Hi list,

I've got an issue at the moment, which isn't really a big problem, but an untidy annoyance really, and I'd just like to understand what the best practice might be when dealing with the issue.

As a really quick summary, the issue is that Puppet is starting up the mysqld service for the first time as unconfined_u, and then when MySQL goes and creates a load of its initial files also as unconfined_u, Puppet goes and resets them all to system_u which is what they should be when checking matchpathcon:

The thing is, because the service is started as unconfined_u, any databases/tables that are created are going to inherit that, and Puppet is going to be resetting them.

For some more detail, I've written something which will set the mysqld_db_t selinux file_context on my data directories which are in /home, and I have a notify which will go and check and re-set the selinux file_context if there are any changes in these directories. They're set to recurse, so to stop Puppet changing things from unconfined_u to system_u on a regular basis, and sending refresh notices to my Exec resources, I've set selinux_ignore_defaults to true in my File resources.

This strikes me as a bit of a dirty way of doing things, and I was wondering if anyone had any better ideas of how to manage this.

Please find below a sample of the relevant code - because I'm sure my verbose description is probably leaving some people scratching their heads! :) I was going to make the file_context stuff much more re-usable, but want to get my head around the best practices first - as I'm not that experienced with all of this stuff to be honest!

Many thanks. Tom.


  # List of directories we're going to use with MySQL
  $mysqldirs = [ "/home/data", "/home/logs", "/home/mysqltmp", ]

  # Set SELinux contexts
  define add_selinux_context ($context = "mysqld_db_t") {
    file { $name:
      ensure  => "directory",
      owner   => "mysql",
      group   => "mysql",
      seltype => $context,   # use the parameter instead of a hard-coded type
      selinux_ignore_defaults => true,
      recurse => true,
      require => Package["mysql-server"],
      notify  => [ Exec["add_file_context_${context}_${name}"],
                   Exec["set_file_context_${context}_${name}"], ],
    }

    # Set the default file_context regex for the path
    exec { "add_file_context_${context}_${name}":
      command     => "semanage fcontext -a -t ${context} \"${name}(/.*)?\"",
      # `semanage fcontext -l` prints "spec   all files   user:role:type:level",
      # so the type does not follow the spec directly; allow text in between
      unless      => "semanage fcontext -l | grep '^${name}(/.*)?.*:${context}:'",
      path        => [ "/usr/sbin", "/sbin", "/usr/bin", "/bin", ],
      require     => [ Package["policycoreutils-python"], File[$name], ],
      refreshonly => true,
    }

    # Reset the file_context using restorecon, once the fcontext rule exists.
    # The exec is refreshonly, so no "unless" is needed; checking only the top
    # directory's type (which the File resource already sets) would stop it
    # from ever running.
    exec { "set_file_context_${context}_${name}":
      command     => "restorecon -R ${name}",
      path        => [ "/usr/sbin", "/sbin", "/usr/bin", "/bin", ],
      require     => [ File[$name], Exec["add_file_context_${context}_${name}"], ],
      refreshonly => true,
    }
  }

  add_selinux_context { $mysqldirs:
    context => "mysqld_db_t",
  }

  # Keep it running
  service { "mysqld":
    ensure    => "running",
    hasstatus => true,
    require   => [ Package["mysql-server"], File[$mysqldirs], ],
  }
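As an added example (not from the post, and not Puppet's or MySQL's code), here is a shell script with the checks the manifest's `unless` clauses attempt: whether a `semanage fcontext` rule for a path already maps to a type, and which files under a directory drift from the expected type or from the system_u SELinux user. It parses text in the shape of `semanage fcontext -l` and `ls --scontext` output; the samples are constructed so it runs without SELinux.

```shell
#!/bin/bash
# Added example, not from the post. Parses text shaped like `semanage fcontext -l`
# and `ls --scontext` output (constructed samples below) so it runs without SELinux.

# Constructed sample of `semanage fcontext -l`: spec, file type, context.
FCONTEXT_SAMPLE='/home/data(/.*)?        all files    system_u:object_r:mysqld_db_t:s0
/home/logs(/.*)?        all files    system_u:object_r:mysqld_db_t:s0
/var/lib/mysql(/.*)?    all files    system_u:object_r:mysqld_db_t:s0'

# Constructed sample of per-file "context path" lines, as `ls --scontext` prints.
LSZ_SAMPLE='system_u:object_r:mysqld_db_t:s0 /home/data
unconfined_u:object_r:mysqld_db_t:s0 /home/data/mysql
unconfined_u:object_r:mysqld_db_t:s0 /home/data/mysql/user.frm
unconfined_u:object_r:user_home_t:s0 /home/data/ibdata1
system_u:object_r:mysqld_db_t:s0 /home/logs'

# fcontext_rule_present PATH TYPE: exit 0 if a rule "PATH(/.*)?" maps to TYPE.
# The spec is compared as a literal prefix, so its regex metacharacters are
# not interpreted (the grep in the post treats them as a pattern).
fcontext_rule_present() {
  awk -v spec="$1(/.*)?" -v want="$2" '
    index($0, spec) == 1 { split($NF, ctx, ":"); if (ctx[3] == want) found = 1 }
    END { if (found) exit 0; exit 1 }'
}

# wrong_type ROOT TYPE: print files under ROOT (ROOT itself or ROOT/...) whose
# type field is not TYPE, i.e. what `restorecon -R ROOT` would relabel.
wrong_type() {
  awk -v root="$1" -v want="$2" '
    ($2 == root || index($2, root "/") == 1) {
      split($1, ctx, ":"); if (ctx[3] != want) print $2 }'
}

# seuser_not_system ROOT: print files under ROOT whose SELinux user is not
# system_u, i.e. the unconfined_u files the post sees Puppet resetting.
seuser_not_system() {
  awk -v root="$1" '
    ($2 == root || index($2, root "/") == 1) && $1 !~ /^system_u:/ { print $2 }'
}

# Stand-alone demonstration on the constructed samples.
printf '%s\n' "$FCONTEXT_SAMPLE" | fcontext_rule_present /home/data mysqld_db_t \
  && echo "fcontext rule for /home/data -> mysqld_db_t is present"
echo "files under /home/data not of type mysqld_db_t:"
printf '%s\n' "$LSZ_SAMPLE" | wrong_type /home/data mysqld_db_t
echo "files under /home/data not owned by SELinux user system_u:"
printf '%s\n' "$LSZ_SAMPLE" | seuser_not_system /home/data
```

On a real host the same functions take `semanage fcontext -l` and `find DIR -exec ls -d --scontext {} +` on stdin instead of the samples.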
