Bug 1931058 - augeas cannot parse 'ignoredirs' option in semanage.conf file
Summary: augeas cannot parse 'ignoredirs' option in semanage.conf file
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: augeas
Version: 8.4
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Richard W.M. Jones
QA Contact: YongkuiGuo
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-02-20 11:08 UTC by YongkuiGuo
Modified: 2023-05-16 11:00 UTC (History)

Fixed In Version: augeas-1.12.0-8.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-05-16 09:03:35 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+


Attachments (Terms of Use)
semanage.conf (2.58 KB, text/plain)
2021-02-20 11:08 UTC, YongkuiGuo


Links
System ID Private Priority Status Summary Last Updated
Github hercules-team augeas pull 758 0 None open semanage: Fix parsing of ignoredirs 2022-04-21 09:08:28 UTC
Red Hat Product Errata RHBA-2023:2961 0 None None None 2023-05-16 09:03:37 UTC

Description YongkuiGuo 2021-02-20 11:08:28 UTC
Created attachment 1758417 [details]
semanage.conf

Description of problem:
augeas cannot parse /etc/selinux/semanage.conf on rhel8.4. The 'ignoredirs' option has been changed.

Old ignoredirs value:
ignoredirs=/root

New ignoredirs value:
ignoredirs=/root;/bin;/boot;/dev;/etc;/lib;/lib64;/proc;/run;/sbin;/sys;/tmp;/usr;/var


Version-Release number of selected component (if applicable):
augeas-1.12.0-6.el8.x86_64
selinux-policy-3.14.3-63.el8.noarch


How reproducible:
100%


Steps:

1. On rhel8.4 host with RHEL-8.4.0-20210218.n.0 compose
# augtool print /files/etc/selinux/semanage.conf

There is no output.


2.
# augtool print /augeas//error
...
/augeas/files/etc/selinux/semanage.conf/error = "parse_failed"
/augeas/files/etc/selinux/semanage.conf/error/pos = "2499"
/augeas/files/etc/selinux/semanage.conf/error/line = "54"
/augeas/files/etc/selinux/semanage.conf/error/char = "16"
/augeas/files/etc/selinux/semanage.conf/error/lens = "/usr/share/augeas/lenses/dist/semanage.aug:32.10-.27:"
/augeas/files/etc/selinux/semanage.conf/error/lens/last_matched = "/usr/share/augeas/lenses/dist/inifile.aug:218.18-.41:"
/augeas/files/etc/selinux/semanage.conf/error/lens/next_not_matched = "/usr/share/augeas/lenses/dist/inifile.aug:218.44-.56:"
/augeas/files/etc/selinux/semanage.conf/error/message = "Iterated lens matched less than it should"


Actual results:
As above

Expected results:
The 'ignoredirs' option in semanage.conf cannot be parsed.

Additional info:

Comment 1 Richard W.M. Jones 2022-01-12 17:32:03 UTC
Just a note that there is no fix upstream at time of writing.

Comment 3 YongkuiGuo 2022-10-12 09:39:41 UTC
Hi, rjones

Do you plan to fix this bug? The same issue (bug 2077120) on RHEL9 was fixed a few days ago.

Comment 4 Richard W.M. Jones 2022-10-12 12:04:29 UTC
Yes, let's fix this.

Comment 6 Richard W.M. Jones 2022-10-12 12:43:05 UTC
There's a new grub failure in the tests:

https://dashboard.osci.redhat.com/#/artifact/brew-build/aid/48245594?focus=tc:osci.brew-build.tier0.functional

It's hard to know what is causing it without being able to see the
/etc/default/grub file itself.

Comment 7 YongkuiGuo 2022-10-12 13:38:26 UTC
(In reply to Richard W.M. Jones from comment #6)
> There's a new grub failure in the tests:
> 
> https://dashboard.osci.redhat.com/#/artifact/brew-build/aid/48245594?focus=tc:osci.brew-build.tier0.functional
> 
> It's hard to know what is causing it without being able to see the
> /etc/default/grub file itself.

I cannot see this problem on the latest RHEL8.8 nightly compose.

$ rpm -q grub2-tools
grub2-tools-2.02-142.el8.x86_64

$ augtool print /files/etc/default/grub
/files/etc/default/grub
/files/etc/default/grub/GRUB_TIMEOUT = "5"
/files/etc/default/grub/GRUB_DISTRIBUTOR = "\"$(sed 's, release .*$,,g' /etc/system-release)\""
/files/etc/default/grub/GRUB_DEFAULT = "saved"
/files/etc/default/grub/GRUB_DISABLE_SUBMENU = "true"
/files/etc/default/grub/GRUB_TERMINAL_OUTPUT = "\"console\""
/files/etc/default/grub/GRUB_CMDLINE_LINUX = "\"crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet\""
/files/etc/default/grub/GRUB_DISABLE_RECOVERY = "\"true\""
/files/etc/default/grub/GRUB_ENABLE_BLSCFG = "true"

$ cat /etc/default/grub
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet"
GRUB_DISABLE_RECOVERY="true"
GRUB_ENABLE_BLSCFG=true

Comment 8 Richard W.M. Jones 2022-10-12 13:43:01 UTC
That's identical to /etc/default/grub on my RHEL 8 machine too, so I guess
the file on the test machine has been modified.  I asked in #osci if
anyone could grab that file, but no one has answered so far.

Comment 9 YongkuiGuo 2022-10-13 07:53:16 UTC
(In reply to Richard W.M. Jones from comment #8)
> That's identical to /etc/default/grub on my RHEL 8 machine too, so I guess
> the file on the test machine has been modified.  

I agree.

> I asked in #osci if anyone could grab that file, but no one has answered so far.

After the gating test completes, the reserved env will probably be released.

I reran the 'osci.brew-build.tier0.functional' gating test, which still failed with the same error. The Jenkins console log: https://cyborg-jenkins.osci.redhat.com/job/OSCI-Pipelines/job/osci-pipelines%252Fdist-git-pipeline/job/master/40643/console.

If my investigation is not wrong, the 'osci.brew-build.tier0.functional' gating test uses the RHEL8.8 nightly compose which is defined in https://gitlab.cee.redhat.com/baseos-qe/citool-config/-/blob/production/variables-composes.yaml.  

<snip>
RHEL_8_8_0:
  ...
  compose: RHEL-8.8.0-20221006.0
  symbolic_compose: RHEL-8.8.0-Nightly
  buildroot: BUILDROOT-8.8.0-RHEL-8-20221006.0

  aws:
    image: TF-BUILD-RHEL-8.8.0-20221006.0

    add-arch-suffix-for-artemis: true

  openstack:
    image: TF-BUILD-RHEL-8.8.0-20221006.0-x86_64

  beaker:
    distro: RHEL-8.8.0-20221006.0
<snip>

So at present, the 'osci.brew-build.tier0.functional' gating test reserves the test env with RHEL-8.8.0-20221006.0 compose. I also tried RHEL-8.8.0-20221006.0 compose on openstack env, and augeas can parse /etc/default/grub file.

[root@ci-vm-10-0-138-179 yum.repos.d]# augtool print /files/etc/default/grub
/files/etc/default/grub
/files/etc/default/grub/GRUB_TIMEOUT = "5"
/files/etc/default/grub/GRUB_DISTRIBUTOR = "\"$(sed 's, release .*$,,g' /etc/system-release)\""
/files/etc/default/grub/GRUB_DEFAULT = "saved"
/files/etc/default/grub/GRUB_DISABLE_SUBMENU = "true"
/files/etc/default/grub/GRUB_TERMINAL_OUTPUT = "\"console\""
/files/etc/default/grub/GRUB_CMDLINE_LINUX = "\"crashkernel=auto net.ifnames=0 rhgb quiet\""
/files/etc/default/grub/GRUB_DISABLE_RECOVERY = "\"true\""
/files/etc/default/grub/GRUB_ENABLE_BLSCFG = "true"

Comment 10 YongkuiGuo 2022-10-13 09:50:06 UTC
Tested with package:
augeas-1.12.0-8.el8.x86_64

Steps:

1. On RHEL8.8 host

$ augtool print /files/etc/selinux/semanage.conf
...
/files/etc/selinux/semanage.conf/ignoredirs
/files/etc/selinux/semanage.conf/ignoredirs/1 = "/root"
/files/etc/selinux/semanage.conf/ignoredirs/2 = "/bin"
/files/etc/selinux/semanage.conf/ignoredirs/3 = "/boot"
/files/etc/selinux/semanage.conf/ignoredirs/4 = "/dev"
/files/etc/selinux/semanage.conf/ignoredirs/5 = "/etc"
/files/etc/selinux/semanage.conf/ignoredirs/6 = "/lib"
/files/etc/selinux/semanage.conf/ignoredirs/7 = "/lib64"
/files/etc/selinux/semanage.conf/ignoredirs/8 = "/proc"
/files/etc/selinux/semanage.conf/ignoredirs/9 = "/run"
/files/etc/selinux/semanage.conf/ignoredirs/10 = "/sbin"
/files/etc/selinux/semanage.conf/ignoredirs/11 = "/sys"
/files/etc/selinux/semanage.conf/ignoredirs/12 = "/tmp"
/files/etc/selinux/semanage.conf/ignoredirs/13 = "/usr"
/files/etc/selinux/semanage.conf/ignoredirs/14 = "/var"
/files/etc/selinux/semanage.conf/@group = "sefcontext_compile"
/files/etc/selinux/semanage.conf/@group/path = "/usr/sbin/sefcontext_compile"
/files/etc/selinux/semanage.conf/@group/args = "-r $@"

Augeas can parse /etc/selinux/semanage.conf file successfully.
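
Added example, not part of the original report and not Augeas or lens code: a small Python sketch that turns the `/augeas//error` lines from the description into a structured record, shows where the reported column falls in the new `ignoredirs` value, and builds the numbered tree seen in the verified output above. It assumes `error/char` is a 0-based column and that the `ignoredirs` line is line 54 of the attachment; the function names are hypothetical.

```python
import re

# Lines quoted in the report from `augtool print /augeas//error` (trimmed).
ERROR_OUTPUT = """\
/augeas/files/etc/selinux/semanage.conf/error = "parse_failed"
/augeas/files/etc/selinux/semanage.conf/error/line = "54"
/augeas/files/etc/selinux/semanage.conf/error/char = "16"
/augeas/files/etc/selinux/semanage.conf/error/message = "Iterated lens matched less than it should"
"""

# The new RHEL 8.4 value from the report. Assumption: this is line 54 of the
# attached file, which is not reproduced on the page.
NEW_LINE = ("ignoredirs=/root;/bin;/boot;/dev;/etc;/lib;/lib64;/proc;/run;"
            "/sbin;/sys;/tmp;/usr;/var")

_ERR = re.compile(
    r'^/augeas/files(?P<file>/.+?)/error(?:/(?P<field>\S+))? = "(?P<val>.*)"$')


def parse_errors(output):
    """Group /augeas//error lines into {config file: {field: value}}."""
    errors = {}
    for line in output.splitlines():
        m = _ERR.match(line.strip())
        if m:
            errors.setdefault(m["file"], {})[m["field"] or "error"] = m["val"]
    return errors


def offending_char(line_text, char):
    """Return (character at the reported column, text consumed before it).

    Assumption: error/char is a 0-based column within the line.
    """
    return line_text[char], line_text[:char]


def ignoredirs_tree(line_text, base="/files/etc/selinux/semanage.conf"):
    """Split a ';'-separated ignoredirs value into numbered child nodes."""
    key, _, value = line_text.partition("=")
    if key.strip() != "ignoredirs":
        raise ValueError("not an ignoredirs line")
    dirs = [d for d in value.strip().split(";") if d]
    return [(f"{base}/ignoredirs/{i}", d) for i, d in enumerate(dirs, 1)]


if __name__ == "__main__":
    for path, err in parse_errors(ERROR_OUTPUT).items():
        ch, seen = offending_char(NEW_LINE, int(err["char"]))
        print(f"{path}: {err['error']} at line {err['line']}, stopped at {ch!r} after {seen!r}")
    for node, value in ignoredirs_tree(NEW_LINE):
        print(f'{node} = "{value}"')
```

Under those assumptions the reported column lands on the first `;`, directly after `ignoredirs=/root`. Because a failed parse leaves `/files/...` empty rather than raising an error, tooling that reads this file through Augeas should also check `/augeas//error`.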

Comment 13 YongkuiGuo 2022-10-26 08:33:45 UTC
Verified this bug since the test case for this bug has been automated and passed in the latest nightly compose test.

Comment 15 errata-xmlrpc 2023-05-16 09:03:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (augeas bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2961

