[BUG] selinux is not updating the fcontext when execute using salt-call

tzarskigss commented 1 year ago

Description When testing the states using salt-call, there is an issue with update the file context using selinux if the file was modified.

Setup

the was found in the RHEL9 and CentOS Stream release 9 State files:

root/test-one.txt:
  file.managed:
    - source: salt://files/resolv_conf-2.j2
    - user: root
    - group: root
    - mode: 0644
    - backup: minion
    - template: jinja

    - selinux:
        seuser: system_u
        serole: object_r
        setype: net_conf_t
        serange: s0

Please be as specific as possible and give set-up details.

[X] on-prem machine
[ ] VM (Virtualbox, KVM, etc. please specify)
[ ] VM running on a cloud service, please be explicit and add details
[ ] container (Kubernetes, Docker, containerd, etc. please specify)
[ ] or a combination, please be explicit
[ ] jails if it is FreeBSD
[ ] classic packaging
[X] onedir packaging
[X] used bootstrap to install

Steps to Reproduce the behavior

make a test file: touch /root/test-one.txt check the file properties

ls -lZ /root/test-one.txt
-rw-r--r--. 1 root root unconfined_u:object_r:admin_home_t:s0 0 Jul 12 04:07 /root/test-one.txt

Run the state using salt-call


salt-call state.apply eric/demo-6
local:
----------
      ID: /root/test-one.txt
Function: file.managed
  Result: True
 Comment: File /root/test-one.txt updated
 Started: 04:07:42.466425
Duration: 4151.225 ms
 Changes:
          ----------
          diff:
              ---
              +++
              @@ -0,0 +1,12 @@
              +# THIS FILE IS MANAGED BY SALTSTACK
              +# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
              +
              +
              +
              +
              +
              +domain vcloud.local
              +search vcloud.local
              +nameserver 192.168.110.1
              +
              +
          selinux:
              ----------
              New:
                  User: system_u Type: net_conf_t
              Old:
                  User: unconfined_u Type: admin_home_t

Summary for local

Succeeded: 1 (changed=1) Failed: 0

Total states run: 1 Total run time: 4.151 s

File was updated properly, now check the file
ls -lZ /root/test-one.txt
-rw-r--r--. 1 root root system_u:object_r:net_conf_t:s0 176 Jul 12 04:07 /root/test-one.txt

 semanage fcontext -C -l
SELinux fcontext                                   type               Context

/root/test-one.txt                                 all files          system_u:object_r:net_conf_t:s0

Now update the file 
` echo "hello" >> /root/test-one.txt`
Check the file again

semanage fcontext -C -l SELinux fcontext type Context

/root/test-one.txt all files system_u:object_r:net_conf_t:s0

ls -lZ /root/test-one.txt -rw-r--r--. 1 root root system_u:object_r:net_conf_t:s0 182 Jul 12 04:09 /root/test-one.txt


Now trying to update the file again  and getting error

date Wed Jul 12 04:09:44 AM EDT 2023 salt-call state.apply eric/demo-6 [ERROR ] Command 'semanage' failed with return code: 1 [ERROR ] stderr: ValueError: File context for /root/test-one.txt already defined [ERROR ] retcode: 1 [ERROR ] Unable to manage file: Problem setting fcontext: {'pid': 43053, 'retcode': 1, 'stdout': '', 'stderr': 'ValueError: File context for /root/test-one.txt already defined'} local:

      ID: /root/test-one.txt
Function: file.managed
  Result: False
 Comment: Unable to manage file: Problem setting fcontext: {'pid': 43053, 'retcode': 1, 'stdout': '', 'stderr': 'ValueError: File context for /root/test-one.txt already defined'}
 Started: 04:09:58.580838
Duration: 2049.276 ms
 Changes:

Summary for local

Succeeded: 0 Failed: 1

Total states run: 1 Total run time: 2.049 s

Checking the file

ls -lZ /root/test-one.txt -rw-r--r--. 1 root root unconfined_u:object_r:net_conf_t:s0 176 Jul 12 04:09 /root/test-one.txt

semanage fcontext -C -l SELinux fcontext type Context

/root/test-one.txt all files system_u:object_r:net_conf_t:s0

**Expected behavior**
A clear and concise description of what you expected to happen.

**Screenshots**
If applicable, add screenshots to help explain your problem.

**Versions Report**
minion

Salt Version: Salt: 3005.1

Dependency Versions: cffi: 1.14.6 cherrypy: 18.6.1 dateutil: 2.8.1 docker-py: Not Installed gitdb: Not Installed gitpython: Not Installed Jinja2: 3.1.0 libgit2: Not Installed M2Crypto: Not Installed Mako: Not Installed msgpack: 1.0.2 msgpack-pure: Not Installed mysql-python: Not Installed pycparser: 2.21 pycrypto: Not Installed pycryptodome: 3.9.8 pygit2: Not Installed Python: 3.9.16 (main, Nov 1 2022, 00:00:00) python-gnupg: 0.4.8 PyYAML: 5.4.1 PyZMQ: 23.2.0 smmap: Not Installed timelib: 0.2.4 Tornado: 4.5.3 ZMQ: 4.3.4

System Versions: dist: centos 9 locale: utf-8 machine: x86_64 release: 5.14.0-319.el9.x86_64 system: Linux version: CentOS Stream 9


SALT MASTER 
Salt Version:
          Salt: 3005.1

Dependency Versions:
          cffi: 1.15.1
      cherrypy: Not Installed
      dateutil: Not Installed
     docker-py: Not Installed
         gitdb: Not Installed
     gitpython: Not Installed
        Jinja2: 3.1.2
       libgit2: Not Installed
      M2Crypto: Not Installed
          Mako: Not Installed
       msgpack: 0.5.6
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     pycparser: 2.21
      pycrypto: 2.6.1
  pycryptodome: 3.18.0
        pygit2: Not Installed
        Python: 3.7.5 (default, Mar 22 2023, 17:31:55)
  python-gnupg: Not Installed
        PyYAML: 5.4.1
         PyZMQ: 19.0.2
         smmap: Not Installed
       timelib: Not Installed
       Tornado: 4.5.3
           ZMQ: 4.3.4

Salt Extensions:
        SSEAPE: 8.12.0.7

System Versions:
          dist: photon 3.0 Photon
        locale: utf-8
       machine: x86_64
       release: 4.19.277-1.ph3
        system: Linux
       version: VMware Photon OS 3.0 Photon

**Additional context**
The problem does not exist when do the same steps and run the state file form salt-master like
`salt centos9 state.apply eric/demo-6`
Checked with other minion/ OS combination.
The salt master is 3005.1
RHEL 7 minion is 3005.1
RHEL 8 minion is 3005.1
RHEL 9 minion is 3006.1

The issue is present on both RHEL 8 and RHEL 9, both on 3005.1 and 3006.1.

welcome[bot] commented 1 year ago

Hi there! Welcome to the Salt Community! Thank you for making your first contribution. We have a lengthy process for issues and PRs. Someone from the Core Team will follow up as soon as possible. In the meantime, here’s some information that may help as you continue your Salt journey. Please be sure to review our Code of Conduct. Also, check out some of our community resources including:

There are lots of ways to get involved in our community. Every month, there are around a dozen opportunities to meet with other contributors and the Salt Core team and collaborate in real time. The best way to keep track is by subscribing to the Salt Community Events Calendar. If you have additional questions, email us at saltproject@vmware.com. We’re glad you’ve joined our community and look forward to doing awesome things with you!

OrangeDog commented 1 year ago

This seems to be caused by #63336.

tzarskigss commented 1 year ago

is there any way to check this, as the issue is not random like in https://github.com/saltstack/salt/issues/63336 In this case it looks that salt-call act differently than commands sends by salt master so if you update file locally like " echo "hello" >> /root/test-one.txt" and run the salt centos9 state.apply eric/demo-6the issue never happen