Bug 988855 - semanage fails in %post when installing a plugin
semanage fails in %post when installing a plugin
Status: CLOSED CURRENTRELEASE
Product: oVirt
Classification: Community
Component: ovirt-node (Show other bugs)
unspecified
Unspecified Unspecified
medium Severity medium
: ---
: ---
Assigned To: Joey Boggs
:
Depends On: 994131
Blocks:
  Show dependency treegraph
 
Reported: 2013-07-26 10:53 EDT by Mike Burns
Modified: 2013-11-28 08:49 EST (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-11-28 08:49:13 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
screenshot (5.19 KB, image/png)
2013-08-06 10:11 EDT, Joey Boggs
no flags Details

  None (edit)
Description Mike Burns 2013-07-26 10:53:39 EDT
Description of problem:
ovirt-node-plugin-vdsm sets a number of selinux rules (virt_use_nfs, virt_use_sanlock, etc).  When running edit-node, these are not getting set correctly.

Version-Release number of selected component (if applicable):
3.0.0

How reproducible:
always

Steps to Reproduce:
1.take base image and inject ovirt-node-plugin-vdsm
2.boot the image
3.check virt_use_nfs virt_use_sanlock sanlock_use_nfs booleans

Actual results:
all are off

Expected results:
all are on

Additional info:
Comment 1 Joey Boggs 2013-08-06 10:11:57 EDT
Created attachment 783361 [details]
screenshot
Comment 2 Joey Boggs 2013-08-06 10:45:24 EDT
These are all on by default since we turn them on in ovirt-node-selinux.

It fails in edit-node since we disable selinux and setsebool won't run.

A workaround is:

Write the boolean into /etc/selinux/targeted/modules/active/booleans.local

virt_use_nfs=1

I checked with selinux folks and that should work fine but filed a bz to add an offline option to make this easier.
Comment 3 Fabian Deutsch 2013-11-28 08:49:13 EST
This has been addressed with th selinux specific sub-package.

Note You need to log in before you can comment on or make changes to this bug.