saltstack / salt

Software to automate the management and configuration of any infrastructure or application at scale. Get access to the Salt software package repository here:
https://repo.saltproject.io/
Apache License 2.0

The selinux.fcontext_policy_present fails with exception in Salt 3000 on Centos 8 with policycoreutils v2.9-3 #56287

Open golmaal opened 4 years ago

golmaal commented 4 years ago

Description of Issue

I get the following exception when applying the policy (created with name=/var/www/html/repo/(.*)? and sel_type=httpd_sys_content_t):

The minion function caused an exception: Traceback (most recent call last):
      File "/usr/lib/python3.6/site-packages/salt/minion.py", line 1675, in _thread_return
        return_data = minion_instance.executors[fname](opts, data, func, args, kwargs)
      File "/usr/lib/python3.6/site-packages/salt/executors/direct_call.py", line 12, in execute
        return func(*args, **kwargs)
      File "/usr/lib/python3.6/site-packages/salt/modules/state.py", line 1351, in sls
        ret = st_.state.call_high(high_, orchestration_jid)
      File "/usr/lib/python3.6/site-packages/salt/state.py", line 2909, in call_high
        ret = self.call_chunks(chunks)
      File "/usr/lib/python3.6/site-packages/salt/state.py", line 2271, in call_chunks
        running = self.call_chunk(low, running, chunks)
      File "/usr/lib/python3.6/site-packages/salt/state.py", line 2809, in call_chunk
        self.event(running[tag], len(chunks), fire_event=low.get('fire_event'))
      File "/usr/lib/python3.6/site-packages/salt/state.py", line 2577, in event
        [self.jid, 'prog', self.opts['id'], six.text_type(chunk_ret['__run_num__'])], 'job'
    KeyError: '__run_num__'
ERROR: Minions returned with non-zero exit code

I tracked it down to my policycoreutils RPM policycoreutils-2.9-3.el8_1.1.x86_64. The command run by /usr/lib/python3.6/site-packages/salt/modules/selinux.py (https://github.com/saltstack/salt/blob/9adc2214c3bb7c68f820f7bd5fe5e132b7b3fbc9/salt/modules/selinux.py#L719), restorecon -v -F -R /var/www/html/repo/, returns 'Relabeled /var/www/html/repo/index.html from unconfined_u:object_r:var_t:s0 to system_u:object_r:httpd_sys_content_t:s0' instead of 'restorecon reset...' as expected by the fcontext_apply_policy method in the selinux.py execution module.

Thoughts

This issue can be fixed by initializing the changes dictionary unconditionally on line 720 in the modules/selinux.py file. However, to get the correct list of new/old contexts, the pattern would need to be updated anyway.

Steps to Reproduce Issue

On CentOS 8 -

[root@centos8 test]# yum whatprovides restorecon
policycoreutils-2.9-3.el8_1.1.x86_64 : SELinux policy core utilities
Provide    : /sbin/restorecon
Filename    : /usr/sbin/restorecon
[root@centos8 test]# rpm -qa policycoreutils
policycoreutils-2.9-3.el8_1.1.x86_64
[root@centos8 test]# semanage fcontext -a -t httpd_sys_content_t "/var/www/html/test/(.*)?"
[root@centos8 test]# restorecon -v -F -R '/var/www/html/test/'

Relabeled /var/www/html/test from unconfined_u:object_r:httpd_sys_content_t:s0 to system_u:object_r:httpd_sys_content_t:s0
Relabeled /var/www/html/test/index.html from unconfined_u:object_r:httpd_sys_content_t:s0 to system_u:object_r:httpd_sys_content_t:s0

On CentOS 7 -

[root@master7 test]# yum whatprovides restorecon
policycoreutils-2.5-33.el7.x86_64 : SELinux policy core utilities
Filename    : /usr/sbin/restorecon
[root@centos7 selinux]# rpm -qa policycoreutils
policycoreutils-2.5-33.el7.x86_64
[root@master7 test]# semanage fcontext -a -t httpd_sys_content_t "/var/www/html/test/(.*)?"
[root@master7 test]# restorecon -v -F -R '/var/www/html/test/'

restorecon reset /var/www/html/test context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/test/index.html context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:httpd_sys_content_t:s0

Versions Report

[root@centos8 ~]# salt --versions-report
Salt Version:
           Salt: 3000

Dependency Versions:
           cffi: 1.14.0
       cherrypy: unknown
       dateutil: 2.6.1
      docker-py: Not Installed
          gitdb: Not Installed
      gitpython: Not Installed
         Jinja2: 2.10.1
        libgit2: Not Installed
       M2Crypto: 0.35.2
           Mako: 1.0.6
   msgpack-pure: Not Installed
 msgpack-python: 0.6.2
   mysql-python: Not Installed
      pycparser: 2.19
       pycrypto: Not Installed
   pycryptodome: 3.9.7
         pygit2: Not Installed
         Python: 3.6.8 (default, Nov 21 2019, 19:31:34)
   python-gnupg: Not Installed
         PyYAML: 3.12
          PyZMQ: 18.1.1
          smmap: Not Installed
        timelib: Not Installed
        Tornado: 4.5.3
            ZMQ: 4.3.2

System Versions:
           dist: centos 8.1.1911 Core
         locale: UTF-8
        machine: x86_64
        release: 4.18.0-147.5.1.el8_1.x86_64
         system: Linux
        version: CentOS Linux 8.1.1911 Core
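As an added illustration of the two output formats quoted in this issue (not Salt's own selinux.py code), the parser below accepts both the policycoreutils 2.5 'restorecon reset ... context old->new' lines and the policycoreutils 2.9 'Relabeled ... from old to new' lines, and always returns a (possibly empty) changes dictionary so a caller never trips over a missing key. The sample outputs are constructed from the CentOS 7 and CentOS 8 transcripts above; the function name and regexes are this example's own, not Salt's.

```python
import re

# Constructed sample output, copied from the two formats quoted in the issue:
# policycoreutils 2.5 (CentOS 7) and policycoreutils 2.9 (CentOS 8).
CENTOS7_OUTPUT = """\
restorecon reset /var/www/html/test context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/test/index.html context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:httpd_sys_content_t:s0
"""

CENTOS8_OUTPUT = """\
Relabeled /var/www/html/test from unconfined_u:object_r:httpd_sys_content_t:s0 to system_u:object_r:httpd_sys_content_t:s0
Relabeled /var/www/html/test/index.html from unconfined_u:object_r:httpd_sys_content_t:s0 to system_u:object_r:httpd_sys_content_t:s0
"""

# Old format (policycoreutils 2.5): "restorecon reset <path> context <old>-><new>"
_RESET_RE = re.compile(r'^restorecon reset (?P<path>.+) context (?P<old>\S+)->(?P<new>\S+)$')
# New format (policycoreutils 2.9): "Relabeled <path> from <old> to <new>"
_RELABELED_RE = re.compile(r'^Relabeled (?P<path>.+) from (?P<old>\S+) to (?P<new>\S+)$')


def parse_restorecon_output(output):
    """Return {path: {'old': ctx, 'new': ctx}} for every relabel line in
    `output`, accepting both restorecon -v output formats.

    Lines matching neither format are ignored, and an empty dict is
    returned when nothing was relabeled, so the caller can always report
    'changes' without special-casing the no-op run.
    """
    changes = {}
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        match = _RESET_RE.match(line) or _RELABELED_RE.match(line)
        if match is None:
            continue
        changes[match.group('path')] = {
            'old': match.group('old'),
            'new': match.group('new'),
        }
    return changes
```

Both transcripts describe the same two relabels, so the parser yields identical dictionaries for the CentOS 7 and CentOS 8 output.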
garethgreenaway commented 4 years ago

@golmaal Thanks for the report. Looks like the output from the restorecon command has changed and we need to detect and handle the new output in the module.

github-abcde commented 4 years ago

@garethgreenaway Can you update the labels of this issue given the status of the PR?