Bug 1891210

Summary: validate-selinux validation fails if there are no log messages with denied word in audit.log
Product: Red Hat OpenStack
Reporter: Alex Stupnikov <astupnik>
Component: validations-common
Assignee: Gaël Chamoulaud <gchamoul>
Status: CLOSED ERRATA
QA Contact: nlevinki <nlevinki>
Severity: low
Priority: low
Version: 16.1 (Train)
CC: aschultz, dpeacock, gchamoul, jbuchta, jpichon, mgarciac, msufiyan
Target Milestone: z4
Keywords: Triaged
Target Release: 16.1 (Train on RHEL 8.2)
Hardware: All
OS: All
Fixed In Version: validations-common-1.1.2-1.20200914180306.el8ost
Last Closed: 2021-03-17 15:33:21 UTC
Type: Bug
Bug Depends On: 1912879

Description Alex Stupnikov 2020-10-24 12:05:04 UTC
Description of problem:

In my RHOSP 16.1 lab I noticed that validate-selinux fails if ansible fails to find the word "denied" in audit.log [1]. I noticed that the appropriate play has "ignore_errors: true":
https://github.com/openstack/validations-common/blob/master/validations_common/roles/validate_selinux/tasks/main.yml#L54

In this case ansible will still generate a FAILED message, but will add an "ignoring" line. It looks like the validations framework fails to process such a situation properly.

[1]
                        "compute-0": {
                            "_ansible_no_log": false,
                            "action": "command",
                            "changed": false,
                            "cmd": "set -o pipefail\ngrep denied /var/log/audit/audit.log > /tmp/denials.log\n",
                            "delta": "0:00:00.007134",
                            "end": "2020-10-06 11:00:36.621651",
                            "failed": true,
                            "invocation": {
                                "module_args": {
                                    "_raw_params": "set -o pipefail\ngrep denied /var/log/audit/audit.log > /tmp/denials.log\n",
                                    "_uses_shell": true,
                                    "argv": null,
                                    "chdir": null,
                                    "creates": null,
                                    "executable": null,
                                    "removes": null,
                                    "stdin": null,
                                    "stdin_add_newline": true,
                                    "strip_empty_ends": true,
                                    "warn": true
                                }
                            },
                            "msg": "non-zero return code",
                            "rc": 1,
                            "start": "2020-10-06 11:00:36.614517",
                            "stderr": "",
                            "stderr_lines": [],
                            "stdout": "",
                            "stdout_lines": []
                        },
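
Added example, not part of the original report and not the validations-common fix: the `rc: 1` above is grep's "no line matched" status, which is distinct from a grep error (status 2 or higher). The sketch below classifies the three outcomes; `denial_status` is a hypothetical helper and the log lines are constructed sample data.

```shell
#!/bin/sh
# Added example (not from validations-common). grep exit status:
#   0 = a line matched, 1 = no line matched, 2 or more = error.
# Treating every non-zero status as failure reports a clean log as a failure.

# denial_status LOG OUT  (hypothetical helper)
# Copies lines containing "denied" from LOG to OUT and prints one word:
#   denials | clean | error
denial_status() {
    rc=0
    grep denied "$1" > "$2" 2>/dev/null || rc=$?
    case $rc in
        0) echo denials ;;   # at least one denial was logged
        1) echo clean ;;     # log was searched, nothing matched
        *) echo error ;;     # log missing or unreadable: search did not run
    esac
}

# Constructed sample data, written to a temporary directory.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' \
        "type=USER_LOGIN msg=audit(1601982000.000:100): pid=1000 uid=0 res=success" \
        > "$dir/clean.log"
    cp "$dir/clean.log" "$dir/denied.log"
    printf '%s\n' \
        "type=AVC msg=audit(1601982036.614:101): avc:  denied  { read } for pid=4242 comm=\"example\" tclass=file permissive=0" \
        >> "$dir/denied.log"
    # missing.log is deliberately never created, to exercise the error case.
    for name in clean denied missing; do
        printf '%-8s %s\n' "$name" "$(denial_status "$dir/$name.log" "$dir/out.log")"
    done
    rm -rf "$dir"
}

demo
```

Keeping the "error" case separate matters for a security validation: a missing or unreadable audit.log should not be reported as "no denials".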

Comment 1 Alex Stupnikov 2020-10-24 12:07:00 UTC
Here is example output that was generated by an adjusted playbook:

    fatal: [localhost]: FAILED! => {"changed": true, "cmd": "set -o pipefail\ngrep denieds /var/log/audit/audit.log > /tmp/denials.log\n", "delta": "0:00:00.011958", "end": "2020-10-10 17:42:54.427789", "msg": "non-zero return code", "rc": 1, "start": "2020-10-10 17:42:54.415831", "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}
    ...ignoring

Comment 2 Gaël Chamoulaud 2020-12-03 10:09:56 UTC
*** Bug 1893893 has been marked as a duplicate of this bug. ***

Comment 13 errata-xmlrpc 2021-03-17 15:33:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat OpenStack Platform 16.1.4 director bug fix advisory), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:0817