Puppet Agent / PA-5141

selmodule syncversion => false behavior incorrect


Details

    • Type: Bug
    • Status: Accepted
    • Priority: Normal
    • Resolution: Unresolved
    • None
    • None
    • Component: selinux_core
    • Puppet Open Source 3.8.5
      (Issue applies to 3.8.5 and latest version of Puppet)

    • Platform OS

    Description

      The documentation for the 'selmodule' type states that the default value of 'syncversion' is 'false'. However it is actually 'undef' (the type does not set 'defaultto' for this parameter).

      If 'syncversion' is explicitly set to false, Puppet runs on RHEL <=7.2 fail because the semodule provider still calls the syncversion method which raises an exception when '/usr/sbin/semodule --upgrade ...' fails because the module is the same version on disk and loaded.

      However, in RHEL7.3, Red Hat updated SELinux's policycoreutils which changed the behavior of the semodule utility that Puppet's selmodule provider depends on. The utility no longer reports the version of loaded SELinux modules. This has been reported in PUP-5649.

      The effect is that every Puppet run on RHEL7.3 reports a change in Selmodule resources where syncversion is set to true.

      The semodule provider's 'syncversion=' method does not check its dosync parameter and unconditionally calls semodule --upgrade, which fails if the versions match on RHEL 7.2 and earlier.

      syncversion is called when the parameter value isn't undef.

      syncversion= appears to be called when

      • the syncversion parameter is false and the syncversion method returns :true (matching load and file versions)
      • the syncversion parameter is true and the syncversion method returns :false (when load version is 'nil' for RHEL7.3)

      The workaround appears to be to use undef instead of false, and I'm not clear on when/how Puppet decides to call the provider methods 'syncversion' and 'syncversion='.

      Here are the differences in behavior:

      # RHEL <=7.2 - syncversion = true
      Debug: Selmodule[puppet_nrpe](provider=semodule): Checking for module puppet_nrpe
      Debug: Executing '/usr/sbin/semodule --list'
      Debug: Selmodule[puppet_nrpe](provider=semodule): Checking syncversion on puppet_nrpe
      Debug: Executing '/usr/sbin/semodule --list'
      Debug: Selmodule[puppet_nrpe](provider=semodule): load version 1.4
      Debug: Selmodule[puppet_nrpe](provider=semodule): file version 1.4
       
      # RHEL <=7.2 - syncversion = false
      Debug: Selmodule[puppet_nrpe](provider=semodule): Checking for module puppet_nrpe
      Debug: Executing '/usr/sbin/semodule --list'
      Debug: Selmodule[puppet_nrpe](provider=semodule): Checking syncversion on puppet_nrpe
      Debug: Executing '/usr/sbin/semodule --list'
      Debug: Selmodule[puppet_nrpe](provider=semodule): load version 1.4
      Debug: Selmodule[puppet_nrpe](provider=semodule): file version 1.4
      Debug: Executing '/usr/sbin/semodule --upgrade /usr/local/share/selinux/puppet_nrpe.pp'
      Error: Could not upgrade policy module: libsemanage.get_direct_upgrade_filename: Previous module puppet_nrpe is same or newer. (No such file or directory).
      Error: /Stage[main]/Profile::Nrpe::Puppet/Selmodule[puppet_nrpe]/syncversion: change from true to false failed: Could not upgrade policy module: libsemanage.get_direct_upgrade_filename: Previous module puppet_nrpe is same or newer. (No such file or directory).
       
      # RHEL <=7.2 - syncversion = undef
      Debug: Selmodule[puppet_nrpe](provider=semodule): Checking for module puppet_nrpe
      Debug: Executing '/usr/sbin/semodule --list'
       
      # RHEL 7.3 - syncversion = true
      Debug: Selmodule[puppet_nrpe](provider=semodule): Checking for module puppet_nrpe
      Debug: Executing '/usr/sbin/semodule --list'
      Debug: Selmodule[puppet_nrpe](provider=semodule): Checking syncversion on puppet_nrpe
      Debug: Executing '/usr/sbin/semodule --list'
      Debug: Selmodule[puppet_nrpe](provider=semodule): load version
      Debug: Executing '/usr/sbin/semodule --upgrade /usr/local/share/selinux/puppet_nrpe.pp'
      Notice: /Stage[main]/Profile::Nrpe::Puppet/Selmodule[puppet_nrpe]/syncversion: syncversion changed 'false' to 'true'
      Debug: /Stage[main]/Profile::Nrpe::Puppet/Selmodule[puppet_nrpe]: The container Class[Profile::Nrpe::Puppet] will propagate my refresh event
       
      # RHEL 7.3 - syncversion = false
      Debug: Selmodule[puppet_nrpe](provider=semodule): Checking for module puppet_nrpe
      Debug: Executing '/usr/sbin/semodule --list'
      Debug: Selmodule[puppet_nrpe](provider=semodule): Checking syncversion on puppet_nrpe
      Debug: Executing '/usr/sbin/semodule --list'
      Debug: Selmodule[puppet_nrpe](provider=semodule): load version
       
      # RHEL 7.3 - syncversion = undef
      Debug: Selmodule[puppet_nrpe](provider=semodule): Checking for module puppet_nrpe
      Debug: Executing '/usr/sbin/semodule --list'
      
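      The six log cases above, modelled as a stand-alone Ruby script. This is an added example, not the puppet-agent selmodule provider's own code: the 'semodule --list' output is constructed inline for the RHEL <=7.2 and RHEL 7.3 formats, the on-disk module version is passed in as a parameter instead of being read from the .pp file, and the method names (loaded_version, plan_run, upgrade_command_*) are hypothetical. It goes slightly beyond the report by placing the unconditional setter the report describes next to a variant that honours its dosync parameter, so the difference in which runs would execute '--upgrade' can be checked directly.

```ruby
# Added example (not puppet-agent provider code): model of the selmodule
# provider's syncversion getter/setter against constructed semodule output.

# Constructed '/usr/sbin/semodule --list' output on RHEL <= 7.2: name and version.
SEMODULE_LIST_EL72 = "puppet_nrpe\t1.4\nabrt\t1.2.1\n"
# Constructed output on RHEL 7.3: policycoreutils no longer prints a version.
SEMODULE_LIST_EL73 = "puppet_nrpe\nabrt\n"

SEMODULE = "/usr/sbin/semodule"

# Version of the named module from the listing, or nil when the listing has
# no version column (the RHEL 7.3 case from the report).
def loaded_version(list_output, name)
  list_output.each_line do |line|
    bits = line.chomp.split
    return bits[1] if bits.length > 1 && bits[0] == name
  end
  nil
end

# Getter as described in the report: :true only when a loaded version is known
# and equals the on-disk version; :false otherwise, including when it is nil.
def syncversion(list_output, name, file_version)
  loaded = loaded_version(list_output, name)
  loaded && loaded == file_version ? :true : :false
end

# Setter as the report describes it: runs --upgrade regardless of dosync,
# which on RHEL <= 7.2 fails when the loaded module is the same version.
def upgrade_command_unconditional(_dosync, filename)
  [SEMODULE, "--upgrade", filename]
end

# Variant that checks its dosync parameter: with syncversion => false it
# issues no command, so a matching on-disk module never triggers --upgrade.
def upgrade_command_checked(dosync, filename)
  return nil unless dosync
  [SEMODULE, "--upgrade", filename]
end

# One Puppet run for the resource: the getter is skipped when the parameter is
# undef (desired nil); otherwise the setter runs only when the getter's value
# differs from the desired one. Returns what the getter saw and the command
# (if any) the chosen setter would execute.
def plan_run(list_output, name, file_version, desired, setter)
  return { getter: nil, command: nil } if desired.nil?
  current = syncversion(list_output, name, file_version)
  wanted = desired ? :true : :false
  filename = "/usr/local/share/selinux/#{name}.pp"
  command = current == wanted ? nil : send(setter, desired, filename)
  { getter: current, command: command }
end

if __FILE__ == $PROGRAM_NAME
  [["RHEL <=7.2", SEMODULE_LIST_EL72], ["RHEL 7.3", SEMODULE_LIST_EL73]].each do |os, list|
    [true, false, nil].each do |desired|
      run = plan_run(list, "puppet_nrpe", "1.4", desired, :upgrade_command_unconditional)
      puts "#{os} syncversion=#{desired.inspect}: getter=#{run[:getter].inspect} " \
           "command=#{run[:command] ? run[:command].join(' ') : 'none'}"
    end
  end
end
```

      Running it reproduces the report: on the 7.2-style listing, syncversion => false is the only setting that makes the unconditional setter execute '--upgrade' against an already-loaded 1.4 module; on the 7.3-style listing, syncversion => true runs '--upgrade' on every run because the loaded version can never be read, while undef never consults the getter at all.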

      People

        Assignee: Unassigned
        Reporter: AJ Zmudosky