
selmodule syncversion => false behavior incorrect

    Details

    • Type: Bug
    • Status: Accepted
    • Priority: Normal
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: selinux_core
    • Environment:

      Puppet Open Source 3.8.5
      (Issue applies to 3.8.5 and latest version of Puppet)

    • Team:
      Platform OS

      Description

      The documentation for the 'selmodule' type states that the default value of 'syncversion' is 'false'. However, it is actually 'undef' (the type does not set 'defaultto' for this parameter).

      If 'syncversion' is explicitly set to false, Puppet runs on RHEL <=7.2 fail because the semodule provider still calls the syncversion method which raises an exception when '/usr/sbin/semodule --upgrade ...' fails because the module is the same version on disk and loaded.

      However, in RHEL7.3, Red Hat updated SELinux's policycoreutils which changed the behavior of the semodule utility that Puppet's selmodule provider depends on. The utility no longer reports the version of loaded SELinux modules. This has been reported in PUP-5649.

      The effect is that every Puppet run on RHEL7.3 reports a change in Selmodule resources where syncversion is set to true.

      The semodule provider's 'syncversion=' method does not check its dosync parameter and unconditionally calls semodule --upgrade, which fails if the versions match on RHEL 7.2 and earlier.

      syncversion is called when the parameter value isn't undef.

      syncversion= appears to be called when

      • the syncversion parameter is false and the syncversion method returns :true (matching load and file versions)
      • the syncversion parameter is true and the syncversion method returns :false (when load version is 'nil' for RHEL7.3)

      The workaround appears to be to use undef instead of false, and I'm not clear on when/how Puppet decides to call the provider methods 'syncversion' and 'syncversion='.

      Here are the differences in behavior:

      # RHEL <=7.2 - syncversion = true
      Debug: Selmodule[puppet_nrpe](provider=semodule): Checking for module puppet_nrpe
      Debug: Executing '/usr/sbin/semodule --list'
      Debug: Selmodule[puppet_nrpe](provider=semodule): Checking syncversion on puppet_nrpe
      Debug: Executing '/usr/sbin/semodule --list'
      Debug: Selmodule[puppet_nrpe](provider=semodule): load version 1.4
      Debug: Selmodule[puppet_nrpe](provider=semodule): file version 1.4
       
      # RHEL <=7.2 - syncversion = false
      Debug: Selmodule[puppet_nrpe](provider=semodule): Checking for module puppet_nrpe
      Debug: Executing '/usr/sbin/semodule --list'
      Debug: Selmodule[puppet_nrpe](provider=semodule): Checking syncversion on puppet_nrpe
      Debug: Executing '/usr/sbin/semodule --list'
      Debug: Selmodule[puppet_nrpe](provider=semodule): load version 1.4
      Debug: Selmodule[puppet_nrpe](provider=semodule): file version 1.4
      Debug: Executing '/usr/sbin/semodule --upgrade /usr/local/share/selinux/puppet_nrpe.pp'
      Error: Could not upgrade policy module: libsemanage.get_direct_upgrade_filename: Previous module puppet_nrpe is same or newer. (No such file or directory).
      Error: /Stage[main]/Profile::Nrpe::Puppet/Selmodule[puppet_nrpe]/syncversion: change from true to false failed: Could not upgrade policy module: libsemanage.get_direct_upgrade_filename: Previous module puppet_nrpe is same or newer. (No such file or directory).
       
      # RHEL <=7.2 - syncversion = undef
      Debug: Selmodule[puppet_nrpe](provider=semodule): Checking for module puppet_nrpe
      Debug: Executing '/usr/sbin/semodule --list'
       
      # RHEL 7.3 - syncversion = true
      Debug: Selmodule[puppet_nrpe](provider=semodule): Checking for module puppet_nrpe
      Debug: Executing '/usr/sbin/semodule --list'
      Debug: Selmodule[puppet_nrpe](provider=semodule): Checking syncversion on puppet_nrpe
      Debug: Executing '/usr/sbin/semodule --list'
      Debug: Selmodule[puppet_nrpe](provider=semodule): load version
      Debug: Executing '/usr/sbin/semodule --upgrade /usr/local/share/selinux/puppet_nrpe.pp'
      Notice: /Stage[main]/Profile::Nrpe::Puppet/Selmodule[puppet_nrpe]/syncversion: syncversion changed 'false' to 'true'
      Debug: /Stage[main]/Profile::Nrpe::Puppet/Selmodule[puppet_nrpe]: The container Class[Profile::Nrpe::Puppet] will propagate my refresh event
       
      # RHEL 7.3 - syncversion = false
      Debug: Selmodule[puppet_nrpe](provider=semodule): Checking for module puppet_nrpe
      Debug: Executing '/usr/sbin/semodule --list'
      Debug: Selmodule[puppet_nrpe](provider=semodule): Checking syncversion on puppet_nrpe
      Debug: Executing '/usr/sbin/semodule --list'
      Debug: Selmodule[puppet_nrpe](provider=semodule): load version
       
      # RHEL 7.3 - syncversion = undef
      Debug: Selmodule[puppet_nrpe](provider=semodule): Checking for module puppet_nrpe
      Debug: Executing '/usr/sbin/semodule --list'
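The following is an added example and is not code from Puppet or the selinux_core module. It models the behaviour described in this report with a fake semodule executor so it runs offline: the getter parses a constructed `semodule --list` output (with a version column for RHEL <= 7.2, without one for RHEL 7.3), the property is synced only when the current value differs from the desired value, and the setter is shown in two forms: the unguarded one that ignores dosync, and a guarded one that only upgrades when dosync is :true. The names FakeSemodule, SelmoduleModel and evaluate are hypothetical. Note that the guard only removes the spurious upgrade for syncversion => false; it does not address the missing version column on RHEL 7.3 (PUP-5649), so syncversion => true still reports a change there.

```ruby
# Added example, not Puppet's provider code: a model of the selmodule
# syncversion property as described in MODULES-7323.

# Constructed `semodule --list` output for the two platforms in the report.
LIST_OUTPUT = {
  rhel72: "puppet_nrpe\t1.4\nother_mod\t2.0\n", # version column present
  rhel73: "puppet_nrpe\nother_mod\n",           # version no longer reported
}.freeze

class SemoduleFailed < StandardError; end

# Stands in for executing /usr/sbin/semodule; records every call made.
class FakeSemodule
  attr_reader :calls

  def initialize(platform)
    @platform = platform
    @calls = []
  end

  def run(*argv)
    @calls << argv
    case argv.first
    when '--list'
      LIST_OUTPUT.fetch(@platform)
    when '--upgrade'
      # On RHEL <= 7.2 libsemanage refuses to upgrade to the same version,
      # which is the error quoted in the report's debug output.
      raise SemoduleFailed, 'Previous module puppet_nrpe is same or newer.' if @platform == :rhel72
      ''
    else
      raise ArgumentError, "unexpected semodule argument #{argv.first}"
    end
  end
end

class SelmoduleModel
  def initialize(name, file_version, semodule, guarded:)
    @name = name
    @file_version = file_version
    @semodule = semodule
    @guarded = guarded
  end

  # Loaded version from `semodule --list`; nil when the column is absent.
  def loaded_version
    @semodule.run('--list').each_line do |line|
      fields = line.split
      return fields[1] if fields[0] == @name
    end
    nil
  end

  # Getter: :true only when loaded and file versions are known and equal.
  def syncversion
    loadver = loaded_version
    (loadver && loadver == @file_version) ? :true : :false
  end

  # Setter: the unguarded form ignores dosync, as the report describes;
  # the guarded form only runs the upgrade when dosync is :true.
  def syncversion=(dosync)
    return if @guarded && dosync != :true
    @semodule.run('--upgrade', "/usr/local/share/selinux/#{@name}.pp")
  end
end

# Mimics property sync: an undef (nil) desired value is not managed at all,
# otherwise the setter is called only when the getter value differs.
def evaluate(platform, desired, guarded:)
  sem = FakeSemodule.new(platform)
  prov = SelmoduleModel.new('puppet_nrpe', '1.4', sem, guarded: guarded)
  result = { is: nil, setter_called: false, upgrade_attempted: false, error: nil }
  return result if desired.nil?
  result[:is] = prov.syncversion
  return result if result[:is] == desired
  result[:setter_called] = true
  begin
    prov.syncversion = desired
  rescue SemoduleFailed => e
    result[:error] = "Could not upgrade policy module: #{e.message}"
  end
  result[:upgrade_attempted] = sem.calls.any? { |c| c.first == '--upgrade' }
  result
end

if __FILE__ == $PROGRAM_NAME
  [[:rhel72, :true], [:rhel72, :false], [:rhel73, :true], [:rhel73, :false], [:rhel72, nil]].each do |plat, want|
    puts "#{plat} syncversion=#{want.inspect} unguarded: #{evaluate(plat, want, guarded: false)}"
    puts "#{plat} syncversion=#{want.inspect} guarded:   #{evaluate(plat, want, guarded: true)}"
  end
end
```

Running the file prints one line per platform and desired value; the RHEL <= 7.2 / false / unguarded case reproduces the "same or newer" error from the report, the guarded form of the same case calls the setter without attempting an upgrade, and the RHEL 7.3 / true case attempts an upgrade every run regardless of the guard.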
      

    • Assignee: Unassigned
    • Reporter: AJ Zmudosky (ajz)