microsoft / omi

Open Management Infrastructure

omi-logrotate - selinux policy module versions could not be installed (SLES 12/15) #703

Closed mabicca closed 9 months ago

mabicca commented 2 years ago

Hi everyone,

We had some reports about these errors when upgrading omi:

[screenshot of the upgrade errors]

This is on SLES 12 and we've also seen some reports on SLES15.

Is this something we need to fix, or at least correct the errors being displayed? In some of these cases, SELinux was not enabled/configured.

The only thing I can tell is that this message seems to appear in VMs that don't have SELinux enabled/configured, whereas VMs with SELinux installed but disabled or enabled don't get it.

Please, let me know if you need more details.

Thank you, -Marco

JumpingYang001 commented 2 years ago

@mabicca that means the omi install of the semodule failed; you can try to run /usr/sbin/semodule -v -v -i /usr/share/selinux/packages/omi-selinux/omi-logrotate.pp and check the failure reason.

mabicca commented 2 years ago

Hi @JumpingYang001, yes, that was my point; it seems these VMs don't even have that. I guess we should think about adding some logic to detect that?

[screenshot showing the missing semodule binary]

That is likely the problem.

JumpingYang001 commented 2 years ago

@mabicca I have checked the code and also tried it locally: if /usr/sbin/semodule does not exist, the omi installation will not show anything about semodule or selinux. I guess you ran the command on a different system rather than the problem box?

related code: https://github.com/microsoft/omi/blob/c344617428445e4b1d5a9e5995e54dfc818a4dd8/Unix/installbuilder/datafiles/Linux.data#L332

Trying it locally:

~
root@mysls12-test# mv /usr/sbin/semodule /usr/sbin/semodule.bak
~
root@mysls12-test # rpm -i omi-1.6.8-1.ssl_100.ulinux.x64.rpm
Creating omiusers group ...
Creating omi group ...
Creating omi service account ...
Generating a 2048 bit RSA private key
...............................................................+++
.................+++
writing new private key to '/etc/opt/omi/ssl/omikey.pem'
-----
2021-09-25 19:49:09 : Crontab not configured to update omi keytab automatically. Skip unconfigure
ktutil not found
Checking if cron is installed...
Checking if cron/crond service is started...
Set up a cron job to OMI logrotate every 15 minutes
Configuring OMI service ...
Trying to start omi with systemctl
omi is started.
~
root@mysls12-test #

mabicca commented 2 years ago

Hi @JumpingYang001, I'll try to see if I can get more details. The issue was during the omsagent upgrade I believe, so maybe there is something with OMS Agent then. There's definitely a problem on a SLES 15 where the selinux binaries are not available.

I also noticed that apparently SELinux is there; I am wondering if there's anything else that is considered for it to be enabled besides the binaries?

JumpingYang001 commented 2 years ago

Hi @mabicca, not sure if anything else needs to be enabled, but if /usr/sbin/semodule exists omi will try to install the omi-logrotate.pp semodule and the omi-selinux.pp semodule. I am not sure whether we should let the installation continue when the semodule fails to install. If selinux is enabled and the omi selinux semodule failed, omi will be blocked by the default selinux settings of some recent Linux OSes.

benformosa commented 2 years ago

I get this same issue on RHEL 7 with selinux disabled. In addition, because of this error, the systemd unit file is not installed correctly, and so the installation succeeds but the service doesn't work.

The test for whether selinux is disabled returns false on non-Debian systems because it also tests whether /usr/bin/dpkg-deb exists:

https://github.com/microsoft/omi/blob/c344617428445e4b1d5a9e5995e54dfc818a4dd8/Unix/installbuilder/datafiles/Linux.data#L336

I'd recommend a change like this, assuming selinuxenabled is available on SuSE as well (it is on RHEL 5+).

diff --git a/Linux.data b/Linux.data.fix
index 2278fec..a96cc22 100644
--- a/Linux.data
+++ b/Linux.data.fix
@@ -332,8 +332,7 @@ is_redhat5(){
 if [ -e /usr/sbin/semodule ]; then
     echo "System appears to have SELinux installed, attempting to install selinux policy module for logrotate"
     echo "  Trying ${{SEPKG_DIR_OMI}}/omi-logrotate.pp ..."
-    sestatus=`sestatus|grep status|awk '{print $3}'`
-    if [ -e /usr/bin/dpkg-deb -a "$sestatus" = "disabled" ]; then
+    if ! selinuxenabled ; then
         echo "INFO: omi-logrotate selinux policy module has not yet installed due to selinux is disabled."
         echo "When enabling selinux, load omi-logrotate module manually with following commands for logrotate feature to work properly for omi logs."
         echo "/usr/sbin/semodule -i $SEPKG_DIR_OMI/omi-logrotate.pp >/dev/null 2>&1"
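Review bot: the replacement condition `if ! selinuxenabled ; then` treats every non-zero exit as "disabled", including "command not found" when the binary is absent (the SLES 15 case described earlier in this thread) or an error status, so on a host that merely lacks the tool the scriptlet prints the "selinux is disabled" message and skips the module without saying why. Guard the call explicitly and use the absolute path for consistency with the `/usr/sbin/semodule` test on the enclosing `if` line, e.g. `if [ -x /usr/sbin/selinuxenabled ] && ! /usr/sbin/selinuxenabled; then`. Also confirm that `$sestatus` is not referenced further down the scriptlet, since this hunk removes the assignment shown here; dropping the `/usr/bin/dpkg-deb` conjunct is the right fix for non-Debian hosts.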

Additionally, if the policy module fails to install, the scriptlet should still run ConfigureOmiService. (I mean ideally the RPM would just install the unit files rather than using the scriptlet to copy them)
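The detection logic discussed in this thread (semodule present or not, SELinux disabled versus enabled, and the scriptlet continuing to ConfigureOmiService either way), as an added shell example that is not the omi project's own Linux.data scriptlet. It goes beyond the proposed diff by distinguishing "tooling absent" from "disabled", by falling back to sestatus when selinuxenabled is missing, and by never letting a policy-module failure skip service configuration. The tool paths, the function names and the SERVICE_CONFIGURED flag are assumptions made for the example; the defaults mirror the paths quoted in the issue.

```shell
#!/bin/sh
# Added example, not the omi project's Linux.data scriptlet. It separates three
# cases the thread conflates: SELinux tooling absent, installed but disabled,
# and enabled. Tool paths are variables so the logic can be exercised on a host
# without SELinux; the defaults are assumptions mirroring the paths in the issue.
SEMODULE_BIN="${SEMODULE_BIN:-/usr/sbin/semodule}"
SELINUXENABLED_BIN="${SELINUXENABLED_BIN:-/usr/sbin/selinuxenabled}"
SESTATUS_BIN="${SESTATUS_BIN:-/usr/sbin/sestatus}"
SERVICE_CONFIGURED=0

# Print one word describing the SELinux state: absent, enabled, disabled, unknown.
selinux_state() {
    # No policy tooling at all (the SLES 15 case in the thread): nothing to load.
    if [ ! -x "$SEMODULE_BIN" ]; then
        echo absent
        return 0
    fi
    # Preferred check: selinuxenabled exits 0 when enabled; any other status
    # (not enabled, or an error) is treated as not enabled, as in the diff above.
    if [ -x "$SELINUXENABLED_BIN" ]; then
        if "$SELINUXENABLED_BIN" >/dev/null 2>&1; then
            echo enabled
        else
            echo disabled
        fi
        return 0
    fi
    # Fallback: parse sestatus, without the dpkg-deb test that broke non-Debian hosts.
    if [ -x "$SESTATUS_BIN" ]; then
        st=$("$SESTATUS_BIN" 2>/dev/null | awk '/^SELinux status:/ {print $3}')
        case "$st" in
            enabled)  echo enabled ;;
            disabled) echo disabled ;;
            *)        echo unknown ;;
        esac
        return 0
    fi
    echo unknown
}

# Try to load one policy module (.pp file). Returns 1 only when SELinux is
# enabled and the load genuinely fails; every other case is informational.
install_policy_module() {
    pp="$1"
    case "$(selinux_state)" in
        enabled)
            if "$SEMODULE_BIN" -i "$pp" >/dev/null 2>&1; then
                echo "Loaded SELinux policy module $pp"
                return 0
            fi
            echo "ERROR: failed to load $pp; inspect with: $SEMODULE_BIN -v -v -i $pp" >&2
            return 1
            ;;
        disabled)
            echo "INFO: SELinux is disabled; when enabling it, run: $SEMODULE_BIN -i $pp"
            ;;
        absent)
            echo "INFO: SELinux tooling not present; skipping policy module $pp"
            ;;
        *)
            echo "WARN: could not determine SELinux state; skipping policy module $pp" >&2
            ;;
    esac
    return 0
}

# Hypothetical stand-in for the scriptlet's ConfigureOmiService step.
configure_omi_service() {
    echo "Configuring OMI service ..."
    SERVICE_CONFIGURED=1
}

# Post-install flow: a policy-module failure is reported but never skips
# service configuration, so the unit file is always installed.
run_postinstall() {
    if ! install_policy_module "$1"; then
        echo "WARN: continuing installation without the SELinux policy module" >&2
    fi
    configure_omi_service
}

echo "Detected SELinux state on this host: $(selinux_state)"
```

Running the script as-is only reports the detected state; the install path is exercised by calling `run_postinstall /path/to/omi-logrotate.pp` after pointing the three `*_BIN` variables at the host's real tools (or at stubs when testing on a machine without SELinux).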

JumpingYang001 commented 2 years ago

@benformosa I will discuss it in our team and update you.

mabicca commented 9 months ago

@JumpingYang001 do we have any updates on this? Was this updated as suggested before?

JumpingYang001 commented 9 months ago

@JumpingYang001 do we have any updates on this? Was this updated as suggested before?

We did some fixes on it; you can try it and see whether the issue still exists or is fixed.