Bug 1463584 - selinux error on installation
selinux error on installation
Product: ovirt-vmconsole
Classification: oVirt
Component: Packaging.rpm (Show other bugs)
Unspecified Unspecified
unspecified Severity high (vote)
: ovirt-4.2.0
: ---
Assigned To: Francesco Romani
Nikolai Sednev
: Triaged
Depends On:
  Show dependency treegraph
Reported: 2017-06-21 05:18 EDT by Sandro Bonazzola
Modified: 2017-12-20 06:36 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2017-12-20 06:36:03 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: Virt
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
rule-engine: ovirt‑4.2+
mtessun: planning_ack+
rule-engine: devel_ack+
rule-engine: testing_ack+

Attachments (Terms of Use)
lago logs (891.85 KB, text/plain)
2017-06-21 08:48 EDT, Sandro Bonazzola
no flags Details

External Trackers
Tracker ID Priority Status Summary Last Updated
oVirt gerrit 79842 None None None 2017-10-05 05:18 EDT

  None (edit)
Description Sandro Bonazzola 2017-06-21 05:18:45 EDT
Selinux error while installing engine from master in ovirt-system-test:

  Installing : ovirt-vmconsole-1.0.4-1.el7.centos.noarch                163/345 
Failed to resolve booleanif statement at /etc/selinux/targeted/tmp/modules/400/ovirt_vmconsole/cil:588
semodule:  Failed!
  Installing : ovirt-vmconsole-proxy-1.0.4-1.el7.centos.noarch          164/345 
libsemanage.semanage_read_policydb: Could not open kernel policy /etc/selinux/targeted/active/policy.kern for reading. (No such file or directory).
OSError: No such file or directory

Looks like a dependency is missing, providing /etc/selinux/targeted/active/policy.kern at pre/post stage.

Seen in:
Comment 1 Nikolai Sednev 2017-06-21 07:09:17 EDT
Please provide a full description for this bug, including logs, what you actually did and reproduction steps.
Comment 2 Sandro Bonazzola 2017-06-21 08:48 EDT
Created attachment 1290059 [details]
lago logs
Comment 3 Sandro Bonazzola 2017-06-21 08:51:01 EDT
(In reply to Sandro Bonazzola from comment #2)
> Created attachment 1290059 [details]
> lago logs
Attached logs to preserve them from jenkis cleanups.

full description:
installing ovirt-vmconsole raises selinux issues as in comment #0
due to possible missing dependency in %pre / %post sections of the spec file.

I actually run ovirt-system-test in jenkins: http://jenkins.ovirt.org/job/ovirt-system-tests_manual/664

Step to reproduce: rebuild http://jenkins.ovirt.org/job/ovirt-system-tests_manual/664
Comment 4 Francesco Romani 2017-06-26 04:50:16 EDT
Thanks to the input of Sandro, I believe this happens only when the packages are installed through kickstart (or similar). We need to make sure that the last selinux-policy-targeted is installed when ovirt-vmconsole packages are installed.

This doesn't seem the case in the provided logs, hence the bug.
The fix should be simple: just add the dependency in the spec file to ensure the correct ordering.

This bug should never trigger on installed system (e.g. on CentOS), because the selinux-policy-targeted is part of basesystem.
Comment 5 Tomas Jelinek 2017-06-26 05:08:32 EDT
fix should be trivial, lets try to get it into 4.1.4
Comment 6 Sandro Bonazzola 2017-07-17 07:44:51 EDT
need info provided in comment #3
Comment 7 Tomas Jelinek 2017-08-09 03:46:36 EDT
it is a corner case and it is not so easy to verify - pushing out of z-stream due to capacity
Comment 8 Francesco Romani 2017-10-09 05:30:51 EDT
published on master
Comment 9 Nikolai Sednev 2017-10-16 11:01:55 EDT
Successfully installed ovirt-vmconsole-1.0.4-1.el7.noarch and ovirt-vmconsole-host-1.0.4-1.el7.noarch, during installation of ovirt-hosted-engine-setup-2.2.0-0.0.master.20171009203744.gitd01cc03.el7.centos.noarch on RHEL7.4 host.

Moving to verified.
Comment 10 Sandro Bonazzola 2017-12-20 06:36:03 EST
This bugzilla is included in oVirt 4.2.0 release, published on Dec 20th 2017.

Since the problem described in this bug report should be
resolved in oVirt 4.2.0 release, published on Dec 20th 2017, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.

Note You need to log in before you can comment on or make changes to this bug.