CentOS 8 Stream: selinux_policy_fcontext: Chef::Exceptions::InvalidCookbookVersion '8' does not match 'x.y.z' or 'x.y' #150

Open
maxwax opened this issue Feb 3, 2022 · 1 comment


maxwax commented Feb 3, 2022

👻 Brief Description

selinux_policy_fcontext is unable to execute properly on CentOS 8 Stream. The same code works fine on RHEL 8 and CentOS 8 (non-Stream) such as CentOS 8 8.5.2111 and 8.0.1905.

🥞 Cookbook version

  • selinux_policy (2.4.3)

👩‍🍳 Chef-Infra Version

Chef Infra Client, version 17.9.42

🎩 Platform details

CentOS 8 Stream installed from ISO CentOS-Stream-8-x86_64-20220202-dvd1.iso
or CentOS 8 converted to CentOS 8 Stream.

# rpm -qa | grep centos
centos-gpg-keys-8-4.el8.noarch
centos-stream-release-8.6-1.el8.noarch
centos-stream-repos-8-4.el8.noarch

Steps To Reproduce

Steps to reproduce the behavior:

Primary process using a native CentOS 8 Stream install:

  1. Install CentOS 8 Stream on a node from dvd
  2. Bootstrap with Chef
  3. Attempt to use a cookbook that modifies a single directory using selinux_policy_fcontext
  4. Observe failure (see below)

Alternative process using a CentOS 8 to CentOS 8 Stream conversion:

  1. Install CentOS 8 (non-Stream) node
  2. Bootstrap with Chef
  3. Execute cookbook with selinux_policy_fcontext and observe success
  4. Convert CentOS 8 to CentOS 8 Stream with:
         dnf --disablerepo '*' --enablerepo=extras swap centos-linux-repos centos-stream-repos
         dnf distro-sync
  5. Attempt to use a cookbook that modifies a single directory using selinux_policy_fcontext
  6. Observe failure (see below)

🚓 Expected behavior

  • On CentOS 8, RHEL 8, etc., it should modify the SELinux file context of a directory and proceed without error.

➕ Additional context

This error is observed when deploying the same cookbook on:

  • CentOS 8.5.2111 node converted to CentOS 8 Stream
  • CentOS 8.0.1905 node converted to CentOS 8 Stream
  • CentOS 8 Stream installed using CentOS-Stream-8-x86_64-20220202-dvd1.iso

Recipe: nginx_repo::deploy
  * selinux_policy_fcontext[/repo(/.*)?] action addormodify
    
    ================================================================================
    Error executing action `addormodify` on resource 'selinux_policy_fcontext[/repo(/.*)?]'
    ================================================================================
    
    Chef::Exceptions::InvalidCookbookVersion
    ----------------------------------------
    '8' does not match 'x.y.z' or 'x.y'
    
    Cookbook Trace: (most recent call first)
    ----------------------------------------
    /var/chef/cache/cookbooks/selinux_policy/libraries/helpers.rb:73:in `semanage_options'
    /var/chef/cache/cookbooks/selinux_policy/resources/fcontext.rb:41:in `block (2 levels) in class_from_file'
    /var/chef/cache/cookbooks/selinux_policy/resources/fcontext.rb:40:in `block in class_from_file'
    /var/chef/cache/cookbooks/selinux_policy/resources/fcontext.rb:10:in `block in class_from_file'
    
    Resource Declaration:
    ---------------------
    # In /var/chef/cache/cookbooks/nginx_repo/recipes/deploy.rb
    
     97:     selinux_policy_fcontext "#{http_dir}(/.*)?" do
     98:       secontext 'httpd_sys_content_t'
     99:     end
    100: 
    
    Compiled Resource:
    ------------------
    # Declared in /var/chef/cache/cookbooks/nginx_repo/recipes/deploy.rb:97:in `block in from_file'
    
    selinux_policy_fcontext("/repo(/.*)?") do
      action [:addormodify]
      default_guard_interpreter :default
      declared_type :selinux_policy_fcontext
      cookbook_name "nginx_repo"
      recipe_name "deploy"
      secontext "httpd_sys_content_t"
      file_type "a"
    end
    
    System Info:
    ------------
    chef_version=17.9.42
    platform=centos
    platform_version=8
    ruby=ruby 3.0.3p157 (2021-11-24 revision 3fb7d2cadc) [x86_64-linux]
    program_name=/usr/bin/chef-client
    executable=/opt/chef/bin/chef-client
    
  * service[nginx] action reload (up to date)

Running handlers:
[2022-02-03T15:24:06-07:00] ERROR: Running exception handlers
Running handlers complete
[2022-02-03T15:24:06-07:00] ERROR: Exception handlers complete
Infra Phase failed. 18 resources updated in 01 minutes 16 seconds
[2022-02-03T15:24:06-07:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
[2022-02-03T15:24:06-07:00] FATAL: ---------------------------------------------------------------------------------------
[2022-02-03T15:24:06-07:00] FATAL: PLEASE PROVIDE THE CONTENTS OF THE stacktrace.out FILE (above) IF YOU FILE A BUG REPORT
[2022-02-03T15:24:06-07:00] FATAL: ---------------------------------------------------------------------------------------
[2022-02-03T15:24:06-07:00] FATAL: Chef::Exceptions::InvalidCookbookVersion: selinux_policy_fcontext[/repo(/.*)?] (nginx_repo::deploy line 97) had an error: Chef::Exceptions::InvalidCookbookVersion: '8' does not match 'x.y.z' or 'x.y'
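
The trace above shows a strict x.y / x.y.z version rule rejecting the bare `platform_version=8` reported on CentOS 8 Stream, so the fcontext is never applied. The following is an added Ruby example, not part of the original issue and not Chef's or the cookbook's code: `strict_parse`, `platform_at_least?` and `classify` are hypothetical names, and `strict_parse` is a stand-in that only reproduces the rule quoted in the error message.

```ruby
# Added example (assumption: not the cookbook's helper). It contrasts a strict
# x.y / x.y.z parser with a tolerant comparison for the platform versions
# named in this issue.
class InvalidVersion < ArgumentError; end

# Stand-in for a strict parser: accepts only 'x.y' or 'x.y.z'.
def strict_parse(str)
  case str.to_s
  when /\A(\d+)\.(\d+)\.(\d+)\z/ then [$1.to_i, $2.to_i, $3.to_i]
  when /\A(\d+)\.(\d+)\z/        then [$1.to_i, $2.to_i, 0]
  else raise InvalidVersion, "'#{str}' does not match 'x.y.z' or 'x.y'"
  end
end

# Tolerant comparison: Gem::Version (Ruby stdlib) accepts a bare major number
# and treats '8' and '8.0' as equal.
def platform_at_least?(platform_version, minimum)
  Gem::Version.new(platform_version.to_s) >= Gem::Version.new(minimum)
end

# Classify a node's platform_version so a version gate can be audited before
# it aborts a run that was supposed to apply SELinux contexts.
def classify(platform_version)
  strict_parse(platform_version)
  :strict_ok
rescue InvalidVersion
  if Gem::Version.correct?(platform_version.to_s)
    :needs_tolerant_compare
  else
    :unparseable
  end
end

# Constructed sample: the platform_version strings that appear in this issue.
SAMPLES = {
  'CentOS 8 Stream' => '8',
  'CentOS 8.5.2111' => '8.5.2111',
  'CentOS 8.0.1905' => '8.0.1905'
}.freeze

SAMPLES.each do |name, version|
  puts format('%-16s %-9s %-23s >= 8.0? %s',
              name, version, classify(version), platform_at_least?(version, '8.0'))
end
```
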

detjensrobert (Contributor) commented May 28, 2022

Have you tried the resources from the selinux cookbook? This cookbook's resources were moved to selinux in sous-chefs/selinux#79, and should have been deprecated here. The resources there should be drop-in replacements and have been updated and tested on CentOS Stream.
