Bug 893065 - vdsm package can not be installed on RHEL 6.4 if selinux disabled.
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: policycoreutils
Version: 6.4
Hardware: Unspecified
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Assigned To: Miroslav Grepl
QA Contact: Michal Trunecka
Whiteboard: infra
Keywords: Regression
Duplicates: 892316
Blocks: 862738 902691

Reported: 2013-01-08 09:11 EST by Leonid Natapov
Modified: 2014-09-30 19:34 EDT
Fixed In Version: policycoreutils-2.0.83-19.30.el6
Doc Type: Bug Fix
Last Closed: 2013-02-21 05:15:43 EST
Type: Bug
Attachments: seobject.py patch (4.52 KB, patch), 2013-01-16 05:07 EST, Miroslav Grepl

Description Leonid Natapov 2013-01-08 09:11:28 EST
vdsm package can not be installed on RHEL 6.4 if selinux disabled.
Was trying to install vdsm package while testing preintegration ticket https://engineering.redhat.com/trac/preint/ticket/847

cli, python and xmlrpc packages were installed without problem but vdsm package failed to install.

The host was with all current updates.

Here is the console output:

[root@purple-vds2 yum.repos.d]# rpm -i http://file.rdu.redhat.com/~fsimonce/vdsm-gitc4e61b9.el6/vdsm-4.10.2-3.0.5.gitc4e61b9.el6.x86_64.rpm
Traceback (most recent call last):
  File "/usr/bin/vdsm-tool", line 143, in <module>
    sys.exit(main())
  File "/usr/bin/vdsm-tool", line 125, in main
    load_modules()
  File "/usr/bin/vdsm-tool", line 74, in load_modules
    module = imp.load_module(mod_name, mod_fobj, mod_absp, mod_desc)
  File "/usr/lib64/python2.6/site-packages/vdsm/tool/seboolsetup.py", line 21, in <module>
    import seobject
  File "/usr/lib64/python2.6/site-packages/seobject.py", line 952, in <module>
    class portRecords(semanageRecords):
  File "/usr/lib64/python2.6/site-packages/seobject.py", line 953, in portRecords
    valid_types =  setools.seinfo(setools.ATTRIBUTE,"port_type")[0]["types"]
  File "/usr/lib64/python2.6/site-packages/setools/__init__.py", line 49, in seinfo
    dict_list = _seinfo.seinfo(setype, name)
RuntimeError: No default policy found.
Traceback (most recent call last):
  File "/usr/bin/vdsm-tool", line 143, in <module>
    sys.exit(main())
  File "/usr/bin/vdsm-tool", line 125, in main
    load_modules()
  File "/usr/bin/vdsm-tool", line 74, in load_modules
    module = imp.load_module(mod_name, mod_fobj, mod_absp, mod_desc)
  File "/usr/lib64/python2.6/site-packages/vdsm/tool/seboolsetup.py", line 21, in <module>
    import seobject
  File "/usr/lib64/python2.6/site-packages/seobject.py", line 952, in <module>
    class portRecords(semanageRecords):
  File "/usr/lib64/python2.6/site-packages/seobject.py", line 953, in portRecords
    valid_types =  setools.seinfo(setools.ATTRIBUTE,"port_type")[0]["types"]
  File "/usr/lib64/python2.6/site-packages/setools/__init__.py", line 49, in seinfo
    dict_list = _seinfo.seinfo(setype, name)
RuntimeError: No default policy found.
Comment 2 Federico Simoncelli 2013-01-08 10:54:29 EST
According to dwalsh we should catch the exception:

  File "/usr/lib64/python2.6/site-packages/vdsm/tool/seboolsetup.py", line 21, in <module>
    import seobject
  File "/usr/lib64/python2.6/site-packages/seobject.py", line 952, in <module>
    class portRecords(semanageRecords):
  File "/usr/lib64/python2.6/site-packages/seobject.py", line 953, in portRecords
    valid_types =  setools.seinfo(setools.ATTRIBUTE,"port_type")[0]["types"]
  File "/usr/lib64/python2.6/site-packages/setools/__init__.py", line 49, in seinfo
    dict_list = _seinfo.seinfo(setype, name)
RuntimeError: No default policy found.

Dan, we probably want this ASAP.
Comment 3 Daniel Walsh 2013-01-08 17:20:44 EST
What exactly are you doing with seobject?
Comment 4 Douglas Schilling Landgraf 2013-01-08 22:14:01 EST
*** Bug 892316 has been marked as a duplicate of this bug. ***
Comment 5 Douglas Schilling Landgraf 2013-01-08 22:29:12 EST
Here is the code:
==================

import seobject

<snip>
def setup_booleans(status):
    sebool_obj = seobject.booleanRecords()
    sebool_status = sebool_obj.get_all()

    sebool_obj.start()

    for sebool_variable in VDSM_SEBOOL_LIST:
        if status and not all(sebool_status[sebool_variable]):
            sebool_obj.modify(sebool_variable, SEBOOL_ENABLED)

        if not status and any(sebool_status[sebool_variable]):
            sebool_obj.modify(sebool_variable, SEBOOL_DISABLED)

    sebool_obj.finish()
</snip>


=============
# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 6.4 Beta (Santiago)

# rpm -qa | grep -i selinux
libselinux-2.0.94-5.3.el6.x86_64
libselinux-devel-2.0.94-5.3.el6.x86_64
selinux-policy-3.7.19-191.el6.noarch
selinux-policy-targeted-3.7.19-191.el6.noarch
libselinux-python-2.0.94-5.3.el6.x86_64
libselinux-utils-2.0.94-5.3.el6.x86_64

# getenforce 
Disabled

# python -c 'import seobject'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib64/python2.6/site-packages/seobject.py", line 952, in <module>
    class portRecords(semanageRecords):
  File "/usr/lib64/python2.6/site-packages/seobject.py", line 953, in portRecords
    valid_types =  setools.seinfo(setools.ATTRIBUTE,"port_type")[0]["types"]	
  File "/usr/lib64/python2.6/site-packages/setools/__init__.py", line 49, in seinfo
    dict_list = _seinfo.seinfo(setype, name)
RuntimeError: No default policy found.
Comment 6 Douglas Schilling Landgraf 2013-01-09 06:47:40 EST
Hi Daniel,

I cannot see such a traceback on RHEL 6.3 or F18 with the same test importing seobject:

# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 6.3 Beta (Santiago)

# rpm -qa | grep selinux
libselinux-2.0.94-5.3.el6.x86_64
selinux-policy-targeted-3.7.19-139.el6.noarch
selinux-policy-3.7.19-139.el6.noarch
libselinux-python-2.0.94-5.3.el6.x86_64
libselinux-utils-2.0.94-5.3.el6.x86_64

# getenforce 
Disabled

# python -c 'import seobject'

=======================================================


# cat /etc/redhat-release 
Fedora release 17 (Beefy Miracle)

# rpm -qa | grep -i selinux
selinux-policy-3.10.0-149.fc17.noarch
libselinux-2.1.10-3.fc17.x86_64
selinux-policy-targeted-3.10.0-149.fc17.noarch
selinux-policy-devel-3.10.0-149.fc17.noarch
libselinux-python-2.1.10-3.fc17.x86_64
libselinux-utils-2.1.10-3.fc17.x86_64

# python -c 'import seobject'
#

=================================

Thanks!
Comment 7 Douglas Schilling Landgraf 2013-01-09 08:09:37 EST
Additional info:

I see the same error for semanage on RHEL 6.4 (it did not happen on RHEL 6.3)

# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 6.4 Beta (Santiago)

# getenforce 
Disabled

# semanage 
Traceback (most recent call last):
  File "/usr/sbin/semanage", line 25, in <module>
    import seobject
  File "/usr/lib64/python2.6/site-packages/seobject.py", line 952, in <module>
    class portRecords(semanageRecords):
  File "/usr/lib64/python2.6/site-packages/seobject.py", line 953, in portRecords
    valid_types =  setools.seinfo(setools.ATTRIBUTE,"port_type")[0]["types"]	
  File "/usr/lib64/python2.6/site-packages/setools/__init__.py", line 49, in seinfo
    dict_list = _seinfo.seinfo(setype, name)
RuntimeError: No default policy found.
Comment 8 Daniel Walsh 2013-01-09 09:52:11 EST
Yes, I would say this is a bug in semanage also, and I have changed F18 to only throw an exception if selinux is enabled.  But I am not sure what the proper way to handle this is, since the other lines would blow up on you if SELinux is disabled also.

Do you do your code during installation?

What booleans are you turning on?
Comment 9 Douglas Schilling Landgraf 2013-01-09 10:36:24 EST
Hi Daniel,

I see the point, we call the tool in the spec file.

Booleans:
===============
VDSM_SEBOOL_LIST = [
    "virt_use_fusefs",
    "virt_use_nfs",
    "virt_use_samba",
    "virt_use_sanlock",
    "sanlock_use_fusefs",
    "sanlock_use_nfs",
    "sanlock_use_samba",
]


Well, we could patch the tool as below; is that the way to go, Daniel?

diff --git a/vdsm-tool/seboolsetup.py b/vdsm-tool/seboolsetup.py
index 437da68..48184dc 100644
--- a/vdsm-tool/seboolsetup.py
+++ b/vdsm-tool/seboolsetup.py
@@ -18,7 +18,12 @@
 # Refer to the README and COPYING files for full details of the license
 #
 
-import seobject
+try:
+    import seobject
+    _selinuxEnabled = True
+except RuntimeError:
+    _selinuxEnabled = False
+
 from vdsm.tool import expose
 
 SEBOOL_ENABLED = "on"
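Review bot: the `except RuntimeError:` around `import seobject` treats every RuntimeError raised during the import as "SELinux is disabled" and records that in `_selinuxEnabled`, so a host where SELinux is enabled but the policy is missing or broken would skip boolean setup without any error. Confirm the state in the handler, for example re-raise unless `selinux.is_selinux_enabled()` reports disabled, and consider a name such as `_seobjectAvailable`, since the flag reflects whether the import worked rather than the SELinux mode.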
@@ -36,19 +41,21 @@ VDSM_SEBOOL_LIST = [
 
 
 def setup_booleans(status):
-    sebool_obj = seobject.booleanRecords()
-    sebool_status = sebool_obj.get_all()
 
-    sebool_obj.start()
+    if _selinuxEnabled:
+        sebool_obj = seobject.booleanRecords()
+        sebool_status = sebool_obj.get_all()
+
+        sebool_obj.start()
 
-    for sebool_variable in VDSM_SEBOOL_LIST:
-        if status and not all(sebool_status[sebool_variable]):
-            sebool_obj.modify(sebool_variable, SEBOOL_ENABLED)
+        for sebool_variable in VDSM_SEBOOL_LIST:
+            if status and not all(sebool_status[sebool_variable]):
+                sebool_obj.modify(sebool_variable, SEBOOL_ENABLED)
 
-        if not status and any(sebool_status[sebool_variable]):
-            sebool_obj.modify(sebool_variable, SEBOOL_DISABLED)
+            if not status and any(sebool_status[sebool_variable]):
+                sebool_obj.modify(sebool_variable, SEBOOL_DISABLED)
 
-    sebool_obj.finish()
+        sebool_obj.finish()
 
 
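Review bot: when `_selinuxEnabled` is false, `setup_booleans` returns without doing or reporting anything, so the caller (the spec file, per this comment) cannot tell that the booleans were never set. Emit a message or return a status on that path; an early `if not _selinuxEnabled: return` at the top of the function would also avoid re-indenting the whole body and would remove the blank line left directly after the `def` line.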


Thanks!
Comment 10 Daniel Walsh 2013-01-09 10:39:54 EST
Why not?

def setup_booleans(status):
    import seobject
    sebool_obj = seobject.booleanRecords()
    sebool_status = sebool_obj.get_all()

    sebool_obj.start()

    for sebool_variable in VDSM_SEBOOL_LIST:
        if status and not all(sebool_status[sebool_variable]):
            sebool_obj.modify(sebool_variable, SEBOOL_ENABLED)

        if not status and any(sebool_status[sebool_variable]):
            sebool_obj.modify(sebool_variable, SEBOOL_DISABLED)

    sebool_obj.finish()

...

try:
    setup_booleans(status)
except ValueError, e:
    if selinux.is_selinux_enabled() == 1:
          raise e
Comment 11 Douglas Schilling Landgraf 2013-01-09 20:57:47 EST
Hi Daniel,

Thanks for your patch suggestion, but it's showing the exception on importing seobject anyway. Any other ideas? I have tested comment #9 and it worked, at least.
Comment 12 Douglas Schilling Landgraf 2013-01-10 14:42:52 EST
Hi Daniel,

   New try, and I got a patch that fits; thanks for your help.
Patch available upstream for review: http://gerrit.ovirt.org/#/c/10892/
Comment 13 Douglas Schilling Landgraf 2013-01-14 14:49:15 EST
As we talked with Daniel today, /me moving the bugzilla to selinux component. 
They are going to implement a similar patch into policycoreutils-python.
Comment 14 Daniel Walsh 2013-01-15 12:05:58 EST
We will fix policycoreutils in 6.5.
Comment 15 Ayal Baron 2013-01-15 15:48:18 EST
We cannot wait for 6.5, this is a vdsm blocker on RHEL 6.4 (for RHEV 3.1).
Afaiu, any customer installing new hosts will not be able to work.
Comment 16 Daniel Walsh 2013-01-15 15:59:17 EST
My understanding was that vdsm was going to fix the problem for now, and then we would update policycoreutils in the next release.
Comment 17 Douglas Schilling Landgraf 2013-01-15 16:07:20 EST
Hi Daniel,

  The patch received a NACK on review upstream; that's why I moved this to the policycoreutils component. Sorry if I couldn't make it clear to you.

Thanks
Douglas
Comment 18 Federico Simoncelli 2013-01-15 16:10:37 EST
(In reply to comment #16)
> My understanding was that vdsm was going to fix the problem for now, and
> then we would update policycoreutils in the next release.

There is no way to fix this on the vdsm side without losing functionality. We need to set the policies also when selinux is disabled. Correct me if I'm wrong, but this looks like a regression (on 6.3 it's working).
Comment 19 Miroslav Grepl 2013-01-16 05:07:20 EST
Created attachment 679453 [details]
seobject.py patch

Dan,
I have found the problem. Basically it is caused by

valid_types =  setools.seinfo(setools.ATTRIBUTE,"port_type")[0]["types"]

which we added to solve another bug in RHEL6.4.

I attached the patch which solves the problem in policycoreutils for now.
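
The failure mode identified in this comment, as an added example that is not part of the bug report, the attached patch, or policycoreutils: a lookup placed in a class body runs when the module is imported, so every consumer fails even if it never touches port records. `fake_seinfo`, `define_eager`, `PortRecordsLazy` and the sample type names are hypothetical stand-ins, and the lazy variant is only one assumed way to defer the lookup.

```python
# Added illustration; fake_seinfo and both classes are hypothetical stand-ins,
# not policycoreutils or setools code.

def fake_seinfo(policy_loaded):
    """Stand-in for setools.seinfo(): fails when no policy can be found."""
    if not policy_loaded:
        raise RuntimeError("No default policy found.")
    return [{"types": ["http_port_t", "ssh_port_t"]}]  # constructed sample


def define_eager(policy_loaded):
    """Mimic importing a module whose class body performs the lookup."""
    class PortRecordsEager(object):
        # Runs while the class statement executes, i.e. at import time.
        valid_types = fake_seinfo(policy_loaded)[0]["types"]
    return PortRecordsEager


class PortRecordsLazy(object):
    """Defers the lookup until a caller actually asks for port types."""
    def __init__(self, policy_loaded):
        self._policy_loaded = policy_loaded
        self._valid_types = None

    @property
    def valid_types(self):
        if self._valid_types is None:
            self._valid_types = fake_seinfo(self._policy_loaded)[0]["types"]
        return self._valid_types


def import_outcome(policy_loaded):
    """Return 'ok' or the error text raised while the eager class is defined."""
    try:
        define_eager(policy_loaded)
        return "ok"
    except RuntimeError as exc:
        return str(exc)


def boolean_path_usable(policy_loaded):
    """With the lazy class, code that never reads port types still runs."""
    PortRecordsLazy(policy_loaded)  # construction performs no policy lookup
    return True
```

With the eager form the error surfaces at definition time regardless of which record type the caller wanted; with the lazy form it surfaces only when `valid_types` is read.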
Comment 20 RHEL Product and Program Management 2013-01-16 06:43:58 EST
This request was evaluated by Red Hat Product Management for
inclusion in a Red Hat Enterprise Linux release.  Product
Management has requested further review of this request by
Red Hat Engineering, for potential inclusion in a Red Hat
Enterprise Linux release for currently deployed products.
This request is not yet committed for inclusion in a release.
Comment 22 Miroslav Grepl 2013-01-16 09:20:15 EST
Fixed in policycoreutils-2.0.83-19.30.el6
Comment 25 Leonid Natapov 2013-01-21 09:43:49 EST
Kerel, yes. You can find me on IRC under nickname Lesik.
Comment 26 Michal Trunecka 2013-01-22 09:19:22 EST
Leonid, could you please try to install the vdsm package with the fixed version of policycoreutils? We have an automated regression test which checks the issue which was fixed and it seems to be ok, but I would like to ensure there is no other issue.
Comment 29 errata-xmlrpc 2013-02-21 05:15:43 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0396.html
