Puppet Version: 7.17.0
Puppet Server Version: 7.17.0
OS Name/Version: CentOS 7 and CentOS 9 at least.

When the file type encounters an SELinux context with an MLS component (note the extra, unusual c110,c289 below):

ls -lZ /etc/httpd/conf/http.conf
-rw-r--r--. 1 root root system_u:object_r:httpd_config_t:s0:c110,c289 6 Jul 11 16:12 /etc/httpd/conf/http.conf

the selrange is incorrectly parsed as 's0:c110,c289' and not 's0' as it should be. The result is that this is considered a mismatch with the desired configuration, and Puppet attempts to set the selrange to s0, which it does. However, the misparse remains, so Puppet will forever try to change the selrange from 's0:c110,c289' to 's0'.

Steps to reproduce:

Install CentOS 7 or 9 (8 is probably fine as well, just not tested).

dnf install -y podman httpd

The context of /etc/httpd/conf/httpd.conf is now a perfectly normal:
ls -lZ /etc/httpd/conf/httpd.conf
-rw-r--r--. 1 root root system_u:object_r:httpd_config_t:s0 12005 Jun 16 18:44 /etc/httpd/conf/httpd.conf

and Puppet parses this perfectly as:

# puppet resource file /etc/httpd/conf/httpd.conf
file { '/etc/httpd/conf/httpd.conf':
  ensure   => 'file',
  content  => '{sha256}55b3dd635b5a56ebee1fe890d7372ec25c215cef0c0f3dd8f2bc5ae6e323da12',
  ctime    => '2022-07-11 15:37:15 +0200',
  group    => 0,
  mode     => '0644',
  mtime    => '2022-06-16 18:44:10 +0200',
  owner    => 0,
  provider => 'posix',
  selrange => 's0',
  selrole  => 'object_r',
  seltype  => 'httpd_config_t',
  seluser  => 'system_u',
  type     => 'file',
}
Now introduce MLS into the equation:

podman run -it -v /etc/httpd:/etc/httpd:Z fedora /bin/bash

and now, outside the container:

ls -lZ /etc/httpd/conf/http.conf
-rw-r--r--. 1 root root system_u:object_r:httpd_config_t:s0:c110,c289 6 Jul 11 16:12 /etc/httpd/conf/http.conf
Note that the c110,c289 has quite correctly appeared. However, the resource parse of this is:

file { '/etc/httpd/conf/http.conf':
  ensure   => 'file',
  content  => '{sha256}c3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2',
  provider => 'posix',
  selrange => 's0:c110,c289',
  selrole  => 'object_r',
  seltype  => 'httpd_config_t',
  seluser  => 'system_u',
}
The selrange is wrong; it should still be 's0'. This is a mismatch compared to:

# matchpathcon /etc/httpd/conf/http.conf
/etc/httpd/conf/http.conf system_u:object_r:httpd_config_t:s0
and so Puppet pointlessly tries to set the selrange back to s0, which it does, but this then becomes a loop:

# puppet resource file /etc/httpd/conf/http.conf 'content=foobar'
Notice: /File[/etc/httpd/conf/http.conf]/selrange: selrange changed 's0:c110,c289' to 's0'
file { '/etc/httpd/conf/http.conf':
  ensure   => 'file',
  content  => '{sha256}c3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2',
  provider => 'posix',
  selrange => 's0:c110,c289',
  selrole  => 'object_r',
  seltype  => 'httpd_config_t',
  seluser  => 'system_u',
}
Desired Behavior: selrange, selrole and seltype should be parsed correctly when an MLS component is present in the file context.

Actual Behavior: Puppet tries to set the wrongly parsed state of the system forever.

More information: MLS: https://www.redhat.com/en/blog/how-selinux-separates-containers-using-multi-level-security

Basically, this regex needs to be a little smarter: https://github.com/puppetlabs/puppet/blob/main/lib/puppet/util/selinux.rb#L79 so that it parses the first token as s0 and not s0:c110,c289.
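To make the parsing problem concrete, here is an added stand-alone Ruby illustration (it is not Puppet's code and does not reproduce the regex in selinux.rb). It splits a full context into its four fields so that the range keeps its colons and commas, then strips the MCS category list from each level of the range to obtain the sensitivity ('s0'), which is what the report wants compared against the matchpathcon default. The function names, the compare modes and the sample contexts (copied from the listings above) are this example's own assumptions.

```ruby
# Added example, not Puppet's code: parsing SELinux file contexts that carry
# an MLS/MCS range, and comparing them against the default context.

# A full SELinux context has four colon-separated fields:
#   user:role:type:range
# The range itself may contain further colons and commas
# (sensitivity:categories, e.g. "s0:c110,c289"), so only the first three
# colons separate fields; everything after the third colon is the range.
def parse_selinux_context(context)
  return nil if context.nil? || context == 'unlabeled'
  user, role, type, range = context.split(':', 4)
  raise ArgumentError, "invalid context: #{context}" if type.nil? || type.empty?
  { seluser: user, selrole: role, seltype: type, selrange: range }
end

# Strip the category list from each level of a range, keeping only the
# sensitivity. A range is "low" or "low-high"; each level is
# "sensitivity[:categories]". Category ranges use '.', not '-', so splitting
# the range on '-' is safe.
#   "s0:c110,c289"       -> "s0"
#   "s0:c1-s15:c0.c1023" -> "s0-s15"
def sensitivity_level(range)
  return nil if range.nil?
  range.split('-').map { |level| level.split(':', 2).first }.join('-')
end

# Decide whether a file's current range is in sync with the default range.
# :full  compares the whole range string (the behaviour the report describes,
#        which flags an MCS-labelled file as changed on every run).
# :level compares only the sensitivity (the "smarter" parse the report asks for).
def range_in_sync?(current_range, default_range, compare: :level)
  case compare
  when :full  then current_range == default_range
  when :level then sensitivity_level(current_range) == sensitivity_level(default_range)
  else raise ArgumentError, "unknown compare mode #{compare}"
  end
end

# Constructed sample values, taken from the ls -lZ and matchpathcon output above.
CURRENT_CONTEXT = 'system_u:object_r:httpd_config_t:s0:c110,c289'
DEFAULT_CONTEXT = 'system_u:object_r:httpd_config_t:s0'

if __FILE__ == $PROGRAM_NAME
  cur = parse_selinux_context(CURRENT_CONTEXT)
  dfl = parse_selinux_context(DEFAULT_CONTEXT)
  puts "parsed selrange: #{cur[:selrange]} (sensitivity #{sensitivity_level(cur[:selrange])})"
  puts "full-range compare in sync?  #{range_in_sync?(cur[:selrange], dfl[:selrange], compare: :full)}"
  puts "sensitivity compare in sync? #{range_in_sync?(cur[:selrange], dfl[:selrange], compare: :level)}"
end
```

Run it with `ruby selinux_range_example.rb`: the :full comparison reports the container-labelled file as out of sync (the loop described above), while the :level comparison treats 's0:c110,c289' and 's0' as the same sensitivity and leaves the podman-assigned categories alone.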