Bug 1443391 - Failure noticed for selinux policy package updation during ipa-upgrade process.
Summary: Failure noticed for selinux policy package updation during ipa-upgrade process.
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.4
Hardware: All
OS: Linux
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
Depends On:
TreeView+ depends on / blocked
Reported: 2017-04-19 07:38 UTC by Nikhil Dehadrai
Modified: 2017-08-01 15:24 UTC (History)
6 users (show)

Fixed In Version: selinux-policy-3.13.1-144.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-08-01 15:24:23 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:1861 0 normal SHIPPED_LIVE selinux-policy bug fix update 2017-08-01 17:50:24 UTC

Description Nikhil Dehadrai 2017-04-19 07:38:03 UTC
Description of problem:
Failure noticed for selinux policy package updation during ipa-upgrade process from RHEL 7.2.z to RHEL 7.4.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Setup IPA-server at RHEL 7.2.z. (In my case IPA server is setup in Permissive mode)
2. Use the latest repo links for RHEL 7.4
3. Update the ipa server by executing commands:
# yum -y update 'ipa*' sssd

Actual results:
1. After step 3, the yum update process completes, but Failure noticed for selinux policy package updation

Updating   : libselinux-utils-2.5-11.el7.x86_64                                                               70/268 
  Updating   : policycoreutils-2.5-16.el7.x86_64                                                                71/268 
  Updating   : selinux-policy-3.13.1-142.el7.noarch                                                             72/268 
semodule:  Failed on docker!
semodule:  Failed on gear!
  Updating   : selinux-policy-targeted-3.13.1-142.el7.noarch                                                    73/268 
‘/etc/selinux/targeted/modules/active/booleans.local’ -> ‘/etc/selinux/targeted/active/booleans.local’
Re-declaration of type docker_t
Failed to create node
Bad type declaration at /etc/selinux/targeted/tmp/modules/400/docker/cil:1
semodule:  Failed!
  Updating   : bind-dyndb-ldap-11.1-2.el7.x86_64                                                                74/268 
Enabling SELinux boolean named_write_master_zones
  Updating   : httpd-tools-2.4.6-64.el7.x86_64                                                                  75/268 
  Updating   : httpd-2.4.6-64.el7.x86_64

Expected results:
No failures/ errors should be noticed for selinux policy package during IPA upgrade process. 

Additional info:
Similar issue is observed for upgrade from RHEL 7.1.z to RHEL 7.4

Comment 6 Nikhil Dehadrai 2017-04-20 14:10:06 UTC
ipa-server version: ipa-server-4.5.0-7.el7.x86_64
selinux-policy: selinux-policy-3.13.1-144.el7.noarch

Tested the bug with following observations:
1. Verified that during upgrade of selinux-policy package no errors are noticed as reported inside the bug.
2. Verified the process for following upgrade paths:
- 7.1.z > 7.4
- 7.2.z > 7.4
- 7.3 > 7.4
- 7.3.z > 7.4

  Updating   : libselinux-utils-2.5-11.el7.x86_64                                            71/268 
  Updating   : policycoreutils-2.5-16.el7.x86_64                                             72/268 
  Updating   : selinux-policy-3.13.1-144.el7.noarch                                          73/268 
  Updating   : selinux-policy-targeted-3.13.1-144.el7.noarch                                 74/268 
‘/etc/selinux/targeted/modules/active/booleans.local’ -> ‘/etc/selinux/targeted/active/booleans.local’
  Updating   : bind-dyndb-ldap-11.1-2.el7.x86_64                                             75/268 
Enabling SELinux boolean named_write_master_zones
  Updating   : httpd-tools-2.4.6-64.el7.x86_64                                               76/268 
  Updating   : httpd-2.4.6-64.el7.x86_64                                                     77/268 
  Installing : mod_auth_gssapi-1.5.1-2.el7.x86_64                                            78/268 

Thus marking the status of this bug to "VERIFIED"

Comment 7 errata-xmlrpc 2017-08-01 15:24:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.