Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1665197

Summary: Unable to upgrade 4.1 to 4.2 with 'POSTUN scriptlet failure in rpm package ovirt-vmconsole'
Product: [oVirt] ovirt-vmconsole
Reporter: Petr Matyáš <pmatyas>
Component: General
Assignee: Francesco Romani <fromani>
Status: CLOSED CURRENTRELEASE
QA Contact: Lukas Svaty <lsvaty>
Severity: high
Docs Contact:
Priority: unspecified
Version: ---
CC: aperotti, bugs, dagur, fromani, michal.skrivanek, mkalinin, pbalogh, pmatyas, rbarry, vmojzis
Target Milestone: ovirt-4.3.1
Keywords: Automation, AutomationBlocker, Regression
Target Release: ---
Flags: sbonazzo: ovirt-4.3?, rule-engine: blocker+
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: ovirt-vmconsole-1.0.7-1 (view as bug list)
Environment:
Last Closed: 2019-03-01 10:17:54 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Virt
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1671348
Attachments: setup log (flags: none)

Description Petr Matyáš 2019-01-10 16:42:57 UTC
Created attachment 1519874 [details]
setup log

Description of problem:
I'm unable to upgrade 4.1 to 4.2 with this error in setup log:
2019-01-10 18:24:42,991+0200 DEBUG otopi.plugins.otopi.packagers.yumpackager yumpackager.verbose:76 Yum Done: ovirt-vmconsole-1.0.4-1.el7ev.noarch
2019-01-10 18:25:03,429+0200 DEBUG otopi.plugins.otopi.packagers.yumpackager yumpackager.verbose:76 Yum Script sink: D: %postun(ovirt-vmconsole-1.0.4-1.el7ev.noarch): scriptlet start
D: %postun(ovirt-vmconsole-1.0.4-1.el7ev.noarch): execv(/bin/sh) pid 28106
+ '[' 1 -ge 1 ']'
+ /usr/sbin/selinuxenabled
+ semodule -i /usr/share/selinux/packages/ovirt-vmconsole/ovirt_vmconsole.pp
Failed to resolve allow statement at /etc/selinux/targeted/tmp/modules/400/ovirt_vmconsole/cil:562
semodule:  Failed!
D: %postun(ovirt-vmconsole-1.0.4-1.el7ev.noarch): waitpid(28106) rc 28106 status 100
warning: %postun(ovirt-vmconsole-1.0.4-1.el7ev.noarch) scriptlet failed, exit status 1

2019-01-10 18:25:03,431+0200 DEBUG otopi.plugins.otopi.packagers.yumpackager yumpackager.verbose:76 Yum Done: ovirt-vmconsole
2019-01-10 18:25:03,467+0200 ERROR otopi.plugins.otopi.packagers.yumpackager yumpackager.error:85 Yum Non-fatal POSTUN scriptlet failure in rpm package ovirt-vmconsole-1.0.4-1.el7ev.noarch


Version-Release number of selected component (if applicable):
otopi-1.7.8-1.el7ev.noarch
ovirt-engine-4.1.11.2-0.1.el7.noarch
ovirt-engine-setup-4.2.8.2-0.1.el7ev.noarch

How reproducible:
always

Steps to Reproduce:
1. install 4.1
2. upgrade to latest 4.2
3.

Actual results:
failure during engine-setup

Expected results:
successful upgrade

Additional info:

Comment 1 Yedidyah Bar David 2019-01-14 10:18:33 UTC
As-is, on otopi, it's not a bug - otopi failed setup by design, see bug 1493160.

Actual failure is:

    Failed to resolve allow statement at /etc/selinux/targeted/tmp/modules/400/ovirt_vmconsole/cil:562
    semodule:  Failed!

I looked on two other machines at this file (a bzip-compressed "CIL" (selinux intermediate language) file), and line 562 is:

    (allow ovirt_vmconsole_t sysfs_t (dir (getattr search open)))

No idea why it failed (or if indeed this is the line that failed it).

Petr, please attach this file from the failing machine, as well as whatever else you can find (/var/log/messages or whatever).

Some other things we can/might want to do:

1. Patch ovirt-vmconsole's %postun (and %post, probably) scriptlet to not emit errors, e.g.:
    # semodule -i "%{_datadir}/selinux/packages/%{name}/ovirt_vmconsole.pp" 2>&1
I'd rather not do this, because it will hide the actual bug.

2. Debug further and fix, either in ovirt-vmconsole (I do not think so, might be wrong), or in selinux tooling (perhaps) or elsewhere (if we find root cause elsewhere). Might be possible if we can reproduce or if we get enough logs. Petr - is this reproducible?

Otherwise, if trying again engine-setup does work, I tend to close notabug.

Comment 3 Yedidyah Bar David 2019-01-16 09:49:47 UTC
Adding Vit, maintainer of policycoreutils. Vit - any idea why this might have failed?

Line 562 in the attached cil file is:

    (allow ovirt_vmconsole_t security_t (lnk_file (read getattr)))

Comment 4 Vit Mojzis 2019-01-17 12:12:56 UTC
There seems to be a typo in your spec file (line 155 - semodule -i "%{_datadir}/selinux/packages/%{name}/ovirt_vmconsole.pp", it should use "-r" instead of "-i"). 

Please see the following document (it's written for teams who ship their own selinux policy file):
https://fedoraproject.org/wiki/PackagingDrafts/SELinux_Independent_Policy

You should at least be using selinux policy macros instead of directly calling "semodule", "fixfiles", etc. 
%{?selinux_requires} -- will make sure all necessary packages are in place for policy module installation, including proper version of selinux-policy-targeted (old policy version probably caused the error above) 

%selinux_modules_{install|uninstall} -- will install/uninstall your policy module with proper priority
%selinux_relabel_{pre|post} -- will run fixfiles where necessary (only on directories affected by your module installation)
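
Added example, not taken from the ovirt-vmconsole spec file or from any comment in this bug: scriptlets that use the macros named in comment 4, laid out as in the Fedora draft linked there. The `selinuxtype` and `modulename` globals and the choice to put the scriptlets in the main package are assumptions; the module name and path are the ones quoted in comment 4.

```spec
# Assumption: the policy type this module is built for.
%global selinuxtype targeted
# Module name as it appears in the semodule call quoted in this bug.
%global modulename ovirt_vmconsole

# Adds the Requires needed to load a module, including a selinux-policy
# at least as new as the one the package was built against.
%{?selinux_requires}

%pre
# Record file contexts before the transaction so that only paths
# affected by the module are relabelled afterwards.
%selinux_relabel_pre -s %{selinuxtype}

%post
# Install or refresh the module on both fresh install and upgrade.
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{name}/%{modulename}.pp

%postun
# $1 is the number of instances of the package left after this step:
# 0 on final erase, 1 on upgrade. Remove the module only on erase; on
# upgrade the new package's post scriptlet has already loaded it.
if [ $1 -eq 0 ]; then
    %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
fi

%posttrans
# Relabel once the whole transaction, policy packages included, is done.
%selinux_relabel_post -s %{selinuxtype}
```

With this layout the old package's `%postun` no longer calls `semodule -i` during an upgrade, which is the step that fails in the setup log above.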

Comment 5 Michal Skrivanek 2019-01-18 12:12:41 UTC
Seems it's not reproducible. I didn't reproduce it either with the same selinux packages. Either way, a workaround would be to upgrade ovirt-vmconsole before running engine-setup.

Comment 6 Francesco Romani 2019-01-18 12:29:21 UTC
I agree it doesn't seem to happen 100% of the time. SELinux and automation blockers require high attention, so patches are in progress.

Comment 8 Petr Matyáš 2019-01-31 13:52:06 UTC
I wouldn't consider this verified as this failed on the latest 4.2 upgrade run again. And the package I used for testing is not included in the latest build anyway.

Comment 9 Daniel Gur 2019-02-07 12:57:17 UTC
What is the target milestone for this bug? I see it is not set.

Comment 10 Red Hat Bugzilla Rules Engine 2019-02-07 13:23:35 UTC
This bug report has Keywords: Regression or TestBlocker.
Since no regressions or test blockers are allowed between releases, it is also being identified as a blocker for this release. Please resolve ASAP.

Comment 14 Michal Skrivanek 2019-02-11 13:31:00 UTC
Francesco, can you please review again the usage of the postun script in ovirt-vmconsole? I do not quite understand why we do anything at all. If it is still reproducible we may need an extra step to work around the old script failing.

Comment 18 Francesco Romani 2019-02-14 08:32:12 UTC
Possible relevant issue: https://bugzilla.redhat.com/show_bug.cgi?id=1626215

Which versions of the selinux-policy package are involved in the upgrade? This may explain why I can't reproduce the issue.
Furthermore, can we test what happens if we upgrade selinux-policy first and then ovirt-vmconsole?

Comment 19 Francesco Romani 2019-02-14 08:43:52 UTC
Petr, Lukas, any chance I can get a box on which the issues reproduce and have a deeper look?

Comment 20 Francesco Romani 2019-02-14 09:57:41 UTC
Got access to a box, removing NEEDINFO.

Comment 23 Sandro Bonazzola 2019-02-15 14:16:43 UTC
Re-targeting to 4.3.1 since 4.2.8 is tracked on bug #1671348

Comment 24 Sandro Bonazzola 2019-03-01 10:17:54 UTC
This bugzilla is included in oVirt 4.3.1 release, published on February 28th 2019.

Since the problem described in this bug report should be resolved in oVirt 4.3.1 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.