Jira (PUP-7559) puppet doesn't specify file type to get default selinux context

49 views
Skip to first unread message

Alfredo Moralejo (JIRA)

unread,
May 17, 2017, 1:03:15 PM5/17/17
to puppe...@googlegroups.com
Alfredo Moralejo created an issue
 
Puppet / Bug PUP-7559
puppet doesn't specify file type to get default selinux context
Issue Type: Bug Bug
Affects Versions: PUP 4.8.2
Assignee: Unassigned
Created: 2017/05/17 10:02 AM
Priority: Normal Normal
Reporter: Alfredo Moralejo

When creating a new file, puppet finds out the default selinux context with matchpathcon but it's not specifying the file type what can lead to use the incorrect context (selinux default context depends on file type) and breaks idempotency.

Reproducer:

[root@vmname ~]# cat test.pp
file

{ '/etc/systemd/system/redis.service.d': ensure => directory }
  1. puppet apply test.pp
    Notice: Compiled catalog for vmname.example.com in environment production in 0.15 seconds
    Notice: /Stage[main]/Main/File[/etc/systemd/system/redis.service.d]/ensure: created
    Notice: Applied catalog in 0.54 seconds
  2. ll -Zd /etc/systemd/system/redis.service.d
    drwxr-xr-x. root root system_u:object_r:redis_unit_file_t:s0 /etc/systemd/system/redis.service.d
  3. puppet apply test.pp
    Notice: Compiled catalog for vmname.example.com in environment production in 0.15 seconds
    Notice: /Stage[main]/Main/File[/etc/systemd/system/redis.service.d]/seltype: seltype changed 'redis_unit_file_t' to 'systemd_unit_file_t'
    Notice: Applied catalog in 0.51 seconds
    [root@vmname ~]# ll -Zd /etc/systemd/system/redis.service.d
    drwxr-xr-x. root root system_u:object_r:systemd_unit_file_t:s0 /etc/systemd/system/redis.service.d
    [root@vmname ~]#

Note that first run used wrong selinux type for the just created directory.
Add Comment Add Comment
 
This message was sent by Atlassian JIRA (v6.4.14#64029-sha1:ae256fe)
Atlassian logo

Alfredo Moralejo (JIRA)

unread,
May 17, 2017, 1:05:03 PM5/17/17
to puppe...@googlegroups.com
Alfredo Moralejo updated an issue
Change By: Alfredo Moralejo
When creating a new file, puppet finds out the default selinux context with matchpathcon but it's not specifying the file type what can lead to use the incorrect context (selinux default context depends on file type) and breaks idempotency.

Reproducer:
{code}
[root@vmname ~]# cat test.pp 
file {
    '/etc/systemd/system/redis.service.d':
       ensure => directory
}

# puppet apply test.pp 

Notice: Compiled catalog for vmname.example.com in environment production in 0.15 seconds
Notice: /Stage[main]/Main/File[/etc/systemd/system/redis.service.d]/ensure: created
Notice: Applied catalog in 0.54 seconds
# ll -Zd /etc/systemd/system/redis.service.d
drwxr-xr-x. root root system_u:object_r:redis_unit_file_t:s0 /etc/systemd/system/redis.service.d
# puppet apply test.pp 

Notice: Compiled catalog for vmname.example.com in environment production in 0.15 seconds
Notice: /Stage[main]/Main/File[/etc/systemd/system/redis.service.d]/seltype: seltype changed 'redis_unit_file_t' to 'systemd_unit_file_t'
Notice: Applied catalog in 0.51 seconds
[root@vmname ~]# ll -Zd /etc/systemd/system/redis.service.d
drwxr-xr-x. root root system_u:object_r:systemd_unit_file_t:s0 /etc/systemd/system/redis.service.d
[root@vmname ~]# 

{code}

Note that first run used wrong selinux type for the just created directory.

Scott Garman (JIRA)

unread,
May 17, 2017, 1:20:03 PM5/17/17
to puppe...@googlegroups.com
Scott Garman updated an issue
Change By: Scott Garman
Labels: triaged

Scott Garman (JIRA)

unread,
May 17, 2017, 1:20:03 PM5/17/17
to puppe...@googlegroups.com
Scott Garman updated an issue
Change By: Scott Garman
Team: Agent

Branan Riley (JIRA)

unread,
May 14, 2018, 3:19:04 PM5/14/18
to puppe...@googlegroups.com
Branan Riley updated an issue
Change By: Branan Riley
Labels: file selinux triaged type_and_provider
This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)
Atlassian logo

Branan Riley (JIRA)

unread,
May 14, 2018, 3:20:02 PM5/14/18
to puppe...@googlegroups.com
Branan Riley updated an issue
Change By: Branan Riley
Labels: file linux selinux triaged type_and_provider

SvenVD (Jira)

unread,
Jul 22, 2020, 4:29:09 PM7/22/20
to puppe...@googlegroups.com
SvenVD commented on Bug PUP-7559
 
Re: puppet doesn't specify file type to get default selinux context

Hi, We have exactly the same problem. Any ETA when this will be fixed?
This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935)
Atlassian logo

Alfredo Moralejo (Jira)

unread,
Jan 8, 2021, 10:10:03 AM1/8/21
to puppe...@googlegroups.com
Alfredo Moralejo updated an issue
 
Change By: Alfredo Moralejo
Affects Version/s: PUP 6.19.1

Alfredo Moralejo (Jira)

unread,
Jan 8, 2021, 10:12:03 AM1/8/21
to puppe...@googlegroups.com
Alfredo Moralejo commented on Bug PUP-7559
 
Re: puppet doesn't specify file type to get default selinux context

We are still hitting this issue and note that with the next version of selinux-policy that changes default selinux context for symlinks under /etc/httpd, idempotency will be broken for any new file created by puppet-httpd under /etc/httpd/conf.d so i guess it will affect users.

 

 

Alfredo Moralejo (Jira)

unread,
Jan 8, 2021, 10:13:03 AM1/8/21
to puppe...@googlegroups.com
Alfredo Moralejo updated an issue
Change By: Alfredo Moralejo
Priority: Normal High

Alfredo Moralejo (Jira)

unread,
Jan 11, 2021, 9:20:04 AM1/11/21
to puppe...@googlegroups.com
Alfredo Moralejo updated an issue
Change By: Alfredo Moralejo
Priority: High Major

Tobias Urdin (Jira)

unread,
Mar 11, 2021, 4:45:01 AM3/11/21
to puppe...@googlegroups.com
Tobias Urdin commented on Bug PUP-7559
 
Re: puppet doesn't specify file type to get default selinux context

Attempting to fix this in https://github.com/puppetlabs/puppet/pull/8537 as this occurs in CentOS Stream 8 for the httpd SELinux file context change for symlinks in /etc/httpd/.* as changed in https://github.com/fedora-selinux/selinux-policy-contrib/commit/43318bf3e6415ea323952529afd4d3b49a8a040e

Tobias Urdin (Jira)

unread,
Mar 11, 2021, 10:26:02 AM3/11/21
to puppe...@googlegroups.com
Tobias Urdin assigned an issue to Tobias Urdin
 
Change By: Tobias Urdin
Assignee: Tobias Urdin

Tobias Urdin (Jira)

unread,
Apr 5, 2021, 9:05:03 AM4/5/21
to puppe...@googlegroups.com
Tobias Urdin commented on Bug PUP-7559
 
Re: puppet doesn't specify file type to get default selinux context

Ping Josh Cooper - don't want to be a burden but this is pretty serious blocker.
This message was sent by Atlassian Jira (v8.13.2#813002-sha1:c495a97)
Atlassian logo

Tobias Urdin (Jira)

unread,
Apr 11, 2021, 8:59:01 AM4/11/21
to puppe...@googlegroups.com
Tobias Urdin updated an issue
 
Change By: Tobias Urdin
Affects Version/s: PUP 5.5.22
Affects Version/s: PUP 7.4.1
Affects Version/s: PUP 6.21.1

Josh Cooper (Jira)

unread,
Apr 15, 2021, 11:47:02 AM4/15/21
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Team: Night's Watch Coremunity

Josh Cooper (Jira)

unread,
Apr 15, 2021, 11:47:04 AM4/15/21
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Sprint: Platform Core KANBAN

Josh Cooper (Jira)

unread,
Apr 15, 2021, 11:47:04 AM4/15/21
to puppe...@googlegroups.com
Josh Cooper assigned an issue to Josh Cooper
Change By: Josh Cooper
Assignee: Tobias Urdin Josh Cooper

Gabriel Nagy (Jira)

unread,
Apr 22, 2021, 4:12:02 PM4/22/21
to puppe...@googlegroups.com

Josh Cooper (Jira)

unread,
Apr 22, 2021, 7:01:02 PM4/22/21
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Fix Version/s: PUP 7.7.0
Fix Version/s: PUP 6.23.0

Josh Cooper (Jira)

unread,
Apr 23, 2021, 2:19:01 PM4/23/21
to puppe...@googlegroups.com

Josh Cooper (Jira)

unread,
Apr 23, 2021, 2:21:04 PM4/23/21
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Release Notes: Bug Fix
Release Notes Summary: Puppet now creates files with the correct default SELinux context for that type of file. Previously, puppet could create the file with the wrong context, which would not be corrected until the next agent run.

Claire Cadman (Jira)

unread,
May 18, 2021, 10:07:02 AM5/18/21
to puppe...@googlegroups.com
Claire Cadman updated an issue
Change By: Claire Cadman
Labels: doc-reviewed file linux platform-os selinux type_and_provider
Reply all
Reply to author
Forward
0 new messages