Bug 2168164 - Running foreman-selinux-relabel fails with an error
Summary: Running foreman-selinux-relabel fails with an error
Keywords:
Status: VERIFIED
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: SELinux
Version: 6.13.0
Hardware: All
OS: All
medium
medium
Target Milestone: Unspecified
Assignee: Nagoor Shaik
QA Contact: Lukáš Hellebrandt
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-02-08 10:55 UTC by Nagoor Shaik
Modified: 2023-08-03 17:35 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 36069 0 Normal Duplicate Running foreman-selinux-relabel fails with an error 2023-02-27 06:12:31 UTC
Github theforeman foreman-selinux pull 151 0 None closed Fixes #36069 - remove old Puppet node.rb path 2023-02-27 06:12:29 UTC
Red Hat Issue Tracker SAT-15778 0 None None None 2023-02-09 15:24:50 UTC

Description Nagoor Shaik 2023-02-08 10:55:16 UTC 
Description of problem:
While updating rubygem-foreman-tasks package %post scripts execute foreman-selinux-relabel command, which fails with the following error

/sbin/restorecon: SELinux: Could not get canonical path for /etc/puppet/node.rb restorecon: No such file or directory.

Version-Release number of selected component (if applicable):
satellite 6.13

How reproducible:
100%

Steps to Reproduce:
1. Install / update rubygem-foreman-tasks package which produces the above error
2. OR simply just execute the foreman-selinux-relabel command 

# foreman-selinux-relabel 
/sbin/restorecon: SELinux: Could not get canonical path for /etc/puppet/node.rb restorecon: No such file or directory.

# echo $?
0

Inspecting the foreman-selinux-label command, we see the restorecon command is called with -i switch, however this will only work if the pre-existing path exists on the file system.

On Satellite 6.12 and above the path /etc/puppet is non-existent so is the error, if the path exists then it silents skips if the file doesn't exist.


Actual results:


Expected results:
We should remove /etc/puppet/node.rb from the foreman-selinux-relabel script as it was related to Puppet 3 related path and non-existing since ages.


Additional info:
Comment 1 Adam Ruzicka 2023-02-15 17:18:16 UTC 
Propagating comments from https://github.com/theforeman/foreman-selinux/pull/151 , this was fixed in restorecon by BZ #2137965 and should be fixed in RHEL 8.8.
Comment 2 Adam Ruzicka 2023-02-22 11:01:11 UTC 
Per #1, could we throw this off 6.13 since the decision was to wait it out until it is fixed in rhel?
Comment 3 Evgeni Golov 2023-02-22 12:24:03 UTC 
Yes, please.

It's not a failure anyway, just a warning, the relabeling of the other files happens just fine.
It's not a regression either.
Comment 5 Adam Ruzicka 2023-06-09 11:52:59 UTC 
RHEL 8.8 is already out, moving to on_qa
Comment 6 Lukáš Hellebrandt 2023-06-22 11:12:29 UTC 
Verified with Sat 6.13, upgrade to 6.14 snap 3.0 and RHEL 8.8, selinux packages:
# rpm -qa | grep selinux
selinux-policy-3.14.3-117.el8_8.1.noarch
libselinux-2.9-8.el8.x86_64
libselinux-utils-2.9-8.el8.x86_64
python3-libselinux-2.9-8.el8.x86_64
rpm-plugin-selinux-4.14.3-26.el8.x86_64
foreman-selinux-3.8.0-0.1.develop.el8sat.noarch
candlepin-selinux-4.3.1-1.el8sat.noarch
katello-selinux-5.0.2-1.el8sat.noarch
selinux-policy-targeted-3.14.3-117.el8_8.1.noarch
pulpcore-selinux-1.3.2-1.el8pc.x86_64

1) Ran foreman-selinux-relabel, no warning shown.
2) Upgraded the package to its 6.14 version using yum, no warning shown.
3) # mkdir /etc/puppet
# echo test > /etc/puppet/node.rb
# ls -lZ /etc/puppet/node.rb 
-rw-r--r--. 1 root root unconfined_u:object_r:etc_t:s0 5 Jun 22 07:08 /etc/puppet/node.rb
# foreman-selinux-relabel
# ls -lZ /etc/puppet/node.rb 
-rw-r--r--. 1 root root unconfined_u:object_r:foreman_enc_t:s0 5 Jun 22 07:08 /etc/puppet/node.rb
Note You need to log in before you can comment on or make changes to this bug.