Bug 2077120

Summary: augeas cannot parse /etc/selinux/semanage.conf from RHEL 9
Product: Red Hat Enterprise Linux 9 Reporter: Richard W.M. Jones <rjones>
Component: augeasAssignee: Richard W.M. Jones <rjones>
Status: CLOSED ERRATA QA Contact: YongkuiGuo <yoguo>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 9.1CC: jmaloy, lersek, yoguo
Target Milestone: rcKeywords: Triaged
Target Release: ---Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: augeas-1.13.0-3.el9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-05-09 07:30:45 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Richard W.M. Jones 2022-04-20 17:21:28 UTC 
Description of problem:

Note I'm mainly filing this bug to document a test failure, not
as an intent to fix it any time soon.

Augeas cannot parse /etc/selinux/semanage.conf from RHEL 9.

Version-Release number of selected component (if applicable):

augeas-1.13.0-2.el9

How reproducible:

100%

Steps to Reproduce:

On a RHEL 9 machine do:

$ augtool
augtool> print /augeas//error

You will see several errors including:

/augeas/files/etc/selinux/semanage.conf/error = "parse_failed"
/augeas/files/etc/selinux/semanage.conf/error/pos = "2499"
/augeas/files/etc/selinux/semanage.conf/error/line = "54"
/augeas/files/etc/selinux/semanage.conf/error/char = "16"
/augeas/files/etc/selinux/semanage.conf/error/lens = "/usr/share/augeas/lenses/dist/semanage.aug:32.10-.27:"
/augeas/files/etc/selinux/semanage.conf/error/lens/last_matched = "/usr/share/augeas/lenses/dist/inifile.aug:218.18-.41:"
/augeas/files/etc/selinux/semanage.conf/error/lens/next_not_matched = "/usr/share/augeas/lenses/dist/inifile.aug:218.44-.56:"
/augeas/files/etc/selinux/semanage.conf/error/message = "Iterated lens matched less than it should"
Comment 1 Richard W.M. Jones 2022-04-20 17:23:24 UTC 
The problem seems to be on this line and character:

ignoredirs=/root;/bin;/boot;/dev;/etc;/lib;/lib64;/proc;/run;/sbin;/sys;/tmp;/usr;/var
                ^
Comment 2 YongkuiGuo 2022-04-21 08:32:30 UTC 
There is the same issue on RHEL8. See https://bugzilla.redhat.com/show_bug.cgi?id=1931058
Comment 3 Laszlo Ersek 2022-04-21 16:07:23 UTC 
(In reply to Richard W.M. Jones from comment #0)

> Note I'm mainly filing this bug to document a test failure, not
> as an intent to fix it any time soon.

With your permission then, I'm setting "Devel Cond-NAK: Capacity". Please undo it if you disagree. Thanks.
Comment 4 Richard W.M. Jones 2022-04-21 16:43:57 UTC 
I did actually fix it upstream, it was a surprise even to me.
However as usual it hasn't had any attention yet so we'll need to
wait to see if the fix goes upstream.  If it does I will update
the RHEL package.
Comment 5 Richard W.M. Jones 2022-10-06 11:36:02 UTC 
Upstream in
https://github.com/hercules-team/augeas/commit/a3ba6e2d32b95507e2474a219e788ac3d54bc4a1
Comment 6 Richard W.M. Jones 2022-10-06 14:55:03 UTC 
There's a Xen CI test failure that I don't understand:
https://dashboard.osci.redhat.com/#/artifact/brew-build/aid/48157001?focus=tc:xen-ci.brew-build.tier1.functional
Comment 7 YongkuiGuo 2022-10-08 08:05:11 UTC 
(In reply to Richard W.M. Jones from comment #6)
> There's a Xen CI test failure that I don't understand:
> https://dashboard.osci.redhat.com/#/artifact/brew-build/aid/
> 48157001?focus=tc:xen-ci.brew-build.tier1.functional

There was an issue with the brew tool in our jslave env when downloading the latest augeas package. Anyway, this gating test passed.
Comment 8 YongkuiGuo 2022-10-08 08:20:03 UTC 
Tested with package:
augeas-1.13.0-3.el9.x86_64


Steps:

1. On RHEL9.2 host
$ augtool print /files/etc/selinux/semanage.conf
...
/files/etc/selinux/semanage.conf/ignoredirs
/files/etc/selinux/semanage.conf/ignoredirs/1 = "/root"
/files/etc/selinux/semanage.conf/ignoredirs/2 = "/bin"
/files/etc/selinux/semanage.conf/ignoredirs/3 = "/boot"
/files/etc/selinux/semanage.conf/ignoredirs/4 = "/dev"
/files/etc/selinux/semanage.conf/ignoredirs/5 = "/etc"
/files/etc/selinux/semanage.conf/ignoredirs/6 = "/lib"
/files/etc/selinux/semanage.conf/ignoredirs/7 = "/lib64"
/files/etc/selinux/semanage.conf/ignoredirs/8 = "/proc"
/files/etc/selinux/semanage.conf/ignoredirs/9 = "/run"
/files/etc/selinux/semanage.conf/ignoredirs/10 = "/sbin"
/files/etc/selinux/semanage.conf/ignoredirs/11 = "/sys"
/files/etc/selinux/semanage.conf/ignoredirs/12 = "/tmp"
/files/etc/selinux/semanage.conf/ignoredirs/13 = "/usr"
/files/etc/selinux/semanage.conf/ignoredirs/14 = "/var"
/files/etc/selinux/semanage.conf/optimize-policy = "true"
/files/etc/selinux/semanage.conf/@group = "sefcontext_compile"
/files/etc/selinux/semanage.conf/@group/path = "/usr/sbin/sefcontext_compile"
/files/etc/selinux/semanage.conf/@group/args = "-r $@"

Augeas can be able to parse /etc/selinux/semanage.conf correctly.
Comment 11 YongkuiGuo 2022-10-26 08:35:48 UTC 
Verified this bug since the test case for this bug has been automated and passed in the latest nightly compose test.
Comment 13 errata-xmlrpc 2023-05-09 07:30:45 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (augeas bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2186