Bug 1414797 - foreman-selinux in 6.2 lacks elasticsearch removal
Summary: foreman-selinux in 6.2 lacks elasticsearch removal
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: SELinux
Version: 6.2.7
Hardware: Unspecified
OS: Unspecified
Target Milestone: Unspecified
Assignee: Lukas Zapletal
QA Contact: Lukas Pramuk
URL: http://projects.theforeman.org/issues...
Whiteboard:
Depends On:
Blocks: 1417137
Reported: 2017-01-19 13:30 UTC by Lukas Pramuk
Modified: 2019-09-26 14:48 UTC (History)

Fixed In Version: foreman-selinux-1.11.0.4-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1417137
Environment:
Last Closed: 2017-03-06 15:12:16 UTC
Target Upstream Version:




Links
System: Foreman Issue Tracker, ID: 13014, Private: 0, Priority: None, Status: None, Summary: None, Last Updated: 2017-01-19 15:06:20 UTC

Description Lukas Pramuk 2017-01-19 13:30:54 UTC
Description of problem:
foreman-selinux is conflicting with container-selinux
If you install foreman-selinux first, the container-selinux module load fails, and vice versa: if you install container-selinux first, the foreman-selinux module load fails.

Version-Release number of selected component (if applicable):
@Sat6.2.7
(generally all Sat versions, but let's stick to 6.2)
foreman-selinux-1.11.0.2-1.el7sat

How reproducible:
Always on RHEL7.3

Steps to Reproduce:
1. Install docker (with its container-selinux)
2. Install Satellite (with its foreman-selinux)

# yum install foreman-selinux
...

Re-declaration of type docker_port_t
Failed to create node
Bad type declaration at /etc/selinux/targeted/tmp/modules/400/foreman/cil:27
OSError: Error
ValueError: Type elasticsearch_port_t is invalid, must be a port type
warning: %post(foreman-selinux-1.11.0.2-1.el7sat.noarch) scriptlet failed, exit status 1
Non-fatal POSTIN scriptlet failure in rpm package foreman-selinux-1.11.0.2-1.el7sat.noarch

# semanage fcontext -l | grep foreman
/opt/theforeman/tfm/root = /

>>> all? most? of the foreman SELinux types are missing due to the conflict


Actual results:
conflicting SELinux modules

Expected results:
modules are able to coexist

Comment 1 Lukas Pramuk 2017-01-19 13:35:52 UTC
Also please notice that the Sat6.2 SELinux module tries to mess with elasticsearch_port_t, which was removed in 6.2.

Comment 3 Lukas Zapletal 2017-01-19 14:20:53 UTC
We need to backport the elastic policy removal; since upstream we split foreman-selinux into a separate katello-selinux project, the patch must be manual.

http://projects.theforeman.org/issues/13014

Submitting patch:

https://gitlab.sat.lab.tlv.redhat.com/satellite6/foreman-selinux/merge_requests/24

Comment 5 Lukas Pramuk 2017-01-19 14:43:27 UTC
We got two issues in one BZ; going to create a new BZ for the original issue in comment #0.
This BZ will track elasticsearch_port_t removal as mentioned in comment#1.

(since the patch is already linked to this BZ#)

Comment 6 pm-sat@redhat.com 2017-01-19 17:15:50 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/13014 has been resolved.

Comment 7 Sachin Ghai 2017-02-09 11:15:23 UTC
While performing an upgrade from 6.1.11 -> 6.2.8, we got the errors below after "yum update -y":

[server] out: warning: /etc/pulp/repo_auth.conf created as /etc/pulp/repo_auth.conf.rpmnew
[server] out: libsepol.context_from_record: type elasticsearch_port_t is not defined (No such file or directory).
[server] out: libsepol.context_from_record: could not create context structure (Invalid argument).
[server] out: libsepol.port_from_record: could not create port structure for range 9200:9300 (tcp) (Invalid argument).
[server] out: libsepol.sepol_port_modify: could not load port range 9200 - 9300 (tcp) (Invalid argument).
[server] out: libsemanage.dbase_policydb_modify: could not modify record value (Invalid argument).
[server] out: libsemanage.semanage_base_merge_components: could not merge local modifications into policy (Invalid argument).
[server] out: OSError: Invalid argument


@Lzap: are these errors related to this bug?

Comment 8 Sachin Ghai 2017-02-13 13:35:07 UTC
A similar error appears while updating the capsule 6.1 -> 6.2.8 snap2.

Comment 9 Lukas Zapletal 2017-02-15 13:25:40 UTC
Yes, this is relevant. Sachin, when do you experience this? During the yum transaction of some package upgrade? Pulp restart?

Can you email me credentials to upgraded instance and reproducer steps? I can't tell what is wrong here, looks like something in pulp policy (but I don't see anything there).

Comment 10 Sachin Ghai 2017-02-17 13:06:30 UTC
Hey, getting these errors during the yum transaction and with the package upgrade.

I just upgraded sat6.1.11 -> 6.2.8 and it appears during the "yum update -y" step.

I'll share the setup.

Comment 11 Lukas Zapletal 2017-02-20 13:27:36 UTC
Sachin, I don't know about the warning message, but verification steps are:

yum -y install setools-console policycoreutils-python policycoreutils selinux-policy-devel

Check there is no elastic search user definition:

/usr/sbin/semanage port -E
port -a -t docker_port_t -p tcp 2375-2376

(No elasticsearch must be present).

Check there is no definition of the port:

sesearch -t elasticsearch_port_t --all

(Must not find it). That's it.

Comment 12 Lukas Pramuk 2017-02-21 12:20:39 UTC
During the upgrade from a clean Sat6.1.11 to 6.2.8:

# semanage port -E
port -a -t docker_port_t -p tcp 2375-2376
port -a -t elasticsearch_port_t -p tcp 9200-9300

# yum upgrade
...

  Updating   : foreman-selinux-1.11.0.3-2.el7sat.noarch                                   16/438
libsepol.context_from_record: type elasticsearch_port_t is not defined (No such file or directory).
libsepol.context_from_record: could not create context structure (Invalid argument).
libsepol.port_from_record: could not create port structure for range 9200:9300 (tcp) (Invalid argument).
libsepol.sepol_port_modify: could not load port range 9200 - 9300 (tcp) (Invalid argument).
libsemanage.dbase_policydb_modify: could not modify record value (Invalid argument).
libsemanage.semanage_base_merge_components: could not merge local modifications into policy (Invalid argument).
OSError: Invalid argument
  Installing : katello-selinux-3.0.1.2-1.el7sat.noarch                                    17/438
...

# semanage port -E
port -a -t docker_port_t -p tcp 2375-2376

>>> elasticsearch is removed but with errors

>>> unless we know what is going on here during the package upgrade, we had better fail this BZ

Comment 13 Lukas Zapletal 2017-02-21 13:12:17 UTC
During the upgrade we call the foreman-selinux-enable script.

It looks like the upgrade was successful, but we see some errors when this script is run. Please run this BEFORE the upgrade:

0) Run foreman-selinux-enable 

Please check this after upgrade:

1) Check if foreman SELinux policy is loaded

If it's loaded, then the upgrade was successful.

Additionally check this:

2) Run foreman-selinux-disable
3) Run foreman-selinux-enable 

Please ping me if you are able to reproduce the error messages or when foreman policy is not loaded.

Comment 14 Lukas Pramuk 2017-02-21 14:09:49 UTC
@Sat6.1.11

# rpm -Uvh --noscripts foreman-selinux-1.11.0.3-2.el7sat.noarch.rpm
Preparing...                          ################################# [100%]
Updating / installing...
   1:foreman-selinux-1.11.0.3-2.el7sat################################# [ 50%]
Cleaning up / removing...
   2:foreman-selinux-1.7.2.16-1.el7sat################################# [100%]

# foreman-selinux-enable
libsepol.context_from_record: type elasticsearch_port_t is not defined (No such file or directory).
libsepol.context_from_record: could not create context structure (Invalid argument).
libsepol.port_from_record: could not create port structure for range 9200:9300 (tcp) (Invalid argument).
libsepol.sepol_port_modify: could not load port range 9200 - 9300 (tcp) (Invalid argument).
libsemanage.dbase_policydb_modify: could not modify record value (Invalid argument).
libsemanage.semanage_base_merge_components: could not merge local modifications into policy (Invalid argument).
OSError: Invalid argument

So the problem is with /usr/sbin/foreman-selinux-enable being run in the %postin script.

Comment 15 Lukas Pramuk 2017-02-21 14:15:39 UTC
After the upgrade the module is loaded:
# semodule -l |grep foreman
foreman 1.7.2.16.1

Comment 16 Lukas Pramuk 2017-02-21 14:26:08 UTC
Aha, the old 6.1 module is still loaded.

Comment 17 Lukas Pramuk 2017-02-21 14:48:50 UTC
# semodule -l |grep foreman
foreman 1.7.2.16.1

# yum upgrade foreman-selinux-1.11.0.3-2.el7sat.noarch.rpm 

======================================================================================================================================
 Package                    Arch              Version                      Repository                                            Size
======================================================================================================================================
Updating:
 foreman-selinux            noarch            1.11.0.3-2.el7sat            /foreman-selinux-1.11.0.3-2.el7sat.noarch             78 k

Transaction Summary
======================================================================================================================================
Upgrade  1 Package

Total size: 78 k
Is this ok [y/d/N]: y
Warning: RPMDB altered outside of yum.
libsepol.context_from_record: type elasticsearch_port_t is not defined (No such file or directory).
libsepol.context_from_record: could not create context structure (Invalid argument).
libsepol.port_from_record: could not create port structure for range 9200:9300 (tcp) (Invalid argument).
libsepol.sepol_port_modify: could not load port range 9200 - 9300 (tcp) (Invalid argument).
libsemanage.dbase_policydb_modify: could not modify record value (Invalid argument).
libsemanage.semanage_base_merge_components: could not merge local modifications into policy (Invalid argument).
OSError: Invalid argument

Updated:
  foreman-selinux.noarch 0:1.11.0.3-2.el7sat                                                                                          

# semodule -l |grep foreman
foreman 1.7.2.16.1

>>> foreman-selinux fails to upgrade selinux module

Comment 20 Lukas Pramuk 2017-02-27 22:29:25 UTC
VERIFIED.

@satellite-6.2.8-4.0.el7sat.noarch
foreman-selinux-1.11.0.4-1.el7sat.noarch

by manual reproducer:

1. Check situation before the upgrade

# semodule -l | grep foreman
foreman	1.7.2.16.1

# semanage port -E
port -a -t docker_port_t -p tcp 2375-2376
port -a -t elasticsearch_port_t -p tcp 9200-9300


2. Upgrade SAT 6.1.11 > 6.2.8

# yum update
...
  Updating   : foreman-selinux-1.11.0.4-1.el7sat.noarch                                                          13/438 
  Installing : katello-selinux-3.0.1.2-1.el7sat.noarch                                                           14/438 


3. Check situation after the upgrade

# semodule -l | grep foreman
foreman	1.11.0.4

# semanage port -E
port -a -t docker_port_t -p tcp 2375-2376

>>> elasticsearch_port_t definition is removed
>>> foreman selinux module was upgraded successfully (no warnings/errors during upgrade)
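The two checks that comments 11 and 20 run by hand (is a port customization still referencing a type the policy no longer defines, and which foreman module version is loaded) can be scripted. The script below is an added example written for this page, not code from the bug, from foreman-selinux or from Satellite. It works only on text: the `semanage port -E`, `seinfo -t` and `semodule -l` outputs are constructed samples embedded in the script (the type list in particular is invented and deliberately omits elasticsearch_port_t); on a real host you would feed the live output of those three commands into the same two functions.

```shell
#!/bin/sh
# Added example for the verification steps in comments 11 and 20. Not code from
# the bug, from foreman-selinux or from Satellite; it only parses the text those
# tools print. Two checks:
#   1. does any local port customization (a "port -a -t <type> ..." record from
#      `semanage port -E`) name a port type the loaded policy does not define?
#      That is the state that makes foreman-selinux-enable abort with
#      "type elasticsearch_port_t is not defined";
#   2. which version of the foreman module does `semodule -l` report?

# Constructed sample: `semanage port -E` output before the 6.1.11 -> 6.2.8
# upgrade (comment 20, step 1) and after it (step 3).
SAMPLE_EXPORT_BEFORE='port -a -t docker_port_t -p tcp 2375-2376
port -a -t elasticsearch_port_t -p tcp 9200-9300'
SAMPLE_EXPORT_AFTER='port -a -t docker_port_t -p tcp 2375-2376'

# Constructed (invented) sample of port types the upgraded policy defines; on a
# real host take the list from `seinfo -t` (setools-console, comment 11).
# elasticsearch_port_t is deliberately absent, as after foreman-selinux 1.11.0.4.
SAMPLE_POLICY_TYPES='docker_port_t
http_port_t
postgresql_port_t'

# Constructed sample of `semodule -l | grep foreman` before and after the upgrade.
SAMPLE_SEMODULE_BEFORE='foreman 1.7.2.16.1'
SAMPLE_SEMODULE_AFTER='foreman 1.11.0.4'

# stale_port_customizations EXPORT_TEXT POLICY_TYPES
# Prints every "port -a -t <type> ..." record whose <type> is not one of the
# newline-separated POLICY_TYPES. Returns 0 if none is stale, 1 otherwise.
stale_port_customizations() {
    export_text=$1
    policy_types=$2
    stale=$(printf '%s\n' "$export_text" | while read -r line; do
        # Split the record into words and walk to the -t option.
        set -- $line
        type=""
        while [ $# -gt 0 ]; do
            if [ "$1" = "-t" ]; then
                type=$2
                break
            fi
            shift
        done
        [ -n "$type" ] || continue
        # -x: whole-line match, -F: literal, so docker_port_t != docker_port_tt
        if ! printf '%s\n' "$policy_types" | grep -qxF "$type"; then
            printf 'STALE: %s (type %s not in policy)\n' "$line" "$type"
        fi
    done)
    if [ -z "$stale" ]; then
        return 0
    fi
    printf '%s\n' "$stale"
    return 1
}

# module_version SEMODULE_OUTPUT MODULE
# Prints the version column for MODULE from `semodule -l` output (tab- or
# space-separated, awk splits on either); prints nothing if it is not loaded.
module_version() {
    printf '%s\n' "$1" | awk -v m="$2" '$1 == m { print $2; exit }'
}

# Demonstration on the constructed samples; every branch leaves exit status 0.
if stale_port_customizations "$SAMPLE_EXPORT_BEFORE" "$SAMPLE_POLICY_TYPES"; then
    echo "before: no stale port customizations"
else
    echo "before: foreman-selinux-enable would fail on the record(s) above"
fi
if stale_port_customizations "$SAMPLE_EXPORT_AFTER" "$SAMPLE_POLICY_TYPES"; then
    echo "after: no stale port customizations"
fi
echo "foreman module before upgrade: $(module_version "$SAMPLE_SEMODULE_BEFORE" foreman)"
echo "foreman module after upgrade:  $(module_version "$SAMPLE_SEMODULE_AFTER" foreman)"
```

On a live system the replacements are `stale_port_customizations "$(semanage port -E)" "$(seinfo -t)"` and `module_version "$(semodule -l)" foreman`; a non-zero return from the first, run before the upgrade, is the early warning that the %post scriptlet will print the libsepol errors seen in comments 7, 12 and 14.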

Comment 21 Bryan Kearney 2017-03-06 15:12:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0447

