SELinux context warnings, how-to fix ?
136 views
Skip to first unread message
Remy
Nov 30, 2015, 12:15:59 PM11/30/15
to Puppet Users
Hi,
We moved from 3.1 to 3.8 and we faced some warnings regarding SELinux all of the sudden:
Nov 30 14:48:22 nodename puppet-agent[9865]: Failed to set SELinux context system_u:object_r:usr_t:s0 on /usr/sap/home/username
Nov 30 14:48:22 nodename puppet-agent[9865]: (/File[/usr/sap/home/username]/seltype) seltype changed 'nfs_t' to 'usr_t'
Nov 30 14:48:22 nodename puppet-agent[9865]: (/File[/usr/sap/home/username]/seltype) seltype changed 'nfs_t' to 'usr_t'
[root@nodename ~]# facter -p | grep selinux
selinux => true
selinux_config_mode => permissive
selinux_config_policy => targeted
selinux_current_mode => permissive
selinux_enforced => false
selinux_policyversion => 28
Any ideas how-to fix ?
We haven't had this issues in 3.1...
Regards
Thomas Müller
Dec 1, 2015, 3:23:44 AM12/1/15
to Puppet Users
Am Montag, 30. November 2015 18:15:59 UTC+1 schrieb Remy:
Hi,We moved from 3.1 to 3.8 and we faced some warnings regarding SELinux all of the sudden:Nov 30 14:48:22 nodename puppet-agent[9865]: Failed to set SELinux context system_u:object_r:usr_t:s0 on /usr/sap/home/username
Nov 30 14:48:22 nodename puppet-agent[9865]: (/File[/usr/sap/home/username]/seltype) seltype changed 'nfs_t' to 'usr_t'
what's the ouptput of:
matchpathcony=a+bsin(c+dx)
matchpathcon /usr/sap/home/username
y=a+bsin(c+dx)
if selinux is enabled (permissive or enforcing) puppet tries to set the default selinux context on a managed file resource. https://docs.puppetlabs.com/references/latest/type.html#file-attribute-seltype
for a local additon of the file context you could run:
semanage fcontext --add --type nfs_t /usr/sap/home(/.*)?(I suspect /usr/sap/home is nfs mounted?)
afterwards the matchpathcon should then return system_u:object_r:nfs_t:s0
sometimes I can see that a running already puppet service does not know about updated selinux file contexts - and tries to set the old context. restarting puppet service helps here.
- Thomas
PS: if you wanted to have the same permissions for /usr/sap/home as for /home selinux-wise you could run
semanage fcontext -a -e /home /usr/sap/home
but I don't know if this applies to you. This equivalence feature is not very well known altough introduced in 2009 (http://danwalsh.livejournal.com/27571.html) and is very usefull.
Thomas Müller
Dec 1, 2015, 3:25:14 AM12/1/15
to Puppet Users
sorry for the maths inbetween. this did not show up in the google editor. :)
Am Dienstag, 1. Dezember 2015 09:23:44 UTC+1 schrieb Thomas Müller:
Am Dienstag, 1. Dezember 2015 09:23:44 UTC+1 schrieb Thomas Müller:
matchpathcony=a+bsin(c+dxy=a+bsin(c+dx)
Reply all
Reply to author
Forward
0 new messages