Puppet Version: 7.16.0
Puppet Server Version:
OS Name/Version: Rocky Linux 8.6

Puppet believes that ZFS does not support SELinux labels, so ZFS mountpoints are not automatically relabeled. That has not been true since OpenZFS 0.6.3 (Commit). As a result, on an SELinux-enforcing system you currently have to do something like the following to avoid breaking anything that lives inside a ZFS mount. Just declaring a `File` for the mountpoint is not enough: Puppet skips the SELinux parameters on it.
    zfs { 'tstpool/tstfs':
      ensure     => present,
      mountpoint => '/var/log/forwarded',
      # Trigger the relabel once the dataset has been created/mounted.
      # The title here must match the Exec title exactly or the notify
      # will fail at catalog compile time.
      notify     => Exec['/sbin/restorecon -Rv /var/log/forwarded'],
    }

    # Apply the labels matchpathcon would have chosen, recursively,
    # but only when notified by the Zfs resource above.
    exec { '/sbin/restorecon -Rv /var/log/forwarded':
      refreshonly => true,
    }
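The root cause described above is a per-filesystem-type assumption about label support. The kernel actually advertises label support per mount via the `seclabel` option in `/proc/self/mounts`, which is what a ZFS dataset created with OpenZFS 0.6.3 or later shows. The following Ruby is an added illustration of that distinction, not Puppet's own `Puppet::Util::SELinux` code: it parses a constructed `/proc/self/mounts` sample, finds the mount owning a path by longest prefix, and compares a hypothetical type allowlist against the `seclabel` mount-option check. The mount table, the allowlist contents and all function names are assumptions made for the example.

```ruby
# Added example, not Puppet's code. Decide whether a path's filesystem carries
# SELinux labels by looking at the mount's 'seclabel' option instead of at a
# filesystem-type allowlist.

# Constructed sample of /proc/self/mounts (not captured from a real host).
SAMPLE_MOUNTS = <<~MOUNTS
  /dev/mapper/rl-root / xfs rw,seclabel,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota 0 0
  tstpool/tstfs /var/log/forwarded zfs rw,seclabel,relatime,xattr,posixacl 0 0
  nas:/export/home /home nfs4 rw,relatime,vers=4.2 0 0
  tmpfs /run tmpfs rw,seclabel,nosuid,nodev,mode=755 0 0
MOUNTS

Mount = Struct.new(:device, :mountpoint, :fstype, :options)

# Parse the /proc/self/mounts format: device mountpoint fstype options dump pass.
def parse_mounts(text)
  text.each_line.map do |line|
    dev, mnt, type, opts = line.split(' ')
    next if opts.nil?
    # /proc/self/mounts escapes spaces in paths as \040
    Mount.new(dev, mnt.gsub('\040', ' '), type, opts.split(','))
  end.compact
end

# Longest-prefix match: /var/log/forwarded/x belongs to the zfs mount, not to /.
def find_mount(mounts, path)
  path = File.expand_path(path)
  mounts.select do |m|
    path == m.mountpoint || path.start_with?(m.mountpoint.chomp('/') + '/')
  end.max_by { |m| m.mountpoint.length }
end

# Hypothetical filesystem-type allowlist: the kind of per-type assumption the
# report describes. zfs is deliberately absent, so it is misclassified.
LABEL_FS_ALLOWLIST = %w[ext2 ext3 ext4 xfs btrfs tmpfs jfs].freeze

def labelled_by_allowlist?(mounts, path)
  m = find_mount(mounts, path)
  !m.nil? && LABEL_FS_ALLOWLIST.include?(m.fstype)
end

# Mount-option check: the kernel sets 'seclabel' on every mount whose
# filesystem supports SELinux xattr labels, whatever its type.
def labelled_by_seclabel?(mounts, path)
  m = find_mount(mounts, path)
  !m.nil? && m.options.include?('seclabel')
end

if __FILE__ == $PROGRAM_NAME
  mounts = parse_mounts(SAMPLE_MOUNTS)
  %w[/var/log/forwarded/test.txt /home/alice /run/foo].each do |p|
    m = find_mount(mounts, p)
    puts format('%-30s fs=%-5s allowlist=%-5s seclabel=%s', p, m.fstype,
                labelled_by_allowlist?(mounts, p), labelled_by_seclabel?(mounts, p))
  end
end
```

Run against the sample, the allowlist says the ZFS mount under `/var/log/forwarded` has no label support while the `seclabel` option says it does, which is exactly the disagreement that leaves the mountpoint as `unlabeled_t`. The NFS mount is correctly reported as unlabelled by the option check without needing a special case for its type.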
You can reproduce this with the following steps:
- Define a ZFS filesystem
    zfs { 'zpool1/testing':
      ensure     => present,
      mountpoint => '/var/log/test',
    }

    file { '/var/log/test':
      ensure  => directory,
      require => Zfs['zpool1/testing'],
    }

- Run Puppet with the manifest you created. Below is the relevant section of the trace output. Note that the `require` is there to prevent subdirectories from being created before the mountpoint is set.
    Info: Applying configuration version '1659697804'
    Debug: /Stage[main]/Main/File[/mnt/testing]/require: require to Zfs[zpool1/testing]
    Debug: Executing: '/sbin/zfs list zpool1/testing'
    Debug: Executing: '/sbin/zfs create -o mountpoint=/var/log/test zpool1/testing'
    Notice: /Stage[main]/Main/Zfs[zpool1/testing]/ensure: created
    Debug: /Stage[main]/Main/Zfs[zpool1/testing]: The container Class[Main] will propagate my refresh event
    Debug: /File[/var/log/test]/seluser: SELinux not available for this filesystem. Ignoring parameter.
    Debug: /File[/var/log/test]/selrole: SELinux not available for this filesystem. Ignoring parameter.
    Debug: /File[/var/log/test]/seltype: SELinux not available for this filesystem. Ignoring parameter.
    Debug: /File[/var/log/test]/selrange: SELinux not available for this filesystem. Ignoring parameter.
    Debug: /File[/var/log/test/test.txt]/seluser: SELinux not available for this filesystem. Ignoring parameter.
    Debug: /File[/var/log/test/test.txt]/selrole: SELinux not available for this filesystem. Ignoring parameter.
    Debug: /File[/var/log/test/test.txt]/seltype: SELinux not available for this filesystem. Ignoring parameter.
    Debug: /File[/var/log/test/test.txt]/selrange: SELinux not available for this filesystem. Ignoring parameter.
    Debug: Class[Main]: The container Stage[main] will propagate my refresh event
    Debug: Finishing transaction 12520
    Debug: Storing state
    Debug: Pruned old state cache entries in 0.00 seconds
    Debug: Stored state in 0.06 seconds
    Notice: Applied catalog in 0.28 seconds

- Check the SELinux label on the directory
    $ ls -Zd /var/log/test
    system_u:object_r:unlabeled_t:s0 /var/log/test
- Run `restorecon` to see what label should have been applied
    $ restorecon -Rv /var/log/test
    Relabeled /var/log/test from system_u:object_r:mnt_t:s0 to system_u:object_r:var_log_t:s0
    Relabeled /var/log/test/test.txt from unconfined_u:object_r:unlabeled_t:s0 to unconfined_u:object_r:var_log_t:s0
The same thing happens if you also define a file inside the mount; Puppet skips the SELinux parameters on it as well (see the `test.txt` lines in the trace above).

    file { '/var/log/test/test.txt':
      content => 'test',
    }

Desired Behavior: Puppet should use matchpathcon, as it does with other filesystems, to fix the label of both the mountpoint and the files within it.

Actual Behavior: Puppet does not relabel the mountpoint or the files within it because it believes the filesystem cannot carry SELinux labels.