Bug #10118

closed

Selinux Policy may not be correctly applied if selinux packages are updated during install

Added by Vincent MEMBRÉ almost 8 years ago. Updated over 7 years ago.

Status: Rejected
Priority: 1 (highest)
Category: System integration
Severity: Critical - prevents main use of Rudder | no workaround | data loss | security
User visibility: Getting started - demo | first install | level 1 Techniques
Priority: 77

Description

When trying to install rudder-server-root on a centos7 node, I had some issues when applying selinux policies.

server-relay:

Installing : 1398866025:rudder-server-relay-4.1.0.beta2-1.EL.7.x86_    57/102
INFO: Creating group rudder... Done
INFO: Creating the rudder user... Done
INFO: Setting Apache HTTPd as a boot service...Note: Forwarding request to 'systemctl enable httpd.service'.
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
 Done
INFO: Stopping Apache HTTPd... Done
INFO: No usable SSL certificate detected for Rudder HTTP/S support, generating one automatically... Done
INFO: Starting Apache HTTPd... Done
Failed to resolve typeattributeset statement at /etc/selinux/targeted/tmp/modules/400/rudder-relay/cil:1
semodule:  Failed!

ncf-api-virtualenv:

 Installing : 1398866025:ncf-api-virtualenv-4.1.0.beta2-1.EL.7.noarc    62/102

 INFO: Applying ncf-api-virtualenv selinux policy...Failed to resolve typeattributeset statement at /etc/selinux/targeted/tmp/modules/400/ncf-api-virtualenv/cil:1
 semodule:  Failed!
 libsemanage.semanage_read_policydb: Could not open kernel policy /etc/selinux/targeted/active/policy.kern for reading. (No such file or directory).

rudder-webapp:

Installation : 1398866025:rudder-webapp-4.1.0.beta2-1.EL.7.noarch
INFO: Setting Apache HTTPd as a boot service... Done
INFO: Restarting syslog... Done
INFO: Stopping Apache HTTPd... Done
INFO: Adding ncf-api-venv to the rudder group... Done
Failed to resolve typeattributeset statement at /etc/selinux/targeted/tmp/modules/400/rudder-webapp/cil:1
semodule:  Failed!
INFO: Starting Apache HTTPd... Done
INFO: Launching script to check if a migration is needed
INFO: Checking if rudder-web.properties database access credentials are all right... LDAP OK,  SQL Credentials updated
INFO: Checking if inventory-web.properties database access credentials are all right... non existant, skipping
INFO: Checking PostgreSQL service status... OK
INFO: Checking LDAP service status... OK

INFO: The migration has completed successfully.
INFO: End of migration script
libsemanage.semanage_read_policydb: Could not open kernel policy /etc/selinux/targeted/active/policy.kern for reading. (No such file or directory).
OSError: No such file or directory

Applying the same script works well after the upgrade and everything is fine.

BUT it may be caused by the upgrade of the selinux packages that is done at the same time, in a completely weird order:

  Mise à jour  : libsepol-2.5-6.el7.x86_64                                  1/92
  Mise à jour  : libselinux-2.5-6.el7.x86_64                                2/92
  Mise à jour  : audit-libs-2.6.5-3.el7.x86_64                              3/92
  Mise à jour  : chkconfig-1.7.2-1.el7.x86_64                               4/92
  Mise à jour  : nss-sysinit-3.21.3-2.el7_3.x86_64                          5/92
  Mise à jour  : nss-3.21.3-2.el7_3.x86_64                                  6/92
  Mise à jour  : libsemanage-2.5-5.1.el7_3.x86_64
....
<rudder package installs>
...
  Mise à jour  : selinux-policy-targeted-3.13.1-102.el7_3.13.noarch        70/92
warning: /etc/selinux/targeted/seusers created as /etc/selinux/targeted/seusers.rpmnew
« /etc/selinux/targeted/modules/active/seusers » -> « /etc/selinux/targeted/active/seusers.local »
  Mise à jour  : audit-2.6.5-3.el7.x86_64                                  71/92
  Mise à jour  : libgudev1-219-30.el7_3.6.x86_64

It may be because the utils we use (semanage etc.) want to use a version of selinux newer than the one currently installed, which is upgraded at the end of the install.

I guess this happens too in 3.1.

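The state the install log above leaves behind (semodule failed mid-transaction, the Rudder modules not loaded, policy.kern absent) can be detected after the yum run has finished. The following is an added example, not Rudder's own packaging code: it assumes `semodule -l` prints one module name per line (optionally followed by a version column), uses the module names and store paths seen in the log, and the function names are hypothetical.

```shell
# Added example (not Rudder's code): verify that the SELinux modules the
# package postinstall tried to load are actually present on the host.

# missing_modules EXPECTED -- reads `semodule -l` output on stdin and prints
# every expected module that is not loaded, one per line. Handles both the
# one-name-per-line format and the older "name<TAB>version" format.
missing_modules() {
    expected="$1"
    loaded=$(awk '{ print $1 }')
    for m in $expected; do
        if ! printf '%s\n' "$loaded" | grep -qxF -- "$m"; then
            printf '%s\n' "$m"
        fi
    done
}

# kernel_policy_present [ROOT] -- returns 0 when the compiled kernel policy
# that libsemanage could not open in the log exists under ROOT (default
# /etc/selinux), honouring SELINUXTYPE from ROOT/config (targeted when unset).
kernel_policy_present() {
    root="${1:-/etc/selinux}"
    type=$(sed -n 's/^SELINUXTYPE=//p' "$root/config" 2>/dev/null || true)
    [ -f "$root/${type:-targeted}/active/policy.kern" ]
}

# check_rudder_policy -- run on a real host once the package transaction has
# completed; returns non-zero if the three modules from the log are not all
# loaded, so the host can be flagged before Rudder services are trusted.
check_rudder_policy() {
    if ! kernel_policy_present; then
        echo "kernel policy missing: SELinux store is inconsistent" >&2
        return 2
    fi
    missing=$(semodule -l | missing_modules "rudder-relay ncf-api-virtualenv rudder-webapp")
    if [ -n "$missing" ]; then
        echo "Rudder SELinux modules not loaded:" >&2
        printf '  %s\n' $missing >&2
        return 1
    fi
    echo "all Rudder SELinux modules loaded"
}
```

When modules are reported missing after the transaction has ended, re-running the package's policy load is enough: as the reporter notes, the same script succeeds once the SELinux packages have finished upgrading.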

Related issues (1): 0 open, 1 closed

Is duplicate of Rudder - Bug #10479: Remove all calls to semanage in our packages (Released, Benoît PECCATTE)

#1

Updated by Vincent MEMBRÉ almost 8 years ago

  • Target version changed from 3.1.18 to 3.1.19
#2

Updated by Nicolas CHARLES over 7 years ago

  • Severity set to Critical - prevents main use of Rudder | no workaround | data loss | security
  • User visibility set to First impressions of Rudder
#3

Updated by Nicolas CHARLES over 7 years ago

I just had it again in 4.0.3

#5

Updated by Alexis Mousset over 7 years ago

  • Related to Bug #10426: Apache not started on a fresh centos7 install (selinux problem) added
#6

Updated by François ARMAND over 7 years ago

  • User visibility changed from First impressions of Rudder to Getting started - demo | first install | level 1 Techniques
#7

Updated by Benoît PECCATTE over 7 years ago

  • Related to deleted (Bug #10426: Apache not started on a fresh centos7 install (selinux problem))
#8

Updated by Benoît PECCATTE over 7 years ago

  • Is duplicate of Bug #10479: Remove all calls to semanage in our packages added
#9

Updated by Benoît PECCATTE over 7 years ago

  • Status changed from New to Rejected

Fixed by #10479

#10

Updated by Benoît PECCATTE over 7 years ago

  • Priority set to 77