Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1563766

Summary:	upgraded foreman-selinux has no label for 2375/tcp
Product:	Red Hat Satellite	Reporter:	Lukas Pramuk <lpramuk>
Component:	SELinux	Assignee:	Lukas Zapletal <lzap>
Status:	CLOSED ERRATA	QA Contact:	Jan Hutař <jhutar>
Severity:	high	Docs Contact:
Priority:	unspecified
Version:	6.3.1	CC:	egolov, jhutar, lzap, mmccune
Target Milestone:	6.4.0	Keywords:	Regression, Triaged
Target Release:	Unused
Hardware:	Unspecified
OS:	Unspecified
URL:	http://projects.theforeman.org/issues/23127
Whiteboard:
Fixed In Version:	foreman-selinux-1.18.0.1-1	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:
Clones:	1624026 (view as bug list)		Environment:
Last Closed:	2018-10-16 18:55:21 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Lukas Pramuk 2018-04-04 15:53:26 UTC

Description of problem:
Contrary to fresh install the upgraded foreman-selinux has foreman_container_port_t label defined only for 2376/tcp port


Version-Release number of selected component (if applicable):
foreman-selinux-1.15.6.2-1.el7sat.noarch


How reproducible:
upgraded from foreman-selinux-1.11 only


Steps to Reproduce:
1. Have a Sat6.2
# rpm -q foreman-selinux
foreman-selinux-1.11.0.4-1.el7sat.noarch

2. Upgrade foreman-selinux with Sat6.3 foreman-selinux rpm
# yum upgrade foreman-selinux-1.15.6.2-1.el7sat.noarch.rpm

3. Check for foreman_container_port_t label
# semanage port -l |grep container
foreman_container_port_t       tcp      2376


Actual results:
foreman_container_port_t       tcp      2376

Expected results:
foreman_container_port_t       tcp      2375
foreman_container_port_t       tcp      2376

Comment 1 Lukas Pramuk 2018-04-04 15:58:52 UTC

Investigation step by step:

1) old rpm present
# rpm -q foreman-selinux
foreman-selinux-1.11.0.4-1.el7sat.noarch

>>> docker_port_t                  tcp      2375-2376

2) new rpm install
# rpm -ip --noscripts --replacefiles foreman-selinux-1.15.6.2-1.el7sat.noarch.rpm

3) new %post runs:
----
if /usr/sbin/selinuxenabled; then
    # install and upgrade
    /usr/sbin/foreman-selinux-enable
fi
----

>>> foreman_container_port_t       tcp      2376 <<< WRONG

4) old %preun runs:
----
if /usr/sbin/selinuxenabled; then
    # uninstall only
    if [ $1 -eq 0 ]; then
        /usr/sbin/foreman-selinux-disable
    fi
    # upgrade and uninstall
    /usr/sbin/foreman-selinux-relabel

fi
----

Luckily the issue is caused by 6.3 postinstall script and not by 6.2 preuninstall. (no need to fix old 6.2)

Comment 2 Lukas Pramuk 2018-04-04 16:09:59 UTC

Solution:

In /usr/sbin/foreman-selinux-enable there are 2 scripts generated
- $TMP_EXEC_BEFORE (deletes)
- $TMP_EXEC_AFTER (re/creates)
It can't be that they both share the very same file for checking existence of port definitions
- $TMP_PORTS

You check the label exists and - you both don't go creating it(in $TMP_EXEC_AFTER)  while at the same time you go deleting it(in $TMP_EXEC_BEFORE) !!!

The solution is 
- grep first into $TMP_PORTS execute $TMP_EXEC_BEFORE
- and then!! grep into $TMP_PORTS used by $TMP_EXEC_AFTER

Comment 8 Satellite Program 2018-06-28 16:26:34 UTC

Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/23127 has been resolved.

Comment 15 Bryan Kearney 2018-10-16 18:55:21 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2927