
[BUG] SELinux.fcontext_add_policy fails when using a hyphen in filespec.

Open • Munteano opened this issue 1 year ago • 1 comment

Description

When running the SELinux fcontext_add_policy with a filespec that contains a hyphen in the name of the directory, the state fails with ValueError: File context for /vol/apache/dummy/bla-bla(/.*)? is not defined, while setting the fcontext with semanage directly works with hyphens.

Setup

Salt master on Rocky Linux, salt-minion on Amazon Linux 2023

Please be as specific as possible and give set-up details.

  • [ ] on-prem machine
  • [ ] VM (Virtualbox, KVM, etc. please specify)
  • [x] VM running on a cloud service, please be explicit and add details Running on latest Amazon Linux 2023 Image
  • [ ] container (Kubernetes, Docker, containerd, etc. please specify)
  • [ ] or a combination, please be explicit
  • [ ] jails if it is FreeBSD
  • [ ] classic packaging
  • [x] onedir packaging
  • [x] used bootstrap to install

Steps to Reproduce the behavior

Running the selinux state like this:

salt 'amazon2023-dev-1' selinux.fcontext_add_policy '/vol/apache/dummy/bla-bla(/.*)?' sel_type=httpd_sys_content_t
amazon2023-dev-1:
    ----------
    pid:
        24222
    retcode:
        1
    stderr:
        ValueError: File context for /vol/apache/dummy/bla-bla(/.*)? is not defined
    stdout:

Running fcontext_get_policy returns:

salt 'amazon2023-dev-1' selinux.fcontext_get_policy "/vol/apache/dummy/bla-bla(/.*)?"
amazon2023-dev-1:
    The minion function caused an exception: Traceback (most recent call last):
      File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/minion.py", line 1969, in _thread_return
        return_data = minion_instance._execute_job_function(
      File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/minion.py", line 1925, in _execute_job_function
        return_data = self.executors[fname](opts, data, func, args, kwargs)
      File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/loader/lazy.py", line 160, in __call__
        ret = self.loader.run(run_func, *args, **kwargs)
      File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/loader/lazy.py", line 1269, in run
        return self._last_context.run(self._run_as, _func_or_method, *args, **kwargs)
      File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/loader/lazy.py", line 1284, in _run_as
        return _func_or_method(*args, **kwargs)
      File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/executors/direct_call.py", line 10, in execute
        return func(*args, **kwargs)
      File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/loader/lazy.py", line 160, in __call__
        ret = self.loader.run(run_func, *args, **kwargs)
      File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/loader/lazy.py", line 1269, in run
        return self._last_context.run(self._run_as, _func_or_method, *args, **kwargs)
      File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/loader/lazy.py", line 1284, in _run_as
        return _func_or_method(*args, **kwargs)
      File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/modules/selinux.py", line 507, in fcontext_get_policy
        "filespec": parts.group(1).strip(),
    AttributeError: 'NoneType' object has no attribute 'group'

While running it directly on the VM with semanage:

[root@amazon2023-dev-1 apache]# semanage fcontext -a -t httpd_sys_content_t '/vol/apache/dummy/bla-bla(/.*)?'
[root@amazon2023-dev-1 apache]# semanage fcontext -l | grep bla-bla
/vol/apache/dummy/bla-bla(/.*)?                    all files          system_u:object_r:httpd_sys_content_t:s0

Expected behavior

Running the same state without a hyphen:

salt 'amazon2023-dev-1' selinux.fcontext_add_policy '/vol/apache/dummy/blabla(/.*)?' sel_type=httpd_sys_content_t
amazon2023-dev-1:
    ----------
    pid:
        24209
    retcode:
        0
    stderr:
    stdout:

Screenshots

[image]

Versions Report

Minion:

[root@amazon2023-dev-1 /]# salt-minion --version
salt-minion 3007.1 (Chlorine)

salt --versions-report (Provided by running salt --versions-report. Please also mention any differences in master/minion versions.)
Salt Version:
          Salt: 3007.1

Python Version:
        Python: 3.10.14 (main, Apr  3 2024, 21:30:09) [GCC 11.2.0]

Dependency Versions:
          cffi: 1.16.0
      cherrypy: unknown
      dateutil: 2.8.2
     docker-py: Not Installed
         gitdb: Not Installed
     gitpython: Not Installed
        Jinja2: 3.1.4
       libgit2: Not Installed
  looseversion: 1.3.0
      M2Crypto: Not Installed
          Mako: Not Installed
       msgpack: 1.0.7
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     packaging: 23.1
     pycparser: 2.21
      pycrypto: Not Installed
  pycryptodome: 3.19.1
        pygit2: Not Installed
  python-gnupg: 0.5.2
        PyYAML: 6.0.1
         PyZMQ: 25.1.2
        relenv: 0.16.0
         smmap: Not Installed
       timelib: 0.3.0
       Tornado: 6.3.3
           ZMQ: 4.3.4

Salt Package Information:
  Package Type: onedir

System Versions:
          dist: rocky 8.10 Green Obsidian
        locale: utf-8
       machine: x86_64
       release: 4.18.0-553.8.1.el8_10.x86_64
        system: Linux
       version: Rocky Linux 8.10 Green Obsidian

Additional context

Running the same command on a minion with Amazon Linux 2 works fine. My first contribution to the SaltStack community, please let me know if you need more info. Thanks!

Munteano, Aug 28 '24 12:08

Hi there! Welcome to the Salt Community! Thank you for making your first contribution. We have a lengthy process for issues and PRs. Someone from the Core Team will follow up as soon as possible. In the meantime, here’s some information that may help as you continue your Salt journey. Please be sure to review our Code of Conduct. Also, check out some of our community resources including:

There are lots of ways to get involved in our community. Every month, there are around a dozen opportunities to meet with other contributors and the Salt Core team and collaborate in real time. The best way to keep track is by subscribing to the Salt Community Events Calendar. If you have additional questions, email us at [email protected]. We’re glad you’ve joined our community and look forward to doing awesome things with you!

welcome[bot], Aug 28 '24 12:08

This is happening because Salt is running something like semanage fcontext -l | grep -E '^/some/path\-name\(/\.\*\)\?[ ]+all files[ ]+[^:]+:[^:]+:etc_t:[^:]+[ | ]*$', grep outputs a warning about the unnecessary \ before the -, and Salt tries to parse that warning as an fcontext (which then obviously fails).

$ echo a-b | grep 'a\-b'
grep: warning: stray \ before -
a-b

Ideally, Salt should be using a correct POSIX ERE instead of a Python RE when using grep -E, but at the very least, it shouldn't be parsing stderr output.

omolenkamp, Aug 14 '25 11:08
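The two defects named in this comment, a Python-style escape fed to grep -E and diagnostics on stderr being parsed as data, can be reproduced and handled offline. The following is an added example, not code from Salt's selinux module or from either commenter: the listing rows are constructed from the layout shown in the issue (filespec, file type, context), the warning line is the one quoted above, and the function names (ere_escape, parse_fcontext_listing, fcontext_lookup) are hypothetical. It assumes semanage fcontext -l always prints a context as user:role:type:level or the literal <<None>>.

```python
import re

# Constructed sample of `semanage fcontext -l` stdout, laid out like the
# row shown in the issue. Not captured from a real host.
SAMPLE_STDOUT = """\
/vol/apache/dummy/bla-bla(/.*)?                    all files          system_u:object_r:httpd_sys_content_t:s0
/vol/apache/dummy/blabla(/.*)?                     all files          system_u:object_r:httpd_sys_content_t:s0
/var/www(/.*)?                                     all files          system_u:object_r:httpd_sys_content_t:s0
/var/log/httpd(/.*)?                               all files          system_u:object_r:httpd_log_t:s0
"""

# What GNU grep writes to stderr when handed the Python-style escape `\-`
# (quoted from the comment above). Merging stderr into stdout puts this
# line in front of the rows a naive parser walks.
SAMPLE_STDERR = "grep: warning: stray \\ before -\n"

FILESPEC = "/vol/apache/dummy/bla-bla(/.*)?"

# Metacharacters of a POSIX ERE outside a bracket expression. `-` is not
# one of them, which is exactly why re.escape()'s `\-` draws the warning.
_ERE_SPECIAL = set(".^$*+?()[]{}|\\")


def ere_escape(literal: str) -> str:
    """Escape a literal string for use in a POSIX ERE (grep -E).

    Unlike re.escape(), only ERE metacharacters get a backslash, so a
    hyphen in a filespec passes through untouched.
    """
    return "".join("\\" + ch if ch in _ERE_SPECIAL else ch for ch in literal)


# One listing row: filespec, a file-type phrase (may contain spaces, e.g.
# "all files"), then a context that must be user:role:type:level or <<None>>.
# The strict context field is what keeps a warning line from matching.
_FCONTEXT_ROW = re.compile(
    r"^(?P<filespec>\S+)\s+(?P<filetype>\S.*?\S|\S)\s+"
    r"(?P<context>[^\s:]+:[^\s:]+:[^\s:]+:\S+|<<None>>)\s*$"
)


def parse_fcontext_listing(text: str):
    """Parse listing rows into dicts; return (entries, rejected_lines).

    Anything that does not have the row shape (a grep warning, a header)
    is reported in rejected_lines instead of being guessed at.
    """
    entries, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        match = _FCONTEXT_ROW.match(line)
        if match is None:
            rejected.append(line)
            continue
        entries.append({k: v.strip() for k, v in match.groupdict().items()})
    return entries, rejected


def fcontext_lookup(filespec: str, stdout: str, stderr: str = ""):
    """Return the row whose filespec equals `filespec`, or None.

    Only stdout is parsed; stderr is diagnostics and is deliberately
    ignored here. The match is a plain string comparison on the filespec
    column, so no regex escaping of the caller's filespec is needed at all.
    """
    entries, _rejected = parse_fcontext_listing(stdout)
    for entry in entries:
        if entry["filespec"] == filespec:
            return entry
    return None


if __name__ == "__main__":
    print("re.escape :", re.escape(FILESPEC))   # contains `\-`
    print("ere_escape:", ere_escape(FILESPEC))  # hyphen left alone
    # Merged streams: the warning is rejected rather than parsed as a row.
    rows, bad = parse_fcontext_listing(SAMPLE_STDERR + SAMPLE_STDOUT)
    print(len(rows), "rows;", "rejected:", bad)
    print(fcontext_lookup(FILESPEC, SAMPLE_STDOUT, SAMPLE_STDERR))
```

Running the block shows the `\-` that re.escape() produces, the same filespec escaped for an ERE without it, and that a warning line mixed into the listing is reported rather than mistaken for a file context. Looking the filespec up by string equality on the parsed rows sidesteps the escaping question entirely, which is the safer route when the listing is small enough to read in full.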