New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

sh: semanage: command not found #85

Closed
erinn opened this Issue Jul 26, 2018 · 7 comments

Comments

Projects
None yet
5 participants
@erinn
Copy link

erinn commented Jul 26, 2018

Cookbook version

latest

Chef-client version

14.2

Platform Details

RHEL 7.5

Scenario:

Chef client 14.2 changed the way execute works, from the release notes:

default_env Property in Execute Resource

The shell_out helper has been extended with a new option default_env to allow disabling Chef from modifying PATH and LOCALE environmental variables as it shells out. This new option defaults to true (modify the environment), preserving the previous behavior of the helper.

The execute resource has also been updated with a new property default_env that allows utilizing this the ENV sanity functionality in shell_out. The new property defaults to false, but it can be set to true in order to ensure a sane PATH and LOCALE when shelling out. If you find that binaries cannot be found when using the execute resource, default_env set to true may resolve those issues.

Steps to Reproduce:

Use chef-client 14.2, run from cron (we use sudo seems to inherit env and run just fine that way).

Expected Result:

Chef client to run cleanly

Actual Result:

  Mixlib::ShellOut::ShellCommandFailed
  ------------------------------------
  Expected process to exit with [0], but received '127'
  ---- Begin output of semanage fcontext -a -f a -t etc_t '/etc/nagios/nrpe.

cfg' ----
STDOUT:
STDERR: sh: semanage: command not found
---- End output of semanage fcontext -a -f a -t etc_t '/etc/nagios/nrpe.cf
g' ----
Ran semanage fcontext -a -f a -t etc_t '/etc/nagios/nrpe.cfg' returned 127

  Cookbook Trace:
  ---------------
  /var/chef/cache/cookbooks/selinux_policy/providers/fcontext.rb:92:in `block in class_from_file'
@tnguyen14

This comment has been minimized.

Copy link

tnguyen14 commented Jul 26, 2018

I am seeing a similar issue with semodule

selinux_policy_module[my_module] (my_cookbook::my_recipe line 49) had an error: Errno::ENOENT: execute[semodule-install-my_module] (/var/chef/cache/cookbooks/selinux_policy/providers/module.rb line 58) had an error: Errno::ENOENT: No such file or directory - semodule

This is happening on a RHEL 7.5 box, only during chef-client cron job run.

The problem is due to PATH for cron job defaults to PATH=/usr/bin:bin, while semodule lives at /sbin/semodule.

If I modify the chef_client environment_variables attribute to include /sbin in PATH, it seems to work fine.

@jqassar

This comment has been minimized.

Copy link

jqassar commented Sep 6, 2018

Also occurs with items in /usr/sbin (getsebool, setsebool).

@damacus

This comment has been minimized.

Copy link
Member

damacus commented Sep 7, 2018

Yep. This cookbook is currently pretty hard to integration test on Travis due to how it works.

If anyone has a time we'd love some help in getting this tested on even one platform automatically. Until then we can't easily fix bugs or improve the cookbook

@jqassar

This comment has been minimized.

Copy link

jqassar commented Sep 7, 2018

What is the issue with CI?
Downgrading to 2.0.0 (where the execute commands are absolute paths, except for the semanage ones) works fine (except for the semanage calls) on Chef 14. If the *sbin* paths to SELinux utilities are the same across all SELinux distros, making them all absolute would be good enough for now. If they're not, then a helper to determine the paths and a setting of the environment variable in the execute resources would probably do the same?

@damacus

This comment has been minimized.

Copy link
Member

damacus commented Nov 21, 2018

Feel free to revert to full paths if they're all the same on every platform.

Id just like to know we're not breaking more than we're fixing which isn't the case with the latest release

@sspans

This comment has been minimized.

Copy link
Contributor

sspans commented Nov 27, 2018

The pull breaks more than it fixes. The best place to fix this would be the chef-client configuration.
Not sure the cookbook can do much besides giving a better error message.

@sspans sspans referenced this issue Nov 28, 2018

Merged

use chef/mixin/which to locate selinux binaries #97

3 of 3 tasks complete
@damacus

This comment has been minimized.

Copy link
Member

damacus commented Nov 29, 2018

Closing with #97

@damacus damacus closed this Nov 29, 2018

@sous-chefs sous-chefs locked as resolved and limited conversation to collaborators Nov 29, 2018

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.