893065 – vdsm package can not be installed on RHEL 6.4 if selinux disabled.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 893065 - vdsm package can not be installed on RHEL 6.4 if selinux disabled.

Summary: vdsm package can not be installed on RHEL 6.4 if selinux disabled.

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	policycoreutils
Sub Component:
Version:	6.4
Hardware:	Unspecified
OS:	Linux
Priority:	urgent
Severity:	urgent
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	Michal Trunecka
Docs Contact:
URL:
Whiteboard:	infra
Duplicates (1):	892316 (view as bug list)
Depends On:
Blocks:	862738 902691
TreeView+	depends on / blocked

Reported:	2013-01-08 14:11 UTC by Leonid Natapov
Modified:	2014-09-30 23:34 UTC (History)
CC List:	20 users (show)
Fixed In Version:	policycoreutils-2.0.83-19.30.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-02-21 10:15:43 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
seobject.py patch (4.52 KB, patch) 2013-01-16 10:07 UTC, Miroslav Grepl	no flags	Details \| Diff
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2013:0396	0	normal	SHIPPED_LIVE	policycoreutils bug fix and enhancement update	2013-02-20 20:51:18 UTC

Description Leonid Natapov 2013-01-08 14:11:28 UTC

vdsm package can not be installed on RHEL 6.4 if selinux disabled.
Was trying to install vdsm package while testing preintegration ticket https://engineering.redhat.com/trac/preint/ticket/847

cli,python and xmlrpc packages were installed without problem but vdsm package failed to install.

The host was with all current updates.

Here is the console output:

[root@purple-vds2 yum.repos.d]# rpm -i http://file.rdu.redhat.com/~fsimonce/vdsm-gitc4e61b9.el6/vdsm-4.10.2-3.0.5.gitc4e61b9.el6.x86_64.rpm
Traceback (most recent call last):
  File "/usr/bin/vdsm-tool", line 143, in <module>
    sys.exit(main())
  File "/usr/bin/vdsm-tool", line 125, in main
    load_modules()
  File "/usr/bin/vdsm-tool", line 74, in load_modules
    module = imp.load_module(mod_name, mod_fobj, mod_absp, mod_desc)
  File "/usr/lib64/python2.6/site-packages/vdsm/tool/seboolsetup.py", line 21, in <module>
    import seobject
  File "/usr/lib64/python2.6/site-packages/seobject.py", line 952, in <module>
    class portRecords(semanageRecords):
  File "/usr/lib64/python2.6/site-packages/seobject.py", line 953, in portRecords
    valid_types =  setools.seinfo(setools.ATTRIBUTE,"port_type")[0]["types"]
  File "/usr/lib64/python2.6/site-packages/setools/__init__.py", line 49, in seinfo
    dict_list = _seinfo.seinfo(setype, name)
RuntimeError: No default policy found.
Traceback (most recent call last):
  File "/usr/bin/vdsm-tool", line 143, in <module>
    sys.exit(main())
  File "/usr/bin/vdsm-tool", line 125, in main
    load_modules()
  File "/usr/bin/vdsm-tool", line 74, in load_modules
    module = imp.load_module(mod_name, mod_fobj, mod_absp, mod_desc)
  File "/usr/lib64/python2.6/site-packages/vdsm/tool/seboolsetup.py", line 21, in <module>
    import seobject
  File "/usr/lib64/python2.6/site-packages/seobject.py", line 952, in <module>
    class portRecords(semanageRecords):
  File "/usr/lib64/python2.6/site-packages/seobject.py", line 953, in portRecords
    valid_types =  setools.seinfo(setools.ATTRIBUTE,"port_type")[0]["types"]
  File "/usr/lib64/python2.6/site-packages/setools/__init__.py", line 49, in seinfo
    dict_list = _seinfo.seinfo(setype, name)
RuntimeError: No default policy found.

Comment 2 Federico Simoncelli 2013-01-08 15:54:29 UTC

According to dwalsh we should catch the exception:

  File "/usr/lib64/python2.6/site-packages/vdsm/tool/seboolsetup.py", line 21, in <module>
    import seobject
  File "/usr/lib64/python2.6/site-packages/seobject.py", line 952, in <module>
    class portRecords(semanageRecords):
  File "/usr/lib64/python2.6/site-packages/seobject.py", line 953, in portRecords
    valid_types =  setools.seinfo(setools.ATTRIBUTE,"port_type")[0]["types"]
  File "/usr/lib64/python2.6/site-packages/setools/__init__.py", line 49, in seinfo
    dict_list = _seinfo.seinfo(setype, name)
RuntimeError: No default policy found.

Dan we probably want this ASAP.

Comment 3 Daniel Walsh 2013-01-08 22:20:44 UTC

What exactly are you doing with seobject?

Comment 4 Douglas Schilling Landgraf 2013-01-09 03:14:01 UTC

*** Bug 892316 has been marked as a duplicate of this bug. ***

Comment 5 Douglas Schilling Landgraf 2013-01-09 03:29:12 UTC

Here the code:
==================

import seobject

<snip>
def setup_booleans(status):
    sebool_obj = seobject.booleanRecords()
    sebool_status = sebool_obj.get_all()

    sebool_obj.start()

    for sebool_variable in VDSM_SEBOOL_LIST:
        if status and not all(sebool_status[sebool_variable]):
            sebool_obj.modify(sebool_variable, SEBOOL_ENABLED)

        if not status and any(sebool_status[sebool_variable]):
            sebool_obj.modify(sebool_variable, SEBOOL_DISABLED)

    sebool_obj.finish()
</snip>


=============
# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 6.4 Beta (Santiago)

# rpm -qa | grep -i selinux
libselinux-2.0.94-5.3.el6.x86_64
libselinux-devel-2.0.94-5.3.el6.x86_64
selinux-policy-3.7.19-191.el6.noarch
selinux-policy-targeted-3.7.19-191.el6.noarch
libselinux-python-2.0.94-5.3.el6.x86_64
libselinux-utils-2.0.94-5.3.el6.x86_64

# getenforce 
Disabled

# python -c 'import seobject'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib64/python2.6/site-packages/seobject.py", line 952, in <module>
    class portRecords(semanageRecords):
  File "/usr/lib64/python2.6/site-packages/seobject.py", line 953, in portRecords
    valid_types =  setools.seinfo(setools.ATTRIBUTE,"port_type")[0]["types"]	
  File "/usr/lib64/python2.6/site-packages/setools/__init__.py", line 49, in seinfo
    dict_list = _seinfo.seinfo(setype, name)
RuntimeError: No default policy found.

Comment 6 Douglas Schilling Landgraf 2013-01-09 11:47:40 UTC

Hi Daniel,

I cannot see such Traceback on RHEL6.3 or F18, the same test importing seobject:

# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 6.3 Beta (Santiago)

# rpm -qa | grep selinux
libselinux-2.0.94-5.3.el6.x86_64
selinux-policy-targeted-3.7.19-139.el6.noarch
selinux-policy-3.7.19-139.el6.noarch
libselinux-python-2.0.94-5.3.el6.x86_64
libselinux-utils-2.0.94-5.3.el6.x86_64

# getenforce 
Disabled

# python -c 'import seobject'

=======================================================


# cat /etc/redhat-release 
Fedora release 17 (Beefy Miracle)

# rpm -qa | grep -i selinux
selinux-policy-3.10.0-149.fc17.noarch
libselinux-2.1.10-3.fc17.x86_64
selinux-policy-targeted-3.10.0-149.fc17.noarch
selinux-policy-devel-3.10.0-149.fc17.noarch
libselinux-python-2.1.10-3.fc17.x86_64
libselinux-utils-2.1.10-3.fc17.x86_64

# python -c 'import seobject'
#

=================================

Thanks!

Comment 7 Douglas Schilling Landgraf 2013-01-09 13:09:37 UTC

Additional info:

I see the same error for semanage on RHEL 6.4 (not happened on RHEL6.3)

# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 6.4 Beta (Santiago)

# getenforce 
Disabled

# semanage 
Traceback (most recent call last):
  File "/usr/sbin/semanage", line 25, in <module>
    import seobject
  File "/usr/lib64/python2.6/site-packages/seobject.py", line 952, in <module>
    class portRecords(semanageRecords):
  File "/usr/lib64/python2.6/site-packages/seobject.py", line 953, in portRecords
    valid_types =  setools.seinfo(setools.ATTRIBUTE,"port_type")[0]["types"]	
  File "/usr/lib64/python2.6/site-packages/setools/__init__.py", line 49, in seinfo
    dict_list = _seinfo.seinfo(setype, name)
RuntimeError: No default policy found.

Comment 8 Daniel Walsh 2013-01-09 14:52:11 UTC

Yes I would say this is a bug in semanage also, and I have changed F18 to only throw an exception if selinux is enabled.  But I am not sure of what the proper way to handle this since the other lines would blow up on you if SELinux is disabled also.

Do you do your code during installation?

What booleans are you turning on?

Comment 9 Douglas Schilling Landgraf 2013-01-09 15:36:24 UTC

Hi Daniel,

I see the point, we call the tool in the spec file.

Booleans:
===============
VDSM_SEBOOL_LIST = [
    "virt_use_fusefs",
    "virt_use_nfs",
    "virt_use_samba",
    "virt_use_sanlock",
    "sanlock_use_fusefs",
    "sanlock_use_nfs",
    "sanlock_use_samba",
]


Well, we could do patch the tool as below, is it the way to go Daniel?

diff --git a/vdsm-tool/seboolsetup.py b/vdsm-tool/seboolsetup.py
index 437da68..48184dc 100644
--- a/vdsm-tool/seboolsetup.py
+++ b/vdsm-tool/seboolsetup.py
@@ -18,7 +18,12 @@
 # Refer to the README and COPYING files for full details of the license
 #
 
-import seobject
+try:
+    import seobject
+    _selinuxEnabled = True
+except RuntimeError:
+    _selinuxEnabled = False
+
 from vdsm.tool import expose
 
 SEBOOL_ENABLED = "on"
@@ -36,19 +41,21 @@ VDSM_SEBOOL_LIST = [
 
 
 def setup_booleans(status):
-    sebool_obj = seobject.booleanRecords()
-    sebool_status = sebool_obj.get_all()
 
-    sebool_obj.start()
+    if _selinuxEnabled:
+        sebool_obj = seobject.booleanRecords()
+        sebool_status = sebool_obj.get_all()
+
+        sebool_obj.start()
 
-    for sebool_variable in VDSM_SEBOOL_LIST:
-        if status and not all(sebool_status[sebool_variable]):
-            sebool_obj.modify(sebool_variable, SEBOOL_ENABLED)
+        for sebool_variable in VDSM_SEBOOL_LIST:
+            if status and not all(sebool_status[sebool_variable]):
+                sebool_obj.modify(sebool_variable, SEBOOL_ENABLED)
 
-        if not status and any(sebool_status[sebool_variable]):
-            sebool_obj.modify(sebool_variable, SEBOOL_DISABLED)
+            if not status and any(sebool_status[sebool_variable]):
+                sebool_obj.modify(sebool_variable, SEBOOL_DISABLED)
 
-    sebool_obj.finish()
+        sebool_obj.finish()
 
 


Thanks!

Comment 10 Daniel Walsh 2013-01-09 15:39:54 UTC

Why not?

def setup_booleans(status):
    import seobject
    sebool_obj = seobject.booleanRecords()
    sebool_status = sebool_obj.get_all()

    sebool_obj.start()

    for sebool_variable in VDSM_SEBOOL_LIST:
        if status and not all(sebool_status[sebool_variable]):
            sebool_obj.modify(sebool_variable, SEBOOL_ENABLED)

        if not status and any(sebool_status[sebool_variable]):
            sebool_obj.modify(sebool_variable, SEBOOL_DISABLED)

    sebool_obj.finish()

...

try:
    setup_booleans(status)
except ValueError, e:
    if selinux.is_selinux_enabled() == 1:
          raise e

Comment 11 Douglas Schilling Landgraf 2013-01-10 01:57:47 UTC

Hi Daniel,

Thanks for your patch suggestion but it's showing the exception of importing seobject anyway. Any other idea? I have tested the comment #9 and it worked at least.

Comment 12 Douglas Schilling Landgraf 2013-01-10 19:42:52 UTC

Hi Daniel,

   New try and I got a patch that fit, thanks for your help. 
Patch available upstream for review: http://gerrit.ovirt.org/#/c/10892/

Comment 13 Douglas Schilling Landgraf 2013-01-14 19:49:15 UTC

As we talked with Daniel today, /me moving the bugzilla to selinux component. 
They are going to implement a similar patch into policycoreutils-python.

Comment 14 Daniel Walsh 2013-01-15 17:05:58 UTC

We will fix policycoreutils in 6.5.

Comment 15 Ayal Baron 2013-01-15 20:48:18 UTC

We cannot wait for 6.5, this is a vdsm blocker on RHEL 6.4 (for RHEV 3.1).
Afaiu, any customer installing new hosts will not be able to work.

Comment 16 Daniel Walsh 2013-01-15 20:59:17 UTC

My understanding was that vdsm was going to fix the problem for now, and then we would update policycoreutils in the next release.

Comment 17 Douglas Schilling Landgraf 2013-01-15 21:07:20 UTC

Hi Daniel,

  The patch received nack on review in upstream, that's why I moved to policycoreutils component. Sorry if I couldn't make it clear to you.

Thanks
Douglas

Comment 18 Federico Simoncelli 2013-01-15 21:10:37 UTC

(In reply to comment #16)
> My understanding was that vdsm was going to fix the problem for now, and
> then we would update policycoreutils in the next release.

There is no way to fix this on the vdsm side without losing a functionality. We need to set the policies also when selinux is disabled. Correct me if I'm wrong but this looks like a regression (on 6.3 it's working).

Comment 19 Miroslav Grepl 2013-01-16 10:07:20 UTC

Created attachment 679453 [details]
seobject.py patch

Dan,
i have found the problem. Basically it is caused by 

valid_types =  setools.seinfo(setools.ATTRIBUTE,"port_type")[0]["types"]

which we added to solve another bug in RHEL6.4.

I attached the patch which solves the problem in policycoreutils for now.

Comment 20 RHEL Program Management 2013-01-16 11:43:58 UTC

This request was evaluated by Red Hat Product Management for
inclusion in a Red Hat Enterprise Linux release.  Product
Management has requested further review of this request by
Red Hat Engineering, for potential inclusion in a Red Hat
Enterprise Linux release for currently deployed products.
This request is not yet committed for inclusion in a release.

Comment 22 Miroslav Grepl 2013-01-16 14:20:15 UTC

Fixed in policycoreutils-2.0.83-19.30.el6

Comment 25 Leonid Natapov 2013-01-21 14:43:49 UTC

Kerel, yes. you can find me on IRC under nickname Lesik.

Comment 26 Michal Trunecka 2013-01-22 14:19:22 UTC

Leonid, could you please try to install the vdsm package with the fixed version of policycoreutils? We have an automated regression test which checks the issue which was fixed and it seems to be ok, but I would like to ensure there is no other issue.

Comment 29 errata-xmlrpc 2013-02-21 10:15:43 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0396.html

Note You need to log in before you can comment on or make changes to this bug.

abaron
asegundo
bazulay
cpelland
dougsland
dwalsh
ebenes
fsimonce
idith
iheim
italkohe
ksrot
lpeer
mgrepl
mmalik
mtruneck
ohochman
tlavigne
ven.patnala
ykaul