MODULES-7303

selinux : Bad regex in modules.pp can fail an agent run

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Won't Fix
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: selinux_core
    • Labels:
      None
    • Environment:

      Independent of environment

    • Template:
      MODULES Bug Template
    • Team:
      Coremunity
    • Method Found:
      Needs Assessment
    • QA Risk Assessment:
      Needs Assessment

      Description

      Basic Info
      Module Version: 0.6.1
      Puppet Version: 3.6.2
      OS Name/Version: Centos7 agent / Centos6 server


      Desired Behavior:

          Manual or automated puppet agent run on client as normal

      Actual Behavior:

       

      Agent run throws the following error -

      Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Invalid source parameter, expecting a directory at /<path>/module.pp:66 on node <node.with.agent.com>

      In module.pp, around line 66 is this stanza:

          $sourcedir = "puppet:///modules/selinux/${name}"
          }
          # sourcedir validation
          # we only accept puppet:///modules/<something>/<something>, file:///anything
          # we reject .te
          case $sourcedir {
            /^puppet:\/\/\/modules\/.*.te$/: {
              fail('Invalid source parameter, expecting a directory')
            }

      The intent is to fail if a .te file is passed in as a source directory; however, the dot in ".te" is not escaped properly. Therefore it is a regex dot, not a literal.

      The result is that any directory ending in "te" will throw the error and kill the run. The correct regex would be

      /^puppet:\/\/\/modules\/.*\.te$/

      And the reason this failed in our environment, and it's not likely been experienced by many, is....

      ...
      drwxr-xr-x+ 3 root root 16384 Apr 27 2015 myiptables
      drwxrwxr-x+ 3 root root 16384 Jun 7 11:06 mylogrota*te* <====
      drwxrwxr-x+ 3 root root 16384 Jun 7 11:05 mylogwatch
      ...

      so when it gets to mylogrotate, it matches the malformed regex and bombs out.
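
The mismatch described in this ticket can be reproduced outside Puppet, since Puppet regexes are Ruby regexes. This is an added example, not code from the ticket or the selinux module; the helper names and the sample names other than myiptables, mylogrotate and mylogwatch are constructed for illustration.

```ruby
# Added example, not from the selinux module.
BUGGY = /^puppet:\/\/\/modules\/.*.te$/   # as quoted from module.pp: "." matches any character
FIXED = /^puppet:\/\/\/modules\/.*\.te$/  # as proposed in the ticket: literal ".te"

# myiptables, mylogrotate and mylogwatch come from the directory listing in
# the ticket; the remaining names are constructed test inputs.
SAMPLE_NAMES = %w[myiptables mylogrotate mylogwatch mypolicy.te remote xte te].freeze

# Builds the source URL the same way the quoted stanza does.
def sourcedir(name)
  "puppet:///modules/selinux/#{name}"
end

# Names for which the given pattern would hit the fail() branch.
def rejected(pattern, names)
  names.select { |n| pattern.match?(sourcedir(n)) }
end

# Names the buggy pattern rejects although they are not .te files.
def false_rejections(names)
  rejected(BUGGY, names) - rejected(FIXED, names)
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_NAMES.each do |n|
    printf("%-12s buggy=%-5s fixed=%s\n", n,
           BUGGY.match?(sourcedir(n)), FIXED.match?(sourcedir(n)))
  end
  puts "rejected only by the unescaped dot: #{false_rejections(SAMPLE_NAMES).join(', ')}"
end
```

Even a directory named just "te" is rejected by the unescaped pattern, because the wildcard dot matches the preceding "/".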

       

            People

            • Assignee:
              robmunsch Rob Munsch
              Reporter:
              robmunsch Rob Munsch