Jira (PUP-7375) Puppet does not change file to directory when selinux is enabled


Josh Cooper (JIRA)

Mar 20, 2017, 4:19:02 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
 
Puppet / Bug PUP-7375
Puppet does not change file to directory when selinux is enabled
Change By: Josh Cooper
Summary: Puppet does not change file to directory when selinux is enabled
 
This message was sent by Atlassian JIRA (v6.4.14#64029-sha1:ae256fe)

Martin Alfke (JIRA)

Mar 20, 2017, 4:21:03 PM
to puppe...@googlegroups.com
Martin Alfke commented on Bug PUP-7375
 
Re: Puppet does not change file to directory when selinux is enabled

trace output:

Notice: Compiled catalog for puppet.pe.psick.io in environment production in 0.26 seconds
Error: Not a directory @ rb_file_s_lstat - /tmp/foo/bar
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/file_system/file_impl.rb:144:in `lstat'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/file_system/file_impl.rb:144:in `lstat'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/file_system.rb:317:in `lstat'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/selinux.rb:219:in `file_lstat'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/selinux.rb:45:in `get_selinux_default_context'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/type/file/selcontext.rb:40:in `retrieve_default_context'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/type/file/selcontext.rb:86:in `block (2 levels) in <module:Puppet>'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/type.rb:834:in `set_default'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/type.rb:2493:in `block in set_parameters'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/type.rb:2492:in `each'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/type.rb:2492:in `set_parameters'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/type.rb:2389:in `initialize'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/type/file.rb:491:in `initialize'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/resource.rb:488:in `new'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/resource.rb:488:in `to_ral'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/resource/catalog.rb:640:in `block in to_catalog'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/resource/catalog.rb:632:in `each'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/resource/catalog.rb:632:in `to_catalog'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/resource/catalog.rb:513:in `to_ral'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/apply.rb:263:in `block in main'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/context.rb:65:in `override'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet.rb:293:in `override'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/apply.rb:225:in `main'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/apply.rb:170:in `run_command'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:344:in `block in run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:541:in `exit_on_fail'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:344:in `run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:132:in `run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:72:in `execute'
/opt/puppetlabs/puppet/bin/puppet:5:in `<main>'

Note: disabling selinux gives the expected result!

Josh Cooper (JIRA)

Mar 20, 2017, 5:03:03 PM
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-7375

I am not able to reproduce when using ruby 2.1.9 installed via rbenv:

# yum install -y git-core zlib zlib-devel gcc-c++ patch readline readline-devel libyaml-devel libffi-devel openssl-devel make bzip2 autoconf automake libtool bison curl sqlite-devel
# cd
# git clone git://github.com/sstephenson/rbenv.git .rbenv
# echo 'export PATH="$HOME/.rbenv/bin:$PATH"' >> ~/.bash_profile
# echo 'eval "$(rbenv init -)"' >> ~/.bash_profile
# source ~/.bash_profile
# git clone git://github.com/sstephenson/ruby-build.git ~/.rbenv/plugins/ruby-build
# echo 'export PATH="$HOME/.rbenv/plugins/ruby-build/bin:$PATH"' >> ~/.bash_profile
# source ~/.bash_profile
# rbenv install -v 2.1.9
...
# rbenv local 2.1.9
# ruby --version
ruby 2.1.9p490 (2016-03-30 revision 54437) [x86_64-linux]
# gem install --no-ri --no-rdoc bundler
# git clone git://github.com/puppetlabs/puppet
# cd puppet
# git checkout 4.9.4
# bundle install --path .bundle --without development extra
# rm -rf /tmp/foo/
# touch /tmp/foo
# bundle exec puppet apply ../manifest.pp
Notice: Compiled catalog for XXX.puppetlabs.net in environment production in 0.09 seconds
Notice: /Stage[main]/Main/File[/tmp/foo]/ensure: ensure changed 'file' to 'directory'
Notice: /Stage[main]/Main/File[/tmp/foo/bar]/ensure: created
Notice: Applied catalog in 0.05 seconds

But

# rm -rf /tmp/foo/
# touch /tmp/foo
# /opt/puppetlabs/puppet/bin/puppet apply ../manifest.pp
Notice: Compiled catalog for kj2yriin8cxx02i.delivery.puppetlabs.net in environment production in 0.08 seconds
Error: Not a directory @ rb_file_s_lstat - /tmp/foo/bar

Josh Cooper (JIRA)

Mar 20, 2017, 5:35:03 PM
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-7375

This is a regression from puppet-agent 1.8.3:

# which puppet
/opt/puppetlabs/bin/puppet
# puppet --version
4.8.2
# /opt/puppetlabs/puppet/bin/ruby --version
ruby 2.1.9p490 (2016-03-30 revision 54437) [x86_64-linux]
# rm -rf /tmp/foo/
# touch /tmp/foo
# cat manifest.pp
 File {
    owner => 'root',
    group => 'root',
    mode  => '0644',
  }
  file { '/tmp/foo':
    ensure => directory,
  }
  file { '/tmp/foo/bar':
    ensure => file,
  }
# puppet apply manifest.pp
Notice: Compiled catalog for XXX.puppetlabs.net in environment production in 0.08 seconds
Notice: /Stage[main]/Main/File[/tmp/foo]/ensure: ensure changed 'file' to 'directory'
Notice: /Stage[main]/Main/File[/tmp/foo/bar]/ensure: created
Notice: Applied catalog in 0.05 seconds

Sean McDonald (JIRA)

Mar 20, 2017, 7:40:02 PM
to puppe...@googlegroups.com
Sean McDonald commented on Bug PUP-7375
 
Re: Puppet does not change file to directory when selinux is enabled

After investigating further, it turns out this functionality is actually broken for every agent back to 1.0.1

Geoff Nichols (JIRA)

Mar 29, 2017, 1:25:02 AM
to puppe...@googlegroups.com
Geoff Nichols updated an issue
Change By: Geoff Nichols
Sprint: Agent Grooming  On-Deck

Branan Riley (JIRA)

Jul 13, 2017, 1:39:03 PM
to puppe...@googlegroups.com
Branan Riley updated an issue
Change By: Branan Riley
Sprint: Agent  Triage  Grooming

Branan Riley (JIRA)

May 14, 2018, 3:00:04 PM
to puppe...@googlegroups.com
Branan Riley updated an issue
Change By: Branan Riley
Labels: file selinux triaged type_and_provider

Melissa Stone (JIRA)

Jun 20, 2018, 1:16:04 PM
to puppe...@googlegroups.com
Melissa Stone commented on Bug PUP-7375
 
Re: Puppet does not change file to directory when selinux is enabled

I was able to reproduce this with puppet-agent 5.5.3.260.ge0ad970 and the included ruby 2.4.4

[root@bi040qter7lkjw5 ~]# selinuxenabled ; echo $?
0
[root@bi040qter7lkjw5 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
[root@bi040qter7lkjw5 ~]# cat /etc/sysconfig/selinux
 
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
 
 
[root@bi040qter7lkjw5 ~]# puppet --version
6.0.0
[root@bi040qter7lkjw5 ~]# /opt/puppetlabs/puppet/bin/ruby --version
ruby 2.4.4p296 (2018-03-28 revision 63013) [x86_64-linux]
[root@bi040qter7lkjw5 ~]# stat /tmp/foo
  File: ‘/tmp/foo
  Size: 0         	Blocks: 0          IO Block: 4096   regular empty file
Device: fd00h/64768d	Inode: 101596055   Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Context: unconfined_u:object_r:user_tmp_t:s0
Access: 2018-06-20 16:49:24.252725530 +0000
Modify: 2018-06-20 16:49:24.252725530 +0000
Change: 2018-06-20 16:49:24.252725530 +0000
 Birth: -
[root@bi040qter7lkjw5 ~]# cat manifest.pp
  File {
    owner => 'root',
    group => 'root',
    mode  => '0644',
  }
  file { '/tmp/foo':
    ensure => directory,
  }
  file { '/tmp/foo/bar':
    ensure => file,
  }
[root@bi040qter7lkjw5 ~]# puppet apply manifest.pp --trace
Notice: Compiled catalog for bi040qter7lkjw5.delivery.puppetlabs.net in environment production in 0.02 seconds
Error: Not a directory @ rb_file_s_lstat - /tmp/foo/bar
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/file_system/file_impl.rb:144:in `lstat'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/file_system/file_impl.rb:144:in `lstat'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/file_system.rb:317:in `lstat'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/selinux.rb:261:in `file_lstat'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/selinux.rb:45:in `get_selinux_default_context'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/type/file/selcontext.rb:45:in `retrieve_default_context'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/type/file/selcontext.rb:103:in `block (2 levels) in <module:Puppet>'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/type.rb:835:in `set_default'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/type.rb:2508:in `block in set_parameters'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/type.rb:2507:in `each'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/type.rb:2507:in `set_parameters'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/type.rb:2396:in `initialize'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/type/file.rb:490:in `initialize'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/resource.rb:461:in `new'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/resource.rb:461:in `to_ral'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/resource/catalog.rb:643:in `block in to_catalog'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/resource/catalog.rb:635:in `each'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/resource/catalog.rb:635:in `to_catalog'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/resource/catalog.rb:516:in `to_ral'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/apply.rb:269:in `block in main'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/context.rb:65:in `override'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet.rb:251:in `override'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/apply.rb:233:in `main'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/apply.rb:174:in `run_command'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:382:in `block in run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:666:in `exit_on_fail'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:382:in `run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:137:in `run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:73:in `execute'
/opt/puppetlabs/puppet/bin/puppet:5:in `<main>'
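
The failure both traces end in, as an added Ruby example that is not part of the thread or of Puppet's code: lstat on a path whose parent is still a regular file raises Errno::ENOTDIR rather than Errno::ENOENT, so a lookup that only expects a missing path aborts before the parent is converted to a directory. The helper names, the scratch directory and the mode-0 fallback are assumptions made for illustration.

```ruby
require 'tmpdir'
require 'fileutils'
require 'pathname'

# Hypothetical helper (not Puppet's code): mode to pass to a default-context
# lookup. Falling back to 0 for a not-yet-creatable path is an assumption.
def mode_for_context_lookup(path)
  File.lstat(path).mode
rescue Errno::ENOENT, Errno::ENOTDIR
  # ENOENT: the path is missing.
  # ENOTDIR: an ancestor exists but is a regular file, as with /tmp/foo/bar
  # while /tmp/foo has not yet been changed to a directory.
  0
end

# Hypothetical diagnostic: nearest existing ancestor that is not a directory.
def blocking_ancestor(path)
  hit = Pathname.new(path).ascend.drop(1).find do |p|
    st = (p.stat rescue nil)
    st && !st.directory?
  end
  hit && hit.to_s
end

# Constructed reproduction of the thread's state inside a scratch directory.
def demo
  Dir.mktmpdir do |root|
    foo = File.join(root, 'foo')
    bar = File.join(foo, 'bar')
    FileUtils.touch(foo) # same state as `touch /tmp/foo`

    raw = begin
      File.lstat(bar)
      nil
    rescue SystemCallError => e
      e.class # what an unguarded lstat raises
    end

    { raw_error: raw,
      guarded_mode: mode_for_context_lookup(bar),
      blocker_is_foo: blocking_ancestor(bar) == foo }
  end
end

p demo if $PROGRAM_NAME == __FILE__
```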

Branan Riley (JIRA)

Jul 23, 2018, 2:33:05 PM
to puppe...@googlegroups.com
Branan Riley updated an issue
Change By: Branan Riley
Labels: file linux selinux type_and_provider

Bogdan Irimie (Jira)

Nov 5, 2020, 3:51:05 AM
to puppe...@googlegroups.com
Bogdan Irimie updated an issue
Change By: Bogdan Irimie
Sprint:

Ciprian Badescu (Jira)

Jun 29, 2021, 2:55:02 AM
to puppe...@googlegroups.com
Ciprian Badescu updated an issue
Change By: Ciprian Badescu
Sprint: ready for triage