Jira (FACT-2994) selinux fact is not properly detected by Facter 4


Vadym Chepkov (Jira)

Mar 23, 2021, 1:10:04 PM
to puppe...@googlegroups.com
Vadym Chepkov created an issue
 
Facter / Bug FACT-2994
selinux fact is not properly detected by Facter 4
Issue Type: Bug
Assignee: Unassigned
Components: Facter 4
Created: 2021/03/23 10:09 AM
Priority: Normal
Reporter: Vadym Chepkov

While evaluating facts difference using PE2019.8.5 / puppet 6.21.1 

# puppet facts diff
 
  "os.selinux.enabled": {
    "new_value": true,
    "old_value": false
  },
  "selinux": {
    "new_value": true,
    "old_value": false
  },

Similar bug was previously fixed in Facter 3

https://github.com/puppetlabs/facter/commit/125a79e4da408bb4d4a86ebb7dd71c0ca27e288f

But in my case selinux fs is not even mounted:

[root@infdevx-puppet202 ~]# grep -c selinuxfs /proc/self/mounts
0

 
This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935)

Nick Walker (Jira)

Mar 23, 2021, 1:31:02 PM
to puppe...@googlegroups.com
Nick Walker updated an issue
Change By: Nick Walker
Priority: Normal → Critical

Nick Walker (Jira)

Mar 23, 2021, 1:32:04 PM
to puppe...@googlegroups.com

Vadym Chepkov (Jira)

Mar 23, 2021, 1:47:03 PM
to puppe...@googlegroups.com
Vadym Chepkov commented on Bug FACT-2994
 
Re: selinux fact is not properly detected by Facter 4

There can be a bug in `puppet facts diff` itself.

puppet facts find --facterng reports correct values

 

Mihai Buzgau (Jira)

Mar 24, 2021, 6:01:03 AM
to puppe...@googlegroups.com
Mihai Buzgau commented on Bug FACT-2994

Couldn't reproduce this on RedHat 8 with 6.21.1.

Since `puppet facts find --facterng` reports the correct value, we assume that the issue is in `puppet facts diff`.

To confirm this, Vadym Chepkov, would it be possible to try out our latest nightly build that has the fixes for puppet facts diff? You can download it from here: http://nightlies.puppet.com/yum/puppet6-nightly/el/8/x86_64/puppet-agent-6.21.1.38.gfa642d3c3-1.el8.x86_64.rpm

 

Vadym Chepkov (Jira)

Mar 24, 2021, 6:39:04 AM
to puppe...@googlegroups.com

You should be able to reproduce the problem if you remove the selinux-policy package and reboot

Nightly build still shows the discrepancy

 

 

Vadym Chepkov (Jira)

Mar 24, 2021, 6:41:03 AM
to puppe...@googlegroups.com

btw, nightly build added three more differences to the list:

 

  "memorysize_mb": {
    "new_value": 3930.69,
    "old_value": 3930.69140625
  },
  "puppet_agent_pid": {
    "new_value": 2084,
    "old_value": 2002
  },
  "swapsize_mb": {
    "new_value": 2048,
    "old_value": 2047.99609375
  }

Mihai Buzgau (Jira)

Mar 24, 2021, 11:23:03 AM
to puppe...@googlegroups.com

Mihai Buzgau (Jira)

Mar 24, 2021, 11:28:03 AM
to puppe...@googlegroups.com
Mihai Buzgau commented on Bug FACT-2994

removed selinux-policy

 yum remove selinux-policy
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Dependencies resolved.
======================================================================================================
 Package                           Arch             Version                 Repository           Size
======================================================================================================
Removing:
 selinux-policy                    noarch           3.14.1-61.el8           @anaconda            24 k
Removing dependent packages:
 selinux-policy-targeted           noarch           3.14.1-61.el8           @anaconda            49 M
Removing unused dependencies:
 rpm-plugin-selinux                x86_64           4.14.2-9.el8            @anaconda            12 k

Transaction Summary
======================================================================================================
Remove  3 Packages

Freed space: 49 M
Is this ok [y/N]: y
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                              1/1
  Erasing          : selinux-policy-3.14.1-61.el8.noarch                                          1/3
  Running scriptlet: selinux-policy-3.14.1-61.el8.noarch                                          1/3
  Erasing          : rpm-plugin-selinux-4.14.2-9.el8.x86_64                                       2/3
  Erasing          : selinux-policy-targeted-3.14.1-61.el8.noarch                                 3/3
  Running scriptlet: selinux-policy-targeted-3.14.1-61.el8.noarch                                 3/3
  Verifying        : rpm-plugin-selinux-4.14.2-9.el8.x86_64                                       1/3
  Verifying        : selinux-policy-3.14.1-61.el8.noarch                                          2/3
  Verifying        : selinux-policy-targeted-3.14.1-61.el8.noarch                                 3/3
Installed products updated.

Removed:
  selinux-policy-3.14.1-61.el8.noarch            selinux-policy-targeted-3.14.1-61.el8.noarch
  rpm-plugin-selinux-4.14.2-9.el8.x86_64

Complete!

rebooted:

[root@tasteful-prep ~]# reboot 

I still don't get the diff in selinux facts:

[root@tasteful-prep ~]# puppet facts diff
{"hypervisors.vmware.version":{"new_value":"ESXi 6.7","old_value":""},"memorysize_mb":{"new_value":7813.84,"old_value":7813.8359375},"swapsize_mb":{"new_value":2048.0,"old_value":2047.99609375}} 

do you have any specific modules installed? 

Mihai Buzgau (Jira)

Mar 25, 2021, 4:24:04 AM
to puppe...@googlegroups.com

Mihai Buzgau (Jira)

Mar 25, 2021, 4:24:04 AM
to puppe...@googlegroups.com
Mihai Buzgau updated an issue
Change By: Mihai Buzgau
Sprint: NW - 2021-03-31

Mihai Buzgau (Jira)

Mar 25, 2021, 4:24:04 AM
to puppe...@googlegroups.com

Gabriel Nagy (Jira)

Mar 25, 2021, 8:04:06 AM
to puppe...@googlegroups.com
Gabriel Nagy commented on Bug FACT-2994
 
Re: selinux fact is not properly detected by Facter 4

Vadym Chepkov Indeed the selinux fact behaves differently on Facter 4 as it sets enabled = true as soon as it finds the mountpoint in /proc/self/mounts, without also checking for the config file. However, since you don't have selinux mounted at all, I'm not sure what would cause the fact to appear as true.

In any case, this might be fixed if we also check for the existence of the config file, like Facter 3 does.
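
The two detection rules described in the comment above, side by side, as an added example (not Facter's own code and not part of the original thread). It assumes the config file is /etc/selinux/config; the function names and the sample mount tables are constructed for illustration.

```ruby
# Added illustration; not Facter source code.
SELINUX_CONFIG = '/etc/selinux/config' # assumed location of "the config file"

# Constructed /proc/self/mounts samples.
MOUNTED = <<~MOUNTS
  sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
  selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
  /dev/sda1 / xfs rw,relatime 0 0
MOUNTS
NOT_MOUNTED = <<~MOUNTS
  sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
  /dev/sda1 / xfs rw,relatime 0 0
MOUNTS

# Mountpoint of the first selinuxfs entry, or nil. Matches on the
# filesystem-type column, not on a substring of the whole line.
def selinuxfs_mountpoint(mounts_text)
  mounts_text.each_line do |line|
    _device, mountpoint, fstype = line.split
    return mountpoint if fstype == 'selinuxfs'
  end
  nil
end

# Mount-only rule (the Facter 4 behaviour described in the comment above).
def enabled_mount_only?(mounts_text)
  !selinuxfs_mountpoint(mounts_text).nil?
end

# Mount plus config file (the Facter 3 behaviour described above).
def enabled_mount_and_config?(mounts_text, config_exists)
  enabled_mount_only?(mounts_text) && config_exists
end

# Evaluate both rules and flag hosts where they disagree.
def compare_rules(mounts_text, config_exists)
  a = enabled_mount_only?(mounts_text)
  b = enabled_mount_and_config?(mounts_text, config_exists)
  { mount_only: a, mount_and_config: b, mismatch: a != b }
end

if __FILE__ == $PROGRAM_NAME
  p compare_rules(MOUNTED, false)      # constructed: fs mounted, no config
  p compare_rules(NOT_MOUNTED, false)  # constructed: selinuxfs absent
  if File.readable?('/proc/self/mounts')
    p compare_rules(File.read('/proc/self/mounts'), File.exist?(SELINUX_CONFIG))
  end
end
```

A host where `mismatch` is true is one where the two rules would report different values for the selinux fact, which matters for any policy or compliance check keyed on that fact.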

Vadym Chepkov (Jira)

Mar 25, 2021, 12:20:04 PM
to puppe...@googlegroups.com

I am still curious why you can't reproduce it

In the kickstart we use to build the image we have this packages section:

%packages
@^minimal-environment
dhcp-client
net-tools
network-scripts
tar
-NetworkManager*
-biosdevname
-dnf-plugin-spacewalk
-dracut-config-rescue
-firewalld
-iwl*firmware
-kexec-tools
-microcode_ctl
-plymouth
-policycoreutils
-selinux-policy-targeted
%end

I just checked it on CentOS 8 and it works the same way

[root@centos8 ~]# puppet facts show |grep selinux
    "selinux": false,
[root@centos8 ~]# puppet facts show --facterng |grep selinux
    "selinux": true,

If you add selinux=0 to the kernel's cmdline, then selinuxfs won't be mounted at all

In this case both facter 3 and facter 4 report value properly

Gabriel Nagy (Jira)

Mar 25, 2021, 12:28:02 PM
to puppe...@googlegroups.com
Gabriel Nagy commented on Bug FACT-2994

From your previous comments I understood that selinuxfs wasn't mounted and Facter 4 still reported enabled=true

I have a PR open to fix the discrepancy between Facter 3 and 4: https://github.com/puppetlabs/facter/pull/2328

Once we have a nightly build out with this I'll let you know

Mihai Buzgau (Jira)

Mar 26, 2021, 2:49:03 AM
to puppe...@googlegroups.com
Mihai Buzgau assigned an issue to Gabriel Nagy
 
Change By: Mihai Buzgau
Assignee: Mihai Buzgau → Gabriel Nagy

Josh Cooper (Jira)

Mar 30, 2021, 12:04:08 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Fix Version/s: FACT 4.0.53

Claire Cadman (Jira)

Apr 13, 2021, 9:23:04 AM
to puppe...@googlegroups.com
Claire Cadman updated an issue
Change By: Claire Cadman
Labels: doc_reviewed
This message was sent by Atlassian Jira (v8.13.2#813002-sha1:c495a97)