Description of problem:
Contrary to a fresh install, the upgraded foreman-selinux has the foreman_container_port_t label defined only for port 2376/tcp.

Version-Release number of selected component (if applicable):
foreman-selinux-1.15.6.2-1.el7sat.noarch

How reproducible:
Upgraded from foreman-selinux-1.11 only

Steps to Reproduce:
1. Have a Sat6.2
   # rpm -q foreman-selinux
   foreman-selinux-1.11.0.4-1.el7sat.noarch
2. Upgrade foreman-selinux with the Sat6.3 foreman-selinux rpm
   # yum upgrade foreman-selinux-1.15.6.2-1.el7sat.noarch.rpm
3. Check for the foreman_container_port_t label
   # semanage port -l | grep container
   foreman_container_port_t tcp 2376

Actual results:
foreman_container_port_t tcp 2376

Expected results:
foreman_container_port_t tcp 2375
foreman_container_port_t tcp 2376
Investigation step by step:

1) old rpm present
   # rpm -q foreman-selinux
   foreman-selinux-1.11.0.4-1.el7sat.noarch
   >>> docker_port_t tcp 2375-2376

2) new rpm install
   # rpm -ip --noscripts --replacefiles foreman-selinux-1.15.6.2-1.el7sat.noarch.rpm

3) new %post runs:
----
if /usr/sbin/selinuxenabled; then
  # install and upgrade
  /usr/sbin/foreman-selinux-enable
fi
----
   >>> foreman_container_port_t tcp 2376 <<< WRONG

4) old %preun runs:
----
if /usr/sbin/selinuxenabled; then
  # uninstall only
  if [ $1 -eq 0 ]; then
    /usr/sbin/foreman-selinux-disable
  fi
  # upgrade and uninstall
  /usr/sbin/foreman-selinux-relabel
fi
----

Luckily the issue is caused by the 6.3 postinstall script and not by the 6.2 preuninstall. (no need to fix the old 6.2)
Solution:

In /usr/sbin/foreman-selinux-enable there are 2 scripts generated:
- $TMP_EXEC_BEFORE (deletes)
- $TMP_EXEC_AFTER (re/creates)

It can't be that they both share the very same file for checking the existence of port definitions - $TMP_PORTS.

You check that the label exists and - you both don't go creating it (in $TMP_EXEC_AFTER) while at the same time you go deleting it (in $TMP_EXEC_BEFORE)!!!

The solution is:
- grep first into $TMP_PORTS
- execute $TMP_EXEC_BEFORE
- and then!! grep into $TMP_PORTS used by $TMP_EXEC_AFTER
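As an added illustration (not code from this bug or from the foreman-selinux package), the constructed shell model below reproduces the shared-snapshot flaw described in the comment above and the proposed fix: a plain file stands in for the SELinux port table, and the substring check that makes a stale snapshot skip port 2375 is an assumption about how the real script matches ports.

```shell
# Constructed model of the foreman-selinux-enable flow described above; a plain
# file stands in for the SELinux port table, so nothing touches semanage.
PORT_TABLE="${TMPDIR:-/tmp}/fake_port_table.$$"

# Pre-upgrade state: the old package labelled the range under docker_port_t.
reset_table() { printf '%s\n' 'docker_port_t tcp 2375-2376' > "$PORT_TABLE"; }

# Stand-in for "semanage port -l".
list_ports() { cat "$PORT_TABLE"; }

# $TMP_EXEC_BEFORE step: delete the old mapping that the new label replaces.
run_before() {
    grep -v '^docker_port_t ' "$PORT_TABLE" > "$PORT_TABLE.new" || true
    mv "$PORT_TABLE.new" "$PORT_TABLE"
}

# $TMP_EXEC_AFTER step: add foreman_container_port_t for each port the snapshot
# file ($1, playing the $TMP_PORTS role) does not list. The substring match is
# an assumption that models how a stale snapshot makes the script skip a port.
run_after() {
    for port in 2375 2376; do
        grep -q "tcp $port" "$1" ||
            echo "foreman_container_port_t tcp $port" >> "$PORT_TABLE"
    done
}

# How many ports carry the new label afterwards (what the report compares).
count_new_labels() { grep -c '^foreman_container_port_t' "$PORT_TABLE" || true; }

# Buggy flow: one snapshot taken before the delete step serves both steps.
buggy_flow() {
    reset_table
    list_ports > "$PORT_TABLE.snap"
    run_before
    run_after "$PORT_TABLE.snap"
    count_new_labels
}

# Fixed flow: grep, run the delete step, then grep again before creating.
fixed_flow() {
    reset_table
    list_ports > "$PORT_TABLE.snap"
    run_before
    list_ports > "$PORT_TABLE.snap"
    run_after "$PORT_TABLE.snap"
    count_new_labels
}

echo "shared snapshot: $(buggy_flow) label(s); refreshed: $(fixed_flow) label(s)"
rm -f "$PORT_TABLE" "$PORT_TABLE.snap"
```

The shared snapshot leaves only 2376 labelled, matching the report; re-reading the port list after the delete step yields both 2375 and 2376.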
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/23127 has been resolved.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:2927