Issue #1648 has been updated by jenza.

seanmil wrote:
> I would classify this as expected and desired behavior when running in either 
> SELinux permissive or enforcing mode.  Puppet is now asking the system what 
> the proper SELinux file context should be (via matchpathcon) and using that 
> as defaults for the new SELinux attributes - adjusting them on-disk as 
> appropriate.
> 
> Can you please clarify the problem?

After doing a bit more digging, it appears that when puppet is setting seluser 
stuff on a symlink it is calling chcon incorrectly.

<pre>[EMAIL PROTECTED]: /etc/munin/plugins# ls -la /etc/munin/plugins/swap
lrwxrwxrwx 1 root root 32 Oct 14 10:34 /etc/munin/plugins/netstat -> /usr/share/munin/plugins/swap
</pre>

From what I can see in the debug output, puppet claims seluser is setting the roles, yet it's not actually doing anything.

<pre>debug: /File[/etc/munin/plugins/swap]/seluser: Executing 'stat -c %C /etc/munin/plugins/swap'
debug: /File[/etc/munin/plugins/swap]/selrole: Executing 'stat -c %C /etc/munin/plugins/swap'
debug: /File[/etc/munin/plugins/swap]/seltype: Executing 'stat -c %C /etc/munin/plugins/swap'
debug: /File[/etc/munin/plugins/swap]: Changing seluser
debug: /File[/etc/munin/plugins/swap]: 1 change(s)
debug: Running chcon -u system_u /etc/munin/plugins/swap
notice: /File[/etc/munin/plugins/swap]/seluser: seluser changed 'user_u' to 'system_u'
info: /File[/etc/munin/plugins/swap]: Scheduling refresh of Service[munin-node]
</pre>

Now it should be set to system_u; however:
<pre>
[EMAIL PROTECTED]: /etc/munin/plugins# stat -c %C /etc/munin/plugins/swap
user_u:object_r:etc_t
</pre>

It's still set to user. If you call chcon with the -h flag:
<pre>
[EMAIL PROTECTED]: /etc/munin/plugins# chcon -h -u system_u /etc/munin/plugins/swap
[EMAIL PROTECTED]: /etc/munin/plugins# stat -c %C /etc/munin/plugins/swap
system_u:object_r:etc_t
</pre>

It sets it correctly, and puppet runs cleanly with no changes on the next run.
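The behaviour above comes down to two commands disagreeing about symlinks: `stat` reports the label of the link itself unless given `-L`, while GNU `chcon` dereferences by default and relabels the target unless given `-h`. Puppet therefore reads `user_u` from the link, "changes" it by relabelling `/usr/share/munin/plugins/swap` instead, reads `user_u` from the link again on the next run, and never converges. The script below is an added example (not code from this bug report or from Puppet) that picks `-h` for symlinks, verifies against the link's own label, and can reproduce the mislabel on a scratch symlink. The helper names, the `/sys/fs/selinux` and `/selinux/enforce` probes, and the `demo` argument are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the bug report or from Puppet: relabel a
# path's SELinux user so that a symlink gets the label itself instead of
# passing it through to the file it points to.

# Print the chcon command line for PATH ($1) and SELUSER ($2).  chcon
# follows symlinks by default, so a symlink needs -h to label the link.
chcon_cmd() {
    if [ -L "$1" ]; then
        printf 'chcon -h -u %s -- %s\n' "$2" "$1"
    else
        printf 'chcon -u %s -- %s\n' "$2" "$1"
    fi
}

# Label of PATH itself; stat only dereferences with -L, which is why the
# report's 'stat -c %C' kept showing user_u on the link after chcon ran.
label_of()        { stat -c %C "$1"; }
target_label_of() { stat -L -c %C "$1"; }

# Apply SELUSER to PATH and verify against the link's own label.
# Exit status: 0 converged, 1 label did not change, 2 no SELinux here.
set_seluser() {
    path=$1; seluser=$2
    [ -e /sys/fs/selinux ] || [ -e /selinux/enforce ] || return 2
    if [ -L "$path" ]; then
        chcon -h -u "$seluser" -- "$path" || return 1
    else
        chcon -u "$seluser" -- "$path" || return 1
    fi
    case "$(label_of "$path")" in
        "$seluser":*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Reproduce the report on a scratch symlink (run as root on an SELinux
# host): without -h the target's label changes and the link's does not.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/target"
    ln -s "$d/target" "$d/link"
    echo "before:  link=$(label_of "$d/link") target=$(target_label_of "$d/link")"
    chcon -u system_u -- "$d/link" 2>/dev/null   # dereferences: labels target
    echo "no -h:   link=$(label_of "$d/link") target=$(target_label_of "$d/link")"
    set_seluser "$d/link" system_u               # uses -h: labels the link
    echo "with -h: link=$(label_of "$d/link") target=$(target_label_of "$d/link")"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run `sh relabel.sh demo` as root on an SELinux host to see the three listings; on a host without SELinux, `set_seluser` returns 2 and changes nothing. The check in `set_seluser` deliberately reads the label the same way Puppet does (`stat` without `-L`), so a resource managed this way can only report success when the link itself carries the requested user.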
----------------------------------------
Bug #1648: 0.24.6RC1 setting selinux permissions even when disabled 
http://projects.reductivelabs.com/issues/show/1648

Author: jenza
Status: Accepted
Priority: Normal
Assigned to: seanmil
Category: Red Hat
Target version: 0.24.6
Complexity: Unknown
Affected version: 
Keywords: 


CentOS 5.1, 2.6.18-92.el5 #1 SMP Tue Jun 10 18:51:06 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux.

SELinux is running in permissive mode on both client and server.

Upgraded client and server from 0.24.5 to 0.24.6RC1, and the following behavior started.

<pre>[EMAIL PROTECTED] plugins]# puppetd --test --no-noop
notice: Ignoring --listen on onetime run
info: Caching catalog at /var/lib/puppet/state/localconfig.yaml
notice: Starting catalog run
notice: //Node[obu-repos]/munin::client/munin::client::base/munin::plugins::base/munin::plugins::linux/munin::plugins::interfaces/Munin::Plugin[if_eth0]/File[/etc/munin/plugins/if_eth0]/seluser: seluser changed 'user_u' to 'system_u'
info: //Node[obu-repos]/munin::client/munin::client::base/munin::plugins::base/munin::plugins::linux/munin::plugins::interfaces/Munin::Plugin[if_eth0]/File[/etc/munin/plugins/if_eth0]: Scheduling refresh of Service[munin-node]
notice: //Node[obu-repos]/munin::client/munin::client::base/munin::plugins::base/munin::plugins::linux/Munin::Plugin[interrupts]/File[/etc/munin/plugins/interrupts]/seluser: seluser changed 'user_u' to 'system_u'
info: //Node[obu-repos]/munin::client/munin::client::base/munin::plugins::base/munin::plugins::linux/Munin::Plugin[interrupts]/File[/etc/munin/plugins/interrupts]: Scheduling refresh of Service[munin-node]
notice: //Node[obu-repos]/munin::client/munin::client::base/munin::plugins::base/munin::plugins::linux/Munin::Plugin[netstat]/File[/etc/munin/plugins/netstat]/seluser: seluser changed 'user_u' to 'system_u'
info: //Node[obu-repos]/munin::client/munin::client::base/munin::plugins::base/munin::plugins::linux/Munin::Plugin[netstat]/File[/etc/munin/plugins/netstat]: Scheduling refresh of Service[munin-node]
notice: //Node[obu-repos]/munin::client/munin::client::base/munin::plugins::base/munin::plugins::linux/Munin::Plugin[acpi]/File[/etc/munin/plugins/acpi]/seluser: seluser changed 'user_u' to 'system_u'
info: //Node[obu-repos]/munin::client/munin::client::base/munin::plugins::base/munin::plugins::linux/Munin::Plugin[acpi]/File[/etc/munin/plugins/acpi]: Scheduling refresh of Service[munin-node]
notice: //Node[obu-repos]/munin::client/munin::client::base/munin::plugins::base/munin::plugins::linux/Munin::Plugin[df_abs]/File[/etc/munin/plugins/df_abs]/seluser: seluser changed 'user_u' to 'system_u'
info: //Node[obu-repos]/munin::client/munin::client::base/munin::plugins::base/munin::plugins::linux/Munin::Plugin[df_abs]/File[/etc/munin/plugins/df_abs]: Scheduling refresh of Service[munin-node]
</pre>

If I downgrade to puppet-0.24.5-1.el5, puppet runs fine with no changes while still using the 0.24.6RC1 server.
<pre>
[EMAIL PROTECTED] plugins]# puppetd --test --no-noop
notice: Ignoring --listen on onetime run
info: Caching catalog at /var/lib/puppet/state/localconfig.yaml
notice: Starting catalog run
info: Sent transaction report in 1.35 seconds
notice: Finished catalog run in 5.54 seconds
</pre>
/etc/munin/plugins on the 0.24.6RC1 client:
<pre>
lrwxrwxrwx 1 user_u:object_r:etc_t            root root 25 Oct  7 14:59 acpi -> /usr/share/munin/plugins/
lrwxrwxrwx 1 user_u:object_r:etc_t            root root 28 Oct  7 14:58 cpu -> /usr/share/munin/plugins/cpu
lrwxrwxrwx 1 user_u:object_r:etc_t            root root 27 Oct  7 14:58 df -> /usr/share/munin/plugins/df
lrwxrwxrwx 1 user_u:object_r:etc_t            root root 31 Oct  7 14:59 df_abs -> /usr/share/munin/plugins/df_abs
lrwxrwxrwx 1 user_u:object_r:etc_t            root root 33 Oct  7 14:58 df_inode -> /usr/share/munin/plugins/df_inode
</pre>
/etc/munin/plugins on the 0.24.5 client:
<pre>
lrwxrwxrwx 1 root:object_r:etc_t              root root 25 Sep 29 13:37 acpi -> /usr/share/munin/plugins/
lrwxrwxrwx 1 root:object_r:etc_t              root root 28 Sep 29 13:37 cpu -> /usr/share/munin/plugins/cpu
lrwxrwxrwx 1 root:object_r:etc_t              root root 27 Sep 29 13:37 df -> /usr/share/munin/plugins/df
lrwxrwxrwx 1 root:object_r:etc_t              root root 31 Sep 29 13:37 df_abs -> /usr/share/munin/plugins/df_abs
lrwxrwxrwx 1 root:object_r:etc_t              root root 33 Sep 29 13:37 df_inode -> /usr/share/munin/plugins/df_inode
</pre>

----------------------------------------
You received this message because you are subscribed to the Google Groups
"Puppet Bugs" group.