Actions
Bug #10118
closedSelinux Policy may not be correctly applied if selinux packages are updated during install
Status:
Rejected
Priority:
1 (highest)
Assignee:
Category:
System integration
Target version:
Pull Request:
Severity:
Critical - prevents main use of Rudder | no workaround | data loss | security
UX impact:
User visibility:
Getting started - demo | first install | level 1 Techniques
Effort required:
Priority:
77
Name check:
Fix check:
Regression:
Description
When trying to install rudder-server-root on a centos7 node, I had some issues when appliying selinux policies
server-relay:
Installing : 1398866025:rudder-server-relay-4.1.0.beta2-1.EL.7.x86_ 57/102 INFO: Creating group rudder... Done INFO: Creating the rudder user... Done INFO: Setting Apache HTTPd as a boot service...Note: Forwarding request to 'systemctl enable httpd.service'. Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service. Done INFO: Stopping Apache HTTPd... Done INFO: No usable SSL certificate detected for Rudder HTTP/S support, generating one automatically... Done INFO: Starting Apache HTTPd... Done Failed to resolve typeattributeset statement at /etc/selinux/targeted/tmp/modules/400/rudder-relay/cil:1 semodule: Failed!
ncf-api-virtualenv:
Installing : 1398866025:ncf-api-virtualenv-4.1.0.beta2-1.EL.7.noarc 62/102 INFO: Applying ncf-api-virtualenv selinux policy...Failed to resolve typeattributeset statement at /etc/selinux/targeted/tmp/modules/400/ncf-api-virtualenv/cil:1 semodule: Failed! libsemanage.semanage_read_policydb: Could not open kernel policy /etc/selinux/targeted/active/policy.kern for reading. (No such file or directory).
rudder-webapp:
Installation : 1398866025:rudder-webapp-4.1.0.beta2-1.EL.7.noarch INFO: Setting Apache HTTPd as a boot service... Done INFO: Restarting syslog... Done INFO: Stopping Apache HTTPd... Done INFO: Adding ncf-api-venv to the rudder group... Done Failed to resolve typeattributeset statement at /etc/selinux/targeted/tmp/modules/400/rudder-webapp/cil:1 semodule: Failed! INFO: Starting Apache HTTPd... Done INFO: Launching script to check if a migration is needed INFO: Checking if rudder-web.properties database access credentials are all right... LDAP OK, SQL Credentials updated INFO: Checking if inventory-web.properties database access credentials are all right... non existant, skipping INFO: Checking PostgreSQL service status... OK INFO: Checking LDAP service status... OK INFO: The migration has completed successfully. INFO: End of migration script libsemanage.semanage_read_policydb: Could not open kernel policy /etc/selinux/targeted/active/policy.kern for reading. (No such file or directory). OSError: No such file or directory
Apllying the same script works well after the upgrade and everything is fine
BUT It may be caused by upgrade of selinux packages that is done at the same time, with a completely weird order
Mise à jour : libsepol-2.5-6.el7.x86_64 1/92 Mise à jour : libselinux-2.5-6.el7.x86_64 2/92 Mise à jour : audit-libs-2.6.5-3.el7.x86_64 3/92 Mise à jour : chkconfig-1.7.2-1.el7.x86_64 4/92 Mise à jour : nss-sysinit-3.21.3-2.el7_3.x86_64 5/92 Mise à jour : nss-3.21.3-2.el7_3.x86_64 6/92 Mise à jour : libsemanage-2.5-5.1.el7_3.x86_64 .... <rudder package installs> ... Mise à jour : selinux-policy-targeted-3.13.1-102.el7_3.13.noarch 70/92 warning: /etc/selinux/targeted/seusers created as /etc/selinux/targeted/seusers.rpmnew « /etc/selinux/targeted/modules/active/seusers » -> « /etc/selinux/targeted/active/seusers.local » Mise à jour : audit-2.6.5-3.el7.x86_64 71/92 Mise à jour : libgudev1-219-30.el7_3.6.x86_64
It may be because utils we use (semanage etc) want to use a version of selinux newer than the one currently installed, which is upgraded at the end of the install
I guess this happens to in 3.1
Updated by Vincent MEMBRÉ almost 8 years ago
- Target version changed from 3.1.18 to 3.1.19
Updated by Nicolas CHARLES almost 8 years ago
- Severity set to Critical - prevents main use of Rudder | no workaround | data loss | security
- User visibility set to First impressions of Rudder
Updated by Nicolas CHARLES almost 8 years ago
Running content of https://github.com/Normation/rudder-packages/blob/master/rudder-webapp/SPECS/rudder-webapp.spec#L381 seems to solve the issue
Updated by Alexis Mousset almost 8 years ago
- Related to Bug #10426: Apache not started on a fresh centos7 install (selinux problem) added
Updated by François ARMAND almost 8 years ago
- User visibility changed from First impressions of Rudder to Getting started - demo | first install | level 1 Techniques
Updated by Benoît PECCATTE over 7 years ago
- Related to deleted (Bug #10426: Apache not started on a fresh centos7 install (selinux problem))
Updated by Benoît PECCATTE over 7 years ago
- Is duplicate of Bug #10479: Remove all calls to semanage in our packages added
Actions