Project

General

Profile

Actions

Bug #10118

closed

Selinux Policy may not be correctly applied if selinux packages are updated during install

Added by Vincent MEMBRÉ almost 8 years ago. Updated over 7 years ago.

Status:
Rejected
Priority:
1 (highest)
Category:
System integration
Target version:
Severity:
Critical - prevents main use of Rudder | no workaround | data loss | security
UX impact:
User visibility:
Getting started - demo | first install | level 1 Techniques
Effort required:
Priority:
77
Name check:
Fix check:
Regression:

Description

When trying to install rudder-server-root on a centos7 node, I had some issues when appliying selinux policies

server-relay:

Installing : 1398866025:rudder-server-relay-4.1.0.beta2-1.EL.7.x86_    57/102
INFO: Creating group rudder... Done
INFO: Creating the rudder user... Done
INFO: Setting Apache HTTPd as a boot service...Note: Forwarding request to 'systemctl enable httpd.service'.
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
 Done
INFO: Stopping Apache HTTPd... Done
INFO: No usable SSL certificate detected for Rudder HTTP/S support, generating one automatically... Done
INFO: Starting Apache HTTPd... Done
Failed to resolve typeattributeset statement at /etc/selinux/targeted/tmp/modules/400/rudder-relay/cil:1
semodule:  Failed!

ncf-api-virtualenv:

 Installing : 1398866025:ncf-api-virtualenv-4.1.0.beta2-1.EL.7.noarc    62/102

 INFO: Applying ncf-api-virtualenv selinux policy...Failed to resolve typeattributeset statement at /etc/selinux/targeted/tmp/modules/400/ncf-api-virtualenv/cil:1
 semodule:  Failed!
 libsemanage.semanage_read_policydb: Could not open kernel policy /etc/selinux/targeted/active/policy.kern for reading. (No such file or directory).

rudder-webapp:

Installation : 1398866025:rudder-webapp-4.1.0.beta2-1.EL.7.noarch
INFO: Setting Apache HTTPd as a boot service... Done
INFO: Restarting syslog... Done
INFO: Stopping Apache HTTPd... Done
INFO: Adding ncf-api-venv to the rudder group... Done
Failed to resolve typeattributeset statement at /etc/selinux/targeted/tmp/modules/400/rudder-webapp/cil:1
semodule:  Failed!
INFO: Starting Apache HTTPd... Done
INFO: Launching script to check if a migration is needed
INFO: Checking if rudder-web.properties database access credentials are all right... LDAP OK,  SQL Credentials updated
INFO: Checking if inventory-web.properties database access credentials are all right... non existant, skipping
INFO: Checking PostgreSQL service status... OK
INFO: Checking LDAP service status... OK

INFO: The migration has completed successfully.
INFO: End of migration script
libsemanage.semanage_read_policydb: Could not open kernel policy /etc/selinux/targeted/active/policy.kern for reading. (No such file or directory).
OSError: No such file or directory

Apllying the same script works well after the upgrade and everything is fine

BUT It may be caused by upgrade of selinux packages that is done at the same time, with a completely weird order

  Mise à jour  : libsepol-2.5-6.el7.x86_64                                                                                                                                                                                               1/92 
  Mise à jour  : libselinux-2.5-6.el7.x86_64                                                                                                                                                                                             2/92 
  Mise à jour  : audit-libs-2.6.5-3.el7.x86_64                                                                                                                                                                                           3/92 
  Mise à jour  : chkconfig-1.7.2-1.el7.x86_64                                                                                                                                                                                            4/92 
  Mise à jour  : nss-sysinit-3.21.3-2.el7_3.x86_64                                                                                                                                                                                       5/92 
  Mise à jour  : nss-3.21.3-2.el7_3.x86_64                                                                                                                                                                                               6/92 
  Mise à jour  : libsemanage-2.5-5.1.el7_3.x86_64     
....
<rudder package installs>
...
  Mise à jour  : selinux-policy-targeted-3.13.1-102.el7_3.13.noarch                                                                                                                                                                     70/92 
warning: /etc/selinux/targeted/seusers created as /etc/selinux/targeted/seusers.rpmnew
« /etc/selinux/targeted/modules/active/seusers » -> « /etc/selinux/targeted/active/seusers.local »
  Mise à jour  : audit-2.6.5-3.el7.x86_64                                                                                                                                                                                               71/92 
  Mise à jour  : libgudev1-219-30.el7_3.6.x86_64                      

It may be because utils we use (semanage etc) want to use a version of selinux newer than the one currently installed, which is upgraded at the end of the install

I guess this happens to in 3.1


Related issues 1 (0 open1 closed)

Is duplicate of Rudder - Bug #10479: Remove all calls to semanage in our packagesReleasedBenoît PECCATTEActions
Actions #1

Updated by Vincent MEMBRÉ almost 8 years ago

  • Target version changed from 3.1.18 to 3.1.19
Actions #2

Updated by Nicolas CHARLES almost 8 years ago

  • Severity set to Critical - prevents main use of Rudder | no workaround | data loss | security
  • User visibility set to First impressions of Rudder
Actions #3

Updated by Nicolas CHARLES almost 8 years ago

I just had it again in 4.0.3

Actions #5

Updated by Alexis Mousset almost 8 years ago

  • Related to Bug #10426: Apache not started on a fresh centos7 install (selinux problem) added
Actions #6

Updated by François ARMAND almost 8 years ago

  • User visibility changed from First impressions of Rudder to Getting started - demo | first install | level 1 Techniques
Actions #7

Updated by Benoît PECCATTE over 7 years ago

  • Related to deleted (Bug #10426: Apache not started on a fresh centos7 install (selinux problem))
Actions #8

Updated by Benoît PECCATTE over 7 years ago

  • Is duplicate of Bug #10479: Remove all calls to semanage in our packages added
Actions #9

Updated by Benoît PECCATTE over 7 years ago

  • Status changed from New to Rejected

Fixed by #10479

Actions #10

Updated by Benoît PECCATTE over 7 years ago

  • Priority set to 77
Actions

Also available in: Atom PDF