Bug 1391886 - Puppet's selmodule syncversion is called at each run even when the policy version has been loaded already
Summary: Puppet's selmodule syncversion is called at each run even when the policy ver...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: puppet
Version: epel7
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Jeroen van Meeuwen
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 1392154 1392573 1395222
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-11-04 10:18 UTC by Andrea Veri
Modified: 2017-05-23 09:56 UTC (History)
15 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-05-23 09:56:21 UTC


Attachments (Terms of Use)

Description Andrea Veri 2016-11-04 10:18:35 UTC
Description of problem:

With RHEL 7.3 the output of 'semodule -l' has changed and does not list the version of the loaded policy anymore. In case the Puppet's selmodule syncversion for a specific policy is set to true Puppet tries to parse the currently loaded policy by running 'semodule -l':

Debug: Selmodule[gnome_internal_postfix](provider=semodule): Checking syncversion on gnome_internal_postfix
Debug: Executing '/usr/sbin/semodule --list'
Debug: Selmodule[gnome_internal_postfix](provider=semodule): load version 
Debug: Executing '/usr/sbin/semodule --upgrade /usr/share/selinux/custom/gnome/gnome_internal_postfix.pp'
Notice: /Stage[main]/Selinux::Postfix/Selmodule[gnome_internal_postfix]/syncversion: syncversion changed 'false' to 'true'

With RHEL 7.3 this fails:

semodule -l | head -n 5
abrt
accountsd
acct
afs
aiccu

With RHEL 6 it works as expected:

semodule -l | head -n 5
abrt	1.2.0	
accountsd	1.0.0	
ada	1.4.0	
afs	1.5.3	
aiccu	1.0.0

Version-Release number of selected component (if applicable):
puppet-3.6.2-3.el7.noarch

How reproducible:
Always.


Steps to Reproduce:
1. Create a custom SELinux policy
2. Apply it to your node (an example: https://infrastructure.gnome.org/browse/puppet/tree/modules/selinux/manifests/bugzilla.pp)
3. Puppet agent run

Actual results:
syncversion is called over and over again.

Expected results:
If the policy has been loaded already a syncversion should not be needed.

Comment 1 Peter Vreman 2016-11-10 08:20:23 UTC
I have the same issue.

In RHEL7.2 there was no issue. The semodule also listed the versions:

vrempet@li-lc-1437 ~
$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.2 (Maipo)

vrempet@li-lc-1437 ~
$ sudo semodule -l | head -n 5
abrt    1.4.1
accountsd       1.1.0
acct    1.6.0
afs     1.9.0
aiccu   1.1.0

Comment 2 Peter Vreman 2016-11-10 08:26:00 UTC
See also https://bugzilla.redhat.com/show_bug.cgi?id=1392573

Comment 3 Dominic Cleal 2017-05-23 09:56:21 UTC
Fixed in RHEL 7.3.z via bug #1395733 and in 7.4 by bug #1392573, so closing this against Puppet.


Note You need to log in before you can comment on or make changes to this bug.