NR-78587 Newer versions of semodule tool do not display the SELinux modules version

[sairaj18]

Changes in this PR

• Populating the value of versions as empty string when semodule -l doesn't give versions for the modules in the output
• Added test to verify the above

[DavSanchez]

Hi! As we discussed with @josemore, it might be worth it to get the list of SELinux modules anyway on RHEL 8+, even if we couldn't retrieve the version numbers anymore, as the module list could still be valuable (i.e. it's better to have a SELinux module list with no versions than no list at all).

So, we can instead run the semodule -l command the same as before, but make the version numbers optional.

We can modify the regexp we use in internal/plugins/linux/selinux.go:160 to make the second capture group optional:

	// Output of `semodule -l` might not include the version number in modern versions of RHEL
	// and derivatives. So we make the second capture group optional. The capture that would
	// match the version numbers is either not present or produces an empty string instead.
	moduleRegex := regexp.MustCompile(`(\S+)(?:\s+(\S+))?`)

or like this

        // Capture "zero-or-more elements" of whitespaces and non-whitespaces for the optional version field
	moduleRegex := regexp.MustCompile(`(\S+)\s*(\S*)`)

We might want to guard ourselves against the capture groups not having the number of matches we expect, just to be extra sure. We can do this in parseSemoduleOutput with:

        const captureGroupsMinLen = 2
        // ...
	moduleMatches := moduleRegex.FindAllStringSubmatch(line, -1)
		if moduleMatches != nil {
			id := moduleMatches[0][1]

			// Guard against the second capture group not existing
			version := ""

			if len(moduleMatches[0]) > captureGroupsMinLen {
				version = moduleMatches[0][2]
			}

			result = append(result, SELinuxPolicyModule{id, version})
		}

We should have some tests to cover the new scenarios. Similar to the ones you already added @sairaj18 but this time they should not return errors but valid SELinuxPolicyModules with version == "".

As discussed, printing a log line if the version is not found for each module is not worth it, we might leave this without logs for now or, if we want the logs anyway in the future, we can attempt an additional iteration over result after appending all elements, check if any version number is "", and print a log warn/debug saying that version numbers couldn't be retrieved.

[sairaj18]

Hey @DavSanchez, I have made the changes that you have mentioned the above comment and pushed those changes.

[DavSanchez]

LGTM! 🚀