1891210 – validate-selinux validation fails if there are no log messages with denied word in audit.log

Bug 1891210 - validate-selinux validation fails if there are no log messages with denied word in audit.log

Summary: validate-selinux validation fails if there are no log messages with denied wo...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	validations-common
Sub Component:
Version:	16.1 (Train)
Hardware:	All
OS:	All
Priority:	low
Severity:	low
Target Milestone:	z4
Target Release:	16.1 (Train on RHEL 8.2)
Assignee:	Gaël Chamoulaud
QA Contact:	nlevinki
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1893893 (view as bug list)
Depends On:	1912879
Blocks:
TreeView+	depends on / blocked

Reported:	2020-10-24 12:05 UTC by Alex Stupnikov
Modified:	2021-03-17 15:35 UTC (History)
CC List:	7 users (show)
Fixed In Version:	validations-common-1.1.2-1.20200914180306.el8ost
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-03-17 15:33:21 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
OpenStack gerrit	765163	0	None	MERGED	Exit with zero status when denials are not found in audit log	2021-02-15 19:14:10 UTC
Red Hat Product Errata	RHBA-2021:0817	0	None	None	None	2021-03-17 15:35:27 UTC

Description Alex Stupnikov 2020-10-24 12:05:04 UTC

Description of problem:

In my RHOSP 16.1 lab I noticed that validate-selinux fails if ansible fails to find denied word in audit.log [1]. I noticed that appropriate play has "ignore_errors: true":
https://github.com/openstack/validations-common/blob/master/validations_common/roles/validate_selinux/tasks/main.yml#L54

In this case ansible will still generate FAILED message, but will add "ignoring" line. It looks like validations framework fails to process such situation properly

[1]
                        "compute-0": {
                            "_ansible_no_log": false,
                            "action": "command",
                            "changed": false,
                            "cmd": "set -o pipefail\ngrep denied /var/log/audit/audit.log > /tmp/denials.log\n",
                            "delta": "0:00:00.007134",
                            "end": "2020-10-06 11:00:36.621651",
                            "failed": true,
                            "invocation": {
                                "module_args": {
                                    "_raw_params": "set -o pipefail\ngrep denied /var/log/audit/audit.log > /tmp/denials.log\n",
                                    "_uses_shell": true,
                                    "argv": null,
                                    "chdir": null,
                                    "creates": null,
                                    "executable": null,
                                    "removes": null,
                                    "stdin": null,
                                    "stdin_add_newline": true,
                                    "strip_empty_ends": true,
                                    "warn": true
                                }
                            },
                            "msg": "non-zero return code",
                            "rc": 1,
                            "start": "2020-10-06 11:00:36.614517",
                            "stderr": "",
                            "stderr_lines": [],
                            "stdout": "",
                            "stdout_lines": []
                        },

Comment 1 Alex Stupnikov 2020-10-24 12:07:00 UTC

Here is an example output that were generated by adjusted playbook:

    fatal: [localhost]: FAILED! => {"changed": true, "cmd": "set -o pipefail\ngrep denieds /var/log/audit/audit.log > /tmp/denials.log\n", "delta": "0:00:00.011958", "end": "2020-10-10 17:42:54.427789", "msg": "non-zero return code", "rc": 1, "start": "2020-10-10 17:42:54.415831", "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}
    ...ignoring

Comment 2 Gaël Chamoulaud 2020-12-03 10:09:56 UTC

*** Bug 1893893 has been marked as a duplicate of this bug. ***

Comment 13 errata-xmlrpc 2021-03-17 15:33:21 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat OpenStack Platform 16.1.4 director bug fix advisory), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:0817

Note You need to log in before you can comment on or make changes to this bug.