Bug
Resolution: Done-Errata
rhel-7.9.z
Fixed In Version: leapp-repository-0.20.0-1.el7_9
rhel-upgrades
Description of problem:
After upgrading a RHEL 7 system to RHEL 8 the semanage port configuration is not fully preserved.
Customer has configured type `http_cache_port_t` to port 8000.
Leapp fails to set this configuration because it conflicts with the existing configuration for port 8000 as type `soundd_port_t`.
Version-Release number of selected component (if applicable):
policycoreutils-python-utils-2.9-24.el8.noarch
leapp-0.15.1-1.el7_9.noarch
How reproducible:
always
Steps to Reproduce:
1. spin up a rhel7 image (I used kcli from the rhel7 image from the portal downloads)
~~~
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.9 (Maipo)
~~~
2. check default SELinux port for http_cache and port 8000:
~~~
# semanage port -l | grep http_cache
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
# semanage port -l | grep 8000
soundd_port_t                  tcp      8000, 9433, 16001
~~~
3. Add/modify port 8000
~~~
# semanage port -a -t http_cache_port_t -p tcp 8000
ValueError: Port tcp/8000 already defined
# semanage port -l | grep http_cache
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
# semanage port -l | grep 8000
soundd_port_t                  tcp      8000, 9433, 16001
# semanage port -m -t http_cache_port_t -p tcp 8000
# semanage port -l | grep http_cache
http_cache_port_t              tcp      8000, 8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
# semanage port -l | grep 8000
http_cache_port_t              tcp      8000, 8080, 8118, 8123, 10001-10010
soundd_port_t                  tcp      8000, 9433, 16001
~~~
4. reboot and verify
~~~
# semanage port -l | grep http_cache
http_cache_port_t              tcp      8000, 8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
# semanage port -l | grep 8000
http_cache_port_t              tcp      8000, 8080, 8118, 8123, 10001-10010
soundd_port_t                  tcp      8000, 9433, 16001
~~~
5. perform the leapp upgrade
~~~
# subscription-manager repos --enable rhel-7-server-rpms
# subscription-manager repos --enable rhel-7-server-extras-rpms
# subscription-manager release --unset
# yum versionlock clear
# yum update
# reboot
# yum install leapp-upgrade
# leapp answer --section remove_pam_pkcs11_module_check.confirm=True
# rmmod floppy
# rmmod pata_acpi
# leapp upgrade --debug
# reboot
~~~
Actual results:
The SELinux port config is not retained:
~~~
# semanage port -l | grep 8000
soundd_port_t                  tcp      8000, 9433, 16001
# semanage port -l | grep http_cache
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
~~~
Expected results:
SELinux configuration to be retained after Leapp upgrade
Additional info:
The log `/var/log/leapp/leapp-upgrade.log` shows that Leapp attempts to set the type but fails because a definition already exists for port 8000:
~~~
2023-08-10 10:26:53.522 INFO PID: 1268 leapp.workflow.Applications.selinuxapplycustom: Importing the following SELinux customizations collected by "semanage export":
2023-08-10 10:26:55.156 WARNING PID: 1268 leapp.workflow.Applications.selinuxapplycustom: Error applying "semanage port -a -t http_cache_port_t -r 's0' -p tcp 8000": ValueError: Port tcp/8000 already defined
~~~
This is identical to the error seen in step 3 above.
The resulting configuration may not be valid for SELinux and may need to be addressed in policycoreutils, but Leapp needs to handle or at least warn about this issue.
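The failure above is deterministic: `semanage export` records every local port customization as `port -a ...`, and replaying `-a` for a port/protocol pair the target policy already defines raises `Port tcp/8000 already defined`, exactly as in step 3. The script below is an added example written for this report; it is not part of Leapp and not code from the reporter. It takes the `semanage export` output captured on the RHEL 7 host and the `semanage port -l` listing from the upgraded host, and emits the commands to replay, rewriting `port -a` to `port -m` for any port/protocol pair that is already defined (the same workaround the reporter applied by hand in step 3). The function names (`port_defined`, `plan_port_commands`) and the sample inputs are constructed for the example; the listings mirror the ones quoted in the report.

```sh
#!/bin/sh
# Added example, not part of leapp or of the bug report.
# Replays "semanage export" port entries against a target host, switching
# "port -a" to "port -m" wherever the target policy already defines the port.

# Constructed sample: local customizations as "semanage export" writes them
# on the RHEL 7 host (the http_cache_port_t line is the one from the report).
sample_export() {
cat <<'EOF'
port -D
port -a -t http_cache_port_t -r 's0' -p tcp 8000
port -a -t ssh_port_t -r 's0' -p tcp 2222
port -a -t http_port_t -r 's0' -p tcp 10005
EOF
}

# Constructed sample: "semanage port -l" on the upgraded RHEL 8 host,
# reduced to the rows relevant here (values match the report's listings).
sample_target_ports() {
cat <<'EOF'
SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
soundd_port_t                  tcp      8000, 9433, 16001
ssh_port_t                     tcp      22
EOF
}

# port_defined PROTO PORT LISTING
# Exit 0 if the "semanage port -l" text in LISTING already covers PORT for
# PROTO, either as a single port or inside a range such as 10001-10010.
# PORT is expected to be a single port number, not a range.
port_defined() {
    printf '%s\n' "$3" | awk -v proto="$1" -v port="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i
                sub(/,$/, "", p)                 # strip the list separator
                if (index(p, "-")) {             # a range like 10001-10010
                    split(p, r, "-")
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) found = 1
                } else if (p + 0 == port + 0) {
                    found = 1
                }
            }
        }
        END { exit found ? 0 : 1 }'
}

# plan_port_commands LISTING  < export-output
# Reads "semanage export" lines on stdin and prints one semanage command per
# "port -a" entry; entries that collide with LISTING become "port -m".
plan_port_commands() {
    listing="$1"
    while IFS= read -r line; do
        case "$line" in
            "port -a "*) ;;
            *) continue ;;      # skip "port -D", fcontext, boolean, ... lines
        esac
        # export format ends in "-p <proto> <port>", so take the last two words
        proto=$(printf '%s\n' "$line" | awk '{ print $(NF - 1) }')
        port=$(printf '%s\n' "$line" | awk '{ print $NF }')
        if port_defined "$proto" "$port" "$listing"; then
            printf 'semanage port -m %s\n' "${line#port -a }"
        else
            printf 'semanage %s\n' "$line"
        fi
    done
}

main() {
    listing=$(sample_target_ports)
    sample_export | plan_port_commands "$listing"
}

main
```

Run on the samples it prints `semanage port -m ...` for tcp/8000 (held by `soundd_port_t`) and for tcp/10005 (inside the `http_cache_port_t` range), and keeps `-a` for tcp/2222. Note what step 3 shows about the end state: after `semanage port -m -t http_cache_port_t -p tcp 8000`, `semanage port -l` listed tcp/8000 under both `http_cache_port_t` and `soundd_port_t`, and that listing survived a reboot; whether that combined state is a valid one for SELinux is the policycoreutils question the reporter raises, so treat the rewrite as a way to reproduce the admin's pre-upgrade configuration, not as a guarantee that it is sound.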
External trackers:
Links to: RHBA-2023:124145 (leapp and leapp-repository bug fix and enhancement update)