Bug 1563766 - upgraded foreman-selinux has no label for 2375/tcp
Summary: upgraded foreman-selinux has no label for 2375/tcp
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: SELinux
Version: 6.3.1
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: 6.4.0
Assignee: Lukas Zapletal
QA Contact: Jan Hutař
URL: http://projects.theforeman.org/issues...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-04-04 15:53 UTC by Lukas Pramuk
Modified: 2019-11-05 23:14 UTC (History)
4 users (show)

Fixed In Version: foreman-selinux-1.18.0.1-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1624026 (view as bug list)
Environment:
Last Closed: 2018-10-16 18:55:21 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 23127 0 Normal Closed Upgraded foreman-selinux has no label for 2375/tcp 2020-04-13 17:58:05 UTC

Description Lukas Pramuk 2018-04-04 15:53:26 UTC 
Description of problem:
Contrary to fresh install the upgraded foreman-selinux has foreman_container_port_t label defined only for 2376/tcp port


Version-Release number of selected component (if applicable):
foreman-selinux-1.15.6.2-1.el7sat.noarch


How reproducible:
upgraded from foreman-selinux-1.11 only


Steps to Reproduce:
1. Have a Sat6.2
# rpm -q foreman-selinux
foreman-selinux-1.11.0.4-1.el7sat.noarch

2. Upgrade foreman-selinux with Sat6.3 foreman-selinux rpm
# yum upgrade foreman-selinux-1.15.6.2-1.el7sat.noarch.rpm

3. Check for foreman_container_port_t label
# semanage port -l |grep container
foreman_container_port_t       tcp      2376


Actual results:
foreman_container_port_t       tcp      2376

Expected results:
foreman_container_port_t       tcp      2375
foreman_container_port_t       tcp      2376
Comment 1 Lukas Pramuk 2018-04-04 15:58:52 UTC 
Investigation step by step:

1) old rpm present
# rpm -q foreman-selinux
foreman-selinux-1.11.0.4-1.el7sat.noarch

>>> docker_port_t                  tcp      2375-2376

2) new rpm install
# rpm -ip --noscripts --replacefiles foreman-selinux-1.15.6.2-1.el7sat.noarch.rpm

3) new %post runs:
----
if /usr/sbin/selinuxenabled; then
    # install and upgrade
    /usr/sbin/foreman-selinux-enable
fi
----

>>> foreman_container_port_t       tcp      2376 <<< WRONG

4) old %preun runs:
----
if /usr/sbin/selinuxenabled; then
    # uninstall only
    if [ $1 -eq 0 ]; then
        /usr/sbin/foreman-selinux-disable
    fi
    # upgrade and uninstall
    /usr/sbin/foreman-selinux-relabel

fi
----

Luckily the issue is caused by 6.3 postinstall script and not by 6.2 preuninstall. (no need to fix old 6.2)
Comment 2 Lukas Pramuk 2018-04-04 16:09:59 UTC 
Solution:

In /usr/sbin/foreman-selinux-enable there are 2 scripts generated
- $TMP_EXEC_BEFORE (deletes)
- $TMP_EXEC_AFTER (re/creates)
It can't be that they both share the very same file for checking existence of port definitions
- $TMP_PORTS

You check the label exists and - you both don't go creating it(in $TMP_EXEC_AFTER)  while at the same time you go deleting it(in $TMP_EXEC_BEFORE) !!!

The solution is 
- grep first into $TMP_PORTS execute $TMP_EXEC_BEFORE
- and then!! grep into $TMP_PORTS used by $TMP_EXEC_AFTER
Comment 8 Satellite Program 2018-06-28 16:26:34 UTC 
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/23127 has been resolved.
Comment 15 Bryan Kearney 2018-10-16 18:55:21 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2927
Note You need to log in before you can comment on or make changes to this bug.