Bug 2168164

Summary: Running foreman-selinux-relabel fails with an error
Product: Red Hat Satellite
Reporter: Nagoor Shaik <nshaik>
Component: SELinux
Assignee: Nagoor Shaik <nshaik>
Status: CLOSED CURRENTRELEASE
QA Contact: Lukáš Hellebrandt <lhellebr>
Severity: medium
Docs Contact:
Priority: medium
Version: 6.13.0
CC: ahumbe, aruzicka, egolov, ehelms, lhellebr
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: All
OS: All
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-12-14 13:47:31 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Nagoor Shaik 2023-02-08 10:55:16 UTC
Description of problem:
While updating the rubygem-foreman-tasks package, the %post scripts execute the foreman-selinux-relabel command, which fails with the following error:

/sbin/restorecon: SELinux: Could not get canonical path for /etc/puppet/node.rb restorecon: No such file or directory.

Version-Release number of selected component (if applicable):
satellite 6.13

How reproducible:
100%

Steps to Reproduce:
1. Install / update rubygem-foreman-tasks package which produces the above error
2. OR simply just execute the foreman-selinux-relabel command 

# foreman-selinux-relabel 
/sbin/restorecon: SELinux: Could not get canonical path for /etc/puppet/node.rb restorecon: No such file or directory.

# echo $?
0

Inspecting the foreman-selinux-relabel command, we see the restorecon command is called with the -i switch; however, this will only work if the pre-existing path exists on the file system.

On Satellite 6.12 and above, the path /etc/puppet is non-existent, hence the error; if the path exists, then it silently skips the file if it doesn't exist.


Actual results:


Expected results:
We should remove /etc/puppet/node.rb from the foreman-selinux-relabel script, as it is a Puppet 3 related path and has been non-existent for ages.


Additional info:
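
A defensive wrapper for the behaviour described above, as an added example that is not part of the bug report or of foreman-selinux: it skips paths whose parent directory is missing (the case restorecon -i did not ignore here) and returns a non-zero status when a relabel call fails. The names RESTORECON, classify_path and safe_relabel are hypothetical, and the demonstration paths are constructed.

```shell
#!/bin/sh
# Added example, not foreman-selinux code. RESTORECON is an assumed override
# so the logic can be exercised without SELinux tooling.
RESTORECON=${RESTORECON:-/sbin/restorecon}

# classify_path PATH -> prints "relabel" when the parent directory exists
# (restorecon -i then copes with a missing leaf file), "skip" otherwise.
classify_path() {
    if [ -d "$(dirname -- "$1")" ]; then
        echo relabel
    else
        echo skip
    fi
}

# safe_relabel PATH...
# Calls "$RESTORECON -i" only for paths whose parent exists and returns
# non-zero if any call fails, so a %post script can notice the failure.
safe_relabel() {
    rc=0
    for p in "$@"; do
        if [ "$(classify_path "$p")" = skip ]; then
            echo "skipping $p: parent directory missing" >&2
            continue
        fi
        "$RESTORECON" -i "$p" || rc=1
    done
    return "$rc"
}

# Constructed demonstration on a scratch directory; no labels are changed.
demo_root=$(mktemp -d)
mkdir "$demo_root/etc"
for p in "$demo_root/etc/foreman.conf" "$demo_root/etc/puppet/node.rb"; do
    printf '%s %s\n' "$(classify_path "$p")" "$p"
done
rm -rf "$demo_root"
```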

Comment 1 Adam Ruzicka 2023-02-15 17:18:16 UTC
Propagating comments from https://github.com/theforeman/foreman-selinux/pull/151 , this was fixed in restorecon by BZ #2137965 and should be fixed in RHEL 8.8.

Comment 2 Adam Ruzicka 2023-02-22 11:01:11 UTC
Per #1, could we throw this off 6.13, since the decision was to wait it out until it is fixed in RHEL?

Comment 3 Evgeni Golov 2023-02-22 12:24:03 UTC
Yes, please.

It's not a failure anyway, just a warning; the relabeling of the other files happens just fine.
It's not a regression either.

Comment 5 Adam Ruzicka 2023-06-09 11:52:59 UTC
RHEL 8.8 is already out, moving to on_qa

Comment 6 Lukáš Hellebrandt 2023-06-22 11:12:29 UTC
Verified with Sat 6.13, upgrade to 6.14 snap 3.0 and RHEL 8.8, selinux packages:
# rpm -qa | grep selinux
selinux-policy-3.14.3-117.el8_8.1.noarch
libselinux-2.9-8.el8.x86_64
libselinux-utils-2.9-8.el8.x86_64
python3-libselinux-2.9-8.el8.x86_64
rpm-plugin-selinux-4.14.3-26.el8.x86_64
foreman-selinux-3.8.0-0.1.develop.el8sat.noarch
candlepin-selinux-4.3.1-1.el8sat.noarch
katello-selinux-5.0.2-1.el8sat.noarch
selinux-policy-targeted-3.14.3-117.el8_8.1.noarch
pulpcore-selinux-1.3.2-1.el8pc.x86_64

1) Ran foreman-selinux-relabel, no warning shown.
2) Upgraded the package to its 6.14 version using yum, no warning shown.
3) # mkdir /etc/puppet
# echo test > /etc/puppet/node.rb
# ls -lZ /etc/puppet/node.rb 
-rw-r--r--. 1 root root unconfined_u:object_r:etc_t:s0 5 Jun 22 07:08 /etc/puppet/node.rb
# foreman-selinux-relabel
# ls -lZ /etc/puppet/node.rb 
-rw-r--r--. 1 root root unconfined_u:object_r:foreman_enc_t:s0 5 Jun 22 07:08 /etc/puppet/node.rb