Description of problem:
foreman-selinux is conflicting with container-selinux.
If you install foreman-selinux first then container-selinux module load fails and vice-versa. If you install container-selinux first then foreman-selinux module load fails.

Version-Release number of selected component (if applicable):
@Sat6.2.7 (generally all sat versions, but let's stick to 6.2)
foreman-selinux-1.11.0.2-1.el7sat

How reproducible:
Always on RHEL7.3

Steps to Reproduce:
1. Install docker (with its container-selinux)
2. Install Satellite (with its foreman-selinux)

# yum install foreman-selinux
...
Re-declaration of type docker_port_t    <<< this is the issue
Failed to create node
Bad type declaration at /etc/selinux/targeted/tmp/modules/400/foreman/cil:27
OSError: Error
ValueError: Type elasticsearch_port_t is invalid, must be a port type
warning: %post(foreman-selinux-1.11.0.2-1.el7sat.noarch) scriptlet failed, exit status 1
Non-fatal POSTIN scriptlet failure in rpm package foreman-selinux-1.11.0.2-1.el7sat.noarch

# semanage fcontext -l | grep foreman
/opt/theforeman/tfm/root = /

>>> all? most? of foreman selinux types are missing due to conflict

Actual results:
conflicting selinux modules

Expected results:
modules are able to cope together
Yes indeed the type is declared twice.
https://github.com/projectatomic/container-selinux/blob/master/container.te#L77
and
https://github.com/theforeman/foreman-selinux/blob/2f2a5c3416448c5f0f9e98071c3b5785a5ef5fb5/foreman.te
I will submit a pull request that removes it, and another that makes container-selinux a dependency of the foreman-selinux package.
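An added example, not part of the bug thread or of either project's code: a small check that finds types declared (rather than merely required) by more than one SELinux policy module source, which is the condition behind the "Re-declaration of type docker_port_t" failure. The two policy sources are constructed samples, not the real container.te or foreman.te, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed policy sources for illustration (not the real .te files).
CONTAINER_TE = """
policy_module(container, 2.10)
type container_t;
type docker_port_t;   # port type owned by this module
corenet_port(docker_port_t)
"""

FOREMAN_TE = """
policy_module(foreman, 1.11)
gen_require(`
    type httpd_t;     # required only, declared elsewhere
')
type foreman_lib_t;
type docker_port_t;
corenet_port(docker_port_t)
type elasticsearch_port_t;
corenet_port(elasticsearch_port_t)
"""

COMMENT = re.compile(r"#.*")
# gen_require(` ... ') and require { ... } reference types, they do not declare them.
REQUIRE_BLOCK = re.compile(r"gen_require\(`.*?'\)|\brequire\s*\{.*?\}", re.S)
# A 'type NAME' statement at the start of a line outside a require block is a declaration.
TYPE_DECL = re.compile(r"^\s*type\s+(\w+)", re.M)

def declared_types(te_source):
    """Return the set of types a .te source declares itself."""
    text = COMMENT.sub("", te_source)
    text = REQUIRE_BLOCK.sub("", text)
    return set(TYPE_DECL.findall(text))

def redeclared(modules):
    """Map each type declared by more than one module to the modules declaring it."""
    owners = defaultdict(list)
    for name, source in modules.items():
        for type_name in declared_types(source):
            owners[type_name].append(name)
    return {t: sorted(m) for t, m in owners.items() if len(m) > 1}

if __name__ == "__main__":
    conflicts = redeclared({"container": CONTAINER_TE, "foreman": FOREMAN_TE})
    for type_name, mods in sorted(conflicts.items()):
        print(f"{type_name}: declared in {', '.join(mods)}")
```

Run against the sources of every policy module that will be loaded on the same host, any type it reports has to be declared by exactly one module and required by the others.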
Created redmine issue http://projects.theforeman.org/issues/18284 from this bug
Upstream bug assigned to dlobatog
Lukas, can you please re-test with latest stable 6.2? We fixed the elasticsearch problem there and I believe the redeclaration message might be just a warning. The real error that blocked the transaction was elasticsearch, which we fixed.
Upstream we will likely be splitting policy into a new package, but downstream we might have this quick fix: https://github.com/projectatomic/container-selinux/pull/26#issuecomment-284435882
Lukas, I re-tested with 6.2.9 (having elasticsearch fix) and the issue is very much the same:

# rpm -q docker container-selinux
docker-1.12.6-16.el7.x86_64
container-selinux-2.10-2.el7.noarch

# yum install foreman-selinux
========================================================================================================================
 Package                   Arch        Version                  Repository                                  Size
========================================================================================================================
Installing:
 foreman-selinux           noarch      1.11.0.4-1.el7sat        rhel-7-server-satellite-6.2-rpms            43 k

Transaction Summary
========================================================================================================================
Install  1 Package

Total download size: 43 k
Installed size: 78 k
Is this ok [y/d/N]: y
Re-declaration of type docker_port_t
Failed to create node
Bad type declaration at /etc/selinux/targeted/tmp/modules/400/foreman/cil:27
OSError: Error
ValueError: Type docker_port_t is invalid, must be a port type
warning: %post(foreman-selinux-1.11.0.4-1.el7sat.noarch) scriptlet failed, exit status 1
Non-fatal POSTIN scriptlet failure in rpm package foreman-selinux-1.11.0.4-1.el7sat.noarch

Installed:
  foreman-selinux.noarch 0:1.11.0.4-1.el7sat

# semanage fcontext -l | grep foreman
/opt/theforeman/tfm/root = /
Yeah, sorry, we definitely need to fix this. The upstream patch did not get through yet. Daniel, how about a downstream-only patch?
At this point it's likely going to be downstream only - cherry-picking whatever we do for 1.16
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/18284 has been resolved.
Flipping to QA now, this should be fixed already.
This BZ is tracking the 6.2.z fix, flipping back to POST.
Sat6.3.0 progress is tracked by BZ #1478966 (currently VERIFIED)
Satellite 6.2 has reached maintenance support phase 2 [1]. This bug does not qualify for inclusion in a 6.2.z release during this support phase. I am therefore closing this bug out.
[1] https://access.redhat.com/support/policy/updates/satellite