Bug 848948 - katello-selinux package fails to install selinux module; katello-configure fails with selinux enabled
Product: Red Hat Satellite 6
Classification: Red Hat
Component: SELinux
Hardware: All Linux
Priority: unspecified
Severity: high
Assigned To: Lukas Zapletal
QA Contact: Katello QA List
Keywords: Triaged
Reported: 2012-08-16 18:24 EDT by Vinny Valdez
Modified: 2014-09-18 11:32 EDT
Doc Type: Bug Fix
Last Closed: 2012-08-17 10:47:08 EDT
Type: Bug

Attachments
log of AVC denials from /var/log/audit/audit.log with selinux disabled during katello-configure (13.50 KB, application/octet-stream)
2012-08-16 18:24 EDT, Vinny Valdez

Description Vinny Valdez 2012-08-16 18:24:50 EDT
Created attachment 605036
log of AVC denials from /var/log/audit/audit.log with selinux disabled during katello-configure

Description of problem:
katello-selinux error during install and katello-configure fails with selinux enabled.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install F16 GA
2. yum install http://fedorapeople.org/groups/katello/releases/yum/1.0/Fedora/16/x86_64/katello-repos-latest.rpm
3. yum install katello-all
4. katello-configure
Actual results:
During package install, the following error occurs:
  Installing : katello-selinux-1.0.1-1.fc16.noarch                                              278/311 
libsepol.policydb_read: policydb module version 14 does not match my version range 4-13 (No such file or directory).
libsepol.sepol_module_package_read: invalid module in module package (at section 0) (No such file or directory).
libsemanage.semanage_load_module: Error while reading from module file /etc/selinux/targeted/modules/tmp/modules/katello.pp. (No such file or directory).

During katello-configure if selinux is enabled the following error occurs:
err: /Stage[main]/Candlepin::Service/Exec[cpinit]/returns: change from notrun to 0 failed: /usr/bin/wget --timeout=30 --tries=5 --retry-connrefused -qO- http://localhost:8080/candlepin/admin/init >/var/log/katello/katello-configure/cpinit.log 2>&1 && touch /var/lib/katello/cpinit_done returned 8 instead of one of [0] at /usr/share/katello/install/puppet/modules/candlepin/manifests/service.pp:20

The AVC denial from /var/log/audit/audit.log is:
type=AVC msg=audit(1345171049.462:203): avc:  denied  { read } for  pid=30271 comm="httpd" name="webservices.wsgi" dev=dm-0 ino=1053152 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1345171049.462:203): arch=c000003e syscall=2 success=no exit=-13 a0=7fa590719af8 a1=0 a2=1b6 a3=238 items=0 ppid=30270 pid=30271 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

Expected results:
katello-selinux should load the correct module katello.pp; it seems to be looking in /etc/selinux/targeted/modules/tmp/modules/katello.pp

Additional info:
A log of AVC denials will be attached. katello-configure works if a policy module is generated with audit2allow -M katello and loaded.
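
Added example, not part of the original report: before loading a module generated with audit2allow as a workaround, the logged denials can be grouped to see which allow rules that module would need. The parser and its function names are written for illustration; the first sample record is the denial quoted above and the remaining sample records are constructed.

```python
import re
from collections import defaultdict

# Sample input. Record 1 is the AVC denial quoted in the report; the SYSCALL
# line is shortened and record 3 is constructed to show how denials group.
SAMPLE = '''type=AVC msg=audit(1345171049.462:203): avc:  denied  { read } for  pid=30271 comm="httpd" name="webservices.wsgi" dev=dm-0 ino=1053152 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1345171049.462:203): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1345171050.101:204): avc:  denied  { read open } for  pid=30271 comm="httpd" name="webservices.wsgi" dev=dm-0 ino=1053152 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
'''

AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
NAME_RE = re.compile(r'\bname="([^"]*)"')

def selinux_type(context):
    """Return the type field (third) of a user:role:type[:level] context."""
    return context.split(':')[2]

def summarize_denials(log_text):
    """Group AVC denials by (source type, target type, object class)."""
    summary = defaultdict(lambda: {"perms": set(), "names": set()})
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue  # SYSCALL and other record types are skipped
        key = (selinux_type(m['scontext']), selinux_type(m['tcontext']), m['tclass'])
        summary[key]["perms"].update(m['perms'].split())
        name = NAME_RE.search(line)
        if name:
            summary[key]["names"].add(name.group(1))
    return dict(summary)

def as_allow_rules(summary):
    """Render each group as the allow rule a generated module would need."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(v['perms']))} }};"
            for (s, t, c), v in sorted(summary.items())]

if __name__ == "__main__":
    for rule in as_allow_rules(summarize_denials(SAMPLE)):
        print(rule)
```

A rule such as `allow httpd_t var_t:file` covers every file labeled var_t, not only webservices.wsgi, which is worth checking before a generated module is loaded.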
Comment 1 Lukas Zapletal 2012-08-17 10:47:08 EDT
It's a bug in Fedora 16 that has already been fixed. Update SELinux in Fedora 16 and you will be fine. Fedora 17 is already fixed (we are still not there yet).

There is a note on the https://fedorahosted.org/katello/wiki/Install page.

Please note this is a regression since we changed our build root and koji builds are now built on RHELs. We were using Fedoras for that. That is the reason why the bug was not showing.
