Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1563766 - upgraded foreman-selinux has no label for 2375/tcp
Summary: upgraded foreman-selinux has no label for 2375/tcp
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: SELinux
Version: 6.3.1
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: 6.4.0
Assignee: Lukas Zapletal
QA Contact: Jan Hutař
URL: http://projects.theforeman.org/issues...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-04-04 15:53 UTC by Lukas Pramuk
Modified: 2019-11-05 23:14 UTC (History)
4 users (show)

Fixed In Version: foreman-selinux-1.18.0.1-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1624026 (view as bug list)
Environment:
Last Closed: 2018-10-16 18:55:21 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 23127 0 Normal Closed Upgraded foreman-selinux has no label for 2375/tcp 2020-04-13 17:58:05 UTC

Description Lukas Pramuk 2018-04-04 15:53:26 UTC
Description of problem:
Contrary to fresh install the upgraded foreman-selinux has foreman_container_port_t label defined only for 2376/tcp port


Version-Release number of selected component (if applicable):
foreman-selinux-1.15.6.2-1.el7sat.noarch


How reproducible:
upgraded from foreman-selinux-1.11 only


Steps to Reproduce:
1. Have a Sat6.2
# rpm -q foreman-selinux
foreman-selinux-1.11.0.4-1.el7sat.noarch

2. Upgrade foreman-selinux with Sat6.3 foreman-selinux rpm
# yum upgrade foreman-selinux-1.15.6.2-1.el7sat.noarch.rpm

3. Check for foreman_container_port_t label
# semanage port -l |grep container
foreman_container_port_t       tcp      2376


Actual results:
foreman_container_port_t       tcp      2376

Expected results:
foreman_container_port_t       tcp      2375
foreman_container_port_t       tcp      2376

Comment 1 Lukas Pramuk 2018-04-04 15:58:52 UTC
Investigation step by step:

1) old rpm present
# rpm -q foreman-selinux
foreman-selinux-1.11.0.4-1.el7sat.noarch

>>> docker_port_t                  tcp      2375-2376

2) new rpm install
# rpm -ip --noscripts --replacefiles foreman-selinux-1.15.6.2-1.el7sat.noarch.rpm

3) new %post runs:
----
if /usr/sbin/selinuxenabled; then
    # install and upgrade
    /usr/sbin/foreman-selinux-enable
fi
----

>>> foreman_container_port_t       tcp      2376 <<< WRONG

4) old %preun runs:
----
if /usr/sbin/selinuxenabled; then
    # uninstall only
    if [ $1 -eq 0 ]; then
        /usr/sbin/foreman-selinux-disable
    fi
    # upgrade and uninstall
    /usr/sbin/foreman-selinux-relabel

fi
----

Luckily the issue is caused by 6.3 postinstall script and not by 6.2 preuninstall. (no need to fix old 6.2)

Comment 2 Lukas Pramuk 2018-04-04 16:09:59 UTC
Solution:

In /usr/sbin/foreman-selinux-enable there are 2 scripts generated
- $TMP_EXEC_BEFORE (deletes)
- $TMP_EXEC_AFTER (re/creates)
It can't be that they both share the very same file for checking existence of port definitions
- $TMP_PORTS

You check the label exists and - you both don't go creating it(in $TMP_EXEC_AFTER)  while at the same time you go deleting it(in $TMP_EXEC_BEFORE) !!!

The solution is 
- grep first into $TMP_PORTS execute $TMP_EXEC_BEFORE
- and then!! grep into $TMP_PORTS used by $TMP_EXEC_AFTER

Comment 8 Satellite Program 2018-06-28 16:26:34 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/23127 has been resolved.

Comment 15 Bryan Kearney 2018-10-16 18:55:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2927


Note You need to log in before you can comment on or make changes to this bug.