Actions
Issue #2424
closed
restorecon runs unecessarily for all 2.10+ upgrades
Added by bmbouter over 7 years ago. Updated about 5 years ago.
Start date:
Due date:
Estimated time:
Severity:
3. High
Version:
Platform Release:
2.10.3
OS:
Triaged:
Yes
Groomed:
Yes
Sprint Candidate:
No
Tags:
Pulp 2, SELinux
Sprint:
Sprint 11
Quarter:
Description
The spec file uses semodule -l[0] to determine what version of the pulp-server selinux policy is being upgraded from. This is then used by the relabel script[1] to run the minimum required set of restorecon statements.
Starting with RHEL 7.3, the SELinux policy version is no longer shown due to BZ 1392573[2] which causes all restorecon statements to run unnecessarily when the previous version fails to be parsed.
[0]: https://github.com/pulp/pulp/blob/1ff9cba5222e18fc28a3456b386a424acf4f8874/pulp.spec#L970
[1]: https://github.com/pulp/pulp/blob/718c24aa32b75de032d5e6b46c5077e919e2db17/server/selinux/server/relabel.sh
[2]: https://bugzilla.redhat.com/show_bug.cgi?id=1392573
Updated by bmbouter over 7 years ago
Instead of using semodule -l we could use rpm -qa to parse the previously installed SELinux module.
Updated by bizhang over 7 years ago
- Priority changed from Normal to High
- Sprint/Milestone set to 29
- Severity changed from 2. Medium to 3. High
- Groomed changed from No to Yes
Updated by bizhang over 7 years ago
- Triaged changed from No to Yes
- Groomed changed from Yes to No
Updated by dkliban@redhat.com over 7 years ago
- Status changed from NEW to ASSIGNED
- Assignee set to dkliban@redhat.com
Updated by dkliban@redhat.com over 7 years ago
I just discovered that the same symptoms are probably experienced by anyone upgrading to 2.10.2+. The string comparison performed in relabel.sh[0] does not correctly identify 2.10.1 as being greater than 2.2.0. As a result all the restorecon statements are run.
[0] https://github.com/pulp/pulp/blob/2.10-dev/server/selinux/server/relabel.sh#L4
Updated by semyers over 7 years ago
We do this dealio in some packaging scripts to do version checks. I'm not sure there's a better sh-friendly way:
https://github.com/pulp/pulp_packaging/blob/e494215e766d18749ace3a7fa21d9c51946c55d9/ci/jobs/pulp-upgrade.yaml#L116
Here are some examples...
To compare is a version is less than 2.2, the result will not equal 2.2:
$ echo -e '2.1\n2.2'|sort -V|head -n 1
2.1
To compare if a version is greater than or equal to 2.2, the result will equal 2.2:
$ echo -e '2.2\n2.2'|sort -V|head -n 1
2.2
$ echo -e '2.10\n2.2'|sort -V|head -n 1
2.2
Tail can be used in the reverse cases.
To compare if a version is less than or equal to 2.2, the result will equal 2.2:
$ echo -e '2.1\n2.2'|sort -V|tail -n 1
2.2
$ echo -e '2.2\n2.2'|sort -V|tail -n 1
2.2
To compare if a version is greater than 2.2, the result will not equal 2.2:
$ echo -e '2.3\n2.2'|sort -V|tail -n 1
2.3
$ echo -e '2.10\n2.2'|sort -V|tail -n 1
2.10
Updated by dkliban@redhat.com over 7 years ago
Search results from stack overflow suggest using sort -V also. RHEL 6.8 provides sort 8.4 which is able to do the version string sorting. I will go with this approach.
Updated by dkliban@redhat.com over 7 years ago
- Status changed from ASSIGNED to POST
Added by dkliban@redhat.com over 7 years ago
Updated by bmbouter over 7 years ago
- Subject changed from restorecon runs unecessarily for some upgrades to restorecon runs unecessarily for all 2.10+ upgrades
@dkliban: can you also port this fix into the packaging repo[0]? I think it needs to only go to the el7, f23, and f24 branches in there. I can review that PR if that is helpful, and then you can cherry pick to the other two branches.
Updated by dkliban@redhat.com over 7 years ago
A good way to test this is to install Pulp 2.9.1 or 2.10.0 on EL 7.3 and then perform the following operations:
# create a test file
sudo touch /var/lib/pulp/test
sudo chown apache:apache /var/lib/pulp/test
# set security context to something different
sudo chcon 'system_u:object_r:var_run_t:s0' /var/lib/pulp/test
# verify security context
ls -laZ /var/lib/pulp
Upgrade to 2.10.2 and check the security context of /var/lib/pulp/test is still 'system_u:object_r:var_run_t:s0'.
Updated by bmbouter over 7 years ago
- Status changed from POST to MODIFIED
- Platform Release set to 2.10.3
Updated by pthomas@redhat.com over 7 years ago
- Status changed from 5 to 6
verified
$ sudo touch /var/lib/pulp/test
$ sudo chown apache:apache /var/lib/pulp/test
$ sudo chcon 'system_u:object_r:var_run_t:s0' /var/lib/pulp/test
$ ls -laZ /var/lib/pulp
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_lib_t:s0 ..
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 0005_puppet_module_name_change.txt
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_rw_content_t:s0 db_initialized.flag
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 published
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 static
-rw-r--r--. apache apache system_u:object_r:var_run_t:s0 test
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 uploads
$ yum upgrade --skip-broken
---> Package pulp-admin-client.noarch 0:2.9.3-1.el7 will be updated
---> Package pulp-admin-client.noarch 0:2.10.2-2.el7 will be an update
---> Package pulp-docker-admin-extensions.noarch 0:2.0.4-1.el7 will be updated
---> Package pulp-docker-admin-extensions.noarch 0:2.1.0-1.el7 will be an update
---> Package pulp-docker-plugins.noarch 0:2.0.4-1.el7 will be updated
---> Package pulp-docker-plugins.noarch 0:2.1.0-1.el7 will be an update
---> Package pulp-ostree-admin-extensions.noarch 0:1.1.3-1.el7 will be updated
---> Package pulp-ostree-admin-extensions.noarch 0:1.1.4-1.el7 will be an update
---> Package pulp-ostree-plugins.noarch 0:1.1.3-1.el7 will be updated
---> Package pulp-ostree-plugins.noarch 0:1.1.4-1.el7 will be an update
---> Package pulp-puppet-admin-extensions.noarch 0:2.9.3-1.el7 will be updated
---> Package pulp-puppet-admin-extensions.noarch 0:2.10.2-1.el7 will be an update
---> Package pulp-puppet-plugins.noarch 0:2.9.3-1.el7 will be updated
---> Package pulp-puppet-plugins.noarch 0:2.10.2-1.el7 will be an update
---> Package pulp-rpm-admin-extensions.noarch 0:2.9.3-1.el7 will be updated
---> Package pulp-rpm-admin-extensions.noarch 0:2.10.2-1.el7 will be an update
---> Package pulp-rpm-plugins.noarch 0:2.9.3-1.el7 will be updated
---> Package pulp-rpm-plugins.noarch 0:2.10.2-1.el7 will be an update
---> Package pulp-selinux.noarch 0:2.9.3-1.el7 will be updated
---> Package pulp-selinux.noarch 0:2.10.2-2.el7 will be an update
---> Package pulp-server.noarch 0:2.9.3-1.el7 will be updated
---> Package pulp-server.noarch 0:2.10.2-2.el7 will be an update
--> Processing Dependency: kobo for package: pulp-server-2.10.2-2.el7.noarch
---> Package python-nectar.noarch 0:1.5.2-1.el7 will be updated
---> Package python-nectar.noarch 0:1.5.3-1.el7 will be an update
---> Package python-pulp-bindings.noarch 0:2.9.3-1.el7 will be updated
---> Package python-pulp-bindings.noarch 0:2.10.2-2.el7 will be an update
---> Package python-pulp-client-lib.noarch 0:2.9.3-1.el7 will be updated
---> Package python-pulp-client-lib.noarch 0:2.10.2-2.el7 will be an update
---> Package python-pulp-common.noarch 0:2.9.3-1.el7 will be updated
---> Package python-pulp-common.noarch 0:2.10.2-2.el7 will be an update
---> Package python-pulp-docker-common.noarch 0:2.0.4-1.el7 will be updated
---> Package python-pulp-docker-common.noarch 0:2.1.0-1.el7 will be an update
---> Package python-pulp-oid_validation.noarch 0:2.9.3-1.el7 will be updated
---> Package python-pulp-oid_validation.noarch 0:2.10.2-2.el7 will be an update
---> Package python-pulp-ostree-common.noarch 0:1.1.3-1.el7 will be updated
---> Package python-pulp-ostree-common.noarch 0:1.1.4-1.el7 will be an update
---> Package python-pulp-puppet-common.noarch 0:2.9.3-1.el7 will be updated
---> Package python-pulp-puppet-common.noarch 0:2.10.2-1.el7 will be an update
---> Package python-pulp-repoauth.noarch 0:2.9.3-1.el7 will be updated
---> Package python-pulp-repoauth.noarch 0:2.10.2-2.el7 will be an update
---> Package python-pulp-rpm-common.noarch 0:2.9.3-1.el7 will be updated
---> Package python-pulp-rpm-common.noarch 0:2.10.2-1.el7 will be an update
---> Package python-pulp-streamer.noarch 0:2.9.3-1.el7 will be updated
---> Package python-pulp-streamer.noarch 0:2.10.2-2.el7 will be an update
$ sudo -u apache pulp-manage-db
$ ls -laZ /var/lib/pulp
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_lib_t:s0 ..
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 0005_puppet_module_name_change.txt
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_rw_content_t:s0 db_initialized.flag
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 published
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 static
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 test
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 uploads
$ sudo chcon 'system_u:object_r:var_run_t:s0' /var/lib/pulp/test
$ ls -laZ /var/lib/pulp
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_lib_t:s0 ..
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 0005_puppet_module_name_change.txt
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_rw_content_t:s0 db_initialized.flag
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 published
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 static
-rw-r--r--. apache apache system_u:object_r:var_run_t:s0 test
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 uploads
$ yum upgrade --skip-broken
Loaded plugins: product-id, search-disabled-repos, subscription-manager
pulp | 3.6 kB 00:00:00
pulp/7Server/x86_64/primary_db | 24 kB 00:00:00
Resolving Dependencies
--> Running transaction check
---> Package pulp-admin-client.noarch 0:2.10.2-2.el7 will be updated
---> Package pulp-admin-client.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package pulp-puppet-admin-extensions.noarch 0:2.10.2-1.el7 will be updated
---> Package pulp-puppet-admin-extensions.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package pulp-puppet-plugins.noarch 0:2.10.2-1.el7 will be updated
---> Package pulp-puppet-plugins.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package pulp-rpm-admin-extensions.noarch 0:2.10.2-1.el7 will be updated
---> Package pulp-rpm-admin-extensions.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package pulp-rpm-plugins.noarch 0:2.10.2-1.el7 will be updated
---> Package pulp-rpm-plugins.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package pulp-selinux.noarch 0:2.10.2-2.el7 will be updated
---> Package pulp-selinux.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package pulp-server.noarch 0:2.10.2-2.el7 will be updated
---> Package pulp-server.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package python-pulp-bindings.noarch 0:2.10.2-2.el7 will be updated
---> Package python-pulp-bindings.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package python-pulp-client-lib.noarch 0:2.10.2-2.el7 will be updated
---> Package python-pulp-client-lib.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package python-pulp-common.noarch 0:2.10.2-2.el7 will be updated
---> Package python-pulp-common.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package python-pulp-oid_validation.noarch 0:2.10.2-2.el7 will be updated
---> Package python-pulp-oid_validation.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package python-pulp-puppet-common.noarch 0:2.10.2-1.el7 will be updated
---> Package python-pulp-puppet-common.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package python-pulp-repoauth.noarch 0:2.10.2-2.el7 will be updated
---> Package python-pulp-repoauth.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package python-pulp-rpm-common.noarch 0:2.10.2-1.el7 will be updated
---> Package python-pulp-rpm-common.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package python-pulp-streamer.noarch 0:2.10.2-2.el7 will be updated
---> Package python-pulp-streamer.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package redhat-lsb-core.x86_64 0:4.1-27.el7 will be obsoleted
--> Processing Dependency: redhat-lsb-core(x86-64) = 4.1-27.el7 for package: redhat-lsb-cxx-4.1-27.el7.x86_64
--> Processing Dependency: redhat-lsb-core(x86-64) = 4.1-27.el7 for package: redhat-lsb-4.1-27.el7.x86_64
--> Processing Dependency: redhat-lsb-core(x86-64) = 4.1-27.el7 for package: redhat-lsb-desktop-4.1-27.el7.x86_64
--> Processing Dependency: redhat-lsb-core(x86-64) = 4.1-27.el7 for package: redhat-lsb-languages-4.1-27.el7.x86_64
--> Processing Dependency: redhat-lsb-core(x86-64) = 4.1-27.el7 for package: redhat-lsb-printing-4.1-27.el7.x86_64
---> Package stub-redhat-lsb-core-only-for-ceph.noarch 0:2015.1-1.atomic.el7 will be obsoleting
--> Running transaction check
---> Package redhat-lsb-core.x86_64 0:4.1-27.el7 will be obsoleted
---> Package stub-redhat-lsb-core-only-for-ceph.noarch 0:2015.1-1.atomic.el7 will be obsoleting
--> Running transaction check
---> Package pulp-admin-client.noarch 0:2.10.2-2.el7 will be updated
---> Package pulp-admin-client.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package pulp-puppet-admin-extensions.noarch 0:2.10.2-1.el7 will be updated
---> Package pulp-puppet-admin-extensions.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package pulp-puppet-plugins.noarch 0:2.10.2-1.el7 will be updated
---> Package pulp-puppet-plugins.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package pulp-rpm-admin-extensions.noarch 0:2.10.2-1.el7 will be updated
---> Package pulp-rpm-admin-extensions.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package pulp-rpm-plugins.noarch 0:2.10.2-1.el7 will be updated
---> Package pulp-rpm-plugins.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package pulp-selinux.noarch 0:2.10.2-2.el7 will be updated
---> Package pulp-selinux.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package pulp-server.noarch 0:2.10.2-2.el7 will be updated
---> Package pulp-server.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package python-pulp-bindings.noarch 0:2.10.2-2.el7 will be updated
---> Package python-pulp-bindings.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package python-pulp-client-lib.noarch 0:2.10.2-2.el7 will be updated
---> Package python-pulp-client-lib.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package python-pulp-common.noarch 0:2.10.2-2.el7 will be updated
---> Package python-pulp-common.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package python-pulp-oid_validation.noarch 0:2.10.2-2.el7 will be updated
---> Package python-pulp-oid_validation.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package python-pulp-puppet-common.noarch 0:2.10.2-1.el7 will be updated
---> Package python-pulp-puppet-common.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package python-pulp-repoauth.noarch 0:2.10.2-2.el7 will be updated
---> Package python-pulp-repoauth.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package python-pulp-rpm-common.noarch 0:2.10.2-1.el7 will be updated
---> Package python-pulp-rpm-common.noarch 0:2.10.3-0.1.beta.el7 will be an update
---> Package python-pulp-streamer.noarch 0:2.10.2-2.el7 will be updated
---> Package python-pulp-streamer.noarch 0:2.10.3-0.1.beta.el7 will be an update
--> Finished Dependency Resolution
$ sudo -u apache pulp-manage-db
$ ls -laZ /var/lib/pulp
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_lib_t:s0 ..
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 0005_puppet_module_name_change.txt
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_rw_content_t:s0 db_initialized.flag
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 published
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 static
-rw-r--r--. apache apache system_u:object_r:var_run_t:s0 test
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 uploads
Added by dkliban@redhat.com over 7 years ago
Revision 44e13b1b | View on GitHub
Fixes relabel.sh to handle empty string being passed in.
The new version comparison mechanism no longer handled an empty string being passed in. As a result none of the restorecon statements were getting run at the end of pulp-selinux installation.
Updated by semyers over 7 years ago
- Status changed from 6 to CLOSED - CURRENTRELEASE
Actions
.
Changes how pulp-selinux RPM decides when to run restorecon statements
RHEL 7.3 was experiencing a bug that was preventing the pulp-selinux RPM from using semodule -l to figure out the installed version of pulp-selinux policies during upgrades. This patch switched to using rpm -qa for determining the version of previously installed SELinux policy.
The version comparison logic in relabel.sh only worked for version strings <= 1.9.z. This patch improves this code to make sure upgrades to 2.10.2 don't accidently run unnecesary restorecon statements.
closes #2434 https://pulp.plan.io/issues/2424