Security role fails if SELinux is disabled

Bug #1649617 reported by Major Hayden
This bug affects 1 person
Affects: OpenStack-Ansible
Status: Fix Released
Importance: Low
Assigned to: Major Hayden

Bug Description

The RHEL 7 STIG playbook fails here if SELinux is completely disabled:

TASK [openstack-ansible-security : Check for unlabeled device files] ***********
fatal: [localhost]: FAILED! => {"changed": false, "cmd": ["find", "/dev", "-context", "*unlabeled_t*"], "delta": "0:00:00.004697", "end": "2016-12-13 15:35:04.512022", "failed": true, "rc": 1, "start": "2016-12-13 15:35:04.507325", "stderr": "find: invalid predicate -context: SELinux is not enabled.", "stdout": "", "stdout_lines": [], "warnings": []}

This should not be a failure.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible-security (master)

Fix proposed to branch: master
Review: https://review.openstack.org/410294

Changed in openstack-ansible:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible-security (master)

Reviewed: https://review.openstack.org/410294
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-security/commit/?id=3e908d3d7bb6a764d6075736912da767fa7f724e
Submitter: Jenkins
Branch: master

commit 3e908d3d7bb6a764d6075736912da767fa7f724e
Author: Major Hayden <email address hidden>
Date: Tue Dec 13 12:15:43 2016 -0600

    Handle SELinux properly when it is disabled

    This patch skips the `find` task that searches for unlabeled content on
    systems with SELinux disabled. This fails because labels aren't loaded at that
    time.

    The patch also fixed an idempotent test failure that comes from the `selinux`
    Ansible module repeatedly trying to get SELinux into enforcing mode when it
    is disabled.

    Closes-bug: 1649617
    Change-Id: I7d30a07bd7e8a4461846660c281b9e53b0783461
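
The guard described in this commit message, sketched in shell as an added example (not the role's Ansible task and not code from the openstack-ansible-security project). The function names, the return codes and the `SELINUXFS` override are assumptions of this example; the real selinuxfs mount point is `/sys/fs/selinux`, and its `enforce` file is absent when SELinux is disabled.

```shell
#!/bin/sh
# Added example: run the unlabeled-device scan only when SELinux is active.
# SELINUXFS is overridable (assumption of this example) so the state logic
# can be exercised on a host without SELinux.
SELINUXFS="${SELINUXFS:-/sys/fs/selinux}"

# Print "disabled", "permissive" or "enforcing".
# selinuxfs is only mounted when SELinux is enabled, so a missing
# enforce file means no policy and no labels are loaded.
selinux_state() {
    if [ ! -r "$SELINUXFS/enforce" ]; then
        echo disabled
        return 0
    fi
    case "$(cat "$SELINUXFS/enforce")" in
        1) echo enforcing ;;
        *) echo permissive ;;
    esac
}

# Scan a directory (default /dev) for unlabeled_t contexts.
# Return codes: 0 = pass or skipped, 1 = unlabeled files found, 2 = scan error.
check_unlabeled_devices() {
    dir="${1:-/dev}"
    if [ "$(selinux_state)" = disabled ]; then
        # GNU find rejects -context here ("SELinux is not enabled"),
        # so report a skip instead of letting the scan fail.
        echo "SKIPPED: SELinux disabled, no labels to inspect under $dir"
        return 0
    fi
    if ! found="$(find "$dir" -context '*unlabeled_t*' 2>&1)"; then
        echo "ERROR: $found"
        return 2
    fi
    if [ -n "$found" ]; then
        echo "FINDING: unlabeled device files:"
        echo "$found"
        return 1
    fi
    echo "PASS: no unlabeled device files under $dir"
}
```

Call `check_unlabeled_devices /dev` from an audit script; the `SKIPPED` line keeps a host with SELinux disabled distinguishable from one that passed the scan.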

Changed in openstack-ansible:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-security 15.0.0.0b3

This issue was fixed in the openstack/openstack-ansible-security 15.0.0.0b3 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible-security (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/430707

OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible-security (stable/newton)

Reviewed: https://review.openstack.org/430707
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-security/commit/?id=f33e72f8780ec4e8cb0ae9287962d8434d1510b3
Submitter: Jenkins
Branch: stable/newton

commit f33e72f8780ec4e8cb0ae9287962d8434d1510b3
Author: Christian Berendt <email address hidden>
Date: Wed Feb 8 11:23:07 2017 +0100

    Handle SELinux properly when it is disabled

    This patch skips the `find` task that searches for unlabeled content on
    systems with SELinux disabled. This fails because labels aren't loaded at that
    time.

    Manual partial backport from I7d30a07bd7e8a4461846660c281b9e53b0783461.

    Change-Id: I85d02d6a20c98f1a3d507d9957b9f4d9438412a9
    Closes-bug: 1649617

tags: added: in-stable-newton
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-security 14.1.0

This issue was fixed in the openstack/openstack-ansible-security 14.1.0 release.
