Bug 1391886

Summary: Puppet's selmodule syncversion is called at each run even when the policy version has been loaded already
Product: [Fedora] Fedora EPEL
Reporter: Andrea Veri <andrea.veri>
Component: puppet
Assignee: Jeroen van Meeuwen <vanmeeuwen+fedora>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: epel7
CC: dominic, fabian.arrotin, fedora, gchamoul, jbubeck, jose.p.oliveira.oss, k.georgiou, ktdreyer, marianne, mastahnke, mmagr, moses, peter.vreman, s, vanmeeuwen+fedora
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-05-23 09:56:21 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1392154, 1392573, 1395222
Bug Blocks:

Description Andrea Veri 2016-11-04 10:18:35 UTC
Description of problem:

With RHEL 7.3 the output of 'semodule -l' has changed and does not list the version of the loaded policy anymore. If Puppet's selmodule syncversion for a specific policy is set to true, Puppet tries to parse the currently loaded policy version by running 'semodule -l':

Debug: Selmodule[gnome_internal_postfix](provider=semodule): Checking syncversion on gnome_internal_postfix
Debug: Executing '/usr/sbin/semodule --list'
Debug: Selmodule[gnome_internal_postfix](provider=semodule): load version 
Debug: Executing '/usr/sbin/semodule --upgrade /usr/share/selinux/custom/gnome/gnome_internal_postfix.pp'
Notice: /Stage[main]/Selinux::Postfix/Selmodule[gnome_internal_postfix]/syncversion: syncversion changed 'false' to 'true'

With RHEL 7.3 this fails:

semodule -l | head -n 5

With RHEL 6 it works as expected:

semodule -l | head -n 5
abrt	1.2.0	
accountsd	1.0.0	
ada	1.4.0	
afs	1.5.3	
aiccu	1.0.0

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Create a custom SELinux policy
2. Apply it to your node (an example: https://infrastructure.gnome.org/browse/puppet/tree/modules/selinux/manifests/bugzilla.pp)
3. Puppet agent run

Actual results:
syncversion is called over and over again.

Expected results:
If the policy has been loaded already a syncversion should not be needed.

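The failure mode described in the report, as an added example that is not part of the bug page and not Puppet's own selmodule provider code: a small parser for the two `semodule -l` output shapes (with and without a version column), the naive "loaded version != file version" comparison that re-runs the upgrade on every agent run when the column is missing, and a decision function that treats a missing version as "unknown" instead of "different". The sample listings are constructed from the lines shown in the report; the function names, the `file_version` parameter and the assumption that the provider compared an empty loaded version against the file version (inferred from the empty "load version " debug line) are this example's own.

```ruby
# Constructed sample of `semodule -l` output on RHEL 6 / RHEL 7.2
# (module name, tab, version), modelled on the listings in the report.
OLD_FORMAT = [
  "abrt\t1.2.0\t",
  "accountsd\t1.0.0\t",
  "gnome_internal_postfix\t1.0.0\t",
].join("\n") + "\n"

# Constructed sample of `semodule -l` output on RHEL 7.3: the version
# column is gone and only module names are printed.
NEW_FORMAT = [
  "abrt",
  "accountsd",
  "gnome_internal_postfix",
].join("\n") + "\n"

# Parse `semodule -l` output into a Hash of module name => version.
# The version is nil when the listing carries no version column.
def parse_semodule_list(output)
  output.each_line.with_object({}) do |line, modules|
    name, version = line.strip.split(/\s+/, 2)
    next if name.nil? || name.empty?
    modules[name] = version
  end
end

# Naive comparison reproducing the reported behaviour (an assumption about
# the provider's logic, not a quote of it): an empty or missing loaded
# version never equals the file's version, so every run decides to upgrade.
def naive_needs_upgrade?(loaded_modules, name, file_version)
  loaded_modules[name].to_s != file_version
end

# Hardened decision: distinguish "module not loaded", "versions differ" and
# "version unknown because semodule reported none". Only the first two
# justify an install/upgrade; the third must not trigger one on every run.
def sync_action(loaded_modules, name, file_version)
  return :install unless loaded_modules.key?(name)
  loaded = loaded_modules[name]
  return :unknown_version if loaded.nil? || loaded.empty?
  loaded == file_version ? :in_sync : :upgrade
end

if __FILE__ == $PROGRAM_NAME
  %w[OLD_FORMAT NEW_FORMAT].each do |label|
    loaded = parse_semodule_list(Object.const_get(label))
    puts "#{label}: naive=#{naive_needs_upgrade?(loaded, 'gnome_internal_postfix', '1.0.0')} " \
         "action=#{sync_action(loaded, 'gnome_internal_postfix', '1.0.0')}"
  end
end
```

On a 7.3 host the quick check is the one the reporter ran: if `semodule -l` prints only module names, any provider that derives the loaded version from that listing has nothing to compare and must fall back to "unknown" rather than "changed", otherwise `--upgrade` runs on every agent run exactly as in the debug output above.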
Comment 1 Peter Vreman 2016-11-10 08:20:23 UTC
I have the same issue.

In RHEL 7.2 there was no issue. semodule also listed the versions:

vrempet@li-lc-1437 ~
$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.2 (Maipo)

vrempet@li-lc-1437 ~
$ sudo semodule -l | head -n 5
abrt    1.4.1
accountsd       1.1.0
acct    1.6.0
afs     1.9.0
aiccu   1.1.0

Comment 2 Peter Vreman 2016-11-10 08:26:00 UTC
See also https://bugzilla.redhat.com/show_bug.cgi?id=1392573

Comment 3 Dominic Cleal 2017-05-23 09:56:21 UTC
Fixed in RHEL 7.3.z via bug #1395733 and in 7.4 by bug #1392573, so closing this against Puppet.