Jira (PUP-8477) selinux types are being set on every run


Tim Skirvin (JIRA)

Feb 20, 2018, 4:34:08 PM
to puppe...@googlegroups.com
Tim Skirvin updated an issue
 
Puppet / Bug PUP-8477
selinux types are being set on every run
Change By: Tim Skirvin
Summary: selinux types are being set on every run (was: selinux types are not getting set on every run)
This message was sent by Atlassian JIRA (v7.5.1#75006-sha1:7df2574)

Tim Skirvin (JIRA)

Feb 20, 2018, 4:40:02 PM
to puppe...@googlegroups.com
Tim Skirvin updated an issue
Change By: Tim Skirvin
Attachment: debug.txt

Tim Skirvin (JIRA)

Feb 20, 2018, 4:42:03 PM
to puppe...@googlegroups.com
Tim Skirvin commented on Bug PUP-8477
 
Re: selinux types are being set on every run

I have a debug log, but I'm not sure that I should be uploading it publicly.

Josh Cooper (JIRA)

Feb 21, 2018, 12:25:02 AM
to puppe...@googlegroups.com
Josh Cooper updated an issue
 
Change By: Josh Cooper
*Puppet Version: 5.4.0*
*Puppet Server Version:*
*OS Name/Version: RHEL 7.4*

The handling of selinux file parameters seems to have changed between 5.3.5 and 5.4.0.  Specifically, we are managing some .k5login files as type 'krb5_home_t':

{code:puppet}
  file { "${basedir}/${name}/.k5login": seltype => 'krb5_home_t' }
{code}

As of when we upgraded to v5.4.0, puppet has been trying to reset the parameters every run, e.g.:

{noformat}
Feb 20 15:16:50 XXXX04 puppet-agent[99767]: (/Stage[main]/P_puppet_server::Automation::User/K5login[/var/lib/foo/.k5login]/seluser) seluser changed  to 'user_u'
Feb 20 15:16:50 XXXX04 puppet-agent[99767]: (/Stage[main]/P_puppet_server::Automation::User/K5login[/var/lib/foo/.k5login]/selrole) selrole changed  to 'object_r'
Feb 20 15:16:50 XXXX04 puppet-agent[99767]: (/Stage[main]/P_puppet_server::Automation::User/K5login[/var/lib/foo/.k5login]/seltype) seltype changed  to 'krb5_home_t'
Feb 20 15:16:50 XXXX04 puppet-agent[99767]: (/Stage[main]/P_puppet_server::Automation::User/K5login[/var/lib/foo/.k5login]/selrange) selrange changed  to 's0'
{noformat}

Downgrading to 5.3.5 reverts the behavior - e.g. the values are no longer updated every run.

Note that selinux is off on these hosts anyway.

*Desired Behavior:  don't change every run*

*Actual Behavior:  tries to change every run*

Josh Cooper (JIRA)

Feb 21, 2018, 12:26:03 AM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Sub-team: Coremunity

Josh Cooper (JIRA)

Feb 21, 2018, 12:26:03 AM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Team: Platform Core

Josh Cooper (JIRA)

Feb 21, 2018, 12:38:02 AM
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-8477
 
Re: selinux types are being set on every run

Tim Skirvin Do your manifests also include k5login resource types? I'm wondering if the file and k5login types are conflicting, as both are trying to manage seltype?

Tim Skirvin (JIRA)

Feb 21, 2018, 9:59:03 AM
to puppe...@googlegroups.com
Tim Skirvin commented on Bug PUP-8477

Yes, that's probably it.  We've been using this idiom for years now:

  k5login { "${basedir}/${name}/.k5login":
    principals => unique(sort($principals)),
  } ->
  file { "${basedir}/${name}/.k5login": seltype => 'krb5_home_t' }


Andreas Ntaflos (JIRA)

Feb 25, 2018, 4:58:04 PM
to puppe...@googlegroups.com

We observe similar problems on Ubuntu 14.04 and 16.04 using Puppet 5.4.0. SELinux properties are set on every Puppet agent run for the .k5login files we manage. The output of a typical Puppet agent run looks like this:

Notice: /Stage[main]/Profile::K5login/K5login[/root/.k5login]/seluser: seluser changed  to 'user_u'
Notice: /Stage[main]/Profile::K5login/K5login[/root/.k5login]/selrole: selrole changed  to 'object_r'
Notice: /Stage[main]/Profile::K5login/K5login[/root/.k5login]/seltype: seltype changed  to 'krb5_home_t'
Notice: /Stage[main]/Profile::K5login/K5login[/root/.k5login]/selrange: selrange changed  to 's0'
Notice: Applied catalog in 22.20 seconds

We manage the .k5login files using a profile that looks like this:

class profile::k5login {
  $k5login_defaults = lookup('profile::k5login::k5login_defaults', Hash, 'deep', {})
  $k5logins         = lookup('profile::k5login::k5logins', Hash, 'deep', {})
  create_resources('k5login', $k5logins, $k5login_defaults)
}

We never set any SELinux-specific properties; in fact SELinux is not even active on our Ubuntu nodes. The output of ls -laZ /root/.k5login looks like this:

-rw-r--r-- 1 root root ? 21 Sep  4 19:10 /root/.k5login

Note the ?, which means there are no security contexts active for the file.

Josh Cooper (JIRA)

Feb 26, 2018, 1:07:03 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Fix Version/s: PUP 5.5.0

Josh Cooper (JIRA)

Feb 26, 2018, 1:07:04 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Sprint: Platform Core Hopper

Josh Cooper (JIRA)

Feb 26, 2018, 1:08:03 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Labels: regression

Melissa Stone (JIRA)

Feb 26, 2018, 2:42:05 PM
to puppe...@googlegroups.com
Melissa Stone assigned an issue to Melissa Stone
Change By: Melissa Stone
Assignee: Melissa Stone

Melissa Stone (JIRA)

Feb 26, 2018, 2:43:03 PM
to puppe...@googlegroups.com
Melissa Stone updated an issue
Change By: Melissa Stone
Sprint: KANBAN (was: Platform Core Hopper)

Michael Smith (JIRA)

Feb 28, 2018, 4:39:03 PM
to puppe...@googlegroups.com
Michael Smith commented on Bug PUP-8477
 
Re: selinux types are being set on every run

This seems somewhat related to PUP-2169.

Josh Cooper (JIRA)

Mar 5, 2018, 12:47:04 PM
to puppe...@googlegroups.com
Josh Cooper assigned an issue to Kris Bosland
 
Change By: Josh Cooper
Assignee: Kris Bosland (was: Melissa Stone)

Eric Delaney (JIRA)

Mar 9, 2018, 6:39:03 PM
to puppe...@googlegroups.com
Eric Delaney commented on Bug PUP-8477

Melissa Stone can you add release notes please?

Melissa Stone (JIRA)

Mar 9, 2018, 6:48:03 PM
to puppe...@googlegroups.com
Melissa Stone updated an issue
Change By: Melissa Stone
Release Notes Summary: If selinux bindings are not available in puppet, we would try to manage a setting but not be able to read in what it was currently set as. This change makes it so that if we do not have selinux bindings, we don't try to check the current setting as we do not have access to it.
Release Notes: Bug Fix
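
An added Ruby model of the behaviour this release note describes (illustration only, not Puppet's own code; class and method names are hypothetical): a property that reads the current SELinux user through bindings that may be absent, showing why the pre-fix path reports "seluser changed  to 'user_u'" on every run and why skipping the check when bindings are missing stops it.

```ruby
# Added illustration, not Puppet's own code: a minimal model of a
# Puppet-style SELinux property (hypothetical names) showing why missing
# SELinux bindings produced "seluser changed  to 'user_u'" every run.

# Stand-in for the Ruby SELinux bindings; passing nil instead of an
# instance models bindings that are not loaded (SELinux off or lib absent).
class FakeSelinuxBindings
  def initialize(contexts) # constructed sample data: path => seluser
    @contexts = contexts
  end

  def current_user(path)
    @contexts.fetch(path, nil)
  end
end

class SelUserProperty
  def initialize(path, should, bindings, check_support: false)
    @path, @should, @bindings = path, should, bindings
    @check_support = check_support # true models the 5.5.0 fix
  end

  # Pre-fix: query the context even without bindings, get nil, and so
  # always look out of sync. Post-fix: without bindings the value can be
  # neither read nor written, so report the desired value and do nothing.
  def retrieve
    return (@check_support ? @should : nil) if @bindings.nil?
    @bindings.current_user(@path)
  end

  def insync?(current)
    current == @should
  end

  # Returns a notice shaped like the agent output in the report, or nil.
  # Nothing is written: with no bindings the "change" never persists, so it repeats.
  def apply
    current = retrieve
    return nil if insync?(current)
    shown = current.nil? ? '' : "'#{current}'"
    "seluser changed #{shown} to '#{@should}'"
  end
end

# Simulate several agent runs and collect the notices they would emit.
def notices_over_runs(runs:, bindings:, check_support:)
  prop = SelUserProperty.new('/root/.k5login', 'user_u', bindings,
                             check_support: check_support)
  Array.new(runs) { prop.apply }.compact
end
```

With bindings present the fixed path still reports a real drift (for example a file found with 'system_u'), so the fix only silences the case where the agent could never have read or written the context in the first place.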

Eric Delaney (JIRA)

Mar 12, 2018, 5:11:03 PM
to puppe...@googlegroups.com
Eric Delaney assigned an issue to Unassigned
Change By: Eric Delaney
Assignee: Unassigned (was: Kris Bosland)

Kris Bosland (JIRA)

Mar 12, 2018, 7:44:02 PM
to puppe...@googlegroups.com
Kris Bosland assigned an issue to Kris Bosland
Change By: Kris Bosland
Assignee: Kris Bosland

Kris Bosland (JIRA)

Mar 13, 2018, 2:26:04 AM
to puppe...@googlegroups.com
Kris Bosland commented on Bug PUP-8477
 
Re: selinux types are being set on every run

Tested:

On the new code, no extra notices are given:

# bundle exec puppet apply ../test.pp
Notice: Compiled catalog for uc4gb43ewmda9cm.delivery.puppetlabs.net in environment production in 0.03 seconds
Notice: Applied catalog in 0.02 seconds

On the old code (SHA 3b048b23e, no existing branch has the buggy code), extra notices are given:

# bundle exec puppet apply ../test.pp
Notice: Compiled catalog for uc4gb43ewmda9cm.delivery.puppetlabs.net in environment production in 0.03 seconds
Notice: /Stage[main]/Main/K5login[/root/.k5login]/seluser: seluser changed  to 'user_u'
Notice: /Stage[main]/Main/K5login[/root/.k5login]/selrole: selrole changed  to 'object_r'
Notice: /Stage[main]/Main/K5login[/root/.k5login]/seltype: seltype changed  to 'krb5_home_t'
Notice: /Stage[main]/Main/K5login[/root/.k5login]/selrange: selrange changed  to 's0'
Notice: Applied catalog in 0.02 seconds 

Tim Skirvin (JIRA)

Mar 27, 2018, 11:37:03 AM
to puppe...@googlegroups.com
Tim Skirvin commented on Bug PUP-8477

Hmm. This didn't solve all of my problems, I'm still seeing on my host testing 5.5.0:

  k5login { '/root/.k5login': principals => unique(sort($princs)), mode => '600' }
  -> file { '/root/.k5login': seltype => 'krb5_home_t' }

 

Notice: /Stage[main]/P_krb5::K5login::Root/K5login[root .k5login]/seluser: seluser changed 'system_u' to 'user_u'
Notice: /Stage[main]/P_krb5::K5login::Root/File[/root/.k5login]/seluser: seluser changed 'user_u' to 'system_u'

Note that I'm not setting `user_u` or `system_u` anywhere in my code base; selinux is disabled on the host; and

John Duarte (JIRA)

Oct 21, 2019, 10:55:05 AM
to puppe...@googlegroups.com
John Duarte updated an issue
 
Change By: John Duarte
QA Risk Assessment: No Action (was: Needs Assessment)