Jira (PUP-2169) Not possible to manage SELinux file contexts via puppet in a sane way


Thomas Mueller (JIRA), Jan 22, 2017, 10:21:03 AM
to puppe...@googlegroups.com
Thomas Mueller commented on Bug PUP-2169
 
Re: Not possible to manage SELinux file contexts via puppet in a sane way

this is still an issue in Puppet 4.8.1

When running as a daemon, the daemon requires a restart before Puppet will apply the correct file context without it being explicitly defined.

This is for example a problem when using the puppetlabs-mysql module and having the log folder (or the data folder) in a non-default location. If you do it with Puppet by adding a semanage fcontext rule with mysqld_log_t before creating the folders, it will create them with the wrong types and mysql will fail. The next puppet agent run will happily reset a manually fixed file context. Puppet only starts to use the correct context after a daemon restart.

The same is true for file-contexts loaded by the selmodule type.

 
This message was sent by Atlassian JIRA (v6.4.14#64029-sha1:ae256fe)

Thomas Mueller (JIRA), Jan 22, 2017, 10:26:02 AM

This issue popped up in the new acceptance test for the puppet-selinux (voxpupuli) module in PR #177 https://github.com/voxpupuli/puppet-selinux/pull/177, where it needs two puppet apply runs to get a correct file context on the Puppet-managed file resource.

Thomas Mueller (JIRA), Jan 22, 2017, 10:27:02 AM

Thomas Mueller (JIRA), Jan 22, 2017, 10:35:02 AM

{noformat}
$ sudo /opt/puppetlabs/bin/puppet apply /tmp/file_selinux_fcontext_issue.pp
Notice: Compiled catalog for notebook.local in environment production in 0.11 seconds
Notice: /Stage[main]/Main/Exec[/usr/sbin/semanage fcontext --add --type alsa_tmp_t /tmp/testfile]/returns: executed successfully
Notice: /Stage[main]/Main/Exec[/bin/ls -lZ /tmp/testfile]/returns: -rw-r--r--. 1 root root unconfined_u:object_r:user_tmp_t:s0 12 22. Jan 16:10 /tmp/testfile
Notice: /Stage[main]/Main/Exec[/bin/ls -lZ /tmp/testfile]/returns: executed successfully
Notice: /Stage[main]/Main/Exec[/usr/sbin/matchpathcon /tmp/testfile]/returns: /tmp/testfile	system_u:object_r:alsa_tmp_t:s0
Notice: /Stage[main]/Main/Exec[/usr/sbin/matchpathcon /tmp/testfile]/returns: executed successfully
Notice: Applied catalog in 1.56 seconds
{noformat}
 
for manifest:

{code:title=file_selinux_fcontext_issue.pp|borderStyle=solid}
exec { '/usr/sbin/semanage fcontext --add --type alsa_tmp_t /tmp/testfile':
  logoutput => true,
}
-> file { '/tmp/testfile':
  content => 'test seltype',
}
-> exec { '/bin/ls -lZ /tmp/testfile':
  logoutput => true,
}
-> exec { '/usr/sbin/matchpathcon /tmp/testfile':
  logoutput => true,
}
{code}

 

Thomas Mueller (JIRA), Jan 22, 2017, 10:36:03 AM

Thomas Mueller (JIRA), Jan 22, 2017, 10:37:02 AM

verified the problem still exists with puppet 4.8.1 and 4.8.2.

Thomas Mueller (JIRA), Jan 22, 2017, 10:38:02 AM
Thomas Mueller updated an issue
Change By: Thomas Mueller
Environment:
CentOS 7 with Puppet 4.8.2 (puppet-agent 1.8.3)
Fedora 25 with Puppet 4.8.2 (puppet-agent 1.8.3)
CentOS 6.5 x86_64 with Puppet 3.4.3 from Puppetlabs repository
CentOS 6 with Puppet 3.8.7 from Puppetlabs repo

Thomas Mueller (JIRA), Jan 22, 2017, 11:42:02 AM

actually this is a Selinux.matchpathcon thing. It looks like the first time it is called, it initializes some things. A call to Selinux.matchpathcon_fini seems to free the cache.

and reading man 3 matchpathcon:

This family of functions is deprecated. For new code, please use selabel_open(3) with the SELABEL_CTX_FILE backend in place of matchpathcon_init(), use selabel_close(3) in place of matchpathcon_fini(), and use selabel_lookup(3) in place of matchpathcon().

Cedric Defortis (JIRA), May 16, 2017, 4:47:02 AM
Cedric Defortis updated an issue
 
Change By: Cedric Defortis
There's currently no sane way to manage SELinux file contexts using Puppet. The only way is to call 'semanage' via an 'exec' resource. But then the next issue comes up: Puppet seems to keep some file context rule cache, built once at startup. I wasn't able to find a way to invalidate this cache without restarting the whole Puppet agent. Even when calling 'restorecon' from Puppet, the next Puppet run will reset file contexts for 'file' resources found in the catalog because of the cached file context rules.

*How to reproduce:*
{code:title=setest.pp|borderStyle=solid}
file { '/srv/setest-before':
  ensure => directory,
}
-> exec { 'semanage':
  command => '/usr/sbin/semanage fcontext -a -t home_root_t /srv/setest[^/]*',
  creates => '/srv/setest-after',
}
-> file { '/srv/setest-after':
  ensure => directory,
}
{code}

{code}
# semanage fcontext -l | grep -c '^/srv/setest'
0
# puppet apply setest.pp
{code}


*Expected behavior:*
/srv/setest-before created with default file context
/srv/setest-after created according to new file context rule. 

*Seen behavior:*
Both directories are created with default file context.
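An added example (not from the ticket and not Puppet's own code) of the workaround that sidesteps the cached default for both reproductions above: give the file resource an explicit seltype, and make the semanage exec idempotent so the catalog converges in one run. The path /srv/mysql-logs, the type mysqld_log_t, the owner/group and the grep-based check are assumptions for illustration.

```puppet
# Added example (not from the ticket): pin the SELinux type on the resource
# instead of relying on Puppet's cached matchpathcon() default.
# Assumed for illustration: the path, the type mysqld_log_t, the owner/group.

$log_dir = '/srv/mysql-logs'

# Register the fcontext rule only once. `semanage fcontext -l` prints the
# loaded rules, so the exec is a no-op on later runs. The pipe needs the
# shell provider; the default posix exec provider does not use a shell.
exec { "fcontext ${log_dir}":
  command  => "/usr/sbin/semanage fcontext -a -t mysqld_log_t '${log_dir}(/.*)?'",
  unless   => "/usr/sbin/semanage fcontext -l | /bin/grep -qF '${log_dir}(/.*)?'",
  provider => shell,
}

# With seltype given explicitly, Puppet compares the on-disk label against
# mysqld_log_t rather than against the answer it cached at startup. The
# directory therefore gets the right type in the same run that added the
# rule, and a long-running agent cannot reset it on a later run.
-> file { $log_dir:
  ensure  => directory,
  owner   => 'mysql',
  group   => 'mysql',
  mode    => '0750',
  seltype => 'mysqld_log_t',
}
```

Only seltype is pinned here; seluser and selrole still come from the cached lookup, which is harmless because practically every file_contexts rule uses system_u:object_r. selinux_ignore_defaults => true is the other escape hatch, but then Puppet leaves the label alone entirely and a directory it creates keeps whatever the kernel assigned from the parent. Anything that already existed under the path before the rule was added keeps its old label until restorecon is run on it.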

Nicholas Fagerlund (JIRA), May 16, 2017, 1:58:02 PM

Nicholas Fagerlund (JIRA), May 16, 2017, 1:58:03 PM

Moses Mendoza (JIRA), May 18, 2017, 1:54:26 PM

Martin Ewings (JIRA), Sep 28, 2017, 8:22:02 AM

Martin Ewings (JIRA), Sep 28, 2017, 8:23:02 AM
Martin Ewings updated an issue
Change By: Martin Ewings
Environment:
CentOS 7 with Puppet 4.8.2 (puppet-agent 1.8.3)
Fedora 25 with Puppet 4.8.2 (puppet-agent 1.8.3)
CentOS 6.5 x86_64 with Puppet 3.4.3 from Puppetlabs repository
CentOS 6 with Puppet 3.8.7 from Puppetlabs repo
RHEL 7.3 with PE 2016.4.7

Martin Ewings (JIRA), Sep 28, 2017, 8:26:02 AM

Martin Ewings (JIRA), Sep 28, 2017, 11:58:02 AM
Martin Ewings updated an issue
Change By: Martin Ewings
CS Priority: Normal
CS Severity: 2 - Annoyance
CS Business Value: 1 - ?
CS Frequency: 1 - 1-5% of Customers

Martin Ewings (JIRA), Sep 28, 2017, 11:59:02 AM
Martin Ewings updated an issue

Customer notes that it is an annoyance if you have e.g. a Forge module and files on some non-default paths for which you need to add fcontext rules.
Forge modules normally don't explicitly set selcontext on file resources (or allow passing in the value to use). Either you fix up the module code locally or restart the agent daemon to complete the "automated" installation.

Setting selinux_ignore_defaults results in getting the SELinux fcontext from the parent directory, which is also not the correct behaviour.

Owen Rodabaugh (JIRA), Sep 28, 2017, 1:07:02 PM

Owen Rodabaugh (JIRA), Oct 3, 2017, 11:33:03 AM
Owen Rodabaugh updated an issue
Change By: Owen Rodabaugh
CS Priority: Needs Priority Reviewed

Alexander Fisher (JIRA), Oct 11, 2017, 7:24:03 AM
Alexander Fisher commented on Bug PUP-2169

Thomas Mueller Calling Selinux.matchpathcon_fini works as expected and doesn't seem to adversely affect performance.
PR opened.
https://github.com/puppetlabs/puppet/pull/6278

The functions might be deprecated, but a one-liner seemed a less risky option than rewriting the code to use them.
I'm also not convinced the selabel_lookup function is actually available in EL5, and Puppet Inc. still produce RPMs for that release.

Moses Mendoza (JIRA), Oct 19, 2017, 12:40:04 PM

Moses Mendoza (JIRA), Oct 19, 2017, 12:41:03 PM
Moses Mendoza updated an issue
 
Change By: Moses Mendoza
Fix Version/s: PUP 5.4.0
Fix Version/s: PUP 5.3.3

Moses Mendoza (JIRA), Oct 19, 2017, 12:41:04 PM

Moses Mendoza (JIRA), Oct 19, 2017, 12:42:03 PM

Moses Mendoza (JIRA), Oct 19, 2017, 1:57:03 PM

Moses Mendoza (JIRA), Oct 19, 2017, 2:07:03 PM
Moses Mendoza updated an issue
Change By: Moses Mendoza
Release Notes Summary: Previously, puppet was unable to effectively manage the SELinux file context without restarting the puppet service due to an infinitely cached default context for each file. Now puppet will clear this cache after obtaining it. This does come with a performance cost for managed files on an selinux-enabled host. If users discover that the performance cost is too great for their individual environment, setting selinux_ignore_defaults => true in the file resource or as a default for file resources will disable the behavior that incurs the performance cost - namely, whether puppet will try to manage SELinux labels automatically.

Moses Mendoza (JIRA), Oct 19, 2017, 7:10:04 PM

Eric Delaney (JIRA), Oct 20, 2017, 11:58:04 AM

Michael Smith (JIRA), Oct 25, 2017, 3:57:03 PM
Michael Smith commented on Bug PUP-2169

This seems to have introduced a serious performance regression in our test environments on Redhat 5 and 6 (but not 7).

Michael Smith (JIRA), Oct 25, 2017, 5:45:04 PM
Michael Smith commented on Bug PUP-2169

Due to the performance regression, we've decided to revert this change for now and not include it in the pending release. Fixes that resolve the issue on RedHat 5 and 6 would be very welcome.

Michael Smith (JIRA), Oct 25, 2017, 5:45:05 PM
Michael Smith updated an issue
 
Change By: Michael Smith
Fix Version/s: PUP 4.10.9
Fix Version/s: PUP 5.4.0
Fix Version/s: PUP 5.3.3

Maggie Dreyer (JIRA), Nov 21, 2017, 2:29:03 PM
Maggie Dreyer updated an issue
Change By: Maggie Dreyer
Sprint: Platform Core  KANBAN  Hopper

Josh Cooper (JIRA), Feb 12, 2018, 7:35:05 PM
Josh Cooper updated an issue
Change By: Josh Cooper
Team: Platform Core OS

Josh Cooper (JIRA), Feb 12, 2018, 7:35:06 PM
Josh Cooper updated an issue
Change By: Josh Cooper
Sprint: Platform Core Hopper OS Grooming/Triage

Branan Riley (JIRA), Apr 17, 2018, 5:55:05 PM
Branan Riley updated an issue
Change By: Branan Riley
Labels: linux selinux triaged

Geoff Nichols (JIRA), May 1, 2018, 5:49:05 PM

Geoff Nichols (JIRA), May 1, 2018, 5:49:05 PM
Geoff Nichols updated an issue
Change By: Geoff Nichols
Sprint: Platform OS Grooming/Triage

Adam Bottchen (JIRA), Dec 6, 2018, 7:47:03 PM
Adam Bottchen updated an issue
Change By: Adam Bottchen
CS Severity: 2 - Annoyance
CS Business Value: 1 - ?
CS Frequency: 1 - 1-5% of Customers

Mihai Buzgau (JIRA), Jun 20, 2019, 7:17:05 AM

Mihai Buzgau (JIRA), Jun 20, 2019, 7:17:05 AM

Sebastian Miclea (JIRA), Jun 26, 2019, 4:29:04 AM

Ciprian Badescu (JIRA), Jun 27, 2019, 9:05:05 AM

Ciprian Badescu (JIRA), Jun 27, 2019, 9:06:08 AM
Ciprian Badescu commented on Bug PUP-2169

I think the performance issue of the fix was caused by calling Selinux.matchpathcon_fini after each file resource change.

Instead we could call Selinux.matchpathcon_fini in transaction teardown by defining post_resource_eval on the posix file provider.

diff --git a/lib/puppet/provider/file/posix.rb b/lib/puppet/provider/file/posix.rb
index 3bbe769baf..1754a2cab2 100644
--- a/lib/puppet/provider/file/posix.rb
+++ b/lib/puppet/provider/file/posix.rb
@@ -1,3 +1,5 @@
+require 'puppet/util/selinux'
+
 Puppet::Type.type(:file).provide :posix do
   desc "Uses POSIX functionality to manage file ownership and permissions."@@ -133,4 +135,9 @@ Puppet::Type.type(:file).provide :posix do
       raise error
     end
   end
+
+  def self.post_resource_eval
+    Selinux.matchpathcon_fini if selinux_support?
+  end
+
 end
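Review bot: in the `post_resource_eval` hunk, `self.post_resource_eval` is a class-level method but its guard calls `selinux_support?` unqualified; that is an instance method of `Puppet::Util::SELinux`, and the patch only adds `require 'puppet/util/selinux'` at the top of the file without extending the module into the provider class, so unless the class already has it at class level the hook raises NoMethodError at transaction teardown and the cache is never flushed (silently, since teardown errors are easy to miss). Either qualify the guard or guard on the binding directly, e.g. `Selinux.matchpathcon_fini if defined?(Selinux) && Selinux.is_selinux_enabled == 1`. A short comment on the method is also worth adding: because `post_resource_eval` runs after all resources, the flush only helps the next catalog run in the same process (the daemon case), not the run that added the fcontext rule, and a spec asserting `matchpathcon_fini` is called once per transaction rather than once per file would pin the performance behaviour that motivated moving the call out of the per-resource path.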

I should prepare PR/test case for tomorrow.

Ciprian Badescu (JIRA), Jul 2, 2019, 9:43:03 AM

After manual tests I can confirm that the above solution (partially?) solves the problem: if a catalog run changes the SELinux file context, the changes will be applied to files/directories in the second catalog run.

Another solution would be to revive puppet-selinux_types so we execute `semanage fcontext` in a wrapper from where we can flush the SELinux file context right after the context change. Still, if not all dependencies are right, we may end up in the above case.

Ciprian Badescu (JIRA), Jul 4, 2019, 10:38:05 AM

After more digging I found that file properties including selinux context are prefetched at transaction start, hence selinux context flush during apply is not really used in the current transaction.

I suppose that the above fix should have the same result as the initial one, but without the performance hit.

Mihai Buzgau (JIRA), Jul 10, 2019, 4:11:08 AM
Mihai Buzgau updated an issue
Change By: Mihai Buzgau
Sprint: PR - 2019-07-10, PR - 2019-07-23

Alexandru Popa (JIRA), Aug 14, 2019, 4:10:05 AM
Alexandru Popa updated an issue
Change By: Alexandru Popa
Fix Version/s: PUP 6.y
Fix Version/s: PUP 6.8.0

Jean Bond (JIRA), Aug 20, 2019, 8:18:03 PM
Jean Bond updated an issue
Change By: Jean Bond
Labels: linux resolved-issue-added selinux

Ewoud Kohl van Wijngaarden (Jira), Mar 6, 2020, 5:16:03 AM
Ewoud Kohl van Wijngaarden commented on Bug PUP-2169

Since it's reverted, should this be opened again? This is really annoying and I'm starting to implement workarounds to get idempotency.


Ciprian Badescu (Jira), Mar 6, 2020, 5:33:03 AM

Ewoud Kohl van Wijngaarden (Jira), Mar 6, 2020, 5:43:04 AM

Let's say I have a package foo-selinux that contains file contexts for the foo package, then the following code will not be idempotent because the cache is not refreshed:

{code}
package { 'foo-selinux':
  ensure => installed,
}
-> file { '/etc/foo.conf':
  ensure  => file,
  content => "The file contexts for this are in foo-selinux, but those can't be used in the same transaction",
}
{code}

This can be seen with the Red Hat SCL packages (rh-redis5, rh-postgresql12) which are not in the base policy but also with our custom software (pulpcore-selinux, candlepin-selinux, foreman-selinux, katello-selinux). Our installer now has to pre-install those packages. It's made worse by the fact that puppetlabs-postgresql doesn't manage the file resource so on the first run it gets the incorrect file contexts and it's never corrected, not even on the second run.
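An added example (not from the ticket and not from the modules named above) for the policy-package case in the comment above, showing how to converge in a single run anyway: relabel from the freshly installed policy after the file resource, but only in the run that changed the package. The package and file names are those in the comment; the exec name, the file content and the restorecon location are assumptions for illustration.

```puppet
# Added example (not from the ticket): fcontext rules that arrive by package
# in the same catalog. Package and file names follow the comment above; the
# exec name, the content and the restorecon location are assumptions.

package { 'foo-selinux':
  ensure => installed,
}

# Puppet labels this file from a matchpathcon() answer cached before the
# package loaded its rules, so on this run it receives the old default type.
-> file { '/etc/foo.conf':
  ensure  => file,
  content => "# managed by puppet\n",
}

# Relabel from the installed policy, but only in the run that changed the
# package. Ordered after the file so it corrects the label Puppet just set;
# the next run starts a fresh process whose lookup agrees with the on-disk
# label, so it reports no change and --detailed-exitcodes returns 0.
-> exec { 'restorecon foo':
  command     => '/sbin/restorecon -v /etc/foo.conf',
  refreshonly => true,
  subscribe   => Package['foo-selinux'],
}
```

The same exec with -R on a data directory also covers files created by the service rather than by Puppet, which is the puppetlabs-postgresql case in the comment. This converges for puppet apply and for an agent that starts a fresh process per run; an agent daemon without the 6.8.0 cache flush keeps its stale rules and would set the label back on its next run while the exec, with the package unchanged, does not refresh.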

Ciprian Badescu (Jira), Mar 6, 2020, 6:14:04 AM

I understand you mean the revert from 2017.
In the meantime a partial fix to refresh selinux context while running puppet as a daemon was delivered, but this probably does not apply to your case.

Ewoud Kohl van Wijngaarden (Jira), Mar 7, 2020, 4:55:03 PM

Correct. I can still reproduce this on the latest Puppet 6 RPMs (6.13.0 at the time of writing) in my acceptance tests. Those are based on beaker so using puppet apply. On the first run it applies the resources, then on the second run it runs with detailed exit codes and checks if the error code is 0. It is 2 meaning changes are applied.

centos7-64.example.com 20:28:34$ puppet apply --verbose --detailed-exitcodes /tmp/apply_manifest.pp.VmGuLW
  Info: Loading facts
  Info: Loading facts
  Info: Loading facts
  Info: Loading facts
  Info: Loading facts
  Info: Loading facts
  Info: Loading facts
  Notice: Compiled catalog for centos7-64.example.com in environment production in 1.40 seconds
  Info: Applying configuration version '1583522917'
  Notice: /Stage[main]/Pulpcore::Install/Package[python3-pulpcore]/ensure: created
  Notice: /Stage[main]/Pulpcore::Install/Package[pulpcore-selinux]/ensure: created
  # ... LOTS OF OUTPUT HERE ...
  Notice: /Stage[main]/Pulpcore::Config/File[/var/lib/pulp/tmp]/ensure: created
  # ... LOTS OF OUTPUT HERE ...
  Notice: Applied catalog in 120.59 seconds
 
centos7-64.example.com executed in 126.52 seconds
Exited: 2
    applies with no errors
 
centos7-64.example.com 20:30:41$ mktemp -t apply_manifest.pp.XXXXXX
  /tmp/apply_manifest.pp.zhQ0Qm
 
centos7-64.example.com executed in 0.04 seconds
localhost $ scp /tmp/beaker20200306-535126-eof8hc centos7-64.example.com:/tmp/apply_manifest.pp.zhQ0Qm {:ignore => }
 
centos7-64.example.com 20:30:41$ puppet apply --verbose --detailed-exitcodes /tmp/apply_manifest.pp.zhQ0Qm
  Info: Loading facts
  Info: Loading facts
  Info: Loading facts
  Info: Loading facts
  Info: Loading facts
  Info: Loading facts
  Info: Loading facts
  Notice: Compiled catalog for centos7-64.example.com in environment production in 1.48 seconds
  Info: Applying configuration version '1583523044'
  Notice: /Stage[main]/Pulpcore::Config/File[/var/lib/pulp/tmp]/seltype: seltype changed 'var_lib_t' to 'pulpcore_var_lib_t'
  # ... LOTS MORE OUTPUT with refreshes ...

Ciprian Badescu (Jira), Mar 9, 2020, 2:39:03 PM

Ewoud Kohl van Wijngaarden, as your use case is a bit different, please create a new ticket and provide a manifest to reproduce the issue.
We will then plan the ticket and the work to find a solution
Thank you,
C

Nathan Ward (Jira), Jun 2, 2020, 12:56:03 AM
Nathan Ward commented on Bug PUP-2169

Ewoud Kohl van Wijngaarden did you create a new ticket for this? I am hitting this issue as well - though am on an older version so want to see if a newer version fixes it..

Adam Tkac (Jira), Jun 24, 2020, 1:39:03 PM
Adam Tkac commented on Bug PUP-2169

I created new ticket PUP-10548 to track the issue mentioned by Ewoud Kohl van Wijngaarden and Nathan Ward (SELinux policy RPM updated via Puppet and subsequent wrong file contexts).

Ewoud Kohl van Wijngaarden (Jira), Jun 24, 2020, 2:05:03 PM

Thanks Adam Tkac! That was on my TODO list for a long time and it perfectly describes what I see with a nice minimal reproducer.
