Description of problem:
The postinstall scriptlet of tomcat6 and tomcat7 is not executed when upgrading an already existing package. This results in the SELinux policies not being updated.

Cause of the problem:

    if [ $1 -eq 1 ] ...
    then
        ...
        /usr/sbin/semodule -i /etc/tomcat6/selinux/packages/tomcat6/tomcat6.pp 2>/dev/null ||:
    fi

The usage of [ $1 -eq 1 ] prevents the underlying code from being executed after an upgrade of the package. (see http://fedoraproject.org/wiki/Packaging:ScriptletSnippets#Syntax)

Also, calling semodule in the scriptlet was previously broken (see bz#969002), so the policy was not installed at all. So upgrading tomcat would still not install the policy.

Version-Release number of selected component (if applicable):
tomcat6-6.0.37-3_patch_01.ep6.el6
tomcat6-6.0.37-3_patch_01.ep6.el5
tomcat7-7.0.40-1_patch_01.ep6.el6
tomcat7-7.0.40-2_patch_01.ep6.el5
Are you sure this is a resolved issue, Libor? I can't spot any details about the fix so have created a fairly general release note entry.
It will be fixed in CR2.
Created attachment 762071: proposed patch. Please review and comment.
A problem is still present in the postinstall scriptlet of tomcat7-7.0.40-8_patch_01.ep6.el5:

    /usr/sbin/semodule -i /etc/tomcat7/selinux/packages/tomcat7/tomcat7.pp %2>/dev/null ||:

There is a syntactic error at the redirection which causes semodule to fail.
It's fixed in git. Affected only the ep-6-rhel-5 branch of tomcat7.
Blocker? Something like "can't update" = yes, it is a blocker. Bug still present (policy not updated) = no, it isn't a blocker.
VERIFIED on:
tomcat6-6.0.37-8_patch_01.ep6.el5
tomcat7-7.0.40-9_patch_01.ep6.el5
tomcat6-6.0.37-10_patch_01.ep6.el6
tomcat7-7.0.40-5_patch_01.ep6.el6
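
The two scriptlet defects reported in this thread (the [ $1 -eq 1 ] guard from the description and the %2>/dev/null redirection from the later comment), reproduced as an added example that is not part of the bug report or of the tomcat packages. The semodule stub, the function names and the -ge guard are assumptions made for illustration; the tomcat6 policy path is reused for all variants.

```shell
#!/bin/sh
# Added example: stand-ins for the %post variants discussed in this bug.
# In %post, rpm passes $1 = 1 on first install and $1 = 2 on upgrade.
PP=/etc/tomcat6/selinux/packages/tomcat6/tomcat6.pp
CALLS=""

# Stub (assumption): records its argv and accepts only "-i <file>",
# so no real SELinux policy is touched.
semodule() {
    CALLS="$CALLS[$*]"
    [ "$#" -eq 2 ] && [ "$1" = "-i" ]
}

# Guard as reported in the description: runs on first install only.
post_reported() {
    if [ "$1" -eq 1 ]; then
        semodule -i "$PP" 2>/dev/null || :
    fi
}

# Hypothetical guard that also covers upgrades (not the shipped fix).
post_every_time() {
    if [ "$1" -ge 1 ]; then
        semodule -i "$PP" 2>/dev/null || :
    fi
}

# Redirection typo from the later comment: "%2" is passed as an extra
# argument, ">" redirects stdout, and "|| :" hides the failure.
post_typo() {
    semodule -i "$PP" %2>/dev/null || :
}

# Run one variant with the given $1; report exit status and recorded argv.
run() {
    CALLS=""
    "$1" "$2"
    echo "rc=$? calls=$CALLS"
}

for c in "post_reported 1" "post_reported 2" "post_every_time 2" "post_typo 2"; do
    echo "$c -> $(run $c)"
done
```

Every variant exits 0, so the scriptlet's exit status says nothing about whether the policy was loaded; listing the loaded modules after an upgrade (for example with semodule -l) is what shows the gap.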