Bug #17395
closed
SELinux policy for technique editor is not applied anymore after upgrade on RHEL/CentOS server
Pull Request:
Severity:
UX impact:
User visibility:
Effort required:
Priority: 0
Name check: Reviewed
Fix check: Checked
Regression:
Description
The SELinux policy for the technique editor is not present anymore after upgrade. It's because we reduced the number of packages and replaced the ncf-api-virtualenv package (~ technique editor stuff) with rudder-webapp.
    rudder-webapp  x86_64  1398866025:6.0.5.release-1.EL.7  Rudder  118 M
        replacing  ncf.noarch 1398866025:5.0.17.release-1.EL.7
        replacing  ncf-api-virtualenv.noarch 1398866025:5.0.17.release-1.EL.7
        replacing  rudder-inventory-endpoint.noarch 1398866025:5.0.17.release-1.EL.7
        replacing  rudder-inventory-ldap.x86_64 1398866025:5.0.17.release-1.EL.7
        replacing  rudder-jetty.noarch 1398866025:5.0.17.release-1.EL.7
        replacing  rudder-techniques.noarch 1398866025:5.0.17.release-1.EL.7
So rudder-webapp correctly sets up the SELinux policy,
    Installing : 1398866025:rudder-webapp-6.0.5.release-1.EL.7.x86_64 21/42
    ...
    INFO: Applying selinux policy... Done
but ncf-api-virtualenv is removed at the end:
    Erasing : 1398866025:ncf-api-virtualenv-5.0.17.release-1.EL.7.noarch 30/42
    INFO: Removing the ncf-api-venv user... Done
    INFO: Removing ncf-api-virtualenv selinux policy...libsemanage.semanage_direct_remove_key: Removing last ncf-api-virtualenv module (no other ncf-api-virtualenv module exists at another priority).
    Done
Luckily, the ncf-api-venv user is not removed, because Apache is running, but I think we had some cases where it was removed.
We should include installation of the SELinux policy in the posttrans of rudder-webapp too, or prevent the ncf-api-virtualenv postun from running.
I think we should include checks on the ncf-api-venv user too.
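The ordering problem described above can be checked for in a saved transaction log. The following is an added example, not code from the ticket or from Rudder: the function name and result strings are assumptions, and the sample input is built from the scriptlet lines quoted in this ticket.

```shell
#!/bin/sh
# Added example (not Rudder's code): classify a saved yum/rpm transaction log
# by the order in which the SELinux policy scriptlets ran.

# Constructed sample: the scriptlet lines quoted in this ticket, one per line.
sample_log() {
    cat <<'EOF'
Installing : 1398866025:rudder-webapp-6.0.5.release-1.EL.7.x86_64 21/42
INFO: Applying selinux policy... Done
Erasing : 1398866025:ncf-api-virtualenv-5.0.17.release-1.EL.7.noarch 30/42
INFO: Removing the ncf-api-venv user... Done
INFO: Removing ncf-api-virtualenv selinux policy...libsemanage.semanage_direct_remove_key: Removing last ncf-api-virtualenv module (no other ncf-api-virtualenv module exists at another priority). Done
EOF
}

# Reads a transaction log on stdin and prints one of:
#   removed-after-apply  a policy removal scriptlet ran after the last apply
#   applied              the last policy action in the log was an apply
#   unknown              no policy scriptlet output was found
policy_state_after_transaction() {
    awk '
        /INFO: Applying selinux policy/    { applied = NR }
        /INFO: Removing .* selinux policy/ { removed = NR }
        END {
            if (removed > applied) print "removed-after-apply"
            else if (applied)      print "applied"
            else                   print "unknown"
        }'
}

# Stand-alone run on the constructed sample.
sample_log | policy_state_after_transaction
```

A log in which the apply line follows the removal, as it would if the policy were installed from posttrans, is reported as `applied`. The log only shows what the scriptlets printed, so the ncf-api-venv user still has to be checked on the system itself.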