puppet-selinux

Puppet file resource applies old file-context

Open vinzent opened this issue 8 years ago • 5 comments

problem

If a user adds a file context with puppet-selinux (or just a plain exec calling semanage fcontext) and a file managed by Puppet is affected by this change, the managed file will get the old file context.

puppet code:

selinux::fcontext { '/tmp/testfile':
  pathname => '/tmp/testfile',
  context  => 'alsa_tmp_t',
} ->
file { '/tmp/testfile':
  content => 'test',
} ->
exec { '/bin/ls -lZ /tmp/testfile': }

result: the /tmp/testfile will not have the alsa_tmp_t type.

workaround

  • puppet apply: on the second run it will apply the correct file context
  • puppet agent daemon: a daemon restart is required

references

  • Upstream ticket PUP-2169
  • man 3 matchpathcon (from libselinux-devel or libselinux-dev package)
  • ruby-selinux https://github.com/rmillner/ruby-selinux

vinzent, Jan 22 '17 17:01

add selinux_ignore_defaults => true to the File resource

vchepkov, Mar 05 '17 17:03

@vchepkov but then Puppet will also never correct wrong SELinux labels on files.

vinzent, Mar 11 '17 11:03

You are managing the SELinux context with two resources, file and selinux::fcontext. You either use only one (my preference) or make them both match by adding seltype, selrange, seluser and selrole to the file resource.

vchepkov, Mar 11 '17 13:03

And I understand your concern: Puppet won't be enforcing the defined policy for this particular directory. But what about all objects inside the directory? Having Puppet enforce every single SELinux context each run would be very resource-consuming. If there is a concern that something will modify a context after it was set, I would be more concerned not about 'user' files, but about the context of system binaries and libraries. You can run fixfiles or restorecon from cron to ease your mind, but I don't think this is something Puppet can be responsible for, IMHO.

vchepkov, Mar 11 '17 13:03

Is there any sane solution to this? I've been struggling for two days with this exact problem. Puppet sees the context of default_t for my file resources, although the Selinux::Fcontext has been applied first. The new files are created with default_t (which is incorrect), but on the next run Puppet corrects the files.

I thought that it should work:

selinux::fcontext {'

Unfortunately, that's not what's happening. Only if one applies selinux::exec_restorecon does the context get applied properly.

bschonec, Mar 21 '24 19:03
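Putting vchepkov's advice (have the file resource state the same label as the selinux::fcontext rule, rather than silencing Puppet with selinux_ignore_defaults) and the restorecon fallback from the last comment into one manifest. This is an added example, not code from the issue or from the puppet-selinux module; it reuses the selinux::fcontext parameters shown in the issue and uses a plain exec for restorecon instead of the module's selinux::exec_restorecon, whose parameters are not shown on this page.

```puppet
# Added example: keep the fcontext rule and the file resource in agreement so
# a freshly created file does not pick up a stale label from the agent's
# cached default-context lookup (the behaviour reported in this issue).

# 1. Register the file-context rule, exactly as in the issue.
selinux::fcontext { '/tmp/testfile':
  pathname => '/tmp/testfile',
  context  => 'alsa_tmp_t',
}

# 2. Create the file and state the expected type explicitly. Because the
#    label is given, Puppet does not depend on its (possibly stale) default
#    lookup, and a wrong label on an existing file is still corrected on
#    every run. The weak alternative would be:
#      selinux_ignore_defaults => true
#    which avoids the stale-default problem but also stops Puppet from ever
#    fixing a mislabelled file (vinzent's objection above).
file { '/tmp/testfile':
  content => 'test',
  seltype => 'alsa_tmp_t',
  require => Selinux::Fcontext['/tmp/testfile'],
}

# 3. Fallback for the first run of a long-lived agent: relabel from the
#    policy once the file exists, but only when one of the two resources
#    above actually changed (refreshonly), so the exec is a no-op on a
#    steady-state run.
exec { 'restorecon /tmp/testfile':
  command     => '/sbin/restorecon -v /tmp/testfile',
  path        => ['/sbin', '/usr/sbin', '/bin', '/usr/bin'],
  refreshonly => true,
  subscribe   => [
    Selinux::Fcontext['/tmp/testfile'],
    File['/tmp/testfile'],
  ],
}
```

A subsequent `ls -lZ /tmp/testfile` on the same run should now report alsa_tmp_t, because the label comes from the explicit seltype rather than from the cached matchpathcon result.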