Just a heads-up - change in RHEL 7.7

[ubellavance]

Affected Puppet, Ruby, OS and module versions/distributions

• Puppet: 3.6.2-3
• Ruby: 2
• Distribution: RHEL7
• Module version: 0.8.0

How to reproduce (e.g Puppet code you use)

Upgrade to RHEL 7.7

What are you seeing

The module doesn't see the current fcontext configs, so it tries to add new fcontext rules

What behaviour did you expect instead

The module should not do nothing unless you changed the puppet config

I have opened a ticket with Red Hat and that's the answer:

The output in RHEL 7.7 has an additional field "-r 's0'", which indicates the MLS policy classification level. Is it possible for you to change the string you are searching for with grep for RHEL 7.7 systems?

I know that I'll have to modify my local copy of the module because it's not supported, but I wanted to inform you of the change in case you are still using the same method (I looked at the code but I'm not good enough with puppet, especially >v4, to know how the current module checks if the fcontext exists).

Output log

Any additional information you'd like to impart

[igalic]

you want to look into these two files:

https://github.com/voxpupuli/puppet-selinux/blob/master/lib/puppet/provider/selinux_fcontext/semanage.rb
https://github.com/voxpupuli/puppet-selinux/blob/master/lib/puppet/provider/selinux_fcontext_equivalence/semanage.rb

[ubellavance]

@igalic according to what I see, the module would need to be changed as I don't see 's0' anywhere. Unless it comes from a variable. Has anyone tested this module (master or latest release) on RHEL/CentOS 7.7?

[ekohl]

@ubellavance I think many of us are not using MLS. If you are, patches are highly welcome. We also welcome more maintainers who know their SELinux. When needed we'll gladly help with the Puppet specifics.

[ubellavance]

Hi @ekohl, how would I know if I'm using MLS or not? I'm tempted to say that I use the default settings. All I know is that Red Hat changed the output of a command and we need to adapt the module if necessary.

I have fixed the module locally here and I'm not sure if a PR would be accepted because I use version 0.8.0. For the master version, I don't have time to setup an environment with puppet >v5.5.8 to test my edits. If I clone the repo, then enable the CI on it, then make my change, will the CI let me know if it works or not? Are the tests passing right now? Do the tests test that? The problem is not that the state of the puppet client is not OK, it's just that semanage commands are run for nothing to try to create fcontext entries while they're already there.

[ubellavance]

I've tried my best to try to reproduce the issue on a Centos7 VM. I installed puppet 5, then created this manifest, then executed puppet apply

Here's the contents of the manifest

[root@s1 ~]# cat /root/puppet.pp 
include selinux
selinux::fcontext{'set-mysql-log-context':
  context  => 'mysqld_log_t',
  pathname => '/var/tmp/mysql',
}

Here is how I called puppet, and the output

[root@s1 ~]# puppet -V
5.5.16
[root@s1 ~]# /opt/puppetlabs/bin/puppet apply /root/puppet.pp 
Error: Evaluation Error: Error while evaluating a Resource Statement, Selinux::Fcontext[set-mysql-log-context]:
  has no parameter named 'context'
  has no parameter named 'pathname' (file: /root/puppet.pp, line: 2) on node s1

What am I missing?

I also tried using hiera but got the same errors.
I created /var/tmp/mysql manually

[ubellavance]

[root@s1 ~]# /opt/puppetlabs/bin/puppet module list
/etc/puppetlabs/code/environments/production/modules
├── puppet-selinux (v3.0.0)
└── puppetlabs-stdlib (v6.1.0)
/etc/puppetlabs/code/modules (no modules installed)
/opt/puppetlabs/puppet/modules (no modules installed)

[ubellavance]

It works with just include selinux or just to change booleans (tested via hiera)

[ubellavance]

My example was not good. I tried with what's in the manifest, and it's OK.

https://github.com/voxpupuli/puppet-selinux/blob/master/examples/fcontext.pp is not current.

[ubellavance]

The current module must be using another way of knowing if the fcontext is already there or not because I tested it against a Centos 7.7 VM and there is no problem. Weird thing is I can't find in the debug output the command it uses to test for the existence of the fcontext.

[oranenj]

@ubellavance The version of puppet-selinux you're using is way out of date and your puppet version is very much EOL :/ If you want to fix it, look at the puppet3 branch in the repo, but you're pretty much on your own there. I guess it would not hurt to merge a patch that fixes the problem you send one in for the puppet3 branch.

The present (Puppet5+) module directly parses the file returned by the following ruby code:

irb(main):001:0> require 'selinux'
=> true
irb(main):002:0> Selinux.selinux_file_context_local_path
=> "/etc/selinux/targeted/contexts/files/file_contexts.local"

see lib/puppet/provider/semanage.rb

[oranenj]

Never mind, apparently the puppet3 branch no longer exists. You will have to use a local fork if you want this fixed for puppet3

[ubellavance]

It's already fixed in my local fork. Glad to see the current version isn't affected and I can see that the method used to get custom file contexts looks way more efficient than calling semanage each time. Calling semanage each time makes puppet executions way longer.