
Bug #10118

Selinux Policy may not be correctly applied if selinux packages are updated during install

Added by Vincent MEMBRÉ over 1 year ago. Updated over 1 year ago.

Status:
Rejected
Priority:
1
Category:
System integration
Target version:
Target version (plugin):
Severity:
Critical - prevents main use of Rudder | no workaround | data loss | security
User visibility:
Getting started - demo | first install | level 1 Techniques
Effort required:
Pull Request:
Priority:
77

Description

When trying to install rudder-server-root on a centos7 node, I had some issues when applying selinux policies

server-relay:

Installing : 1398866025:rudder-server-relay-4.1.0.beta2-1.EL.7.x86_    57/102
INFO: Creating group rudder... Done
INFO: Creating the rudder user... Done
INFO: Setting Apache HTTPd as a boot service...Note: Forwarding request to 'systemctl enable httpd.service'.
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
 Done
INFO: Stopping Apache HTTPd... Done
INFO: No usable SSL certificate detected for Rudder HTTP/S support, generating one automatically... Done
INFO: Starting Apache HTTPd... Done
Failed to resolve typeattributeset statement at /etc/selinux/targeted/tmp/modules/400/rudder-relay/cil:1
semodule:  Failed!

ncf-api-virtualenv:

 Installing : 1398866025:ncf-api-virtualenv-4.1.0.beta2-1.EL.7.noarc    62/102

 INFO: Applying ncf-api-virtualenv selinux policy...Failed to resolve typeattributeset statement at /etc/selinux/targeted/tmp/modules/400/ncf-api-virtualenv/cil:1
 semodule:  Failed!
 libsemanage.semanage_read_policydb: Could not open kernel policy /etc/selinux/targeted/active/policy.kern for reading. (No such file or directory).

rudder-webapp:

Installation : 1398866025:rudder-webapp-4.1.0.beta2-1.EL.7.noarch
INFO: Setting Apache HTTPd as a boot service... Done
INFO: Restarting syslog... Done
INFO: Stopping Apache HTTPd... Done
INFO: Adding ncf-api-venv to the rudder group... Done
Failed to resolve typeattributeset statement at /etc/selinux/targeted/tmp/modules/400/rudder-webapp/cil:1
semodule:  Failed!
INFO: Starting Apache HTTPd... Done
INFO: Launching script to check if a migration is needed
INFO: Checking if rudder-web.properties database access credentials are all right... LDAP OK,  SQL Credentials updated
INFO: Checking if inventory-web.properties database access credentials are all right... non existant, skipping
INFO: Checking PostgreSQL service status... OK
INFO: Checking LDAP service status... OK

INFO: The migration has completed successfully.
INFO: End of migration script
libsemanage.semanage_read_policydb: Could not open kernel policy /etc/selinux/targeted/active/policy.kern for reading. (No such file or directory).
OSError: No such file or directory

Applying the same script works well after the upgrade and everything is fine

BUT it may be caused by the upgrade of selinux packages that is done at the same time, in a completely weird order

  Mise à jour  : libsepol-2.5-6.el7.x86_64                                                                                                                                                                                               1/92 
  Mise à jour  : libselinux-2.5-6.el7.x86_64                                                                                                                                                                                             2/92 
  Mise à jour  : audit-libs-2.6.5-3.el7.x86_64                                                                                                                                                                                           3/92 
  Mise à jour  : chkconfig-1.7.2-1.el7.x86_64                                                                                                                                                                                            4/92 
  Mise à jour  : nss-sysinit-3.21.3-2.el7_3.x86_64                                                                                                                                                                                       5/92 
  Mise à jour  : nss-3.21.3-2.el7_3.x86_64                                                                                                                                                                                               6/92 
  Mise à jour  : libsemanage-2.5-5.1.el7_3.x86_64     
....
<rudder package installs>
...
  Mise à jour  : selinux-policy-targeted-3.13.1-102.el7_3.13.noarch                                                                                                                                                                     70/92 
warning: /etc/selinux/targeted/seusers created as /etc/selinux/targeted/seusers.rpmnew
« /etc/selinux/targeted/modules/active/seusers » -> « /etc/selinux/targeted/active/seusers.local »
  Mise à jour  : audit-2.6.5-3.el7.x86_64                                                                                                                                                                                               71/92 
  Mise à jour  : libgudev1-219-30.el7_3.6.x86_64                      

It may be because the utils we use (semanage etc.) want to use a version of selinux newer than the one currently installed, which is upgraded at the end of the install

I guess this happens too in 3.1
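The transcript above shows `semodule: Failed!` three times while yum still reports every package as installed, so the host ends up with the Rudder SELinux modules absent from the policy store and nothing flags it. The following POSIX sh snippet is an added example (not Rudder's own packaging code): it extracts the module names from the failure lines and compares an expected module list against `semodule -l` output. The sample log text is constructed from the lines quoted in this report, and the `semodule -l` format it assumes (module name first on each line, optionally followed by a version) is the one shipped with CentOS 7.

```shell
#!/bin/sh
# Added example: verify that the SELinux modules a package tried to load
# are really present after the install. Not part of Rudder.

# Constructed sample: the semodule errors as they appear in the yum transcript.
SAMPLE_LOG='INFO: Starting Apache HTTPd... Done
Failed to resolve typeattributeset statement at /etc/selinux/targeted/tmp/modules/400/rudder-relay/cil:1
semodule:  Failed!
 INFO: Applying ncf-api-virtualenv selinux policy...Failed to resolve typeattributeset statement at /etc/selinux/targeted/tmp/modules/400/ncf-api-virtualenv/cil:1
 semodule:  Failed!
Failed to resolve typeattributeset statement at /etc/selinux/targeted/tmp/modules/400/rudder-webapp/cil:1
semodule:  Failed!
INFO: Starting Apache HTTPd... Done'

# Print the name of every module whose CIL failed to resolve, one per line.
# $1 = captured install log text.
failed_modules_from_log() {
    printf '%s\n' "$1" \
        | sed -n 's|.*Failed to resolve .* at /etc/selinux/[^/]*/tmp/modules/[0-9]*/\([^/]*\)/cil.*|\1|p'
}

# Given expected module names as arguments and `semodule -l` output on stdin,
# print the expected modules that are not loaded, one per line.
missing_modules() {
    loaded=$(cat)
    for m in "$@"; do
        # semodule -l prints the module name in the first column.
        if ! printf '%s\n' "$loaded" | awk -v m="$m" '$1 == m { found = 1 } END { exit !found }'; then
            echo "$m"
        fi
    done
}

# Stand-alone run on the constructed data: list the modules whose load
# failed, then check them against a constructed `semodule -l` listing in
# which only rudder-relay made it into the store.
main() {
    echo "modules that failed to load:"
    failed_modules_from_log "$SAMPLE_LOG"
    echo "expected modules missing from the policy store:"
    printf 'abrt\t1.0.0\nrudder-relay\t1.0\n' \
        | missing_modules rudder-relay ncf-api-virtualenv rudder-webapp
}
[ "${0##*/}" = "verify_selinux_modules.sh" ] && main
```

On a real host the second function is fed the live listing, `semodule -l | missing_modules rudder-relay ncf-api-virtualenv rudder-webapp`, and a non-empty result after a package install is the signal that the post-install scriptlets failed and the services are running without the confinement the policy was meant to provide.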


Related issues

Is duplicate of Rudder - Bug #10479: Remove all calls to semanage in our packages (Released)

History

#1 Updated by Vincent MEMBRÉ over 1 year ago

  • Target version changed from 3.1.18 to 3.1.19

#2 Updated by Nicolas CHARLES over 1 year ago

  • Severity set to Critical - prevents main use of Rudder | no workaround | data loss | security
  • User visibility set to First impressions of Rudder

#3 Updated by Nicolas CHARLES over 1 year ago

I just had it again in 4.0.3

#5 Updated by Alexis MOUSSET over 1 year ago

  • Related to Bug #10426: Apache not started on a fresh centos7 install (selinux problem) added

#6 Updated by François ARMAND over 1 year ago

  • User visibility changed from First impressions of Rudder to Getting started - demo | first install | level 1 Techniques

#7 Updated by Benoît PECCATTE over 1 year ago

  • Related to deleted (Bug #10426: Apache not started on a fresh centos7 install (selinux problem))

#8 Updated by Benoît PECCATTE over 1 year ago

  • Is duplicate of Bug #10479: Remove all calls to semanage in our packages added

#9 Updated by Benoît PECCATTE over 1 year ago

  • Status changed from New to Rejected

Fixed by #10479

#10 Updated by Benoît PECCATTE over 1 year ago

  • Priority set to 77
