Issue #2424

closed

restorecon runs unnecessarily for all 2.10+ upgrades

Added by bmbouter over 7 years ago. Updated almost 5 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
High
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
Estimated time:
Severity:
3. High
Version:
Platform Release:
2.10.3
OS:
Triaged:
Yes
Groomed:
Yes
Sprint Candidate:
No
Tags:
Pulp 2, SELinux
Sprint:
Sprint 11
Quarter:

Description

The spec file uses semodule -l[0] to determine what version of the pulp-server selinux policy is being upgraded from. This is then used by the relabel script[1] to run the minimum required set of restorecon statements.

Starting with RHEL 7.3, the SELinux policy version is no longer shown due to BZ 1392573[2] which causes all restorecon statements to run unnecessarily when the previous version fails to be parsed.

[0]: https://github.com/pulp/pulp/blob/1ff9cba5222e18fc28a3456b386a424acf4f8874/pulp.spec#L970
[1]: https://github.com/pulp/pulp/blob/718c24aa32b75de032d5e6b46c5077e919e2db17/server/selinux/server/relabel.sh
[2]: https://bugzilla.redhat.com/show_bug.cgi?id=1392573

Actions #1

Updated by bmbouter over 7 years ago

Instead of using semodule -l we could use rpm -qa to parse the previously installed SELinux module.

Actions #2

Updated by bizhang over 7 years ago

  • Priority changed from Normal to High
  • Sprint/Milestone set to 29
  • Severity changed from 2. Medium to 3. High
  • Groomed changed from No to Yes
Actions #3

Updated by bizhang over 7 years ago

  • Triaged changed from No to Yes
  • Groomed changed from Yes to No
Actions #4

Updated by bizhang over 7 years ago

  • Groomed changed from No to Yes
Actions #5

Updated by dkliban@redhat.com over 7 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to dkliban@redhat.com
Actions #6

Updated by dkliban@redhat.com over 7 years ago

I just discovered that the same symptoms are probably experienced by anyone upgrading to 2.10.2+. The string comparison performed in relabel.sh[0] does not correctly identify 2.10.1 as being greater than 2.2.0. As a result all the restorecon statements are run.

[0] https://github.com/pulp/pulp/blob/2.10-dev/server/selinux/server/relabel.sh#L4

Actions #7

Updated by semyers over 7 years ago

We do this dealio in some packaging scripts to do version checks. I'm not sure there's a better sh-friendly way:
https://github.com/pulp/pulp_packaging/blob/e494215e766d18749ace3a7fa21d9c51946c55d9/ci/jobs/pulp-upgrade.yaml#L116

Here are some examples...

To compare if a version is less than 2.2, the result will not equal 2.2:

$ echo -e '2.1\n2.2'|sort -V|head -n 1
2.1

To compare if a version is greater than or equal to 2.2, the result will equal 2.2:

$ echo -e '2.2\n2.2'|sort -V|head -n 1
2.2
$ echo -e '2.10\n2.2'|sort -V|head -n 1
2.2

Tail can be used in the reverse cases.

To compare if a version is less than or equal to 2.2, the result will equal 2.2:

$ echo -e '2.1\n2.2'|sort -V|tail -n 1
2.2
$ echo -e '2.2\n2.2'|sort -V|tail -n 1
2.2

To compare if a version is greater than 2.2, the result will not equal 2.2:

$ echo -e '2.3\n2.2'|sort -V|tail -n 1
2.3
$ echo -e '2.10\n2.2'|sort -V|tail -n 1
2.10
Actions #8

Updated by dkliban@redhat.com over 7 years ago

Search results from stack overflow suggest using sort -V also. RHEL 6.8 provides sort 8.4 which is able to do the version string sorting. I will go with this approach.

Actions #9

Updated by dkliban@redhat.com over 7 years ago

  • Status changed from ASSIGNED to POST

Added by dkliban@redhat.com over 7 years ago

Revision 29c2026b

Changes how pulp-selinux RPM decides when to run restorecon statements

RHEL 7.3 was experiencing a bug that was preventing the pulp-selinux RPM from using semodule -l to figure out the installed version of pulp-selinux policies during upgrades. This patch switched to using rpm -qa for determining the version of previously installed SELinux policy.

The version comparison logic in relabel.sh only worked for version strings <= 1.9.z. This patch improves this code to make sure upgrades to 2.10.2 don't accidentally run unnecessary restorecon statements.

closes #2434 https://pulp.plan.io/issues/2424

Actions #10

Updated by bmbouter over 7 years ago

  • Subject changed from restorecon runs unecessarily for some upgrades to restorecon runs unecessarily for all 2.10+ upgrades

@dkliban: can you also port this fix into the packaging repo[0]? I think it needs to only go to the el7, f23, and f24 branches in there. I can review that PR if that is helpful, and then you can cherry pick to the other two branches.

[0]: https://github.com/pulp/packaging

Actions #11

Updated by dkliban@redhat.com over 7 years ago

A good way to test this is to install Pulp 2.9.1 or 2.10.0 on EL 7.3 and then perform the following operations:

# create a test file
sudo touch /var/lib/pulp/test
sudo chown apache:apache /var/lib/pulp/test
# set security context to something different
sudo chcon 'system_u:object_r:var_run_t:s0' /var/lib/pulp/test
# verify security context
ls -laZ /var/lib/pulp

Upgrade to 2.10.2 and check the security context of /var/lib/pulp/test is still 'system_u:object_r:var_run_t:s0'.

Actions #12

Updated by bmbouter over 7 years ago

  • Status changed from POST to MODIFIED
  • Platform Release set to 2.10.3
Actions #13

Updated by semyers over 7 years ago

  • Status changed from MODIFIED to 5
Actions #14

Updated by pthomas@redhat.com over 7 years ago

  • Status changed from 5 to 6

verified

$ sudo touch /var/lib/pulp/test
$ sudo chown apache:apache /var/lib/pulp/test 
$ sudo chcon 'system_u:object_r:var_run_t:s0' /var/lib/pulp/test
$ ls -laZ /var/lib/pulp
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 .
drwxr-xr-x. root   root   system_u:object_r:var_lib_t:s0   ..
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 0005_puppet_module_name_change.txt
-rw-r--r--. root   root   unconfined_u:object_r:httpd_sys_rw_content_t:s0 db_initialized.flag
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 published
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 static
-rw-r--r--. apache apache system_u:object_r:var_run_t:s0   test
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 uploads

$ yum upgrade --skip-broken

---> Package pulp-admin-client.noarch 0:2.9.3-1.el7 will be updated
---> Package pulp-admin-client.noarch 0:2.10.2-2.el7 will be an update
---> Package pulp-docker-admin-extensions.noarch 0:2.0.4-1.el7 will be updated
---> Package pulp-docker-admin-extensions.noarch 0:2.1.0-1.el7 will be an update
---> Package pulp-docker-plugins.noarch 0:2.0.4-1.el7 will be updated
---> Package pulp-docker-plugins.noarch 0:2.1.0-1.el7 will be an update
---> Package pulp-ostree-admin-extensions.noarch 0:1.1.3-1.el7 will be updated
---> Package pulp-ostree-admin-extensions.noarch 0:1.1.4-1.el7 will be an update
---> Package pulp-ostree-plugins.noarch 0:1.1.3-1.el7 will be updated
---> Package pulp-ostree-plugins.noarch 0:1.1.4-1.el7 will be an update
---> Package pulp-puppet-admin-extensions.noarch 0:2.9.3-1.el7 will be updated
---> Package pulp-puppet-admin-extensions.noarch 0:2.10.2-1.el7 will be an update
---> Package pulp-puppet-plugins.noarch 0:2.9.3-1.el7 will be updated
---> Package pulp-puppet-plugins.noarch 0:2.10.2-1.el7 will be an update
---> Package pulp-rpm-admin-extensions.noarch 0:2.9.3-1.el7 will be updated
---> Package pulp-rpm-admin-extensions.noarch 0:2.10.2-1.el7 will be an update
---> Package pulp-rpm-plugins.noarch 0:2.9.3-1.el7 will be updated
---> Package pulp-rpm-plugins.noarch 0:2.10.2-1.el7 will be an update
---> Package pulp-selinux.noarch 0:2.9.3-1.el7 will be updated
---> Package pulp-selinux.noarch 0:2.10.2-2.el7 will be an update
---> Package pulp-server.noarch 0:2.9.3-1.el7 will be updated
---> Package pulp-server.noarch 0:2.10.2-2.el7 will be an update
--> Processing Dependency: kobo for package: pulp-server-2.10.2-2.el7.noarch
---> Package python-nectar.noarch 0:1.5.2-1.el7 will be updated
---> Package python-nectar.noarch 0:1.5.3-1.el7 will be an update
---> Package python-pulp-bindings.noarch 0:2.9.3-1.el7 will be updated
---> Package python-pulp-bindings.noarch 0:2.10.2-2.el7 will be an update
---> Package python-pulp-client-lib.noarch 0:2.9.3-1.el7 will be updated
---> Package python-pulp-client-lib.noarch 0:2.10.2-2.el7 will be an update
---> Package python-pulp-common.noarch 0:2.9.3-1.el7 will be updated
---> Package python-pulp-common.noarch 0:2.10.2-2.el7 will be an update
---> Package python-pulp-docker-common.noarch 0:2.0.4-1.el7 will be updated
---> Package python-pulp-docker-common.noarch 0:2.1.0-1.el7 will be an update
---> Package python-pulp-oid_validation.noarch 0:2.9.3-1.el7 will be updated
---> Package python-pulp-oid_validation.noarch 0:2.10.2-2.el7 will be an update
---> Package python-pulp-ostree-common.noarch 0:1.1.3-1.el7 will be updated
---> Package python-pulp-ostree-common.noarch 0:1.1.4-1.el7 will be an update
---> Package python-pulp-puppet-common.noarch 0:2.9.3-1.el7 will be updated
---> Package python-pulp-puppet-common.noarch 0:2.10.2-1.el7 will be an update
---> Package python-pulp-repoauth.noarch 0:2.9.3-1.el7 will be updated
---> Package python-pulp-repoauth.noarch 0:2.10.2-2.el7 will be an update
---> Package python-pulp-rpm-common.noarch 0:2.9.3-1.el7 will be updated
---> Package python-pulp-rpm-common.noarch 0:2.10.2-1.el7 will be an update
---> Package python-pulp-streamer.noarch 0:2.9.3-1.el7 will be updated
---> Package python-pulp-streamer.noarch 0:2.10.2-2.el7 will be an update

$ sudo -u apache pulp-manage-db
$ ls -laZ /var/lib/pulp
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 .
drwxr-xr-x. root   root   system_u:object_r:var_lib_t:s0   ..
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 0005_puppet_module_name_change.txt
-rw-r--r--. root   root   unconfined_u:object_r:httpd_sys_rw_content_t:s0 db_initialized.flag
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 published
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 static
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 test
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 uploads

$ sudo chcon 'system_u:object_r:var_run_t:s0' /var/lib/pulp/test
$ ls -laZ /var/lib/pulp
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 .
drwxr-xr-x. root   root   system_u:object_r:var_lib_t:s0   ..
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 0005_puppet_module_name_change.txt
-rw-r--r--. root   root   unconfined_u:object_r:httpd_sys_rw_content_t:s0 db_initialized.flag
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 published
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 static
-rw-r--r--. apache apache system_u:object_r:var_run_t:s0   test
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 uploads

$ yum upgrade --skip-broken
Loaded plugins: product-id, search-disabled-repos, subscription-manager
pulp                                                                                       | 3.6 kB  00:00:00     
pulp/7Server/x86_64/primary_db                                                             |  24 kB  00:00:00     
Resolving Dependencies
--> Running transaction check
---> Package pulp-admin-client.noarch 0:2.10.2-2.el7 will be updated
---> Package pulp-admin-client.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package pulp-puppet-admin-extensions.noarch 0:2.10.2-1.el7 will be updated
---> Package pulp-puppet-admin-extensions.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package pulp-puppet-plugins.noarch 0:2.10.2-1.el7 will be updated
---> Package pulp-puppet-plugins.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package pulp-rpm-admin-extensions.noarch 0:2.10.2-1.el7 will be updated
---> Package pulp-rpm-admin-extensions.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package pulp-rpm-plugins.noarch 0:2.10.2-1.el7 will be updated
---> Package pulp-rpm-plugins.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package pulp-selinux.noarch 0:2.10.2-2.el7 will be updated
---> Package pulp-selinux.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package pulp-server.noarch 0:2.10.2-2.el7 will be updated
---> Package pulp-server.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package python-pulp-bindings.noarch 0:2.10.2-2.el7 will be updated
---> Package python-pulp-bindings.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package python-pulp-client-lib.noarch 0:2.10.2-2.el7 will be updated
---> Package python-pulp-client-lib.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package python-pulp-common.noarch 0:2.10.2-2.el7 will be updated
---> Package python-pulp-common.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package python-pulp-oid_validation.noarch 0:2.10.2-2.el7 will be updated
---> Package python-pulp-oid_validation.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package python-pulp-puppet-common.noarch 0:2.10.2-1.el7 will be updated
---> Package python-pulp-puppet-common.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package python-pulp-repoauth.noarch 0:2.10.2-2.el7 will be updated
---> Package python-pulp-repoauth.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package python-pulp-rpm-common.noarch 0:2.10.2-1.el7 will be updated
---> Package python-pulp-rpm-common.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package python-pulp-streamer.noarch 0:2.10.2-2.el7 will be updated
---> Package python-pulp-streamer.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package redhat-lsb-core.x86_64 0:4.1-27.el7 will be obsoleted
--> Processing Dependency: redhat-lsb-core(x86-64) = 4.1-27.el7 for package: redhat-lsb-cxx-4.1-27.el7.x86_64
--> Processing Dependency: redhat-lsb-core(x86-64) = 4.1-27.el7 for package: redhat-lsb-4.1-27.el7.x86_64
--> Processing Dependency: redhat-lsb-core(x86-64) = 4.1-27.el7 for package: redhat-lsb-desktop-4.1-27.el7.x86_64
--> Processing Dependency: redhat-lsb-core(x86-64) = 4.1-27.el7 for package: redhat-lsb-languages-4.1-27.el7.x86_64
--> Processing Dependency: redhat-lsb-core(x86-64) = 4.1-27.el7 for package: redhat-lsb-printing-4.1-27.el7.x86_64
---> Package stub-redhat-lsb-core-only-for-ceph.noarch 0:2015.1-1.atomic.el7 will be obsoleting
--> Running transaction check
---> Package redhat-lsb-core.x86_64 0:4.1-27.el7 will be obsoleted
---> Package stub-redhat-lsb-core-only-for-ceph.noarch 0:2015.1-1.atomic.el7 will be obsoleting
--> Running transaction check
---> Package pulp-admin-client.noarch 0:2.10.2-2.el7 will be updated
---> Package pulp-admin-client.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package pulp-puppet-admin-extensions.noarch 0:2.10.2-1.el7 will be updated
---> Package pulp-puppet-admin-extensions.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package pulp-puppet-plugins.noarch 0:2.10.2-1.el7 will be updated
---> Package pulp-puppet-plugins.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package pulp-rpm-admin-extensions.noarch 0:2.10.2-1.el7 will be updated
---> Package pulp-rpm-admin-extensions.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package pulp-rpm-plugins.noarch 0:2.10.2-1.el7 will be updated
---> Package pulp-rpm-plugins.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package pulp-selinux.noarch 0:2.10.2-2.el7 will be updated
---> Package pulp-selinux.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package pulp-server.noarch 0:2.10.2-2.el7 will be updated
---> Package pulp-server.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package python-pulp-bindings.noarch 0:2.10.2-2.el7 will be updated
---> Package python-pulp-bindings.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package python-pulp-client-lib.noarch 0:2.10.2-2.el7 will be updated
---> Package python-pulp-client-lib.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package python-pulp-common.noarch 0:2.10.2-2.el7 will be updated
---> Package python-pulp-common.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package python-pulp-oid_validation.noarch 0:2.10.2-2.el7 will be updated
---> Package python-pulp-oid_validation.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package python-pulp-puppet-common.noarch 0:2.10.2-1.el7 will be updated
---> Package python-pulp-puppet-common.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package python-pulp-repoauth.noarch 0:2.10.2-2.el7 will be updated
---> Package python-pulp-repoauth.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package python-pulp-rpm-common.noarch 0:2.10.2-1.el7 will be updated
---> Package python-pulp-rpm-common.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package python-pulp-streamer.noarch 0:2.10.2-2.el7 will be updated
---> Package python-pulp-streamer.noarch 0:2.10.3-0.1.beta.el7 will be an update
--> Finished Dependency Resolution

$ sudo -u apache pulp-manage-db
$ ls -laZ /var/lib/pulp
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 .
drwxr-xr-x. root   root   system_u:object_r:var_lib_t:s0   ..
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 0005_puppet_module_name_change.txt
-rw-r--r--. root   root   unconfined_u:object_r:httpd_sys_rw_content_t:s0 db_initialized.flag
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 published
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 static
-rw-r--r--. apache apache system_u:object_r:var_run_t:s0   test
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 uploads

Added by dkliban@redhat.com over 7 years ago

Revision 44e13b1b

Fixes relabel.sh to handle empty string being passed in.

The new version comparison mechanism no longer handled an empty string being passed in. As a result none of the restorecon statements were getting run at the end of pulp-selinux installation.

closes #2436 https://pulp.plan.io/issues/2436
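The following is an added example, not Pulp's relabel.sh or any code from the commits above. It puts the three points of this thread side by side: the lexical comparison defect from comment #6, the sort -V comparison that comments #7 and #8 settle on, and the empty-string case that revision 44e13b1b had to handle, here resolved by falling back to a full relabel. The thresholds 2.2.0 and 2.10.0 and the step names are hypothetical; the real script's boundaries are not reproduced.

```shell
#!/bin/sh
# Added example, not Pulp's relabel.sh.  Compares package versions the way
# comment #8 settles on (sort -V), shows why the lexical comparison from
# comment #6 misorders 2.10.x, and decides which relabel steps an upgrade
# needs, falling back to a full relabel for an empty or unparsable previous
# version (the case revision 44e13b1b had to restore).

# The defect: byte-wise ordering puts "2.10.1" before "2.2.0" because '1' < '2'.
lexical_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | LC_ALL=C sort | head -n 1)" = "$2" ]
}

# Version-aware ordering: the first line after sort -V is the threshold
# exactly when $1 >= $2 (GNU coreutils sort; RHEL 6's 8.4 is new enough).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Appends a step name to the space-separated plan.
add_step() {
    plan="${plan:+$plan }$1"
}

# relabel_plan PREVIOUS_VERSION: prints the relabel steps an upgrade from that
# version needs.  The thresholds 2.2.0 and 2.10.0 are hypothetical.  In the
# spec file the previous version would come from the installed pulp-selinux
# package (revision 29c2026b switched to rpm for that); an empty string means
# a fresh install or a query whose output could not be parsed, and the safe
# answer there is to run every restorecon statement ("all").
relabel_plan() {
    prev=$1
    plan=""
    case $prev in
        '' | *[!0-9.]*) echo "all"; return 0 ;;
    esac
    version_ge "$prev" "2.2.0"  || add_step "pre-2.2"
    version_ge "$prev" "2.10.0" || add_step "pre-2.10"
    echo "${plan:-none}"
}

# Constructed sample inputs: the versions that appear in this issue.
for v in "" 2.1.0 2.9.3 2.10.2 "not-a-version"; do
    printf 'upgrade from %-16s -> relabel: %s\n' "'$v'" "$(relabel_plan "$v")"
done
```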

Actions #15

Updated by semyers over 7 years ago

  • Status changed from 6 to CLOSED - CURRENTRELEASE
Actions #18

Updated by bmbouter about 6 years ago

  • Sprint set to Sprint 11
Actions #19

Updated by bmbouter about 6 years ago

  • Sprint/Milestone deleted (29)
Actions #20

Updated by bmbouter almost 5 years ago

  • Tags Pulp 2 added
