Bug 1414821 - foreman-selinux is conflicting with container-selinux
Summary: foreman-selinux is conflicting with container-selinux
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: SELinux
Version: 6.2.7
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: Unspecified
Assignee: Daniel Lobato Garcia
QA Contact: Lukas Pramuk
URL: http://projects.theforeman.org/issues...
Whiteboard:
Depends On:
Blocks: 1478966
Reported: 2017-01-19 14:49 UTC by Lukas Pramuk
Modified: 2019-06-13 21:25 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1478966 (view as bug list)
Environment:
Last Closed: 2018-11-26 19:32:35 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 18284 0 None None None 2017-01-27 14:00:47 UTC

Description Lukas Pramuk 2017-01-19 14:49:08 UTC
Description of problem:
foreman-selinux is conflicting with container-selinux
If you install foreman-selinux first then container-selinux module load fails and vice-versa. If you install container-selinux first then foreman-selinux module load fails.

Version-Release number of selected component (if applicable):
@Sat6.2.7
(generally all sat versions, but let's stick to 6.2)
foreman-selinux-1.11.0.2-1.el7sat

How reproducible:
Always on RHEL7.3

Steps to Reproduce:
1. Install docker (with its container-selinux)
2. Install Satellite (with its foreman-selinux)

# yum install foreman-selinux
...

Re-declaration of type docker_port_t            <<< this is the issue
Failed to create node
Bad type declaration at /etc/selinux/targeted/tmp/modules/400/foreman/cil:27
OSError: Error
ValueError: Type elasticsearch_port_t is invalid, must be a port type
warning: %post(foreman-selinux-1.11.0.2-1.el7sat.noarch) scriptlet failed, exit status 1
Non-fatal POSTIN scriptlet failure in rpm package foreman-selinux-1.11.0.2-1.el7sat.noarch

# semanage fcontext -l | grep foreman
/opt/theforeman/tfm/root = /

>>> all? most? of foreman selinux types are missing due to conflict


Actual results:
conflicting selinux modules

Expected results:
modules are able to cope together

Comment 2 Daniel Lobato Garcia 2017-01-27 13:05:15 UTC
Yes indeed the type is declared twice. 

https://github.com/projectatomic/container-selinux/blob/master/container.te#L77
and 
https://github.com/theforeman/foreman-selinux/blob/2f2a5c3416448c5f0f9e98071c3b5785a5ef5fb5/foreman.te

I will submit a pull request that removes it, and another that makes container-selinux a dependency of the foreman-selinux package.

Comment 3 Daniel Lobato Garcia 2017-01-27 13:06:48 UTC
Created redmine issue http://projects.theforeman.org/issues/18284 from this bug

Comment 4 Satellite Program 2017-01-27 15:00:54 UTC
Upstream bug assigned to dlobatog

Comment 5 Satellite Program 2017-01-27 15:00:57 UTC
Upstream bug assigned to dlobatog

Comment 9 Lukas Zapletal 2017-03-06 14:27:29 UTC
Lukas, can you please re-test with latest stable 6.2? We fixed the elastic search problem there and I believe the redeclaration message might be just a warning. The real error that blocked the transaction was elasticsearch, which we fixed.

Comment 10 Lukas Zapletal 2017-03-08 14:20:19 UTC
Upstream we will likely be splitting the policy into a new package, but downstream we might have this quick fix:

https://github.com/projectatomic/container-selinux/pull/26#issuecomment-284435882

Comment 11 Lukas Pramuk 2017-05-05 12:50:10 UTC
Lukas,

I re-tested with 6.2.9 (having elasticsearch fix) and the issue is very much the same:

# rpm -q docker container-selinux
docker-1.12.6-16.el7.x86_64
container-selinux-2.10-2.el7.noarch

# yum install foreman-selinux

========================================================================================================================
 Package                  Arch            Version                       Repository                                 Size
========================================================================================================================
Installing:
 foreman-selinux          noarch          1.11.0.4-1.el7sat             rhel-7-server-satellite-6.2-rpms           43 k

Transaction Summary
========================================================================================================================
Install  1 Package

Total download size: 43 k
Installed size: 78 k
Is this ok [y/d/N]: y
Re-declaration of type docker_port_t
Failed to create node
Bad type declaration at /etc/selinux/targeted/tmp/modules/400/foreman/cil:27
OSError: Error
ValueError: Type docker_port_t is invalid, must be a port type
warning: %post(foreman-selinux-1.11.0.4-1.el7sat.noarch) scriptlet failed, exit status 1
Non-fatal POSTIN scriptlet failure in rpm package foreman-selinux-1.11.0.4-1.el7sat.noarch

Installed:
  foreman-selinux.noarch 0:1.11.0.4-1.el7sat                                                

# semanage fcontext -l | grep foreman
/opt/theforeman/tfm/root = /

Comment 12 Lukas Zapletal 2017-05-05 12:54:17 UTC
Yeah sorry we definitely need to fix this. Upstream patch did not get it through yet.

Daniel, how about downstream only patch?

Comment 13 Daniel Lobato Garcia 2017-06-05 21:40:07 UTC
At this point it's likely going to be downstream only - cherry-picking whatever we do for 1.16

Comment 14 Satellite Program 2017-09-08 14:01:14 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/18284 has been resolved.

Comment 20 Lukas Zapletal 2017-11-29 12:14:41 UTC
Flipping to QA now, this should be fixed already.

Comment 21 Lukas Pramuk 2017-12-19 15:58:29 UTC
This BZ is tracking 6.2.z fix, flipping back to POST

Sat6.3.0 progress is tracked by BZ #1478966 (currently VERIFIED)

Comment 25 Bryan Kearney 2018-11-26 19:32:35 UTC
Satellite 6.2 has reached maintenance support phase 2 [1]. This bug does not qualify for inclusion in a 6.2.z release during this support phase. I am therefore closing this bug out.

[1] https://access.redhat.com/support/policy/updates/satellite

