Created attachment 1519874 [details]
setup log

Description of problem:
I'm unable to upgrade 4.1 to 4.2 with this error in setup log:

    2019-01-10 18:24:42,991+0200 DEBUG otopi.plugins.otopi.packagers.yumpackager yumpackager.verbose:76 Yum Done: ovirt-vmconsole-1.0.4-1.el7ev.noarch
    2019-01-10 18:25:03,429+0200 DEBUG otopi.plugins.otopi.packagers.yumpackager yumpackager.verbose:76 Yum Script sink: D: %postun(ovirt-vmconsole-1.0.4-1.el7ev.noarch): scriptlet start
    D: %postun(ovirt-vmconsole-1.0.4-1.el7ev.noarch): execv(/bin/sh) pid 28106
    + '[' 1 -ge 1 ']'
    + /usr/sbin/selinuxenabled
    + semodule -i /usr/share/selinux/packages/ovirt-vmconsole/ovirt_vmconsole.pp
    Failed to resolve allow statement at /etc/selinux/targeted/tmp/modules/400/ovirt_vmconsole/cil:562
    semodule: Failed!
    D: %postun(ovirt-vmconsole-1.0.4-1.el7ev.noarch): waitpid(28106) rc 28106 status 100
    warning: %postun(ovirt-vmconsole-1.0.4-1.el7ev.noarch) scriptlet failed, exit status 1
    2019-01-10 18:25:03,431+0200 DEBUG otopi.plugins.otopi.packagers.yumpackager yumpackager.verbose:76 Yum Done: ovirt-vmconsole
    2019-01-10 18:25:03,467+0200 ERROR otopi.plugins.otopi.packagers.yumpackager yumpackager.error:85 Yum Non-fatal POSTUN scriptlet failure in rpm package ovirt-vmconsole-1.0.4-1.el7ev.noarch

Version-Release number of selected component (if applicable):
    otopi-1.7.8-1.el7ev.noarch
    ovirt-engine-4.1.11.2-0.1.el7.noarch
    ovirt-engine-setup-4.2.8.2-0.1.el7ev.noarch

How reproducible:
always

Steps to Reproduce:
1. install 4.1
2. upgrade to latest 4.2
3.

Actual results:
failure during engine-setup

Expected results:
successful upgrade

Additional info:
As-is, on otopi, it's not a bug - otopi failed setup by design, see bug 1493160.

Actual failure is:

    Failed to resolve allow statement at /etc/selinux/targeted/tmp/modules/400/ovirt_vmconsole/cil:562
    semodule: Failed!

I looked on two other machines at this file (a bzip-compressed "CIL" (selinux intermediate language) file), and line 562 is:

    (allow ovirt_vmconsole_t sysfs_t (dir (getattr search open)))

No idea why it failed (or if indeed this is the line that failed it).

Petr, please attach this file from the failing machine, as well as whatever else you can find (/var/log/messages or whatever).

Some other things we can/might want to do:

1. Patch ovirt-vmconsole's %postun (and %post, probably) scriptlet to not emit errors, e.g.:

    # semodule -i "%{_datadir}/selinux/packages/%{name}/ovirt_vmconsole.pp" 2>&1

I'd rather not do this, because it will hide the actual bug.

2. Debug further and fix, either in ovirt-vmconsole (I do not think so, might be wrong), or in selinux tooling (perhaps) or elsewhere (if we find root cause elsewhere). Might be possible if we can reproduce or if we get enough logs.

Petr - is this reproducible? Otherwise, if trying again engine-setup does work, I tend to close notabug.
Adding Vit, maintainer of policycoreutils. Vit - any idea why this might have failed? Line 562 in the attached cil file is:

    (allow ovirt_vmconsole_t security_t (lnk_file (read getattr)))
There seems to be a typo in your spec file (line 155 - semodule -i "%{_datadir}/selinux/packages/%{name}/ovirt_vmconsole.pp", it should use "-r" instead of "-i").

Please see the following document (it's written for teams who ship their own selinux policy file):
https://fedoraproject.org/wiki/PackagingDrafts/SELinux_Independent_Policy

You should at least be using selinux policy macros instead of directly calling "semodule", "fixfiles", etc.

%{?selinux_requires} -- will make sure all necessary packages are in place for policy module installation, including proper version of selinux-policy-targeted (old policy version probably caused the error above)
%selinux_modules_{install|uninstall} -- will install/uninstall your policy module with proper priority
%selinux_relabel_{pre|post} -- will run fixfiles where necessary (only on directories affected by your module installation)
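The packaging advice in the comment above, as an added example that is not ovirt-vmconsole's spec file and not part of the original thread: a spec fragment that uses the selinux-policy macros in place of direct semodule calls. The "targeted" policy type, the selinuxtype/modulename globals and the scriptlet layout are assumptions; the module path is the one quoted in this bug.

```spec
# Added example, not the project's spec file.
# Assumed: "targeted" policy type; module path as quoted in this bug.
%global selinuxtype targeted
%global modulename  ovirt_vmconsole

# Pulls in the packages needed to install a policy module, including a
# suitable selinux-policy version, so the module is not loaded against
# an older base policy.
%{?selinux_requires}

%pre
# Save the current file contexts so that the later relabel only touches
# paths whose context changed because of this module.
%selinux_relabel_pre -s %{selinuxtype}

%post
# Replaces the direct "semodule -i" call seen in the setup log.
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{name}/%{modulename}.pp

%postun
# $1 is the number of package instances left after this transaction:
# 0 means final removal, 1 or more means upgrade.
# The old scriptlet traced in the setup log ran "semodule -i" here when
# $1 >= 1; with the macros, %postun only removes the module on final
# removal and does nothing on upgrade.
if [ $1 -eq 0 ]; then
    %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
fi

%posttrans
# Relabel once, at the end of the transaction, using the contexts saved
# in %pre.
%selinux_relabel_post -s %{selinuxtype}
```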
Seems it's not reproducible. I didn't reproduce it either with the same selinux packages. Either way, a workaround would be to upgrade ovirt-vmconsole before running engine-setup.
I agree it doesn't seem to happen 100% of the time. SELinux and automation blockers require high attention, so patches are in progress.
I wouldn't consider this verified as this failed on the latest 4.2 upgrade run again. And the package I used for testing is not included in the latest build anyway.
What is the target milestone for this bug? I see it is not set.
This bug report has Keywords: Regression or TestBlocker. Since no regressions or test blockers are allowed between releases, it is also being identified as a blocker for this release. Please resolve ASAP.
Francesco, can you please review again the usage of the postun script in ovirt-vmconsole? I do not quite understand why we do anything at all. If it is still reproducible, we may need an extra step to work around the old script failing.
Possibly relevant issue: https://bugzilla.redhat.com/show_bug.cgi?id=1626215

Which versions of the selinux-policy package are involved in the upgrade? This may explain why I can't reproduce the issue. Furthermore, can we test what happens if we upgrade selinux-policy first and then ovirt-vmconsole?
Petr, Lukas, any chance I can get a box on which the issues reproduce and have a deeper look?
Got access to a box, removing NEEDINFO.
Re-targeting to 4.3.1 since 4.2.8 is tracked on bug #1671348
This bugzilla is included in oVirt 4.3.1 release, published on February 28th 2019. Since the problem described in this bug report should be resolved in oVirt 4.3.1 release, it has been closed with a resolution of CURRENT RELEASE. If the solution does not work for you, please open a new bug report.