Bug 1931058

Summary: augeas cannot parse 'ignoredirs' option in semanage.conf file
Product: Red Hat Enterprise Linux 8
Reporter: YongkuiGuo <yoguo>
Component: augeas
Assignee: Richard W.M. Jones <rjones>
Status: CLOSED ERRATA
QA Contact: YongkuiGuo <yoguo>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 8.4
CC: rjones
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: augeas-1.12.0-8.el8
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-05-16 09:03:35 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments:
Description Flags
semanage.conf none

Description YongkuiGuo 2021-02-20 11:08:28 UTC
Created attachment 1758417
semanage.conf

Description of problem:
augeas cannot parse /etc/selinux/semanage.conf on rhel8.4. The 'ignoredirs' option has been changed.

Old ignoredirs value:
ignoredirs=/root

New ignoredirs value:
ignoredirs=/root;/bin;/boot;/dev;/etc;/lib;/lib64;/proc;/run;/sbin;/sys;/tmp;/usr;/var


Version-Release number of selected component (if applicable):
augeas-1.12.0-6.el8.x86_64
selinux-policy-3.14.3-63.el8.noarch


How reproducible:
100%


Steps:

1. On rhel8.4 host with RHEL-8.4.0-20210218.n.0 compose
# augtool print /files/etc/selinux/semanage.conf

There is no output.


2.
# augtool print /augeas//error
...
/augeas/files/etc/selinux/semanage.conf/error = "parse_failed"
/augeas/files/etc/selinux/semanage.conf/error/pos = "2499"
/augeas/files/etc/selinux/semanage.conf/error/line = "54"
/augeas/files/etc/selinux/semanage.conf/error/char = "16"
/augeas/files/etc/selinux/semanage.conf/error/lens = "/usr/share/augeas/lenses/dist/semanage.aug:32.10-.27:"
/augeas/files/etc/selinux/semanage.conf/error/lens/last_matched = "/usr/share/augeas/lenses/dist/inifile.aug:218.18-.41:"
/augeas/files/etc/selinux/semanage.conf/error/lens/next_not_matched = "/usr/share/augeas/lenses/dist/inifile.aug:218.44-.56:"
/augeas/files/etc/selinux/semanage.conf/error/message = "Iterated lens matched less than it should"


Actual results:
As above

Expected results:
The 'ignoredirs' option in semanage.conf cannot be parsed.

Additional info:

Comment 1 Richard W.M. Jones 2022-01-12 17:32:03 UTC
Just a note that there is no fix upstream at time of writing.

Comment 3 YongkuiGuo 2022-10-12 09:39:41 UTC
Hi, rjones

Do you plan to fix this bug? The same issue (bug 2077120) on RHEL9 was fixed a few days ago.

Comment 4 Richard W.M. Jones 2022-10-12 12:04:29 UTC
Yes, let's fix this.

Comment 6 Richard W.M. Jones 2022-10-12 12:43:05 UTC
There's a new grub failure in the tests:

https://dashboard.osci.redhat.com/#/artifact/brew-build/aid/48245594?focus=tc:osci.brew-build.tier0.functional

It's hard to know what is causing it without being able to see the
/etc/default/grub file itself.

Comment 7 YongkuiGuo 2022-10-12 13:38:26 UTC
(In reply to Richard W.M. Jones from comment #6)
> There's a new grub failure in the tests:
> 
> https://dashboard.osci.redhat.com/#/artifact/brew-build/aid/48245594?focus=tc:osci.brew-build.tier0.functional
> 
> It's hard to know what is causing it without being able to see the
> /etc/default/grub file itself.

I cannot see this problem on the latest RHEL8.8 nightly compose.

$ rpm -q grub2-tools
grub2-tools-2.02-142.el8.x86_64

$ augtool print /files/etc/default/grub
/files/etc/default/grub
/files/etc/default/grub/GRUB_TIMEOUT = "5"
/files/etc/default/grub/GRUB_DISTRIBUTOR = "\"$(sed 's, release .*$,,g' /etc/system-release)\""
/files/etc/default/grub/GRUB_DEFAULT = "saved"
/files/etc/default/grub/GRUB_DISABLE_SUBMENU = "true"
/files/etc/default/grub/GRUB_TERMINAL_OUTPUT = "\"console\""
/files/etc/default/grub/GRUB_CMDLINE_LINUX = "\"crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet\""
/files/etc/default/grub/GRUB_DISABLE_RECOVERY = "\"true\""
/files/etc/default/grub/GRUB_ENABLE_BLSCFG = "true"

$ cat /etc/default/grub
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet"
GRUB_DISABLE_RECOVERY="true"
GRUB_ENABLE_BLSCFG=true

Comment 8 Richard W.M. Jones 2022-10-12 13:43:01 UTC
That's identical to /etc/default/grub on my RHEL 8 machine too, so I guess
the file on the test machine has been modified.  I asked in #osci if
anyone could grab that file, but no one has answered so far.

Comment 9 YongkuiGuo 2022-10-13 07:53:16 UTC
(In reply to Richard W.M. Jones from comment #8)
> That's identical to /etc/default/grub on my RHEL 8 machine too, so I guess
> the file on the test machine has been modified.  

I agree.

> I asked in #osci if anyone could grab that file, but no one has answered so far.

After completing the gating test, the reserved env will probably be released.

I reran the 'osci.brew-build.tier0.functional' gating test, which still failed with the same error. The Jenkins console log: https://cyborg-jenkins.osci.redhat.com/job/OSCI-Pipelines/job/osci-pipelines%252Fdist-git-pipeline/job/master/40643/console.

If my investigation is not wrong, the 'osci.brew-build.tier0.functional' gating test uses the RHEL8.8 nightly compose which is defined in https://gitlab.cee.redhat.com/baseos-qe/citool-config/-/blob/production/variables-composes.yaml.  

<snip>
RHEL_8_8_0:
  ...
  compose: RHEL-8.8.0-20221006.0
  symbolic_compose: RHEL-8.8.0-Nightly
  buildroot: BUILDROOT-8.8.0-RHEL-8-20221006.0

  aws:
    image: TF-BUILD-RHEL-8.8.0-20221006.0

    add-arch-suffix-for-artemis: true

  openstack:
    image: TF-BUILD-RHEL-8.8.0-20221006.0-x86_64

  beaker:
    distro: RHEL-8.8.0-20221006.0
<snip>

So at present, the 'osci.brew-build.tier0.functional' gating test reserves the test env with RHEL-8.8.0-20221006.0 compose. I also tried RHEL-8.8.0-20221006.0 compose on openstack env, and augeas can parse /etc/default/grub file.

[root@ci-vm-10-0-138-179 yum.repos.d]# augtool print /files/etc/default/grub
/files/etc/default/grub
/files/etc/default/grub/GRUB_TIMEOUT = "5"
/files/etc/default/grub/GRUB_DISTRIBUTOR = "\"$(sed 's, release .*$,,g' /etc/system-release)\""
/files/etc/default/grub/GRUB_DEFAULT = "saved"
/files/etc/default/grub/GRUB_DISABLE_SUBMENU = "true"
/files/etc/default/grub/GRUB_TERMINAL_OUTPUT = "\"console\""
/files/etc/default/grub/GRUB_CMDLINE_LINUX = "\"crashkernel=auto net.ifnames=0 rhgb quiet\""
/files/etc/default/grub/GRUB_DISABLE_RECOVERY = "\"true\""
/files/etc/default/grub/GRUB_ENABLE_BLSCFG = "true"

Comment 10 YongkuiGuo 2022-10-13 09:50:06 UTC
Tested with package:
augeas-1.12.0-8.el8.x86_64

Steps:

1. On RHEL8.8 host

$ augtool print /files/etc/selinux/semanage.conf
...
/files/etc/selinux/semanage.conf/ignoredirs
/files/etc/selinux/semanage.conf/ignoredirs/1 = "/root"
/files/etc/selinux/semanage.conf/ignoredirs/2 = "/bin"
/files/etc/selinux/semanage.conf/ignoredirs/3 = "/boot"
/files/etc/selinux/semanage.conf/ignoredirs/4 = "/dev"
/files/etc/selinux/semanage.conf/ignoredirs/5 = "/etc"
/files/etc/selinux/semanage.conf/ignoredirs/6 = "/lib"
/files/etc/selinux/semanage.conf/ignoredirs/7 = "/lib64"
/files/etc/selinux/semanage.conf/ignoredirs/8 = "/proc"
/files/etc/selinux/semanage.conf/ignoredirs/9 = "/run"
/files/etc/selinux/semanage.conf/ignoredirs/10 = "/sbin"
/files/etc/selinux/semanage.conf/ignoredirs/11 = "/sys"
/files/etc/selinux/semanage.conf/ignoredirs/12 = "/tmp"
/files/etc/selinux/semanage.conf/ignoredirs/13 = "/usr"
/files/etc/selinux/semanage.conf/ignoredirs/14 = "/var"
/files/etc/selinux/semanage.conf/@group = "sefcontext_compile"
/files/etc/selinux/semanage.conf/@group/path = "/usr/sbin/sefcontext_compile"
/files/etc/selinux/semanage.conf/@group/args = "-r $@"

Augeas can parse /etc/selinux/semanage.conf file successfully.
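
Added example, not part of the bug report and not augeas code: a simplified Python stand-in for the tree shown in comment 10, splitting the ';'-separated ignoredirs value into numbered nodes and returning line-numbered errors rather than an empty result when a line does not parse. The function name, the sample text and the dropping of empty list items are assumptions.

```python
import re

# Constructed sample: the ignoredirs value and the sefcontext_compile group
# are taken from this report; the file layout around them is assumed.
SAMPLE = """\
# constructed sample, not the attached file
ignoredirs=/root;/bin;/boot;/dev;/etc;/lib;/lib64;/proc;/run;/sbin;/sys;/tmp;/usr;/var
[sefcontext_compile]
path = /usr/sbin/sefcontext_compile
args = -r $@
[end]
"""

BASE = "/files/etc/selinux/semanage.conf"
LIST_KEYS = {"ignoredirs"}  # options whose value is a ';'-separated list

def parse_semanage(text, base=BASE):
    """Return (tree, errors); tree is a list of (path, value) pairs."""
    tree, errors, group = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "[end]":
            if group is None:
                errors.append((lineno, "[end] without an open group"))
            group = None
            continue
        header = re.fullmatch(r"\[([\w-]+)\]", line)
        if header:
            group = f"{base}/@group"
            tree.append((group, header.group(1)))
            continue
        option = re.fullmatch(r"([\w-]+)\s*=\s*(.*)", line)
        if not option:
            # Report the position instead of returning an empty tree.
            errors.append((lineno, "unparsable line"))
            continue
        key, value = option.groups()
        node = f"{group or base}/{key}"
        if group is None and key in LIST_KEYS:
            tree.append((node, None))
            for i, item in enumerate(filter(None, value.split(";")), 1):
                tree.append((f"{node}/{i}", item))
        else:
            tree.append((node, value))
    return tree, errors

if __name__ == "__main__":
    for path, value in parse_semanage(SAMPLE)[0]:
        print(path if value is None else f'{path} = "{value}"')
```

A tool that consumes semanage.conf through a parser should treat a non-empty error list as a failure, since an empty tree alone is indistinguishable from an empty file.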

Comment 13 YongkuiGuo 2022-10-26 08:33:45 UTC
Verified this bug since the test case for this bug has been automated and passed in the latest nightly compose test.

Comment 15 errata-xmlrpc 2023-05-16 09:03:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (augeas bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2961