>, 'SyntaxWarning': <type 'exceptions.SyntaxWarning'>, 'compile': <built-in function compile>, 'ArithmeticError': <type 'exceptions.ArithmeticError'>, 'str': <type 'str'>, 'property': <type 'property'>, 'GeneratorExit': <type 'exceptions.GeneratorExit'>, 'int': <type 'int'>, '__import__': <built-in function __import__>, 'KeyError': <type 'exceptions.KeyError'>, 'coerce': <built-in function coerce>, 'PendingDeprecationWarning': <type 'exceptions.PendingDeprecationWarning'>, 'file': <type 'file'>, 'EnvironmentError': <type 'exceptions.EnvironmentError'>, 'unichr': <built-in function unichr>, 'id': <built-in function id>, 'OSError': <type 'exceptions.OSError'>, 'DeprecationWarning': <type 'exceptions.DeprecationWarning'>, 'min': <built-in function min>, 'UnicodeWarning': <type 'exceptions.UnicodeWarning'>, 'execfile': <built-in function execfile>, 'any': <built-in function any>, 'complex': <type 'complex'>, 'bool': <type 'bool'>, 'ValueError': <type 'exceptions.ValueError'>, 'NotImplemented': NotImplemented, 'map': <built-in function map>, 'buffer': <type 'buffer'>, 'max': <built-in function max>, 'object': <type 'object'>, 'TabError': <type 'exceptions.TabError'>, 'callable': <built-in function callable>, 'ZeroDivisionError': <type 'exceptions.ZeroDivisionError'>, 'eval': <built-in function eval>, '__debug__': True, 'IndentationError': <type 'exceptions.IndentationError'>, 'AssertionError': <type 'exceptions.AssertionError'>, 'classmethod': <type 'classmethod'>, 'UnboundLocalError': <type 'exceptions.UnboundLocalError'>, 'NotImplementedError': <type 'exceptions.NotImplementedError'>, 'AttributeError': <type 'exceptions.AttributeError'>, 'OverflowError': <type 'exceptions.OverflowError'>}
:interfaces: None
:get_all_roles: None
:mls_range: None
:__name__: None
:portrecsbynum: None
:search: None
:file_equiv: None
:get_all_file_types: None
:prettyprint: None
:ATTRIBUTE: None
:_policy: None
:get_installed_policy: None
:gen_port_dict: None
:os: None
:all_types: None
:find_all_files: None
:PROGNAME: None
:get_all_domains: None
:get_file_equiv_modified: None
:get_boolean_rules: None
:get_all_port_types: None
:port_types: None
:gen_interfaces: None
:get_all_modules_from_mod_lst: None
:__doc__: None
:file_equiv_modified: None
:get_types_from_attribute: None
:get_all_attributes: None
:get_all_role_allows: None
:info: None
:TARGET: None
:roles: None
:all_attributes: None
:TRANSITION: None
:role_allows: None
:BOOLEAN: None
:mls_cmp: None
:TYPE: None
:get_methods: None
:get_mls_range: None
:get_init_transtype: None
:portrecs: None
:get_conditionals_format_text: None
:gettext: None
:__package__: None
:TCLASS: None
:CLASS: None
:find_entrypoint_path: None
:trans_file_type_str: None
:get_transitions_into: None
:users: None
:glob: None
:get_entrypoint_types: None
:sys: None
:get_file_equiv: None
:get_init_entrypoint: None
:ALLOW: None
:get_selinux_users: None
:get_description: None
:e: None
:markup: None
:get_all_types: None
:CATS: None
:ROLE: None
:user_types: None

Comment 6 Petr Lautrbach 2016-11-07 16:08:20 UTC

(In reply to Nikhil Dehadrai from comment #3)
> IPA server version: ipa-server-4.4.0-14.el7_3.x86_64
> 
> Noticed similar behavior while running upgrade tests for IPA server from
> 7.2.z to 7.3.up1.


This is most likely a different issue. Apparently you have /sbin/semanage installed on your system. Please file a new bug.

Comment 7 Petr Lautrbach 2016-11-07 17:47:11 UTC

The reported error message is probably harmless and it most likely doesn't break an update translation. But it's definitely wrong.

I would suggest to fix the migrate script instead of adding new requirements to selinux-policy:

--- a/selinux-policy-migrate-local-changes.sh
+++ b/selinux-policy-migrate-local-changes.sh
@@ -63,6 +63,8 @@ if [ $REBUILD = 1 ]; then
     semodule -B -n -s $MIGRATE_SELINUXTYPE
     if [ "$MIGRATE_SELINUXTYPE" = "$SELINUXTYPE" ] && selinuxenabled; then
         load_policy
-        semanage export | semanage import
+        if [ -x /usr/sbin/semanage ]; then
+            /usr/sbin/semanage export | /usr/sbin/semanage import
+        fi
     fi
 fi

This part of script is important for Atomic images where updates are done offline and where migrated local changes need to be imported. It doesn't have any real effect on live systems as all the changes are already loaded in kernel.

Comment 10 Klaas Demter 2016-11-08 08:51:20 UTC

(In reply to Petr Lautrbach from comment #6)
> (In reply to Nikhil Dehadrai from comment #3)
> > IPA server version: ipa-server-4.4.0-14.el7_3.x86_64
> > 
> > Noticed similar behavior while running upgrade tests for IPA server from
> > 7.2.z to 7.3.up1.
> 
> 
> This is most likely a different issue. Apparently you have /sbin/semanage
> installed on your system. Please file a new bug.

/sbin is a link to /usr/sbin on rhel7 :)

Comment 13 Alexander Chuzhoy 2016-11-08 16:35:30 UTC

Reproduce.
Test blocker.

Comment 15 Petr Lautrbach 2016-11-10 20:11:28 UTC

*** Bug 1393952 has been marked as a duplicate of this bug. ***

Comment 16 Zdenek Pytela 2016-12-07 08:02:35 UTC

Please also note a similar issue can happen with semodule command on line 48 of the same script. The semodule binary is part of the policycoreutils package which is also not mandatory part of a rhel install. Maybe this one is just less likely.

Comment 17 Petr Lautrbach 2016-12-12 13:07:49 UTC

(In reply to Zdenek Pytela from comment #16)
> Please also note a similar issue can happen with semodule command on line 48
> of the same script. The semodule binary is part of the policycoreutils
> package which is also not mandatory part of a rhel install. Maybe this one
> is just less likely.

I don't think it's a case. selinux-policy-targeted requires policycoreutils to be installed:

$ rpm -q --requires selinux-policy-targeted
...
policycoreutils >= 2.5

Comment 20 errata-xmlrpc 2017-08-01 15:17:42 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861

Note You need to log in before you can comment on or make changes to this bug.