Description of problem:
After LEAPP upgrade katello_candlepin_port_t definition is missing.
LEAPP first collects all the custom policy changes and later on it applies them in bulk. The bulk action containing katello_candlepin_port_t fails as it tries to duplicate candlepin_activemq_port_t definition which is already present:

WARNING PID: 681 leapp.workflow.Applications.selinuxapplycustom: Failed to import SELinux customizations: ValueError: Port tcp/61613 already defined

Version-Release number of selected component (if applicable):
6.11.0

How reproducible:

Steps to Reproduce:
1. LEAPP upgrade Satellite 6.11
# leapp upgrade --reboot

2. Perform LEAPP post-upgrade tasks, namely switch back to enforcing selinux
# setenforce 1

3. Check for Satellite health
# hammer ping
database:
    Status:          ok
    Server Response: Duration: 0ms
candlepin:
    Status:          FAIL
    Server Response: Message: Failed to open TCP connection to localhost:23443 (Permission denied - connect(2) for "localhost" port 23443)
candlepin_auth:
    Status:          FAIL
    Server Response: Message: Failed to open TCP connection to localhost:23443 (Permission denied - connect(2) for "localhost" port 23443)
candlepin_events:
    Status:          ok
    message:         0 Processed, 0 Failed
    Server Response: Duration: 0ms
katello_events:
    Status:          ok
    message:         0 Processed, 0 Failed
    Server Response: Duration: 1ms
pulp3:
    Status:          ok
    Server Response: Duration: 360ms
pulp3_content:
    Status:          ok
    Server Response: Duration: 117ms
foreman_tasks:
    Status:          ok
    Server Response: Duration: 5ms

# semanage port -l | grep 23443
<empty>

vs. @fresh el8 Satellite:
# semanage port -l |grep 23443
katello_candlepin_port_t       tcp      23443

Actual results:
missing katello_candlepin_port_t definition possibly due to duplicate candlepin_activemq_port_t definition

Expected results:
katello_candlepin_port_t defined, no duplicate definitions of candlepin_activemq_port_t

Additional info:
2022-07-25 18:28:32.733 INFO PID: 681 leapp.workflow.Applications.selinuxapplycustom: Importing the following SELinux customizations collected by "semanage export":
boolean -D
login -D
interface -D
user -D
port -D
node -D
fcontext -D
module -D
ibendport -D
ibpkey -D
boolean -m -1 candlepin_can_bind_activemq_port
boolean -m -1 httpd_can_network_connect
port -a -t foreman_container_port_t -r 's0' -p tcp 2375
port -a -t foreman_container_port_t -r 's0' -p tcp 2376
port -a -t websm_port_t -r 's0' -p tcp 19090
port -a -t katello_candlepin_port_t -r 's0' -p tcp 23443
port -a -t candlepin_activemq_port_t -r 's0' -p tcp 61613
fcontext -a -f a -t postgresql_exec_t -r 's0' '/usr/libexec/postgresql-ctl'
fcontext -a -e / /opt/rh/rh-redis5/root
fcontext -a -e /var /var/opt/rh/rh-postgresql12
fcontext -a -e /etc /etc/opt/rh/rh-postgresql12
fcontext -a -e /etc /etc/opt/rh/rh-redis5
fcontext -a -e /var /var/opt/rh/rh-redis5
fcontext -a -e / /opt/theforeman/tfm/root
fcontext -a -e /usr/lib/systemd/system/postgresql.service /usr/lib/systemd/system/rh-postgresql12-postgresql.service
fcontext -a -e / /opt/rh/rh-postgresql12/root
2022-07-25 18:28:32.887 DEBUG PID: 681 leapp.workflow.Applications.selinuxapplycustom: External command has started: ['semanage', 'import', '-f', '/tmp/selinux/semanage']
2022-07-25 18:28:36.263 DEBUG PID: 681 leapp.workflow.Applications.selinuxapplycustom: ValueError: Port tcp/61613 already defined
2022-07-25 18:28:37.184 DEBUG PID: 681 leapp.workflow.Applications.selinuxapplycustom: Command ['semanage', 'import', '-f', '/tmp/selinux/semanage'] failed with exit code 1.
2022-07-25 18:28:37.383 DEBUG PID: 681 leapp.workflow.Applications.selinuxapplycustom: External command has finished: ['semanage', 'import', '-f', '/tmp/selinux/semanage']
2022-07-25 18:28:37.501 WARNING PID: 681 leapp.workflow.Applications.selinuxapplycustom: Failed to import SELinux customizations: ValueError: Port tcp/61613 already defined
I consulted the ways LEAPP handles SELinux with @vmojzis and it turns out that collecting custom rules on RHEL7 and applying them in bulk actions shouldn't replace rpm postscript actions. The rules collection is more meant for the rules set up manually, not by rpms. And applying them should fail for all the rules set up by rpms.

So, the situation around selinux rpms is vice versa:
- Only candlepin selinux handles the rules properly - using just %post in spec
- foreman-selinux, katello-selinux are only setting up rules upon rpm install but not upgrade - though using %post they are excluding upgrade case by specifying %posttrans additionally

I will try to prove this situation in a small manual test. Stay tuned...

Reassigning the component to SELinux
The new reproducer is just:

1. LEAPP upgrade Satellite 6.11
# leapp upgrade --reboot

2. Check for custom port definitions in foreman-selinux-enable and katello-selinux-enable scripts
# grep 'port -a' /usr/sbin/{foreman,katello}-selinux-enable
/usr/sbin/foreman-selinux-enable:    echo "port -a -t foreman_container_port_t -p tcp 2375" >> $TMP_EXEC_AFTER
/usr/sbin/foreman-selinux-enable:    echo "port -a -t foreman_container_port_t -p tcp 2376" >> $TMP_EXEC_AFTER
/usr/sbin/foreman-selinux-enable:    echo "port -a -t websm_port_t -p tcp 19090" >> $TMP_EXEC_AFTER
/usr/sbin/katello-selinux-enable:    echo "port -a -t katello_candlepin_port_t -p tcp 23443" >> $TMP

3. Check if these port definitions exist in the system
# semanage port -l | grep -e foreman_container_port_t -e foreman_container_port_t -e websm_port_t -e katello_candlepin_port_t
websm_port_t                   tcp      9090
websm_port_t                   udp      9090

>>> for katello-selinux and foreman-selinux none of them is present (websm_port_t is for different port number)
>>> for candlepin-selinux everything is ok
Here is a fix for SELinux leapp actors (they will try to import the customizations one by one in case the bulk import fails): https://github.com/oamg/leapp-repository/pull/925
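The failure mode in the description (one already-defined port aborting the whole bulk import, so katello_candlepin_port_t never lands) and the per-line fallback the linked fix describes can be reproduced offline. The following is an added example, not code from this bug report or from the leapp-repository project: it parses the `semanage export` and `semanage port -l` formats quoted above, runs them against a simulated all-or-nothing importer (FakeSemanage is a stand-in for the real `semanage import`, not the tool itself), and then retries line by line. The EXPORT_TEXT, PORT_LIST_TEXT and EXPECTED samples are constructed from the lines quoted in the report; missing_ports is a post-upgrade health check along the lines of the `semanage port -l | grep` step in the reproducer.

```python
"""Simulate the bulk-then-per-line SELinux customization import.

Added example: the backend below is a fake; it only mimics the behaviour
seen in the report (a duplicate port aborts the whole batch and nothing
from that batch is applied).
"""
import shlex

# Constructed: a subset of the "semanage export" dump quoted in the report.
EXPORT_TEXT = """\
boolean -m -1 httpd_can_network_connect
port -a -t foreman_container_port_t -r 's0' -p tcp 2375
port -a -t websm_port_t -r 's0' -p tcp 19090
port -a -t katello_candlepin_port_t -r 's0' -p tcp 23443
port -a -t candlepin_activemq_port_t -r 's0' -p tcp 61613
"""

# Constructed: `semanage port -l` on the upgraded host before the import runs.
# candlepin-selinux's %post has already defined tcp/61613.
PORT_LIST_TEXT = """\
SELinux Port Type              Proto    Port Number
candlepin_activemq_port_t      tcp      61613
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
websm_port_t                   tcp      9090
websm_port_t                   udp      9090
"""

# Constructed from the enable scripts quoted in the report.
EXPECTED = [
    ("foreman_container_port_t", "tcp", "2375"),
    ("websm_port_t", "tcp", "19090"),
    ("katello_candlepin_port_t", "tcp", "23443"),
]


def parse_port_list(text):
    """Parse `semanage port -l` output into {(proto, port): type}.

    A range such as "1024-65535" is kept as one string key rather than
    expanded, so large ranges do not blow up the dictionary.
    """
    defined = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3 or parts[0] == "SELinux":
            continue  # header or blank line
        setype, proto, ports = parts
        for port in ports.split(","):
            defined[(proto, port.strip())] = setype
    return defined


def parse_port_add(line):
    """Return (type, proto, port) for a `port -a ...` export line, else None."""
    argv = shlex.split(line)  # handles the quoted 's0' MLS range
    if argv[:2] != ["port", "-a"]:
        return None
    setype = argv[argv.index("-t") + 1]
    proto = argv[argv.index("-p") + 1]
    return setype, proto, argv[-1]


class FakeSemanage:
    """Simulated `semanage import`: validates every line first, applies all or nothing."""

    def __init__(self, port_list_text):
        self.ports = parse_port_list(port_list_text)

    def import_lines(self, lines):
        adds = [parse_port_add(line) for line in lines]
        for entry in adds:
            if entry and (entry[1], entry[2]) in self.ports:
                raise ValueError(f"Port {entry[1]}/{entry[2]} already defined")
        for entry in adds:  # only reached when every line passed validation
            if entry:
                self.ports[(entry[1], entry[2])] = entry[0]


def import_with_fallback(semanage, export_text):
    """Try the bulk import; if it fails, retry each line on its own.

    Returns (applied, failed) where failed is a list of (line, error) pairs,
    so one pre-existing definition no longer blocks the rest.
    """
    lines = [line for line in export_text.splitlines() if line.strip()]
    try:
        semanage.import_lines(lines)
        return lines, []
    except ValueError:
        pass
    applied, failed = [], []
    for line in lines:
        try:
            semanage.import_lines([line])
            applied.append(line)
        except ValueError as err:
            failed.append((line, str(err)))
    return applied, failed


def missing_ports(expected, semanage):
    """Health check: expected (type, proto, port) triples absent or mislabelled."""
    return [e for e in expected if semanage.ports.get((e[1], e[2])) != e[0]]


if __name__ == "__main__":
    sm = FakeSemanage(PORT_LIST_TEXT)
    try:
        sm.import_lines([line for line in EXPORT_TEXT.splitlines() if line.strip()])
    except ValueError as err:
        print("bulk import failed:", err)
    print("missing after bulk:", missing_ports(EXPECTED, sm))
    applied, failed = import_with_fallback(sm, EXPORT_TEXT)
    print("applied:", len(applied), "failed:", failed)
    print("missing after fallback:", missing_ports(EXPECTED, sm))
```

Running it shows all three expected ports still missing after the bulk attempt, then only the tcp/61613 line left in `failed` after the fallback, with katello_candlepin_port_t tcp/23443 present. On a real host the same check is `semanage port -l | grep katello_candlepin_port_t` after the upgrade, and the per-line retry is the behaviour the linked pull request adds to the leapp actors.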
VERIFIED.

@Satellite 6.12.0 Snap10
foreman-selinux-3.3.0-2.el8sat.noarch
katello-selinux-4.0.2-2.el8sat.noarch

SanityOnly. There is no LEAPP upgrade possible for 6.12 which is el8 only. At least I verify the same change set went in.

REPRO:
# rpm -q --scripts foreman-selinux katello-selinux | grep -B2 '-selinux-enable'
if /usr/sbin/selinuxenabled; then
    # install and upgrade
    /usr/sbin/foreman-selinux-enable
--
if /usr/sbin/selinuxenabled; then
    # install and upgrade
    /usr/sbin/katello-selinux-enable

vs.

FIX:
# rpm -q --scripts foreman-selinux katello-selinux | grep -B2 '-selinux-enable'
postinstall scriptlet (using /bin/sh):
# install and upgrade
/usr/sbin/foreman-selinux-enable
--
postinstall scriptlet (using /bin/sh):
# install and upgrade
/usr/sbin/katello-selinux-enable

>>> foreman-selinux-enable and katello-selinux-enable scripts are now run unconditionally (selinuxenabled check was removed)
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Important: Satellite 6.12 Release), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:8506