Bug 848948 - katello-selinux package fails to install selinux module; katello-configure fails with selinux enabled
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: SELinux
Version: 6.0.0
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: Unspecified
Assignee: Lukas Zapletal
QA Contact: Katello QA List
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-08-16 22:24 UTC by Vinny Valdez
Modified: 2014-09-18 15:32 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-08-17 14:47:08 UTC
Target Upstream Version:
Embargoed:


Attachments
log of AVC denials from /var/log/audit/audit.log with selinux disabled during katello-configure (13.50 KB, application/octet-stream)
2012-08-16 22:24 UTC, Vinny Valdez

Description Vinny Valdez 2012-08-16 22:24:50 UTC
Created attachment 605036
log of AVC denials from /var/log/audit/audit.log with selinux disabled during katello-configure

Description of problem:
katello-selinux error during install and katello-configure fails with selinux enabled.

Version-Release number of selected component (if applicable):
katello-1.0.4-1.fc16.noarch
katello-all-1.0.4-1.fc16.noarch
katello-cli-common-1.0.1-1.fc16.noarch
katello-configure-1.0.1-1.fc16.noarch
katello-common-1.0.4-1.fc16.noarch
katello-selinux-1.0.1-1.fc16.noarch

How reproducible:
Every time

Steps to Reproduce:
1. Install F16 GA
2. yum install http://fedorapeople.org/groups/katello/releases/yum/1.0/Fedora/16/x86_64/katello-repos-latest.rpm
3. yum install katello-all
4. katello-configure
  
Actual results:
During package install, the following error occurs:
  Installing : katello-selinux-1.0.1-1.fc16.noarch                                              278/311 
libsepol.policydb_read: policydb module version 14 does not match my version range 4-13 (No such file or directory).
libsepol.sepol_module_package_read: invalid module in module package (at section 0) (No such file or directory).
libsemanage.semanage_load_module: Error while reading from module file /etc/selinux/targeted/modules/tmp/modules/katello.pp. (No such file or directory).

During katello-configure if selinux is enabled the following error occurs:
err: /Stage[main]/Candlepin::Service/Exec[cpinit]/returns: change from notrun to 0 failed: /usr/bin/wget --timeout=30 --tries=5 --retry-connrefused -qO- http://localhost:8080/candlepin/admin/init >/var/log/katello/katello-configure/cpinit.log 2>&1 && touch /var/lib/katello/cpinit_done returned 8 instead of one of [0] at /usr/share/katello/install/puppet/modules/candlepin/manifests/service.pp:20

The AVC denial from /var/log/audit/audit.log is:
type=AVC msg=audit(1345171049.462:203): avc:  denied  { read } for  pid=30271 comm="httpd" name="webservices.wsgi" dev=dm-0 ino=1053152 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1345171049.462:203): arch=c000003e syscall=2 success=no exit=-13 a0=7fa590719af8 a1=0 a2=1b6 a3=238 items=0 ppid=30270 pid=30271 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

Expected results:
katello-selinux should load the correct module katello.pp; it seems to be looking in /etc/selinux/targeted/modules/tmp/modules/katello.pp

Additional info:
A log of AVC denials will be attached. katello-configure works if a policy module is generated with audit2allow -M katello and loaded.
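
The denial quoted in the report shows httpd_t refused read access to a file labelled var_t. As an added example (not part of the original report or of the Katello project), the script below groups AVC records from an audit log by source type, target type and object class, and flags targets that carry a generic type, where correcting the file label is usually a narrower fix than loading an audit2allow-generated module. The second AVC line, the abridged SYSCALL line and the GENERIC_TYPES list are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC record quoted in the report, an abridged SYSCALL
# line, and one made-up second denial to exercise grouping and filtering.
SAMPLE_LOG = """\
type=AVC msg=audit(1345171049.462:203): avc:  denied  { read } for  pid=30271 comm="httpd" name="webservices.wsgi" dev=dm-0 ino=1053152 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1345171049.462:203): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1345171050.100:204): avc:  denied  { read open } for  pid=30272 comm="httpd" name="webservices.wsgi" dev=dm-0 ino=1053152 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
"""

AVC_RE = re.compile(r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption: illustrative list of catch-all types that suggest a missing label.
GENERIC_TYPES = {"var_t", "default_t", "file_t", "unlabeled_t"}

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {
        "perms": set(m.group("perms").split()),
        "name": fields.get("name", "?"),
        # SELinux context layout is user:role:type:level; keep only the type.
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }

def summarize(log_text):
    """Merge denials that share (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "names": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["source"], rec["target"], rec["tclass"])]
        g["perms"] |= rec["perms"]
        g["names"].add(rec["name"])
    return [{"source": s, "target": t, "tclass": c,
             "perms": sorted(g["perms"]), "names": sorted(g["names"]),
             "generic_target": t in GENERIC_TYPES}
            for (s, t, c), g in sorted(groups.items())]

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```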

Comment 1 Lukas Zapletal 2012-08-17 14:47:08 UTC
It's a bug in Fedora 16 that has already been fixed. Update SELinux in Fedora 16 and you will be fine. Fedora 17 is already fixed (we are still not there yet).

There is a note on the https://fedorahosted.org/katello/wiki/Install page.

Please note this is a regression since we changed our build root and koji builds are now built on RHELs. We were using Fedoras for that. That is the reason why the bug was not showing.

