Puppet file type - wrong selinux fcontext detected


kara...@gmail.com

Feb 1, 2016, 11:27:58 AM
to Puppet Users
Hello,
Recently we had trouble with the default value of the file type's 'seltype' attribute. Situation:

We have path:
/srv/e/p/a/xxx

For /srv/ selinux context:
/srv/.* all files system_u:object_r:var_t:s0

For /srv/e/p/a/xxx selinux context:
/srv/e/p/a/xxx(/.*)? all files system_u:object_r:prod_secmon_ceres_config_t:s0
 
We are managing file.txt under the /srv/e/p/a/xxx directory. We are not setting the value for the seltype attribute, therefore the default is used.
file { '/srv/e/p/a/xxx/file.txt':
  ensure  => file,
  content => ...,
  ...
}

According to the docs, matchpathcon is used when the seltype attribute is not specified.

matchpathcon /srv/e/p/a/xxx//test.txt
/srv/e/p/a/xxx/test.txt system_u:object_r:prod_secmon_ceres_config_t:s0

The problem is that puppet keeps setting the seltype attribute for file.txt to var_t instead of prod_secmon_ceres_config_t.

I checked the puppet code, there is no seltype attribute for the whole environment at all.
I checked the catalog JSON file - no seltype is set.

When I run puppet apply locally with just a single file resource, the selinux context is ok.
Also, when I run an exec with matchpathcon /srv/e/p/a/xxx//test.txt > /tmp/match.log within the same puppet run, I have the correct fcontext in match.log, but the fcontext of test.txt is still set to var_t.
Also, when I manually change the fcontext of test.txt to something else, puppet sets it back to var_t.
And finally restorecon sets the right context prod_secmon_ceres_config_t for that file.

The only help in this situation was a restart of the puppet agent on the servers, and not all servers in the env were affected.

Has anybody else experienced this kind of behavior? Is there any kind of cache mechanism involved?

We are running version 3.8.1 of the puppet enterprise agent (and 3.6.x server, but I think this is a problem on the agent side).

Thanks,
H.Karasek

Thomas Müller

Feb 1, 2016, 3:31:13 PM
to Puppet Users
I've seen this if the puppet agent service was already running when the fcontext got added with semanage. Afterwards, file resources applied the old contexts.

This behaviour could be reproduced for all puppet runs started from the daemon. Puppet runs started from the shell with --test did apply the correct context.

Restarting the puppet daemon did fix the problem.

- Thomas
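The symptom in the thread (puppet applying var_t while matchpathcon answers prod_secmon_ceres_config_t) and Thomas's explanation (a long-running agent still using the fcontext rules it loaded before semanage added the new one) can both be checked with a small label-drift audit. What follows is an added example written for this thread, not code from the posts or from Puppet: it parses rules in the `semanage fcontext -l` layout quoted above, resolves a path the way matchpathcon does (the last matching entry wins, and entries added with semanage come after the base policy, so they override it), and compares the answer against `stat -c '%C %n'` output. The rule text and the stat output are constructed samples; resolving against only the first rule reproduces the stale var_t answer the daemon kept applying.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# File-type words as printed by `semanage fcontext -l`; "all files" matches any type.
_FTYPES = ("all files", "regular file", "directory", "symbolic link",
           "named pipe", "socket", "character device", "block device")
_RULE_RE = re.compile(r"^(\S+)\s+(" + "|".join(_FTYPES) + r")\s+(\S+)$")


@dataclass(frozen=True)
class FcontextRule:
    regex: str      # anchored path regex, as in file_contexts
    ftype: str      # one of _FTYPES
    context: str    # user:role:type:level, or "<<None>>" for "do not relabel"


def parse_fcontext_rules(text: str) -> List[FcontextRule]:
    """Parse `semanage fcontext -l` style lines into rules, keeping file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("SELinux fcontext"):
            continue  # blank line or the listing header
        m = _RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable fcontext line: {line!r}")
        rules.append(FcontextRule(*m.groups()))
    return rules


def expected_context(rules: List[FcontextRule], path: str,
                     ftype: str = "regular file") -> Optional[str]:
    """Context matchpathcon would report for `path`.

    libselinux anchors each spec regex and takes the LAST matching entry in
    evaluation order; rules added with semanage (file_contexts.local) come
    after the base policy, which is why the xxx rule beats /srv/.* here.
    """
    winner = None
    for rule in rules:
        if rule.ftype != "all files" and rule.ftype != ftype:
            continue
        if re.fullmatch(rule.regex, path):
            winner = rule
    if winner is None or winner.context == "<<None>>":
        return None
    return winner.context


def parse_stat_lines(text: str) -> List[Tuple[str, str]]:
    """Parse lines from `stat -c '%C %n' PATH...` into (path, context) pairs."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ctx, path = line.split(None, 1)
        pairs.append((path, ctx))
    return pairs


def find_label_drift(rules: List[FcontextRule], stat_text: str,
                     ftype: str = "regular file") -> List[Tuple[str, str, str]]:
    """Return [(path, actual, expected)] for files whose on-disk label differs
    from the policy answer; the same files `restorecon -nv` would report."""
    drift = []
    for path, actual in parse_stat_lines(stat_text):
        expected = expected_context(rules, path, ftype)
        if expected is not None and actual != expected:
            drift.append((path, actual, expected))
    return drift


# Constructed sample: the two rules quoted in the thread, in evaluation order.
SAMPLE_RULES_TEXT = """
/srv/.*                 all files  system_u:object_r:var_t:s0
/srv/e/p/a/xxx(/.*)?    all files  system_u:object_r:prod_secmon_ceres_config_t:s0
"""

# Constructed sample of `stat -c '%C %n'` output after a run from the stale daemon.
SAMPLE_STAT_TEXT = """
system_u:object_r:var_t:s0 /srv/e/p/a/xxx/file.txt
system_u:object_r:prod_secmon_ceres_config_t:s0 /srv/e/p/a/xxx/other.conf
system_u:object_r:var_t:s0 /srv/other/readme
"""

if __name__ == "__main__":
    rules = parse_fcontext_rules(SAMPLE_RULES_TEXT)
    for path, actual, expected in find_label_drift(rules, SAMPLE_STAT_TEXT):
        print(f"{path}: labelled {actual}, policy says {expected}")
```

On a real host, feed `semanage fcontext -l` and `stat -c '%C %n'` output into the two parsers; any file the audit lists is one a stale agent process relabelled, and `restorecon -nv` on the same paths gives the authoritative answer from libselinux itself. Checking agents this way after every `semanage fcontext -a` is a cheap way to find the hosts that still need the agent restart the thread describes.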

kara...@gmail.com

Feb 2, 2016, 3:02:52 AM
to Puppet Users

Ok, thank you. It looks like a bug to me. I will try to reproduce it in the lab with the latest agent.

H.Karasek


On Monday, 1 February 2016 21:31:13 UTC+1, Thomas Müller wrote: