You need to add a require to the service for the config files you are managing. I find the best way to do that is put all the config files in a config subclass and then require that in the service.
On 10 October 2012 01:02, Tom <t...@t0mb.net> wrote:
> Hi list,
>
> I've got an issue at the moment, which isn't really a big problem, but an
> untidy annoyance really, and I'd just like to understand what the best
> practice might be when dealing with the issue.
>
> As a really quick summary, the issue is that Puppet is starting up the
> mysqld service for the first time as unconfined_u, and then when MySQL goes
> and creates a load of its initial files also as unconfined_u, Puppet goes
> and resets them all to system_u which is what they should be when checking
> matchpathcon:
>
> The thing is, because the service is started as unconfined_u, any
> databases/tables that are created are going to inherit that, and puppet is
> going to be resetting them.
>
> For some more detail, I've written something which will set the mysqld_db_t
> selinux file_context on my data directories which are in /home, and I have a
> notify which will go and check and re-set the selinux file_context if there
> are any changes in these directories. They're set to recurse, so to stop
> Puppet changing things from unconfined_u to system_u on a regular basis, and
> sending refresh notices to my Exec resources, I've set
> selinux_ignore_defaults to true in my File resources.
>
> This strikes me as a bit of a dirty way of doing things, and I was wondering
> if anyone had any better ideas of how to manage this.
>
> Please find below a sample of the relevant code - because I'm sure my
> verbose description is probably leaving some people scratching their heads!
> :) I was going to make the file_context stuff much more re-usable, but want
> to get my head around the best practices first - as I'm not that experienced
> with all of this stuff to be honest!
>
> Many thanks. Tom.
>
> # List of directories we're going to use with MySQL
> $mysqldirs = [ "/home/data", "/home/logs", "/home/mysqltmp", ]
>
> # Set SELinux contexts
> define add_selinux_context ($context = "mysqld_db_t") {
>   file { $name:
>     ensure                  => "directory",
>     owner                   => "mysql",
>     group                   => "mysql",
>     # use the parameter rather than a hard-coded type
>     seltype                 => $context,
>     # these attributes take booleans, not the string "true"
>     selinux_ignore_defaults => true,
>     recurse                 => true,
>     require                 => Package["mysql-server"],
>     notify                  => [ Exec["add_file_context_${context}_${name}"],
>                                  Exec["set_file_context_${context}_${name}"], ],
>   }
>
>   # Set the default file_context regex for the path
>   exec { "add_file_context_${context}_${name}":
>     command     => "semanage fcontext -a -t ${context} \"${name}(/.*)?\"",
>     # semanage -l prints the regex, a file-type column and the full
>     # context, so match the regex literally and the type separately
>     unless      => "semanage fcontext -l | grep -F \"${name}(/.*)?\" | grep \":${context}:\"",
>     # exec needs a path (or fully qualified commands) to run at all
>     path        => [ "/usr/sbin", "/usr/bin", "/bin" ],
>     require     => [ Package["policycoreutils-python"], File[$name], ],
>     refreshonly => true,
>   }
>
>   # Reset the file_context using restorecon
>   exec { "set_file_context_${context}_${name}":
>     command     => "restorecon -R ${name}",
>     unless      => "ls -d --scontext ${name} | awk -F: '{print \$3}' | grep \"${context}\"",
>     path        => [ "/sbin", "/usr/sbin", "/bin", "/usr/bin" ],
>     require     => File[$name],
>     refreshonly => true,
>   }
> }
>
> add_selinux_context { $mysqldirs:
>   context => "mysqld_db_t",
> }
>
> # Keep it running
> service { "mysqld":
>   ensure    => "running",
>   hasstatus => true,
>   require   => [ Package["mysql-server"], File[$mysqldirs], ],
> }
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
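As an added illustration of the reply's suggestion (this is example code written for this page, not code from Tom or from the thread): the directory and file-context work is moved into its own class, and the service requires that whole class, so the fcontext rule is registered and restorecon has run before mysqld is ever started. The class names `mysql`, `mysql::config` and `mysql::selinux_context`, the resource titles and the `path` values are assumptions; the package names and directory list come from Tom's message.

```puppet
# Added example: order SELinux labelling before the first service start
# by putting it in a config subclass that the service requires.

define mysql::selinux_context ($context = 'mysqld_db_t') {
  # Register the file-context rule first, so that restorecon has a
  # rule to apply when the directory appears.
  exec { "fcontext_${name}":
    command => "semanage fcontext -a -t ${context} '${name}(/.*)?'",
    # semanage -l prints "<regex>  <file type>  user:role:type:level"
    unless  => "semanage fcontext -l | grep -F '${name}(/.*)?' | grep -q ':${context}:'",
    path    => ['/usr/sbin', '/usr/bin', '/bin'],
    require => Package['policycoreutils-python'],
  }

  # Manage only the directory itself, not its contents: the data files
  # MySQL creates are left to restorecon, so there is nothing for
  # Puppet to keep relabelling on every run.
  file { $name:
    ensure  => directory,
    owner   => 'mysql',
    group   => 'mysql',
    seltype => $context,
    require => Exec["fcontext_${name}"],
  }

  # Apply the registered contexts whenever the rule or the directory changes.
  exec { "restorecon_${name}":
    command     => "restorecon -R ${name}",
    path        => ['/sbin', '/usr/sbin', '/bin', '/usr/bin'],
    refreshonly => true,
    subscribe   => [Exec["fcontext_${name}"], File[$name]],
  }
}

class mysql::config {
  # Directory list from the original message.
  $mysqldirs = ['/home/data', '/home/logs', '/home/mysqltmp']

  # assumed: semanage is provided by this package, as in the thread
  package { 'policycoreutils-python':
    ensure => installed,
  }

  mysql::selinux_context { $mysqldirs:
    context => 'mysqld_db_t',
  }
}

class mysql {
  package { 'mysql-server':
    ensure => installed,
  }

  # The package creates the mysql user the file resources need.
  class { 'mysql::config':
    require => Package['mysql-server'],
  }

  # Requiring the class (not individual files) orders every resource
  # in mysql::config before the service, including the restorecon execs.
  service { 'mysqld':
    ensure    => running,
    hasstatus => true,
    require   => Class['mysql::config'],
  }
}

include mysql
```

With this ordering the directories already carry `mysqld_db_t` when mysqld starts for the first time, so the files it creates on that start inherit the right type instead of being relabelled afterwards. Dropping `recurse` also removes the need for `selinux_ignore_defaults`, because Puppet no longer inspects the contexts of the data files themselves; `restorecon -R` handles those.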