You need to add a require to the service for the config files you are managing.
I find the best way to do that is put all the config files in a config
subclass and then require that in in the service.
On 10 October 2012 01:02, Tom <t...@t0mb.net> wrote:
> Hi list,
>
> I've got an issue at the moment, which isn't really a big problem, but an
> untidy annoyance really, and I'd just like to understand what the best
> practice might be when dealing with the issue.
>
> As a really quick summary, the issue is that Puppet is starting up the
> mysqld service for the first time as unconfined_u, and then when MySQL goes
> and creates a load of its initial files also as unconfined_u, Puppet goes
> and resets them all to system_u which is what they should be when checking
> matchpathcon:
>
> The thing is, because the service is started as unconfined_u, any
> databases/tables that are created are going to inherit that, and puppet is
> going to be resetting them.
>
> For some more detail, I've written something which will set the mysqld_db_t
> selinux file_context on my data directories which are in /home, and I have a
> notify which will go and check and re-set the selinux file_context if there
> are any changes in these directories. They're set to recurse, so to stop
> Puppet changing things from unconfined_u to system_u on a regular basis, and
> sending refresh notices to my Exec resources, I've set
> selinux_ignore_defaults to true in my File resources.
>
> This strikes me as a bit of a dirty way of doing things, and I was wondering
> if anyone had any better ideas of how to manage this.
>
> Please find below a sample of the relevant code - because I'm sure my
> verbose description is probably leaving some people scratching their heads!
> :) I was going to make the file_context stuff much more re-usable, but want
> to get my head around the best practices first - as I'm not that experiened
> with all of this stuff to be honest!
>
> Many thanks. Tom.
>
>
> # List of directories we're going to use with MySQL
> $mysqldirs = [ "/home/data", "/home/logs", "/home/mysqltmp", ]
>
> # Set SELinux contexts
> define add_selinux_context ($context = "mysqld_db_t") {
> file { $name:
> ensure => "directory",
> owner => "mysql",
> group => "mysql",
> seltype => "mysqld_db_t",
> selinux_ignore_defaults => "true",
> recurse => "true",
> require => Package["mysql-server"],
> notify => [ Exec["add_file_context_${context}_${name}"],
> Exec["set_file_context_${context}_${name}"], ],
> }
>
> # Set the default file_context regex for the path
> exec { "add_file_context_${context}_${name}":
> command => "semanage fcontext -a -t ${context} \"${name}(/.*)?\"",
> unless => "semanage fcontext -l | grep '^${name}(/.*)?:${context}:'",
> require => [ Package["policycoreutils-python"], File[$name], ],
> refreshonly => "true",
> }
>
> # Reset the file_context using restorecon
> exec { "set_file_context_${context}_${name}":
> command => "restorecon -R ${name}",
> unless => "ls -d --scontext ${name} | awk -F: '{print \$3}' | grep
> \"${context}\"",
> require => File["$name"],
> refreshonly => "true",
> }
> }
>
> add_selinux_context { $mysqldirs:
> context => "mysqld_db_t",
> }
>
> # Keep it running
> service { "mysqld":
> ensure => "running",
> hasstatus => true,
> require => [ Package["mysql-server"], File[$mysqldirs], ]
> }
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
>
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
