Seeing a bunch of "Failed to set SELinux context" warning

[wlrmurphy]

Affected Puppet, Ruby, OS and module versions/distributions

• Puppet: 8.6.0
• Ruby:
• Distribution: PE 2023.7.0
• Module version: 6.0.0

How to reproduce (e.g Puppet code you use)

What are you seeing

A bunch of warning similar to

Failed to set SELinux context system_u:object_r:icinga2_etc_t:s0 on /etc/icinga2/features-available/command.conf

What behaviour did you expect instead

To apply SELinux context properly

Output log

2024-09-0407:44 -05:00	warning	Failed to set SELinux context system_u:object_r:icinga2_etc_t:s0 on /etc/icinga2/features-available/command.confSource:Puppet
2024-09-0407:44 -05:00	notice	seltype changed 'etc_t' to 'icinga2_etc_t' (corrective)Source:/Stage[main]/Icinga2::Feature::Notification/Icinga2::Feature[notification]/File[/etc/icinga2/features-enabled/notification.conf]/seltypeFile:/etc/puppetlabs/code/environments/linux_test/modules/icinga2/manifests/feature.ppLine:22
2024-09-0407:44 -05:00	warning	Failed to set SELinux context unconfined_u:object_r:icinga2_etc_t:s0 on /etc/icinga2/features-enabled/notification.confSource:Puppet
2024-09-0407:44 -05:00	notice	seltype changed 'etc_t' to 'icinga2_etc_t' (corrective)Source:/Stage[main]/Icinga2::Feature::Notification/Icinga2::Object[icinga2::object::NotificationComponent::notification]/Concat[/etc/icinga2/features-available/notification.conf]/File[/etc/icinga2/features-available/notification.conf]/seltype
2024-09-0407:44 -05:00	warning	Failed to set SELinux context system_u:object_r:icinga2_etc_t:s0 on /etc/icinga2/features-available/notification.confSource:Puppet
2024-09-0407:44 -05:00	notice	seltype changed 'etc_t' to 'icinga2_etc_t' (corrective)Source:/Stage[main]/Icinga2::Feature::Mainlog/Icinga2::Feature[mainlog]/File[/etc/icinga2/features-enabled/mainlog.conf]/seltypeFile:/etc/puppetlabs/code/environments/linux_test/modules/icinga2/manifests/feature.ppLine:22

Any additional information you'd like to impart

[lbetz]

Hi, thx for reporting.
Which distribution is used, what does the selinux (facter os.seliux output) configuration look like?

[wlrmurphy]

oops... sorry, haven't had the morning coffe yet.

OS Distribution is RHEL 8

facter os.selinux
{
  config_mode => "enforcing",
  config_policy => "targeted",
  current_mode => "enforcing",
  enabled => true,
  enforced => true,
  policy_version => "33"
}

[lbetz]

I forgot, how icinga2::manage_selinux is set?

[wlrmurphy]

ooooh, I don't have that set at all

[lbetz]

Ok, the default ist false.
I was able to reproduce the warnings.

[lbetz]

If you have enforcing you have to set icinga2::manage_selinux = true.

[wlrmurphy]

Looking at the code, all that does is make sure icinga2-selinux package is installed, right? Which we install anyway.

[lbetz]

Yes, but if it is installed, the errors cannot occur.

[wlrmurphy]

Looking at our code, looks like its only getting installed on the agents on the not the server itself. I'll work on that and let you know. Thanks.

[lbetz]

Keep in mind, here we have a module for icinga2 only. The modules icingaweb2 and icingadb havn't selinux support. And Icinga doesn't deliver a selinux packages for icingadb.

[wlrmurphy]

Yeah, we're dead in the water no so I'll need to work on that