selinux problem in omi on RHEL8 #680

Closed
Klaas- opened this issue Feb 11, 2021 · 16 comments · Fixed by #681
Comments

Klaas- commented Feb 11, 2021

Hi,
it seems the omi-logrotate selinux module is uninstalled after upgrading. I think this is a general build problem; scx has the same issue.

  Running scriptlet: omi-1.6.6-0.x86_64                                                                                                                                                                                                                                          2/2
Removing selinux policy module for omi-logrotate ...
libsemanage.semanage_direct_remove_key: Removing last omi-logrotate module (no other omi-logrotate module exists at another priority).

How to reproduce:
Have a system without omi/scx.

$ dnf install omi scx
Last metadata expiration check: 1:22:15 ago on Thu 11 Feb 2021 02:11:10 PM UTC.
Dependencies resolved.
=====================================================================================================================================================================================================================================================================================
 Package                                                    Architecture                                                  Version                                                           Repository                                                                          Size
=====================================================================================================================================================================================================================================================================================
Installing:
 omi                                                        x86_64                                                        1.6.6-0                                                           packages-microsoft-com-prod                                                        1.8 M
 scx                                                        x86_64                                                        1.6.6-0                                                           packages-microsoft-com-prod                                                        2.0 M

Transaction Summary
=====================================================================================================================================================================================================================================================================================
Install  2 Packages

Total download size: 3.8 M
Installed size: 11 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): scx-1.6.6-0.universal.x64.rpm                                                                                                                                                                                                                 9.6 MB/s | 2.0 MB     00:00
(2/2): omi-1.6.6-0.ssl_110.ulinux.x64.rpm                                                                                                                                                                                                            8.5 MB/s | 1.8 MB     00:00
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                                                                                                 17 MB/s | 3.8 MB     00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                                                                                                                             1/1
  Running scriptlet: omi-1.6.6-0.x86_64                                                                                                                                                                                                                                          1/2
Creating omi group ...
Creating omi service account ...

  Installing       : omi-1.6.6-0.x86_64                                                                                                                                                                                                                                          1/2
  Running scriptlet: omi-1.6.6-0.x86_64                                                                                                                                                                                                                                          1/2

************************************************************
* Warning: The certificate and keyfile were not generated  *
* since they already exist.                                *
************************************************************
2021-02-11 15:33:30 : Crontab not configured to update omi keytab automatically. Skip unconfigure
ktutil not found
Checking if cron is installed...
Checking if cron/crond service is started...
Set up a cron job to OMI logrotate every 15 minutes
System appears to have SELinux installed, attempting to install selinux policy module for logrotate
  Trying /usr/share/selinux/packages/omi-selinux/omi-logrotate.pp ...
  Trying /usr/share/selinux/packages/omi-selinux/omi-selinux.pp ...
  Labeling omi log files ...
Configuring OMI service ...
Created symlink /etc/systemd/system/multi-user.target.wants/omid.service → /usr/lib/systemd/system/omid.service.
Trying to start omi with systemctl
omi is started.

  Running scriptlet: scx-1.6.6-0.x86_64                                                                                                                                                                                                                                          2/2
  Installing       : scx-1.6.6-0.x86_64                                                                                                                                                                                                                                          2/2
  Running scriptlet: scx-1.6.6-0.x86_64                                                                                                                                                                                                                                          2/2
Trying to stop omi with systemctl
omi is stopped.
Trying to start omi with systemctl
omi is started.
System appears to have SELinux installed, attempting to install selinux policy module for logrotate
  Trying /usr/share/selinux/packages/scxagent-logrotate/scxagent-logrotate.pp ...

  Verifying        : omi-1.6.6-0.x86_64                                                                                                                                                                                                                                          1/2
  Verifying        : scx-1.6.6-0.x86_64                                                                                                                                                                                                                                          2/2
Installed products updated.

Installed:
  omi-1.6.6-0.x86_64                                                                                                                        scx-1.6.6-0.x86_64

Complete!
$ semodule -l|grep -E 'scx|omi'
omi-logrotate
omi-selinux
scxagent-logrotate
$ dnf reinstall scx omi
Last metadata expiration check: 1:24:46 ago on Thu 11 Feb 2021 02:11:10 PM UTC.
Dependencies resolved.
=====================================================================================================================================================================================================================================================================================
 Package                                                    Architecture                                                  Version                                                           Repository                                                                          Size
=====================================================================================================================================================================================================================================================================================
Reinstalling:
 omi                                                        x86_64                                                        1.6.6-0                                                           packages-microsoft-com-prod                                                        1.8 M
 scx                                                        x86_64                                                        1.6.6-0                                                           packages-microsoft-com-prod                                                        2.0 M

Transaction Summary
=====================================================================================================================================================================================================================================================================================

Total download size: 3.8 M
Installed size: 11 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): scx-1.6.6-0.universal.x64.rpm                                                                                                                                                                                                                  12 MB/s | 2.0 MB     00:00
(2/2): omi-1.6.6-0.ssl_110.ulinux.x64.rpm                                                                                                                                                                                                             10 MB/s | 1.8 MB     00:00
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                                                                                                 21 MB/s | 3.8 MB     00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                                                                                                                             1/1
  Running scriptlet: omi-1.6.6-0.x86_64                                                                                                                                                                                                                                          1/4
Unconfiguring omid (systemd) service ...
Removed /etc/systemd/system/multi-user.target.wants/omid.service.

  Reinstalling     : omi-1.6.6-0.x86_64                                                                                                                                                                                                                                          1/4
  Running scriptlet: omi-1.6.6-0.x86_64                                                                                                                                                                                                                                          1/4

************************************************************
* Warning: The certificate and keyfile were not generated  *
* since they already exist.                                *
************************************************************
omi already configured
2021-02-11 15:36:02 : Crontab not configured to update omi keytab automatically. Skip unconfigure
ktutil not found
Checking if cron is installed...
Checking if cron/crond service is started...
Set up a cron job to OMI logrotate every 15 minutes
System appears to have SELinux installed, attempting to install selinux policy module for logrotate
  Trying /usr/share/selinux/packages/omi-selinux/omi-logrotate.pp ...
  Trying /usr/share/selinux/packages/omi-selinux/omi-selinux.pp ...
  Labeling omi log files ...
Configuring OMI service ...
Created symlink /etc/systemd/system/multi-user.target.wants/omid.service → /usr/lib/systemd/system/omid.service.
Trying to start omi with systemctl
omi is started.

  Running scriptlet: scx-1.6.6-0.x86_64                                                                                                                                                                                                                                          2/4
  Reinstalling     : scx-1.6.6-0.x86_64                                                                                                                                                                                                                                          2/4
  Running scriptlet: scx-1.6.6-0.x86_64                                                                                                                                                                                                                                          2/4
Trying to stop omi with systemctl
omi is stopped.
Trying to start omi with systemctl
omi is started.
System appears to have SELinux installed, attempting to install selinux policy module for logrotate
  Trying /usr/share/selinux/packages/scxagent-logrotate/scxagent-logrotate.pp ...

  Running scriptlet: scx-1.6.6-0.x86_64                                                                                                                                                                                                                                          3/4
  Cleanup          : scx-1.6.6-0.x86_64                                                                                                                                                                                                                                          3/4
  Running scriptlet: scx-1.6.6-0.x86_64                                                                                                                                                                                                                                          3/4
Trying to stop omi with systemctl
omi is stopped.
Trying to start omi with systemctl
omi is started.
Removing selinux policy module for scxagent-logrotate ...
libsemanage.semanage_direct_remove_key: Removing last scxagent-logrotate module (no other scxagent-logrotate module exists at another priority).

  Running scriptlet: omi-1.6.6-0.x86_64                                                                                                                                                                                                                                          4/4
  Cleanup          : omi-1.6.6-0.x86_64                                                                                                                                                                                                                                          4/4
  Running scriptlet: omi-1.6.6-0.x86_64                                                                                                                                                                                                                                          4/4
Removing selinux policy module for omi-logrotate ...
libsemanage.semanage_direct_remove_key: Removing last omi-logrotate module (no other omi-logrotate module exists at another priority).

  Verifying        : omi-1.6.6-0.x86_64                                                                                                                                                                                                                                          1/4
  Verifying        : omi-1.6.6-0.x86_64                                                                                                                                                                                                                                          2/4
  Verifying        : scx-1.6.6-0.x86_64                                                                                                                                                                                                                                          3/4
  Verifying        : scx-1.6.6-0.x86_64                                                                                                                                                                                                                                          4/4
Installed products updated.

Reinstalled:
  omi-1.6.6-0.x86_64                                                                                                                        scx-1.6.6-0.x86_64

Complete!
$ semodule -l|grep -E 'scx|omi'
omi-selinux
Klaas- (Author) commented Feb 12, 2021

I think this needs a change in https://github.com/microsoft/omi/blame/2cd827ba933a74374ca177007d4954aa8df493f3/Unix/installbuilder/datafiles/Linux.data#L366-L373
It needs to recognize if it's being upgraded or uninstalled. I think this should also apply to RHEL: https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/

Highlighting the author: @JumpingYang001
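As an added example (not the omi project's own scriptlet or anything from its Linux.data), here is a %postun body written the way the Fedora scriptlet guidelines linked above describe: the omi-logrotate module is removed only when RPM passes $1 = 0 (erase) and is left in place on an upgrade ($1 = 1). The MODULE and SEMODULE variables and both function names are this example's own, introduced so the decision logic can be exercised without root.

```shell
#!/bin/sh
# Added example (not the omi project's own scriptlet): an RPM %postun body
# that distinguishes upgrade from erase before touching the SELinux module.
# RPM passes $1 to %postun as the number of package instances that remain
# after this transaction step: 0 means erase, 1 (or more) means upgrade.

MODULE=omi-logrotate
# Assumed override point so the logic can be exercised without root;
# a real scriptlet would simply call /usr/sbin/semodule directly.
SEMODULE=${SEMODULE:-/usr/sbin/semodule}

# True (exit 0) only when the package is being erased, not upgraded.
is_erase() {
    case "$1" in
        0) return 0 ;;
        *) return 1 ;;
    esac
}

# Remove the policy module only on erase and only if it is loaded.
# Returns 0 after deciding, 2 if the scriptlet argument is missing
# (RPM always supplies it; a bare invocation is a caller error).
remove_selinux_module_on_erase() {
    if [ -z "$1" ]; then
        echo "missing scriptlet argument" >&2
        return 2
    fi
    if ! is_erase "$1"; then
        echo "Upgrade in progress, keeping selinux policy module $MODULE"
        return 0
    fi
    if [ -x "$SEMODULE" ] && "$SEMODULE" -l | grep -qx "$MODULE"; then
        echo "Removing selinux policy module for $MODULE ..."
        "$SEMODULE" -r "$MODULE"
    else
        echo "Selinux policy module $MODULE not loaded, nothing to remove"
    fi
}
```

In a real spec the body would end with `remove_selinux_module_on_erase "$1"` so RPM's argument drives the decision.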

Klaas- (Author) commented Feb 12, 2021

Maybe you also want to change this in the script that builds the spec file from the data file, to generalize the solution, or move it into https://github.com/microsoft/omi/blame/2cd827ba933a74374ca177007d4954aa8df493f3/Unix/installbuilder/datafiles/Linux.data#L289

JumpingYang001 (Contributor) commented:

@Klaas- thanks for reporting it! We will check the issue.

Klaas- (Author) commented Jul 26, 2021

@JumpingYang001

The change you made somehow hasn't made it into the official rpm.


$  cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.9 (Maipo)

$ rpm -qa|grep omi
omi-1.6.8-0.x86_64

$ rpm -qi omi
Name        : omi
Version     : 1.6.8
Release     : 0
Architecture: x86_64
Install Date: Fri 02 Apr 2021 03:45:05 AM CEST
Group       : System Environment/Daemons
Size        : 4608406
License     : MIT
Signature   : RSA/SHA256, Wed 31 Mar 2021 05:32:41 PM CEST, Key ID eb3e94adbe1229cf
Source RPM  : omi-1.6.8-0.src.rpm
Build Date  : Thu 14 Jan 2021 03:36:46 AM CET
Build Host  : osbld64-rhel5-01.scx.com
Relocations : (not relocatable)
Vendor      : Microsoft Corporation
Summary     : Open Management Infrastructure
Description :
omi server

$ rpm -qi --scripts omi
[...]
postuninstall scriptlet (using /bin/sh):
#!/bin/sh

if [ "$1" -ne 1 ]; then
    rm -f /opt/omi/lib/libcrypto* /opt/omi/lib/libssl* /opt/omi/lib/.libcrypto* /opt/omi/lib/.libssl*
    rmdir /opt/omi/lib > /dev/null 2>&1
    rmdir /opt/omi > /dev/null 2>&1

    # Clean up cron and logrotate
    rm -f /etc/cron.d/omilogrotate > /dev/null 2>&1
    rm -f /etc/logrotate.d/omi > /dev/null 2>&1

    egrep -q "^omiusers:" /etc/group
    if [ $? -eq 0 ]; then
        echo "Deleting omiusers group ..."
        groupdel omiusers
    fi
    egrep -q "^omi:" /etc/passwd
    if [ $? -eq 0 ]; then
       echo "Deleting omi service account ..."
           userdel omi
    fi
    egrep -q "^omi:" /etc/group
    if [ $? -eq 0 ]; then
        echo "Deleting omi group ..."
        groupdel omi
    fi
fi

if [ -e /usr/sbin/semodule ]; then
    if [ ! -z "$(/usr/sbin/semodule -l | grep omi-logrotate)" ]; then
        echo "Removing selinux policy module for omi-logrotate ..."
        /usr/sbin/semodule -r omi-logrotate
    fi
fi
exit 0

Greetings
Klaas

Klaas- (Author) commented Jul 26, 2021

Side question: will this need more than one version upgrade to actually happen? On the next upgrade the current version's postuninstall script will be called, right?

JumpingYang001 (Contributor) commented:

@Klaas- yes, the upgrade uninstall script will be executed in the next version.

Klaas- (Author) commented Jul 27, 2021

@JumpingYang001

  1. Any idea why it's not in the official packages yet?
  2. Do you plan to fix this by, for example, changing the upgrade procedure that happens on minor upgrades via waagent?

JumpingYang001 (Contributor) commented:

@Klaas- it is already in the official packages, and it is by design: upgrading a package uses the existing package's uninstall script, and the current package's uninstall script will be executed in the next upgrade.

Klaas- (Author) commented Jul 27, 2021

@JumpingYang001
But it's not in the current package's scripts. 1.6.8-0 was tagged on GitHub on Apr 9 and includes the fix. 1.6.8-0 from packages.microsoft.com was built on Thu 14 Jan 2021, so I am guessing you do not build from GitHub sources and have some kind of own code staging for those packages; this seems to invite errors like this.

$ curl -O https://packages.microsoft.com/rhel/7/prod/omi-1.6.8-0.ssl_100.ulinux.x64.rpm
[...]
$ rpm -qp --scripts ./omi-1.6.8-0.ssl_100.ulinux.x64.rpm
[...]
postuninstall scriptlet (using /bin/sh):
#!/bin/sh

if [ "$1" -ne 1 ]; then
    rm -f /opt/omi/lib/libcrypto* /opt/omi/lib/libssl* /opt/omi/lib/.libcrypto* /opt/omi/lib/.libssl*
    rmdir /opt/omi/lib > /dev/null 2>&1
    rmdir /opt/omi > /dev/null 2>&1

    # Clean up cron and logrotate
    rm -f /etc/cron.d/omilogrotate > /dev/null 2>&1
    rm -f /etc/logrotate.d/omi > /dev/null 2>&1

    egrep -q "^omiusers:" /etc/group
    if [ $? -eq 0 ]; then
        echo "Deleting omiusers group ..."
        groupdel omiusers
    fi
    egrep -q "^omi:" /etc/passwd
    if [ $? -eq 0 ]; then
       echo "Deleting omi service account ..."
           userdel omi
    fi
    egrep -q "^omi:" /etc/group
    if [ $? -eq 0 ]; then
        echo "Deleting omi group ..."
        groupdel omi
    fi
fi

if [ -e /usr/sbin/semodule ]; then
    if [ ! -z "$(/usr/sbin/semodule -l | grep omi-logrotate)" ]; then
        echo "Removing selinux policy module for omi-logrotate ..."
        /usr/sbin/semodule -r omi-logrotate
    fi
fi
exit 0

JumpingYang001 (Contributor) commented:

@Klaas- I understand your question now. In fact, the 1.6.8-0 release tag wasn't updated by me... it was updated by another team member; yes, the tag is wrong... I checked, and the real code for 1.6.8-0 should only include these commits: https://github.com/microsoft/omi/commits/e6851ec20b00615d5fda8d3858cd5f142ed04528 .

Klaas- (Author) commented Jul 27, 2021

So it will take another two releases of omi until this problem is addressed on its own :) I am guessing it was a bad idea to wait for the fix; I am seeing a couple of multi-GB log files already, so I will clean this up in configuration management ... :)

JumpingYang001 (Contributor) commented:

@Klaas- yeah, if it is urgent to fix it, you can do it manually at first. Thanks for pointing out the issue.

Klaas- (Author) commented Aug 12, 2021

@JumpingYang001 even loading the module is not enough :)

/etc/cron.daily/logrotate:

error: error accessing /var/opt/microsoft/omsconfig: Permission denied
error: failed to rename /var/opt/microsoft/omsconfig/omsconfig.log to /var/opt/microsoft/omsconfig/omsconfig.log-20210812: Permission denied
error: error accessing /var/opt/microsoft/omsconfig: Permission denied
error: failed to rename /var/opt/microsoft/omsconfig/omsconfigdetailed.log to /var/opt/microsoft/omsconfig/omsconfigdetailed.log-20210812: Permission denied

Logrotate now has enough rights to access the file, but not enough to write the rotated log, because it does not have rights on the directory :)

JumpingYang001 (Contributor) commented:

@Klaas- /var/opt/microsoft/omsconfig is another team's product directory; maybe you can contact them: https://github.com/Microsoft/PowerShell-DSC-for-Linux

Klaas- (Author) commented Aug 13, 2021

Ah yes, sorry, I see the policy is from https://github.com/microsoft/OMS-Agent-for-Linux/blob/master/installer/selinux/omsagent-logrotate.fc ; I'll raise this issue there.

Klaas- (Author) commented Aug 13, 2021

It seems like there is an issue about this in that repo already: microsoft/OMS-Agent-for-Linux#781 (comment)
