2168164 – Running foreman-selinux-relabel fails with an error

Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2168164 - Running foreman-selinux-relabel fails with an error

Summary: Running foreman-selinux-relabel fails with an error

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Satellite
Classification:	Red Hat
Component:	SELinux
Sub Component:
Version:	6.13.0
Hardware:	All
OS:	All
Priority:	medium
Severity:	medium
Target Milestone:	Unspecified
Assignee:	Nagoor Shaik
QA Contact:	Lukáš Hellebrandt
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2023-02-08 10:55 UTC by Nagoor Shaik
Modified:	2023-12-14 13:47 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2023-12-14 13:47:31 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Foreman Issue Tracker	36069	Normal	Duplicate	Running foreman-selinux-relabel fails with an error	2023-02-27 06:12:31 UTC
Github	theforeman foreman-selinux pull 151	None	closed	Fixes #36069 - remove old Puppet node.rb path	2023-02-27 06:12:29 UTC
Red Hat Issue Tracker	SAT-15778	None	None	None	2023-02-09 15:24:50 UTC

Description Nagoor Shaik 2023-02-08 10:55:16 UTC

Description of problem:
While updating rubygem-foreman-tasks package %post scripts execute foreman-selinux-relabel command, which fails with the following error

/sbin/restorecon: SELinux: Could not get canonical path for /etc/puppet/node.rb restorecon: No such file or directory.

Version-Release number of selected component (if applicable):
satellite 6.13

How reproducible:
100%

Steps to Reproduce:
1. Install / update rubygem-foreman-tasks package which produces the above error
2. OR simply just execute the foreman-selinux-relabel command 

# foreman-selinux-relabel 
/sbin/restorecon: SELinux: Could not get canonical path for /etc/puppet/node.rb restorecon: No such file or directory.

# echo $?
0

Inspecting the foreman-selinux-label command, we see the restorecon command is called with -i switch, however this will only work if the pre-existing path exists on the file system.

On Satellite 6.12 and above the path /etc/puppet is non-existent so is the error, if the path exists then it silents skips if the file doesn't exist.


Actual results:


Expected results:
We should remove /etc/puppet/node.rb from the foreman-selinux-relabel script as it was related to Puppet 3 related path and non-existing since ages.


Additional info:

Comment 1 Adam Ruzicka 2023-02-15 17:18:16 UTC

Propagating comments from https://github.com/theforeman/foreman-selinux/pull/151 , this was fixed in restorecon by BZ #2137965 and should be fixed in RHEL 8.8.

Comment 2 Adam Ruzicka 2023-02-22 11:01:11 UTC

Per #1, could we throw this off 6.13 since the decision was to wait it out until it is fixed in rhel?

Comment 3 Evgeni Golov 2023-02-22 12:24:03 UTC

Yes, please.

It's not a failure anyway, just a warning, the relabeling of the other files happens just fine.
It's not a regression either.

Comment 5 Adam Ruzicka 2023-06-09 11:52:59 UTC

RHEL 8.8 is already out, moving to on_qa

Comment 6 Lukáš Hellebrandt 2023-06-22 11:12:29 UTC

Verified with Sat 6.13, upgrade to 6.14 snap 3.0 and RHEL 8.8, selinux packages:
# rpm -qa | grep selinux
selinux-policy-3.14.3-117.el8_8.1.noarch
libselinux-2.9-8.el8.x86_64
libselinux-utils-2.9-8.el8.x86_64
python3-libselinux-2.9-8.el8.x86_64
rpm-plugin-selinux-4.14.3-26.el8.x86_64
foreman-selinux-3.8.0-0.1.develop.el8sat.noarch
candlepin-selinux-4.3.1-1.el8sat.noarch
katello-selinux-5.0.2-1.el8sat.noarch
selinux-policy-targeted-3.14.3-117.el8_8.1.noarch
pulpcore-selinux-1.3.2-1.el8pc.x86_64

1) Ran foreman-selinux-relabel, no warning shown.
2) Upgraded the package to its 6.14 version using yum, no warning shown.
3) # mkdir /etc/puppet
# echo test > /etc/puppet/node.rb
# ls -lZ /etc/puppet/node.rb 
-rw-r--r--. 1 root root unconfined_u:object_r:etc_t:s0 5 Jun 22 07:08 /etc/puppet/node.rb
# foreman-selinux-relabel
# ls -lZ /etc/puppet/node.rb 
-rw-r--r--. 1 root root unconfined_u:object_r:foreman_enc_t:s0 5 Jun 22 07:08 /etc/puppet/node.rb

Note You need to log in before you can comment on or make changes to this bug.