"checkloaded" exec always schedules build/install on RHEL7 / CentOS 7

[talisto]

I'm setting up a basic rule, e.g. giving Varnish the fowner capability. I've created a module with the following:

selinux::module { 'varnish_ownership':
    source   => 'puppet:///modules/varnish/selinux/varnish_ownership.te',
}

on the first run it installs it just fine:

Notice: /Stage[main]/varnish/Selinux::Module[varnish_ownership]/File[/usr/share/selinux/varnish_ownership.te]/ensure: defined content as '{md5}3f9c1e202f1630d82169b7c426577700'
Info: /Stage[main]/varnish/Selinux::Module[varnish_ownership]/File[/usr/share/selinux/varnish_ownership.te]: Scheduling refresh of Exec[varnish_ownership-buildmod]
Notice: /Stage[main]/varnish/Selinux::Module[varnish_ownership]/Exec[varnish_ownership-checkloaded]/returns: executed successfully
Info: /Stage[main]/varnish/Selinux::Module[varnish_ownership]/Exec[varnish_ownership-checkloaded]: Scheduling refresh of Exec[varnish_ownership-buildmod]
Notice: /Stage[main]/varnish/Selinux::Module[varnish_ownership]/Exec[varnish_ownership-buildmod]: Triggered 'refresh' from 2 events
Info: /Stage[main]/varnish/Selinux::Module[varnish_ownership]/Exec[varnish_ownership-buildmod]: Scheduling refresh of Exec[varnish_ownership-buildpp]
Notice: /Stage[main]/varnish/Selinux::Module[varnish_ownership]/Exec[varnish_ownership-buildpp]: Triggered 'refresh' from 1 events
Info: /Stage[main]/varnish/Selinux::Module[varnish_ownership]/Exec[varnish_ownership-buildpp]: Scheduling refresh of Exec[varnish_ownership-install]
Notice: /Stage[main]/varnish/Selinux::Module[varnish_ownership]/Exec[varnish_ownership-install]: Triggered 'refresh' from 1 events
Notice: /File[/usr/share/selinux/varnish_ownership.mod]/seluser: seluser changed 'unconfined_u' to 'system_u'
Notice: /File[/usr/share/selinux/varnish_ownership.pp]/seluser: seluser changed 'unconfined_u' to 'system_u'

...which is great, however on subsequent runs, it seems to be re-building and re-installing it even though the "checkloaded" exec returns successfully:

Notice: /Stage[main]/varnish/Selinux::Module[varnish_ownership]/Exec[varnish_ownership-checkloaded]/returns: executed successfully
Info: /Stage[main]/varnish/Selinux::Module[varnish_ownership]/Exec[varnish_ownership-checkloaded]: Scheduling refresh of Exec[varnish_ownership-buildmod]
Notice: /Stage[main]/varnish/Selinux::Module[varnish_ownership]/Exec[varnish_ownership-buildmod]: Triggered 'refresh' from 1 events
Info: /Stage[main]/varnish/Selinux::Module[varnish_ownership]/Exec[varnish_ownership-buildmod]: Scheduling refresh of Exec[varnish_ownership-buildpp]
Notice: /Stage[main]/varnish/Selinux::Module[varnish_ownership]/Exec[varnish_ownership-buildpp]: Triggered 'refresh' from 1 events
Info: /Stage[main]/varnish/Selinux::Module[varnish_ownership]/Exec[varnish_ownership-buildpp]: Scheduling refresh of Exec[varnish_ownership-install]
Notice: /Stage[main]/varnish/Selinux::Module[varnish_ownership]/Exec[varnish_ownership-install]: Triggered 'refresh' from 1 events

Is this the intended behaviour? Everything works in the end, so it's not a deal-breaker, but it slows down the puppet agent significantly.

This is running on a CentOS 7.0 VM with Puppet v3.6.2.

Thanks!

[talisto]

I've determined that this is probably an issue with Facter on RHEL7/CentOS7. The module class is using the fact ::selinux_config_policy in the path to check if the module exists or not, but in RHEL7/CentOS 7, that fact returns unknown:

[root@host ~]# facter selinux_config_policy
unknown

I see there's already a bug report in the Facter issues here: https://tickets.puppetlabs.com/browse/FACT-756

..so I'm assuming this may be an issue with Facter, not your module, but perhaps some workaround could be implemented? Maybe a way to override that variable as a parameter?

[talisto]

i fixed this on my own system by editing module.pp and changing the class definition to:

define selinux::module(
  $source,
  $ensure         = 'present',
  $use_makefile   = false,
  $makefile       = '/usr/share/selinux/devel/Makefile',
  $policy         = $::selinux_config_policy
) {

and changed the checkloaded exec to:

  exec { "${name}-checkloaded":
    refreshonly => false,
    creates     => "/etc/selinux/${policy}/modules/active/modules/${name}.pp",
    command     => 'true',
    notify      => Exec["${name}-buildmod"],
  }

and then changed my selinux rules to specify the policy:

selinux::module { 'varnish_ownership':
    source   => 'puppet:///modules/varnish/selinux/varnish_ownership.te',
    policy   => 'targeted'
}

[batman1007]

Actually the lib/facter code for us had several issues:

• Missing require 'facter'
• Confine ... selinux => true missing single quotes, i.e. selinux => 'true'
• Facter::Core::Execution.exec didn't work

So our facter selinux_custom_policy.rb now looks like this:
require 'facter'

Facter.add(:selinux_custom_policy) do
confine :kernel => 'Linux', :osfamily => 'RedHat', :operatingsystemmajrelease => '7', :selinux => 'true'
setcode {Facter::Util::Resolution.exec('sestatus | grep "Loaded policy name" | awk '{print $4}'') }
end

[belminf]

@batman1007 confirmed issue on my servers as well. Submitted PR #45.

[belminf]

Resubmitted after noticing I missed the confine issue + escaping for awk. PR #46

[batman1007]

As mentioned above, I think that we are seeing an issue with facter 'selinux' returning a string rather than a boolean, hence why we had to quote true in the facter code - it didn't confine correctly otherwise.

We're on facter version 1.7.5 and I notice this:
rodjek/puppet-lint#197

Thanks,
Dan.

[belminf]

@batman1007 agreed, that's why I added a quoted value in the confine.