[BUG] Error setting SELinux mode due to case sensitivity. #64318

Closed
PaulChristophel opened this issue May 22, 2023 · 2 comments
Labels
Bug broken, incorrect, or confusing behavior Execution-Module security issues and PRs for the Security Working Group


PaulChristophel commented May 22, 2023

Description
There is a bug in Salt's code where it returns SELinux mode values in capital letters ("Enforcing", "Permissive", and "Disabled") in two functions: _refine_mode in salt/states/selinux.py and another function in salt/modules/selinux.py. However, SELinux is case sensitive and expects these values in all lowercase ("enforcing", "permissive", "disabled"). This error may be elsewhere in the code; these are just some specific locations I found.

Setup
(Please provide relevant configs and/or SLS files (be sure to remove sensitive info). There is no general set-up of Salt.)

Please be as specific as possible and give set-up details.

  • on-prem machine
  • VM (Virtualbox, KVM, etc. please specify)
  • VM running on a cloud service, please be explicit and add details
  • container (Kubernetes, Docker, containerd, etc. please specify)
  • or a combination, please be explicit
  • jails if it is FreeBSD
  • classic packaging
  • onedir packaging
  • used bootstrap to install

Steps to Reproduce the behavior
When using the selinux state to try to set a system to any specific mode, the /etc/selinux/config file is set incorrectly.

For instance, SELINUX=Enforcing is incorrect:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=Enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Since SELinux is case sensitive, this causes an error during state runs.

----------
          ID: Set SELinux to Permissive
    Function: selinux.mode
        Name: permissive
      Result: False
     Comment: Failed to set SELinux to Permissive mode
     Started: 12:16:34.760104
    Duration: 2.745 ms
     Changes:   
----------

Expected behavior
The SELINUX variable should be all lowercase:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Screenshots
If applicable, add screenshots to help explain your problem.

Versions Report

salt --versions-report (Provided by running salt --versions-report. Please also mention any differences in master/minion versions.)
Salt Version:
          Salt: 3006.0
 
Python Version:
        Python: 3.10.11 (main, May  5 2023, 02:31:54) [GCC 11.2.0]
 
Dependency Versions:
          cffi: 1.14.6
      cherrypy: 18.6.1
      dateutil: 2.8.1
     docker-py: Not Installed
         gitdb: Not Installed
     gitpython: Not Installed
        Jinja2: 3.1.2
       libgit2: Not Installed
  looseversion: 1.1.2
      M2Crypto: Not Installed
          Mako: Not Installed
       msgpack: 1.0.5
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     packaging: 23.1
     pycparser: 2.21
      pycrypto: Not Installed
  pycryptodome: 3.17
        pygit2: Not Installed
  python-gnupg: 0.4.8
        PyYAML: 6.0
         PyZMQ: 25.0.2
        relenv: 0.12.3
         smmap: Not Installed
       timelib: 0.2.4
       Tornado: 4.5.3
           ZMQ: 4.3.4
 
System Versions:
          dist: rhel 8.7 Ootpa
        locale: utf-8
       machine: x86_64
       release: 4.18.0-425.13.1.el8_7.x86_64
        system: Linux
       version: Red Hat Enterprise Linux 8.7 Ootpa

(This system is running 3006.1 despite the report saying 3006.0)

Additional context

The bug is located in these two functions (and possibly more):

_refine_mode in salt/states/selinux.py:

def _refine_mode(mode):

Function in salt/modules/selinux.py:
def getenforce():
    """
    Return the mode selinux is running in

    CLI Example:

    .. code-block:: bash

        salt '*' selinux.getenforce
    """
    _selinux_fs_path = selinux_fs_path()
    if _selinux_fs_path is None:
        return "Disabled"
    try:
        enforce = os.path.join(_selinux_fs_path, "enforce")
        with salt.utils.files.fopen(enforce, "r") as _fp:
            if salt.utils.stringutils.to_unicode(_fp.readline()).strip() == "0":
                return "Permissive"
            else:
                return "Enforcing"
    except (OSError, AttributeError):
        return "Disabled"

The expected return values according to SELinux's case sensitivity requirements are "enforcing", "permissive", and "disabled", but the current return values are "Enforcing", "Permissive", and "Disabled".

@PaulChristophel PaulChristophel added Bug broken, incorrect, or confusing behavior needs-triage labels May 22, 2023
@OrangeDog OrangeDog added Execution-Module security issues and PRs for the Security Working Group labels May 22, 2023
@anilsil anilsil added this to the Sulfur v3006.2 milestone May 23, 2023
dmurphy18 (Contributor) commented May 30, 2023

The current https://docs.fedoraproject.org/en-US/quick-docs/getting-started-with-selinux/#getting-started-with-selinux-selinux-states-and-modes shows these with initial uppercase letters, and uppercase letters are returned when using getenforce on CentOS 9:

[root@Unknown dev]# getenforce 
Disabled
[root@Unknown dev]# cat /etc/redhat-release 
CentOS Stream release 9
[root@Unknown dev]#

However, if /etc/selinux/config is set to Permissive instead of permissive, we get a failure to boot due to SELinux target policy failures. This appears to be an issue of the tools (getenforce, setenforce) using leading uppercase and the settings in /etc/selinux/config using leading lowercase. We need to ensure that all writes to /etc/selinux/config utilize leading lowercase settings.

Note: with CentOS 9, I found that setting /etc/selinux/config SELINUX=Permissive showed no errors, but it is better to be correct than to rely on some current implementation that ignores the leading case of the word.
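
The requirement stated in the comment above, that every write to /etc/selinux/config uses the lowercase value, can be checked and enforced as in this added example. It is not Salt's code and not the change made in PR #64352; the function names and the sample text are assumptions made for illustration.

```python
import re

# Spellings that the comments in /etc/selinux/config document for SELINUX=
VALID_MODES = ("enforcing", "permissive", "disabled")
# An active SELINUX= line; comment lines and SELINUXTYPE= do not match
SELINUX_LINE = re.compile(r"^(\s*SELINUX\s*=\s*)(\S*)(.*)$")

# Constructed sample modelled on the incorrect file shown in the issue
SAMPLE = (
    "# SELINUX= can take one of these three values:\n"
    "SELINUX=Enforcing\n"
    "SELINUXTYPE=targeted\n"
)


def config_mode(mode):
    """Map any-case input such as 'Permissive' to the lowercase config value."""
    lowered = str(mode).strip().lower()
    if lowered not in VALID_MODES:
        raise ValueError(f"unknown SELinux mode: {mode!r}")
    return lowered


def audit_config(text):
    """List (line number, value) for SELINUX= values not in VALID_MODES."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = SELINUX_LINE.match(line)
        if match and match.group(2) not in VALID_MODES:
            findings.append((number, match.group(2)))
    return findings


def set_config_mode(text, mode):
    """Return text with SELINUX= set to the lowercase mode, rest untouched."""
    wanted = config_mode(mode)
    out, replaced = [], False
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        match = SELINUX_LINE.match(body)
        if match:
            line = match.group(1) + wanted + match.group(3) + line[len(body):]
            replaced = True
        out.append(line)
    if not replaced:  # no active SELINUX= line: append one
        if out and not out[-1].endswith("\n"):
            out[-1] += "\n"
        out.append(f"SELINUX={wanted}\n")
    return "".join(out)
```

Running audit_config over the file content before a reboot flags a capitalised value, and set_config_mode accepts the capitalised names that getenforce prints while only ever writing the lowercase form.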

dmurphy18 (Contributor) commented

Closing since PR #64352 is merged
