microsoft / SCXcore

System Center Cross Platform Provider for Operations Manager
Microsoft Public License

selinux problems in linux builds #168

Closed Klaas- closed 3 years ago

Klaas- commented 3 years ago

Hi, cross-linked from microsoft/omi/issues/680 -- hope I found the right GitHub repository.

It seems the scxagent-logrotate SELinux module is uninstalled after upgrading.

You need to change a lot of the postun scriptlet and put it into the if clause that is not being executed during update.

Postuninstall from scx-1.6.6-0.x86_64

postuninstall scriptlet (using /bin/sh):
#!/bin/sh
    # If we're called for upgrade, don't do anything
    if [ "$1" -ne 1 ]; then
        # Check if port 1270 is open
        /opt/omi/bin/omiconfigeditor httpsport -q 1270 < /etc/opt/omi/conf/omiserver.conf > /dev/null 2>&1
        if [ $? -eq 0 ]; then
            touch /etc/opt/microsoft/scx/conf/scxagent-enable-port
            # Remove port 1270 from the list of ports that OMI will listen on
            /opt/omi/bin/omiconfigeditor httpsport -r 1270 < /etc/opt/omi/conf/omiserver.conf > /etc/opt/omi/conf/omiserver.conf_temp
            mv /etc/opt/omi/conf/omiserver.conf_temp /etc/opt/omi/conf/omiserver.conf
        fi
    fi

# Clean up logrotate
rm -f /etc/logrotate.d/scxagent
rm -f /etc/cron.d/scxagent

DeleteSoftLinkToSudo() {
    if [ -L /etc/opt/microsoft/scx/conf/sudodir ]; then
        LINKED_DIR=`(cd /etc/opt/microsoft/scx/conf/sudodir ; pwd -P)`
        [ x${LINKED_DIR} = x/usr/bin ] && rm /etc/opt/microsoft/scx/conf/sudodir
    fi
}

DeleteSoftLinkToTmpDir() {
    if [ -L /etc/opt/microsoft/scx/conf/tmpdir ]; then
        LINKED_DIR=`(cd /etc/opt/microsoft/scx/conf/tmpdir ; pwd -P)`
        [ x${LINKED_DIR} = x/tmp ] && rm /etc/opt/microsoft/scx/conf/tmpdir
    fi
}

/opt/omi/bin/service_control reload

# If we're called for upgrade, don't do anything
if [ "$1" -ne 1 ]; then
    DeleteSoftLinkToSudo
    DeleteSoftLinkToTmpDir
fi
if [ -e /usr/sbin/semodule ]; then
    if [ ! -z "$(/usr/sbin/semodule -l | grep scxagent-logrotate)" ]; then
        echo "Removing selinux policy module for scxagent-logrotate ..."
        /usr/sbin/semodule -r scxagent-logrotate
    fi
fi

exit 0

I think this needs to go into the if clause that is not being executed during upgrade:

# Clean up logrotate
rm -f /etc/logrotate.d/scxagent
rm -f /etc/cron.d/scxagent

if [ -e /usr/sbin/semodule ]; then
    if [ ! -z "$(/usr/sbin/semodule -l | grep scxagent-logrotate)" ]; then
        echo "Removing selinux policy module for scxagent-logrotate ..."
        /usr/sbin/semodule -r scxagent-logrotate
    fi
fi

Reproducer (copied from other issue):

Have a system without omi/scx.

$ dnf install omi scx
Last metadata expiration check: 1:22:15 ago on Thu 11 Feb 2021 02:11:10 PM UTC.
Dependencies resolved.
=====================================================================================================================================================================================================================================================================================
 Package                                                    Architecture                                                  Version                                                           Repository                                                                          Size
=====================================================================================================================================================================================================================================================================================
Installing:
 omi                                                        x86_64                                                        1.6.6-0                                                           packages-microsoft-com-prod                                                        1.8 M
 scx                                                        x86_64                                                        1.6.6-0                                                           packages-microsoft-com-prod                                                        2.0 M

Transaction Summary
=====================================================================================================================================================================================================================================================================================
Install  2 Packages

Total download size: 3.8 M
Installed size: 11 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): scx-1.6.6-0.universal.x64.rpm                                                                                                                                                                                                                 9.6 MB/s | 2.0 MB     00:00
(2/2): omi-1.6.6-0.ssl_110.ulinux.x64.rpm                                                                                                                                                                                                            8.5 MB/s | 1.8 MB     00:00
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                                                                                                 17 MB/s | 3.8 MB     00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                                                                                                                             1/1
  Running scriptlet: omi-1.6.6-0.x86_64                                                                                                                                                                                                                                          1/2
Creating omi group ...
Creating omi service account ...

  Installing       : omi-1.6.6-0.x86_64                                                                                                                                                                                                                                          1/2
  Running scriptlet: omi-1.6.6-0.x86_64                                                                                                                                                                                                                                          1/2

************************************************************
* Warning: The certificate and keyfile were not generated  *
* since they already exist.                                *
************************************************************
2021-02-11 15:33:30 : Crontab not configured to update omi keytab automatically. Skip unconfigure
ktutil not found
Checking if cron is installed...
Checking if cron/crond service is started...
Set up a cron job to OMI logrotate every 15 minutes
System appears to have SELinux installed, attempting to install selinux policy module for logrotate
  Trying /usr/share/selinux/packages/omi-selinux/omi-logrotate.pp ...
  Trying /usr/share/selinux/packages/omi-selinux/omi-selinux.pp ...
  Labeling omi log files ...
Configuring OMI service ...
Created symlink /etc/systemd/system/multi-user.target.wants/omid.service → /usr/lib/systemd/system/omid.service.
Trying to start omi with systemctl
omi is started.

  Running scriptlet: scx-1.6.6-0.x86_64                                                                                                                                                                                                                                          2/2
  Installing       : scx-1.6.6-0.x86_64                                                                                                                                                                                                                                          2/2
  Running scriptlet: scx-1.6.6-0.x86_64                                                                                                                                                                                                                                          2/2
Trying to stop omi with systemctl
omi is stopped.
Trying to start omi with systemctl
omi is started.
System appears to have SELinux installed, attempting to install selinux policy module for logrotate
  Trying /usr/share/selinux/packages/scxagent-logrotate/scxagent-logrotate.pp ...

  Verifying        : omi-1.6.6-0.x86_64                                                                                                                                                                                                                                          1/2
  Verifying        : scx-1.6.6-0.x86_64                                                                                                                                                                                                                                          2/2
Installed products updated.

Installed:
  omi-1.6.6-0.x86_64                                                                                                                        scx-1.6.6-0.x86_64

Complete!
$ semodule -l|grep -E 'scx|omi'
omi-logrotate
omi-selinux
scxagent-logrotate
$ dnf reinstall scx omi
Last metadata expiration check: 1:24:46 ago on Thu 11 Feb 2021 02:11:10 PM UTC.
Dependencies resolved.
=====================================================================================================================================================================================================================================================================================
 Package                                                    Architecture                                                  Version                                                           Repository                                                                          Size
=====================================================================================================================================================================================================================================================================================
Reinstalling:
 omi                                                        x86_64                                                        1.6.6-0                                                           packages-microsoft-com-prod                                                        1.8 M
 scx                                                        x86_64                                                        1.6.6-0                                                           packages-microsoft-com-prod                                                        2.0 M

Transaction Summary
=====================================================================================================================================================================================================================================================================================

Total download size: 3.8 M
Installed size: 11 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): scx-1.6.6-0.universal.x64.rpm                                                                                                                                                                                                                  12 MB/s | 2.0 MB     00:00
(2/2): omi-1.6.6-0.ssl_110.ulinux.x64.rpm                                                                                                                                                                                                             10 MB/s | 1.8 MB     00:00
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                                                                                                 21 MB/s | 3.8 MB     00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                                                                                                                             1/1
  Running scriptlet: omi-1.6.6-0.x86_64                                                                                                                                                                                                                                          1/4
Unconfiguring omid (systemd) service ...
Removed /etc/systemd/system/multi-user.target.wants/omid.service.

  Reinstalling     : omi-1.6.6-0.x86_64                                                                                                                                                                                                                                          1/4
  Running scriptlet: omi-1.6.6-0.x86_64                                                                                                                                                                                                                                          1/4

************************************************************
* Warning: The certificate and keyfile were not generated  *
* since they already exist.                                *
************************************************************
omi already configured
2021-02-11 15:36:02 : Crontab not configured to update omi keytab automatically. Skip unconfigure
ktutil not found
Checking if cron is installed...
Checking if cron/crond service is started...
Set up a cron job to OMI logrotate every 15 minutes
System appears to have SELinux installed, attempting to install selinux policy module for logrotate
  Trying /usr/share/selinux/packages/omi-selinux/omi-logrotate.pp ...
  Trying /usr/share/selinux/packages/omi-selinux/omi-selinux.pp ...
  Labeling omi log files ...
Configuring OMI service ...
Created symlink /etc/systemd/system/multi-user.target.wants/omid.service → /usr/lib/systemd/system/omid.service.
Trying to start omi with systemctl
omi is started.

  Running scriptlet: scx-1.6.6-0.x86_64                                                                                                                                                                                                                                          2/4
  Reinstalling     : scx-1.6.6-0.x86_64                                                                                                                                                                                                                                          2/4
  Running scriptlet: scx-1.6.6-0.x86_64                                                                                                                                                                                                                                          2/4
Trying to stop omi with systemctl
omi is stopped.
Trying to start omi with systemctl
omi is started.
System appears to have SELinux installed, attempting to install selinux policy module for logrotate
  Trying /usr/share/selinux/packages/scxagent-logrotate/scxagent-logrotate.pp ...

  Running scriptlet: scx-1.6.6-0.x86_64                                                                                                                                                                                                                                          3/4
  Cleanup          : scx-1.6.6-0.x86_64                                                                                                                                                                                                                                          3/4
  Running scriptlet: scx-1.6.6-0.x86_64                                                                                                                                                                                                                                          3/4
Trying to stop omi with systemctl
omi is stopped.
Trying to start omi with systemctl
omi is started.
Removing selinux policy module for scxagent-logrotate ...
libsemanage.semanage_direct_remove_key: Removing last scxagent-logrotate module (no other scxagent-logrotate module exists at another priority).

  Running scriptlet: omi-1.6.6-0.x86_64                                                                                                                                                                                                                                          4/4
  Cleanup          : omi-1.6.6-0.x86_64                                                                                                                                                                                                                                          4/4
  Running scriptlet: omi-1.6.6-0.x86_64                                                                                                                                                                                                                                          4/4
Removing selinux policy module for omi-logrotate ...
libsemanage.semanage_direct_remove_key: Removing last omi-logrotate module (no other omi-logrotate module exists at another priority).

  Verifying        : omi-1.6.6-0.x86_64                                                                                                                                                                                                                                          1/4
  Verifying        : omi-1.6.6-0.x86_64                                                                                                                                                                                                                                          2/4
  Verifying        : scx-1.6.6-0.x86_64                                                                                                                                                                                                                                          3/4
  Verifying        : scx-1.6.6-0.x86_64                                                                                                                                                                                                                                          4/4
Installed products updated.

Reinstalled:
  omi-1.6.6-0.x86_64                                                                                                                        scx-1.6.6-0.x86_64

Complete!
$ semodule -l|grep -E 'scx|omi'
omi-selinux

Greetings Klaas
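The change proposed in the comment above, written out as an added example (not the SCXcore packaging code and not part of the original post): the logrotate cleanup and the `semodule -r` call are gated on the `%postun` argument, which RPM sets to 0 on a real erase and to 1 or more on upgrade or reinstall. `SCX_ROOT`, `SEMODULE` and `scx_postun` are hypothetical names so the logic can be exercised against a scratch directory and a stub; the port 1270 and symlink handling from the original scriptlet is left out.

```shell
#!/bin/sh
# Added example, not the SCXcore packaging code.
# SCX_ROOT and SEMODULE are hypothetical overrides so the function can be
# run against a scratch directory and a stub instead of the live system.
SCX_ROOT="${SCX_ROOT:-}"
SEMODULE="${SEMODULE:-/usr/sbin/semodule}"
MODULE="scxagent-logrotate"

# $1 is the argument RPM passes to %postun: the number of instances of the
# package left installed when the transaction completes
# (0 = erase, 1 or more = upgrade/reinstall).
scx_postun() {
    # A missing argument is treated as an upgrade so nothing is removed
    # by accident.
    remaining="${1:-1}"

    if [ "$remaining" -ne 0 ]; then
        # The new package's %post has already installed the logrotate
        # config and the policy module; removing them here would undo it.
        echo "Upgrade/reinstall: keeping $MODULE and the logrotate config"
        return 0
    fi

    # Real uninstall: clean up logrotate and cron entries.
    rm -f "$SCX_ROOT/etc/logrotate.d/scxagent" "$SCX_ROOT/etc/cron.d/scxagent"

    if command -v "$SEMODULE" >/dev/null 2>&1; then
        # Compare the first column exactly, so a module whose name merely
        # contains the string does not match.
        if "$SEMODULE" -l | awk '{print $1}' | grep -qxF "$MODULE"; then
            echo "Removing selinux policy module for $MODULE ..."
            "$SEMODULE" -r "$MODULE"
        fi
    fi
    return 0
}

# In the scriptlet itself the last lines would be:
#   scx_postun "$1"
#   exit 0
```

After a reinstall with this guard in place, `semodule -l | grep -E 'scx|omi'` should still list `scxagent-logrotate`, unlike the last command in the reproducer.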

Klaas- commented 3 years ago

Highlighting author: @sarojcare

JumpingYang001 commented 3 years ago

@Klaas- Thanks for reporting it! We will check the issue.