selinux: Improve importing customizations #925
Thank you for contributing to the Leapp project! Please note that every PR needs to comply with the Leapp Guidelines and must pass all tests in order to be mergeable.
To launch regression testing public members of oamg organization can leave the following comment:
Please open ticket in case you experience technical problem with the CI. (RH internal only) Note: In case there are problems with tests not being triggered automatically on new PR/commit or pending for a long time, please consider rerunning the CI by commenting leapp-ci build (might require several comments). If the problem persists, contact leapp-infra.
Needs some more testing before merging.
This PR has been linked in issue tracker (#OAMG-7268).
Re-applying customizations in a single transaction may fail in case a package already applied it during upgrade. Fall back to applying customizations one by one.
Stop using a file for "semanage import", since "stdin" is much cleaner.
Do not import "delete all" commands to avoid removing customizations done by package scripts during upgrade.
Update tests to accommodate ^^^ and test for customization removal by selinuxapplycustom.
Related: https://bugzilla.redhat.com/show_bug.cgi?id=2111074
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
The new functionality seems to work fine at least on rhel 8 (I couldn't install leapp-upgrade package on rhel 7 because of missing dependencies, so no testing there... but I'm not using any new selinux commands so it should be fine). Ready for review :)
@vmojzis wdym by missing dependencies on rhel7? you should be able to install it on rhel7 for sure
@vmojzis it seems good. let us know when the testing is finished so we could merge it
/rerun-all
Copr build succeeded: https://copr.fedorainfracloud.org/coprs/build/4689329
Copr build succeeded: https://copr.fedorainfracloud.org/coprs/build/4689328
Testing Farm request for RHEL-8.6.0-Nightly/4689329 regression testing has been created.
Testing Farm request for RHEL-7.9-ZStream/4689329 regression testing has been created.
Testing Farm request for RHEL-8.6-rhui/4689329 regression testing has been created.
Testing Farm request for RHEL-8.6-rhui/4689328 regression testing has been created.
Testing Farm request for RHEL-7.9-rhui/4689329 regression testing has been created.
Testing Farm request for RHEL-7.9-rhui/4689328 regression testing has been created.
Testing Farm request for RHEL-8.6.0-Nightly/4689329 regression testing has been created.
Testing Farm request for RHEL-8.6.0-Nightly/4689328 regression testing has been created.
Testing Farm request for RHEL-7.9-ZStream/4689329 regression testing has been created.
Testing Farm request for RHEL-7.9-ZStream/4689328 regression testing has been created.
Go ahead. It seems to work as intended.
Ah, you need to have enabled
Thanks for the info. I will rerun the tests as there have been some issues in the infrastructure and merge it.
/rerun-all
Copr build succeeded: https://copr.fedorainfracloud.org/coprs/build/4700329
Testing Farm request for RHEL-7.9-ZStream/4700329 regression testing has been created.
Testing Farm request for RHEL-8.6.0-Nightly/4700329 regression testing has been created.
/rerun-all
Copr build succeeded: https://copr.fedorainfracloud.org/coprs/build/4702990
Testing Farm request for RHEL-8.6.0-Nightly/4702990 regression testing has been created.
Testing Farm request for RHEL-7.9-ZStream/4702990 regression testing has been created.
Testing Farm request for RHEL-8.6-rhui/4702990 regression testing has been created.
Testing Farm request for RHEL-8.6.0-Nightly/4702990 regression testing has been created.
Testing Farm request for RHEL-7.9-ZStream/4702990 regression testing has been created.
Testing Farm request for RHEL-7.9-rhui/4702990 regression testing has been created.
/rerun
Copr build succeeded: https://copr.fedorainfracloud.org/coprs/build/4704653
Testing Farm request for RHEL-8.6-rhui/4704653 regression testing has been created.
Testing Farm request for RHEL-7.9-rhui/4704653 regression testing has been created.
Testing Farm request for RHEL-8.6.0-Nightly/4704653 regression testing has been created.
Testing Farm request for RHEL-7.9-ZStream/4704653 regression testing has been created.
/rerun
Copr build succeeded: https://copr.fedorainfracloud.org/coprs/build/4749692
Testing Farm request for RHEL-7.9-rhui/4749692 regression testing has been created.
/packit build
Testing Farm request for RHEL-8.7.0-Nightly/4749692 regression testing has been created.
lgtm & works. thanks \o
Testing Farm request for RHEL-8.6.0-Nightly/4749692 regression testing has been created.
Testing Farm request for RHEL-7.9-ZStream/4749692 regression testing has been created.
Testing Farm request for RHEL-7.9-ZStream/4749692 regression testing has been created.
## Packaging
- Provide and require leapp-repository-dependencies 7 (oamg#952)
- Provide `leapp-command(<CMD>)` for each CLI command provided by leapp-repository (oamg#947)
- Require dracut, kmod, procps-ng on RHEL 8+ (oamg#952)
- Require leapp-framework >= 3.1 (oamg#905, oamg#927)

## Upgrade handling
### Fixes
- Do not create the upgrade bootloader entry when the dnf dry-run actor fails (oamg#912)
- Do not inhibit in-place upgrades in case LUKS volumes are Ceph OSDs (oamg#735)
- Fix & improve application of custom selinux rules to be less error prone and do not override changes done by RPM scriptlets (oamg#925)
- Fix detection of deprecated devices (and drivers) regarding the PCI address (oamg#881)
- Fix detection of deprecated kernel modules (oamg#874)
- Fix the false positive NFS storage detection on NFS servers (oamg#888)
- Fix the issues on systems with the LANGUAGE environment variable (oamg#887)
- Fix the root directory scan to deal with non-utf8 filenames (oamg#927)
- Skip comment lines when parsing the GRUB configuration file (oamg#883)
- Stop propagating the “debug” and ”enforcing=0” kernel cmdline options into the target kernel cmdline options (oamg#938, oamg#950)
- [IPU 7 -> 8] Fix the upgrade of the Satellite server (oamg#875, oamg#878, oamg#879 oamg#890, oamg#899, oamg#916, 934)
- [IPU 7 -> 8] Fix SSSD: Prune old cache files (the format of data is incompatible) (oamg#922)
- [IPU 8 -> 9] Enable the CRB repository for the upgrade only if enabled on the source system (oamg#942)
- [IPU 8 -> 9] Drop obsoleted actor blocking upgrade on z16 (oamg#892)
- [IPU 8 -> 9] Fix cloud provider detection on AWS (oamg#920)
- [IPU 8 -> 9] Fix detention of the latest kernel on RHEL 8+ systems (oamg#909)
- [IPU 8 -> 9] Fix issues caused by leapp artifacts from previous in-place upgrades (oamg#889)
- [IPU 8 -> 9] Fix issues with false positive switch to emergency console during the upgrade (oamg#906)
- [IPU 8 -> 9] Fix swap page size on aarch64 (oamg#937, oamg#948)
- [IPU 8 -> 9] Fix the VDO scanner to skip partitions unrelated to VDO and adjust error messages (oamg#919)

### Enhancements
- Add 8.7 & 9.1 Beta & GA product certificates (oamg#891)
- Detect /var/lib/leapp being mounted in a non-persistent fashion (oamg#921)
- Detect /var/lib/leapp mounted with the noexec option (oamg#908)
- Improve the report msg when NFS partitions are discovered providing info about concrete mountpoints (oamg#806)
- Inform about necessary migrations related to bacula-director (oamg#896)
- [IPU 7 -> 8] The default upgrade path for RHEL SAP is 7.9 -> 8.6 (oamg#939)
- [IPU 7 -> 8] Detect and fix missing newline at the end of /etc/default/grub (oamg#945)
- [IPU 7 -> 8] Handle upgrades of SAP Apps systems on Azure (oamg#926)
- [IPU 7 -> 8] Handle upgrades on RHUI Google Cloud (oamg#897, oamg#946)
- [IPU 8 -> 9] Support upgrade path RHEL 8.7 -> 9.0 and RHEL SAP 8.6 -> 9.0 (oamg#903, oamg#894)
- [IPU 8 -> 9] Add actors covering removal of NIS components on RHEL 9 (oamg#851)
- [IPU 8 -> 9] Add checks for obsolete .NET versions (oamg#867)
- [IPU 8 -> 9] Allow specifying the report schema v1.2.0 (oamg#872)
- [IPU 8 -> 9] Check and handle upgrades with custom crypto policies (oamg#898)
- [IPU 8 -> 9] Check and migrate OpenSSH configuration (oamg#864, oamg#860)
- [IPU 8 -> 9] Check and migrate multipath configuration the upgrade (oamg#886)
- [IPU 8 -> 9] Check minimum memory requirements (oamg#935)
- [IPU 8 -> 9] Enable Base and SAP In-place upgrades on Azure (oamg#943)
- [IPU 8 -> 9] Enable in-place upgrades in Azure RHEL 8 base images using RHUI (oamg#918)
- [IPU 8 -> 9] Handle upgrades of SAP systems on AWS (oamg#924)
- [IPU 8 -> 9] Inhibit upgrade when NVIDIA driver is detected (oamg#880)
- [IPU 8 -> 9] Migrate blocklisted CAs (oamg#882)
- [IPU 8 -> 9] Migrate the OpenSSL configuration (oamg#900)
- [IPU 8 -> 9] Report changes around SCP and SFTP (oamg#863, oamg#893)

## Additional changes interesting for devels
- Extend LsblkEntry model in StorageInfo by kernel name and size of partition in bytes (oamg#919)
- Mass refactoring: Fix imports in actors and libraries to follow project guidelines (oamg#932)
- Mass refactoring: Replace use of deprecated `reporting.(Tags|Flags)` by `reporting.Groups` (oamg#932)
- PESEventScanner actor has been fully refactored (oamg#856, oamg#941)
- Use library function is_inhibitor to check for failures (oamg#905)

Signed-off-by: Petr Stodulka <pstodulk@redhat.com>
Re-applying customizations in a single transaction may fail in case a
package already applied it during upgrade. Fall back to applying
customizations one by one.
Stop using a file for "semanage import", since "stdin" is much cleaner.
Do not import "delete all" commands to avoid removing customizations
done by package scripts during upgrade.
Related: https://bugzilla.redhat.com/show_bug.cgi?id=2111074
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
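
The import strategy described in the commit message above (skip "delete all" lines, try a single `semanage import` transaction on stdin, then fall back to one command per transaction), sketched as an added Python example that is not the PR's own code. The names `semanage_import`, `reapply_customizations` and `fake_import`, and the sample export, are constructed for illustration.

```python
import shlex
import subprocess

def semanage_import(commands):
    """Pipe commands to `semanage import` on stdin; True if it exits 0."""
    proc = subprocess.run(["semanage", "import"], input=commands,
                          universal_newlines=True,
                          stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    return proc.returncode == 0

def is_delete_all(line):
    """True for export lines such as 'boolean -D' that wipe a whole section."""
    return any(tok in ("-D", "--deleteall") for tok in shlex.split(line))

def reapply_customizations(exported, run_import=semanage_import):
    """Hypothetical helper: re-apply exported lines, return those that failed."""
    lines = [l.strip() for l in exported.splitlines()]
    lines = [l for l in lines if l and not is_delete_all(l)]
    if not lines:
        return []
    # Fast path: everything in a single transaction.
    if run_import("\n".join(lines) + "\n"):
        return []
    # Fallback: one transaction per command, so a record that a package
    # scriptlet already added fails alone instead of rolling back the rest.
    return [l for l in lines if not run_import(l + "\n")]

# Constructed sample in the format `semanage export` prints.
SAMPLE_EXPORT = """\
boolean -D
port -D
fcontext -D
boolean -m -1 httpd_can_network_connect
port -a -t http_port_t -p tcp 8081
fcontext -a -f a -t httpd_sys_content_t '/srv/www(/.*)?'
"""

def fake_import(existing):
    """Constructed stand-in for semanage: reject a batch with a known record."""
    calls = []
    def run(text):
        calls.append(text)
        cmds = text.splitlines()
        if any(c in existing for c in cmds):
            return False
        existing.update(cmds)
        return True
    return run, calls
```

The lines returned by `reapply_customizations` are the ones worth logging for the administrator, since they were either applied already by a package or are no longer valid on the target policy.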