Non-fatal POSTIN scriptlet failure in rpm package pulp-selinux-2.8.7.3-1.el7sat.noarch

Description of problem:
During a yum update from capsule:

Actualizando : pulp-selinux-2.8.7.3-1.el7sat.noarch 232/657
Failed to resolve roletype statement at /etc/selinux/targeted/tmp/modules/400/pulp-server/cil:2
/usr/sbin/semodule: Failed!
Failed to resolve roletype statement at /etc/selinux/targeted/tmp/modules/400/pulp-celery/cil:2
/usr/sbin/semodule: Failed!
Failed to resolve roletype statement at /etc/selinux/targeted/tmp/modules/400/pulp-streamer/cil:2
/usr/sbin/semodule: Failed!
libsemanage.semanage_read_policydb: Could not open kernel policy /etc/selinux/targeted/active/policy.kern for reading. (No such file or directory).
OSError: No such file or directory
warning: %post(pulp-selinux-2.8.7.3-1.el7sat.noarch) scriptlet failed, exit status 1
Non-fatal POSTIN scriptlet failure in rpm package pulp-selinux-2.8.7.3-1.el7sat.noarch

Version-Release number of selected component (if applicable):
6.2.3 -> 6.2.4

How reproducible:
I tried once

Steps to Reproduce:
1. yum update on capsule

Actual results:
yum errors regarding the package mentioned

Expected results:
no yum errors
# yum history info 32
Complementos cargados:langpacks, package_upload, product-id, search-disabled-repos, subscription-manager
ID de transacción : 32
Hora inicial : Thu Oct 27 18:33:47 2016
Rpmdb inicial : 706:4241ac606b798987153c4c14ed00edcb8bfb72a1
Hora final : 18:37:08 2016 (201 segundos)
Rpmdb final : 706:807eca281ff376e5791593690aa24b1fc6467de1
Usuario : root <root>
Codigo-obtenido : Exito
Línea de comando : update
Transacción realizada con:
    Actualizado rpm-4.11.3-17.el7.x86_64 @anaconda/7.2
    Actualizado subscription-manager-1.15.9-15.el7.x86_64 @anaconda/7.2
    Actualizado yum-3.4.3-132.el7.noarch @anaconda/7.2
    Instalado yum-metadata-parser-1.1.4-10.el7.x86_64 @anaconda/7.2
Paquetes modificados:
    Actualizado bind-32:9.9.4-29.el7_2.3.x86_64 @rhel-7-server-rpms
    Actualizar 32:9.9.4-29.el7_2.4.x86_64 @rhel-7-server-rpms
    Actualizado bind-libs-32:9.9.4-29.el7_2.3.x86_64 @rhel-7-server-rpms
    Actualizar 32:9.9.4-29.el7_2.4.x86_64 @rhel-7-server-rpms
    Actualizado bind-libs-lite-32:9.9.4-29.el7_2.3.x86_64 @rhel-7-server-rpms
    Actualizar 32:9.9.4-29.el7_2.4.x86_64 @rhel-7-server-rpms
    Actualizado bind-license-32:9.9.4-29.el7_2.3.noarch @rhel-7-server-rpms
    Actualizar 32:9.9.4-29.el7_2.4.noarch @rhel-7-server-rpms
    Actualizado bind-utils-32:9.9.4-29.el7_2.3.x86_64 @rhel-7-server-rpms
    Actualizar 32:9.9.4-29.el7_2.4.x86_64 @rhel-7-server-rpms
    Actualizado foreman-debug-1.11.0.53-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizar 1.11.0.54-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizado foreman-installer-katello-3.0.0.57-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizar 3.0.0.58-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizado katello-capsule-3.0.0-12.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizar 3.0.0-14.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizado katello-debug-3.0.0-12.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizar 3.0.0-14.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizado katello-installer-base-3.0.0.57-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizar 3.0.0.58-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizado katello-service-3.0.0-12.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizar 3.0.0-14.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Eliminar kernel-3.10.0-327.el7.x86_64 @anaconda/7.2
    Instalar kernel-3.10.0-327.36.3.el7.x86_64 @rhel-7-server-rpms
    Actualizado kernel-tools-3.10.0-327.36.1.el7.x86_64 @rhel-7-server-rpms
    Actualizar 3.10.0-327.36.3.el7.x86_64 @rhel-7-server-rpms
    Actualizado kernel-tools-libs-3.10.0-327.36.1.el7.x86_64 @rhel-7-server-rpms
    Actualizar 3.10.0-327.36.3.el7.x86_64 @rhel-7-server-rpms
    Actualizado libqpid-dispatch-0.4-13.el7sat.x86_64 @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizar 0.4-16.el7sat.x86_64 @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizado openssl-1:1.0.1e-51.el7_2.5.x86_64 @rhel-7-server-rpms
    Actualizar 1:1.0.1e-51.el7_2.7.x86_64 @rhel-7-server-rpms
    Actualizado openssl-libs-1:1.0.1e-51.el7_2.5.x86_64 @rhel-7-server-rpms
    Actualizar 1:1.0.1e-51.el7_2.7.x86_64 @rhel-7-server-rpms
    Actualizado pulp-docker-plugins-2.0.1.1-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizar 2.0.3-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizado pulp-puppet-plugins-2.8.3.3-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizar 2.8.7.1-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizado pulp-rpm-handlers-2.8.3.5-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizar 2.8.7.3-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizado pulp-rpm-plugins-2.8.3.5-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizar 2.8.7.3-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizado pulp-selinux-2.8.3.4-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizar 2.8.7.2-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizado pulp-server-2.8.3.4-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizar 2.8.7.2-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizado python-crane-2.0.0.2-2.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizar 2.0.2.1-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizado python-nectar-1.5.1-3.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizar 1.5.2-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizado python-perf-3.10.0-327.36.1.el7.x86_64 @rhel-7-server-rpms
    Actualizar 3.10.0-327.36.3.el7.x86_64 @rhel-7-server-rpms
    Actualizado python-pulp-agent-lib-2.8.3.4-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizar 2.8.7.2-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizado python-pulp-common-2.8.3.4-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizar 2.8.7.2-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizado python-pulp-docker-common-2.0.1.1-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizar 2.0.3-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizado python-pulp-oid_validation-2.8.3.4-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizar 2.8.7.2-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizado python-pulp-puppet-common-2.8.3.3-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizar 2.8.7.1-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizado python-pulp-repoauth-2.8.3.4-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizar 2.8.7.2-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizado python-pulp-rpm-common-2.8.3.5-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizar 2.8.7.3-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizado python-pulp-streamer-2.8.3.4-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizar 2.8.7.2-1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizado python-urllib3-1.10.2-2.el7_1.noarch @rhel-7-server-rpms
    Actualizar 1.10.2-3.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizado qpid-dispatch-router-0.4-13.el7sat.x86_64 @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizar 0.4-16.el7sat.x86_64 @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizado satellite-capsule-6.2.2-1.1.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizar 6.2.3-1.0.el7sat.noarch @rhel-7-server-satellite-capsule-6.2-rpms
    Actualizado tzdata-2016f-1.el7.noarch @rhel-7-server-rpms
    Actualizar 2016h-1.el7.noarch @rhel-7-server-rpms
history info
Then, reboot and:

# yum reinstall pulp-selinux

Otherwise, the capsule services will be up, but on the Satellite server there will be issues:

hammer> capsule content synchronization-status --id 2
Last sync: 2016/10/27 17:22:40
Estatus: 3 environment(s) can be synchronized: Library, DESA, PROD
Currently running sync tasks:

Last failure:
    Task id: 1fde5f37-a6a6-418f-a953-cbae425cf2fd
    Messages:
        Connection refused - connect(2) for "sixthsat2cap1.example.com" port 443
        Connection refused - connect(2) for "sixthsat2cap1.example.com" port 443
        Connection refused - connect(2) for "sixthsat2cap1.example.com" port 443
        Connection refused - connect(2) for "sixthsat2cap1.example.com" port 443
        Connection refused - connect(2) for "sixthsat2cap1.example.com" port 443

After reinstalling the rpm pulp-selinux, restart katello.
All 3 failures are all due to the same roletype not being found. Pulp's selinux policies do not require any roletypes directly so the failure has to be inside SELinux in something that is common to all 3 Pulp SELinux policies (pulp-server, pulp-streamer, pulp-celery). The one statement common to all of them[0][1][2] is the use of the "policy_module" interface which requires the system_r role. This is a very common, basic role in SELinux which tells me that SELinux on this system was very unhappy prior to installation of the pulp-selinux RPM.

So either this was an environmental problem or there is an issue with SELinux itself. On that basis I'm not going to clone it upstream since there is likely little Pulp could do to fix this.

The questions I have are:
- Is this reproducible?
- Is this somehow related to the RHEL 7.3 release? Was this system upgraded to 7.3 prior to installation?

[0]: https://github.com/pulp/pulp/blob/030efd459b53bb2e2f8ff0f815b79f485da49745/server/selinux/server/pulp-celery.te#L3
[1]: https://github.com/pulp/pulp/blob/a473ddffb18bab5ed224a40198bf4c7cfaed30cf/server/selinux/server/pulp-server.te#L3
[2]: https://github.com/pulp/pulp/blob/b9307f585323f0686092c26f36eb909e3ff40763/server/selinux/server/pulp-streamer.te#L3
> Failed to resolve roletype statement at
> /etc/selinux/targeted/tmp/modules/400/pulp-server/cil:2
> /usr/sbin/semodule: Failed!
> Failed to resolve roletype statement at
> /etc/selinux/targeted/tmp/modules/400/pulp-celery/cil:2
> /usr/sbin/semodule: Failed!
> Failed to resolve roletype statement at
> /etc/selinux/targeted/tmp/modules/400/pulp-streamer/cil:2
> /usr/sbin/semodule: Failed!

These messages refer to line 2 in the module files translated to cil:

$ /usr/libexec/selinux/hll/pp pulp-server.pp.targeted | head -n 2
(type pulp_cert_t)
(roletype object_r pulp_cert_t)

The statement on line 2 authorizes the object_r role to access the pulp_cert_t type and this is correct. All modules have similar statements. libsepol most likely can't resolve the object_r role in this statement as the type is defined above. And object_r is defined in the base module. So it looks like the module store is somehow broken.

> libsemanage.semanage_read_policydb: Could not open kernel policy
> /etc/selinux/targeted/active/policy.kern for reading. (No such file or
> directory).
> OSError: No such file or directory
> warning: %post(pulp-selinux-2.8.7.3-1.el7sat.noarch) scriptlet failed, exit
> status 1
> Non-fatal POSTIN scriptlet failure in rpm package
> pulp-selinux-2.8.7.3-1.el7sat.noarch

/etc/selinux/targeted/active/policy.kern is shipped by selinux-policy-targeted and is recreated every time the policy is rebuilt. If it's missing, something wrong has happened after the selinux-policy-targeted was unpackaged.

> How reproducible:
> i tried once

Can you reproduce it? If so, can you please describe specific steps or provide a system where it can be reproduced?
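
The two symptoms analysed in the comment above (a roletype that names a role the module does not declare, and a store without policy.kern or a base module) can be checked before semodule is run. This is an added example, not part of the original thread or of the pulp-selinux package; the function names and the store layout beyond the policy.kern path quoted in the thread are assumptions.

```sh
#!/bin/sh
# Added example, not code from the bug report or from pulp-selinux.
# Assumed store layout: <root>/active/policy.kern and
# <root>/active/modules/<priority>/<name>/ (root = /etc/selinux/targeted).

# external_roles CIL_FILE: print roles used in (roletype ROLE TYPE) that the
# module never declares with (role ROLE); another module must supply them.
external_roles() {
    tr '()' '\n\n' < "$1" | awk '
        $1 == "role"     { declared[$2] = 1 }
        $1 == "roletype" { used[$2] = 1 }
        END { for (r in used) if (!(r in declared)) print r }' | sort
}

# store_problems STORE_ROOT: print one line per defect, nothing when sane.
store_problems() {
    root=$1; have_base=no
    [ -s "$root/active/policy.kern" ] || echo "missing: active/policy.kern"
    for d in "$root"/active/modules/*/base; do
        if [ -d "$d" ]; then have_base=yes; fi
    done
    [ "$have_base" = yes ] || echo "missing: base module"
}

# preflight CIL_FILE STORE_ROOT: return 0 when the store looks sane;
# otherwise report the defects and the roles they leave unresolved, return 1.
preflight() {
    problems=$(store_problems "$2")
    if [ -z "$problems" ]; then return 0; fi
    echo "$problems" >&2
    for r in $(external_roles "$1"); do
        echo "role $r cannot resolve until the store is repaired" >&2
    done
    return 1
}

# Constructed sample: the two CIL lines quoted in the thread and two fake stores.
demo() {
    t=$(mktemp -d)
    printf '(type pulp_cert_t)\n(roletype object_r pulp_cert_t)\n' > "$t/mod.cil"
    mkdir -p "$t/broken/active/modules" "$t/ok/active/modules/100/base"
    echo constructed > "$t/ok/active/policy.kern"
    for s in broken ok; do
        if preflight "$t/mod.cil" "$t/$s" 2>/dev/null; then echo "$s: install"
        else echo "$s: repair store first"; fi
    done
    rm -rf "$t"
}
demo
```

On a real host the CIL input would come from the `/usr/libexec/selinux/hll/pp` command shown in the thread, with `/etc/selinux/targeted` as the store root.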
@Brian Bouterse

> - Is this reproducible?

Yes, I had another sat6 that I had not touched for some time, the one in my laptop.

> - Is this somehow related to the RHEL 7.3 release? Was this system upgraded to 7.3 prior to installation?

Yes, most likely it is. I saw that there were 7.3 packages, but since both sat6 are non-productive / high testing instances, I just tried. On production one might first update the OS, reboot and then update Sat6 packages, obviously.

Please ignore my comment #2, it was caused by an unrelated paused/pending task which I later fixed.
I do not have the file "pulp-server.pp.targeted"
I found it:

# /usr/libexec/selinux/hll/pp /usr/share/selinux/targeted/pulp-server.pp | head -n 2
(type pulp_cert_t)
(roletype object_r pulp_cert_t)
I don't know if this is relevant ... I'm getting a similar error on selinux policies generated using "sepolicy generate" and the RPMs it is generating don't include the requirement for "selinux-policy-targeted" which is definitely a requirement. I'm getting this error when I try installing the _selinux rpm before "selinux-policy-targeted". Again, I don't know if this is relevant.
Thank you for your interest in Satellite 6. We have evaluated this request, and we do not expect this to be implemented in the product in the foreseeable future. We are therefore closing this out as WONTFIX. If you have any concerns about this, please feel free to contact Rich Jerrido or Bryan Kearney. Thank you.