| Puppet Version: 6.15.0
Puppet Server Version: not applicable, we don't use it in our environment (we use "git pull && puppet apply -e <classname>" on every node)
OS Name/Version: CentOS 7.8 In our company, we have custom SELinux policy shipped in rpm. When we deploy new instance, our puppet recipes installs SELinux policy rpm and then create various file resources. However those resources are created with wrong SELinux labels because puppet doesn't refresh selinux contexts on file resources after new package is installed. To get proper file contexts, we must run puppet twice (first run install SELinux policy and the second run fixes file contexts) In our environment, we use something like this:
package { 'gdc-selinux': |
ensure => latest; |
} |
-> file { '/etc/gdc/gcf': |
ensure => directory; |
} |
-> file { '/etc/gdc/gcf/gcfw.json': |
ensure => present; |
}
|
The first puppet run outputs following - pkg is installed and files created, however with wrong SELinux context:
Notice: /Stage[main]/Type::Type_fake/Package[gdc-selinux]/ensure: created |
Notice: /Stage[main]/Type::Type_fake/File[/etc/gdc/gcf]/ensure: created |
Notice: /Stage[main]/Type::Type_fake/File[/etc/gdc/gcf/gcfw.json]/ensure: created
|
The second puppet run fixes the issue:
Notice: /Stage[main]/Type::Type_fake/File[/etc/gdc/gcf]/seltype: seltype changed 'etc_t' to 'gdc_etc_t' |
Notice: /Stage[main]/Type::Type_fake/File[/etc/gdc/gcf/gcfw.json]/seltype: seltype changed 'etc_t' to 'gdc_gcfw_conf_t'
|
For your conveniency, this is also reproducer (although not with "package" resource but with custom "exec" but logic behind it is pretty similar - update SELinux policy and then deliver files)
exec { '/usr/sbin/semanage fcontext --add --type bin_t /tmp/barani': |
logoutput => true; |
} |
-> file { '/tmp/barani': |
ensure => present; |
}
|
# puppet apply |
... |
Notice: /Stage[main]/Type::Type_fake/Exec[/usr/sbin/semanage fcontext --add --type bin_t /tmp/barani]/returns: executed successfully |
Notice: /Stage[main]/Type::Type_fake/File[/tmp/barani]/ensure: created
|
# ls -Z /tmp/barani |
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 /tmp/barani
|
# second puppet apply |
... |
Notice: /Stage[main]/Type::Type_fake/File[/tmp/barani]/seltype: seltype changed 'user_tmp_t' to 'bin_t'
|
Desired Behavior:
Files are created with proper SELinux contexts during one puppet run, instead of two runs needed Actual Behavior:
Check original description for reproducer or feel free to contact me if you need more info. |
