Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Puppet file resource applies old file-context #188

Open
vinzent opened this issue Jan 22, 2017 · 5 comments
Open

Puppet file resource applies old file-context #188

vinzent opened this issue Jan 22, 2017 · 5 comments
Labels
needs-help Extra attention is needed

Comments

@vinzent
Copy link
Contributor

vinzent commented Jan 22, 2017

problem

If a user adds a filecontext with puppet-selinux (or just plain exec calling semanage fcontext) and a file is managed by puppet which is affected by this change the managed file will get the old file context.

puppet code:

selinux::fcontext { '/tmp/testfile':
  pathname => '/tmp/testfile',
  context => 'alsa_tmp_t',
} ->
file { '/tmp/testfile':
  content => 'test',
} -> 
exec { '/bin/ls -lZ /tmp/testfile': }

result: the /tmp/testfile will not have the alsa_tmp_t type.

workaround

  • puppet apply: the second run it will apply the correct file-context
  • puppet agent daemon: restart daemon is required

references
@vinzent vinzent added the needs-help Extra attention is needed label Jan 22, 2017
@vchepkov
Copy link
Contributor

vchepkov commented Mar 5, 2017
edited
Loading

add selinux_ignore_defaults => true to File resource

@vinzent
Copy link
Contributor Author

vinzent commented Mar 11, 2017

@vchepkov but then puppet will also never correct wrong selinux labels on files.

@vchepkov
Copy link
Contributor

vchepkov commented Mar 11, 2017
edited
Loading

You are managing selinux context by two resources, file and selinux::fcontext
You either use only one (my preference) or make them both to match, by adding seltype, selrange, seluser, selrole to file resource.

@vchepkov
Copy link
Contributor

And I understand your concern - puppet won't be enforcing defined policy for this particular directory.
But what about all objects inside the directory? Having puppet to enforce every single selinux context each run would be very resource consuming. If there is a concern that something will modify context after it was set, I would be more concerned not about 'user' files, but context of system binaries libraries. You can run fixfiles or restorecon from cron to ease your mind, but I don't think this is something Puppet can be responsible for, IMHO.

@bschonec
Copy link

Is there any sane solution to this? I've been struggling for two days with this exact problem. Puppet sees the context of default_t for my file resources the Selinux:Fcontext has been applied first. The new files are created with default_t (which is incorrect) but on the next run Puppet corrects the files.

I thought that it should work:

selinux::fcontext {'

Unfortunately, that's not what's happening. Only if one applies selinux::exec_restorecon does the context get applied properly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
needs-help Extra attention is needed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@vinzent @vchepkov @bschonec