[BUG] selinux is not updating the fcontext when execute using salt-call

[tzarskigss]

Description
When testing the states using salt-call, there is an issue with update the file context using selinux if the file was modified.

Setup

the was found in the RHEL9 and CentOS Stream release 9
State files:

root/test-one.txt:
  file.managed:
    - source: salt://files/resolv_conf-2.j2
    - user: root
    - group: root
    - mode: 0644
    - backup: minion
    - template: jinja

    - selinux:
        seuser: system_u
        serole: object_r
        setype: net_conf_t
        serange: s0

Please be as specific as possible and give set-up details.

• on-prem machine
• VM (Virtualbox, KVM, etc. please specify)
• VM running on a cloud service, please be explicit and add details
• container (Kubernetes, Docker, containerd, etc. please specify)
• or a combination, please be explicit
• jails if it is FreeBSD
• classic packaging
• onedir packaging
• used bootstrap to install

Steps to Reproduce the behavior

• make a test file:
  touch /root/test-one.txt
  check the file properties

 ls -lZ /root/test-one.txt
-rw-r--r--. 1 root root unconfined_u:object_r:admin_home_t:s0 0 Jul 12 04:07 /root/test-one.txt

Run the state using salt-call

salt-call state.apply eric/demo-6
local:
----------
          ID: /root/test-one.txt
    Function: file.managed
      Result: True
     Comment: File /root/test-one.txt updated
     Started: 04:07:42.466425
    Duration: 4151.225 ms
     Changes:
              ----------
              diff:
                  ---
                  +++
                  @@ -0,0 +1,12 @@
                  +# THIS FILE IS MANAGED BY SALTSTACK
                  +# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
                  +
                  +
                  +
                  +
                  +
                  +domain vcloud.local
                  +search vcloud.local
                  +nameserver 192.168.110.1
                  +
                  +
              selinux:
                  ----------
                  New:
                      User: system_u Type: net_conf_t
                  Old:
                      User: unconfined_u Type: admin_home_t

Summary for local
------------
Succeeded: 1 (changed=1)
Failed:    0
------------
Total states run:     1
Total run time:   4.151 s

File was updated properly, now check the file
ls -lZ /root/test-one.txt
-rw-r--r--. 1 root root system_u:object_r:net_conf_t:s0 176 Jul 12 04:07 /root/test-one.txt

semanage fcontext -C -l
SELinux fcontext type Context

/root/test-one.txt all files system_u:object_r:net_conf_t:s0

Now update the file
echo "hello" >> /root/test-one.txt
Check the file again

semanage fcontext -C -l
SELinux fcontext                                   type               Context

/root/test-one.txt                                 all files          system_u:object_r:net_conf_t:s0

ls -lZ /root/test-one.txt
-rw-r--r--. 1 root root system_u:object_r:net_conf_t:s0 182 Jul 12 04:09 /root/test-one.txt

Now trying to update the file again and getting error

date
Wed Jul 12 04:09:44 AM EDT 2023
 salt-call state.apply eric/demo-6
[ERROR   ] Command 'semanage' failed with return code: 1
[ERROR   ] stderr: ValueError: File context for /root/test-one.txt already defined
[ERROR   ] retcode: 1
[ERROR   ] Unable to manage file: Problem setting fcontext: {'pid': 43053, 'retcode': 1, 'stdout': '', 'stderr': 'ValueError: File context for /root/test-one.txt already defined'}
local:
----------
          ID: /root/test-one.txt
    Function: file.managed
      Result: False
     Comment: Unable to manage file: Problem setting fcontext: {'pid': 43053, 'retcode': 1, 'stdout': '', 'stderr': 'ValueError: File context for /root/test-one.txt already defined'}
     Started: 04:09:58.580838
    Duration: 2049.276 ms
     Changes:

Summary for local
------------
Succeeded: 0
Failed:    1
------------
Total states run:     1
Total run time:   2.049 s

Checking the file

 ls -lZ /root/test-one.txt
-rw-r--r--. 1 root root unconfined_u:object_r:net_conf_t:s0 176 Jul 12 04:09 /root/test-one.txt

  semanage fcontext -C -l
SELinux fcontext                                   type               Context

/root/test-one.txt                                 all files          system_u:object_r:net_conf_t:s0

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots
If applicable, add screenshots to help explain your problem.

Versions Report
minion

Salt Version:
          Salt: 3005.1

Dependency Versions:
          cffi: 1.14.6
      cherrypy: 18.6.1
      dateutil: 2.8.1
     docker-py: Not Installed
         gitdb: Not Installed
     gitpython: Not Installed
        Jinja2: 3.1.0
       libgit2: Not Installed
      M2Crypto: Not Installed
          Mako: Not Installed
       msgpack: 1.0.2
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     pycparser: 2.21
      pycrypto: Not Installed
  pycryptodome: 3.9.8
        pygit2: Not Installed
        Python: 3.9.16 (main, Nov  1 2022, 00:00:00)
  python-gnupg: 0.4.8
        PyYAML: 5.4.1
         PyZMQ: 23.2.0
         smmap: Not Installed
       timelib: 0.2.4
       Tornado: 4.5.3
           ZMQ: 4.3.4

System Versions:
          dist: centos 9
        locale: utf-8
       machine: x86_64
       release: 5.14.0-319.el9.x86_64
        system: Linux
       version: CentOS Stream 9

SALT MASTER
Salt Version:
Salt: 3005.1

Dependency Versions:
cffi: 1.15.1
cherrypy: Not Installed
dateutil: Not Installed
docker-py: Not Installed
gitdb: Not Installed
gitpython: Not Installed
Jinja2: 3.1.2
libgit2: Not Installed
M2Crypto: Not Installed
Mako: Not Installed
msgpack: 0.5.6
msgpack-pure: Not Installed
mysql-python: Not Installed
pycparser: 2.21
pycrypto: 2.6.1
pycryptodome: 3.18.0
pygit2: Not Installed
Python: 3.7.5 (default, Mar 22 2023, 17:31:55)
python-gnupg: Not Installed
PyYAML: 5.4.1
PyZMQ: 19.0.2
smmap: Not Installed
timelib: Not Installed
Tornado: 4.5.3
ZMQ: 4.3.4

Salt Extensions:
SSEAPE: 8.12.0.7

System Versions:
dist: photon 3.0 Photon
locale: utf-8
machine: x86_64
release: 4.19.277-1.ph3
system: Linux
version: VMware Photon OS 3.0 Photon

Additional context
The problem does not exist when do the same steps and run the state file form salt-master like
salt centos9 state.apply eric/demo-6
Checked with other minion/ OS combination.
The salt master is 3005.1
RHEL 7 minion is 3005.1
RHEL 8 minion is 3005.1
RHEL 9 minion is 3006.1

The issue is present on both RHEL 8 and RHEL 9, both on 3005.1 and 3006.1.

[welcome]

Hi there! Welcome to the Salt Community! Thank you for making your first contribution. We have a lengthy process for issues and PRs. Someone from the Core Team will follow up as soon as possible. In the meantime, here’s some information that may help as you continue your Salt journey.
Please be sure to review our Code of Conduct. Also, check out some of our community resources including:

• Community Wiki
• Salt’s Contributor Guide
• Join our Community Slack
• IRC on LiberaChat
• Salt Project YouTube channel
• Salt Project Twitch channel

There are lots of ways to get involved in our community. Every month, there are around a dozen opportunities to meet with other contributors and the Salt Core team and collaborate in real time. The best way to keep track is by subscribing to the Salt Community Events Calendar.
If you have additional questions, email us at saltproject@vmware.com. We’re glad you’ve joined our community and look forward to doing awesome things with you!

[OrangeDog]

This seems to be caused by #63336.

[tzarskigss]

is there any way to check this, as the issue is not random like in #63336
In this case it looks that salt-call act differently than commands sends by salt master
so if you update file locally like " echo "hello" >> /root/test-one.txt" and run the salt centos9 state.apply eric/demo-6 the issue never happen

[dmurphy18]

@tzarskigss it would be good to see what the contents of files salt://files/resolv_conf-2.j2 and eric/demo-6 in order to ensure correct duplication of the error. If the files contain private information, please strip them down such that the issue is repeatable, otherwise I can guess at the contents but may not cover the exact conditions you are encountering.

[dmurphy18]

@tzarskigss Btw: prsuming you have a typo since the example at the start needs a leading '/' otherwise

[root@Unknown salt]# salt-call --local state.apply test_demo
[ERROR   ] Specified file root/test-one.txt is not an absolute path
local:
----------
          ID: root/test-one.txt
    Function: file.managed
      Result: False
     Comment: Specified file root/test-one.txt is not an absolute path
     Started: 09:54:35.124726
    Duration: 10.962 ms
     Changes:   

Summary for local
------------
Succeeded: 0
Failed:    1
------------
Total states run:     1
Total run time:  10.962 ms

Also presuming the example is eric/demo state, able to reproduce the issue with an empty salt://files/resolv_conf-2.j2

[OrangeDog]

I assume #64950 didn't fix it then?

[dmurphy18]

@OrangeDog no something else is going on, following the read crumbs in the debugger as we speak :)

[dmurphy18]

Problem is due to file's fcontext existing and the command generated by Salt is --add which results in a ValueError, the correct command to use is --modify

[root@Unknown david]# semanage fcontext --add --type net_conf_t --seuser system_u /root/test-one.txt
ValueError: File context for /root/test-one.txt already defined
[root@Unknown david]# semanage fcontext --modify --type net_conf_t --seuser system_u /root/test-one.txt
[root@Unknown david]# ls -lZ /root/test-one.txt
-rw-r--r--. 1 root root unconfined_u:object_r:admin_home_t:s0 0 Aug 16 11:48 /root/test-one.txt
[root@Unknown david]# 

[dmurphy18]

Closing since associated PR #65003 is merged