Hello,
Recently we had trouble with the default value of the file type's 'seltype' 
attribute. Situation:

We have path:
/srv/e/p/a/xxx

For /srv/ selinux context:
/srv/.* all files system_u:object_r:var_t:s0 

For /srv/e/p/a/xxx selinux context:
/srv/e/p/a/xxx(/.*)? all files 
system_u:object_r:prod_secmon_ceres_config_t:s0

We are managing file.txt under the /srv/e/p/a/xxx directory. We are not 
setting a value for the seltype attribute, therefore the default is used.
file { '/srv/e/p/a/xxx/file.txt':
  ensure  => file,
  content => ...,
  ...
}

According to the doc, matchpathcon is used, when the seltype attribute is 
not specified.

matchpathcon /srv/e/p/a/xxx//test.txt 
/srv/e/p/a/xxx/test.txt system_u:object_r:prod_secmon_ceres_config_t:s0

The problem is that puppet keeps setting the seltype attribute for file.txt 
to var_t instead of prod_secmon_ceres_config_t.

I checked the puppet code; there is no seltype attribute anywhere in the whole 
environment.
I checked the catalog JSON file - no seltype is set.

When I run puppet apply locally with just a single file resource, the 
selinux context is OK. 
Also, when I run an exec with matchpathcon /srv/e/p/a/xxx//test.txt > 
/tmp/match.log within the same puppet run, I have the correct fcontext in 
match.log, but the fcontext of test.txt is still set to var_t.
Also, when I manually change the fcontext of test.txt to something else, 
puppet sets it back to var_t.
And finally, restorecon sets the right context prod_secmon_ceres_config_t for 
that file. 

The only thing that helped in this situation was restarting the puppet agent on 
the servers, and not all servers in the env were affected.

Has anybody else experienced this kind of behavior? Is there any kind of 
caching mechanism involved?

We are running version 3.8.1 of the puppet enterprise agent (and a 3.6.x server, 
but I think this is a problem on the agent side).

Thanks,
H.Karasek
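As an added illustration (not code from the post above, from Puppet, or from libselinux), here is a small Python model of how the two fcontext rules quoted in the post resolve for a given path, and a check that reports when a file's on-disk type differs from the one policy assigns. The file_contexts fragment and the "observed" contexts are constructed for the example; the resolver follows the file_contexts rule that the last matching entry wins, which is why the more specific /srv/e/p/a/xxx(/.*)? line overrides /srv/.*. Collapsing duplicate slashes before matching (as in the post's /srv/e/p/a/xxx//test.txt invocation) is an assumption of this model.

```python
import posixpath
import re

# Constructed file_contexts fragment reproducing the two rules quoted in the post.
# A real file_contexts line is "regex [file_type] context"; "all files" in the
# post's semanage-style listing corresponds to a line with no file_type column.
FILE_CONTEXTS = """\
# regex                      context
/srv/.*                      system_u:object_r:var_t:s0
/srv/e/p/a/xxx(/.*)?         system_u:object_r:prod_secmon_ceres_config_t:s0
"""


def parse_file_contexts(text):
    """Parse file_contexts lines into (compiled_regex, file_type_or_None, context)."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, ftype, ctx = fields
        elif len(fields) == 2:
            regex, ctx = fields
            ftype = None
        else:
            continue  # malformed line; a real loader would reject the file
        # libselinux anchors every spec so it must match the whole path.
        specs.append((re.compile("^" + regex + "$"), ftype, ctx))
    return specs


SPECS = parse_file_contexts(FILE_CONTEXTS)


def expected_context(path, specs=SPECS, ftype="--"):
    """Return the context assigned by the last matching spec, or None if none match.

    ftype uses the file_contexts codes: "--" regular file, "-d" directory, etc.
    A spec with no file_type column applies to every file type.
    """
    # Assumption for this model: collapse duplicate slashes before matching.
    path = posixpath.normpath(path)
    for regex, spec_ftype, ctx in reversed(specs):  # last matching entry wins
        if spec_ftype is not None and spec_ftype != ftype:
            continue
        if regex.match(path):
            return ctx
    return None


def context_type(ctx):
    """Extract the type field (user:role:TYPE:level), which is what seltype holds."""
    return ctx.split(":")[2]


def expected_type(path, specs=SPECS, ftype="--"):
    ctx = expected_context(path, specs, ftype)
    return None if ctx is None else context_type(ctx)


def seltype_drift(path, actual_ctx, specs=SPECS, ftype="--"):
    """Return (expected_type, actual_type) when the on-disk type differs from policy, else None."""
    want = expected_type(path, specs, ftype)
    have = context_type(actual_ctx)
    return None if want is None or want == have else (want, have)


if __name__ == "__main__":
    # Constructed "ls -Z"-style observations, including the var_t drift from the post.
    observed = {
        "/srv/e/p/a/xxx/test.txt": "system_u:object_r:var_t:s0",
        "/srv/e/p/a/xxx/ok.txt": "system_u:object_r:prod_secmon_ceres_config_t:s0",
        "/srv/other/file": "system_u:object_r:var_t:s0",
    }
    for p, ctx in observed.items():
        drift = seltype_drift(p, ctx)
        status = "OK" if drift is None else "DRIFT expected %s, found %s" % drift
        print(f"{p}: {status}")
```

On a real host the "observed" contexts would come from stat -c %C or ls -Z, and the expected ones from matchpathcon; the comparison on the type field alone mirrors what a seltype check looks at, so the script flags exactly the var_t case the post describes.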
-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/6246481e-20cd-4872-bace-08fe0c8442a2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.