Jira (PUP-2169) Not possible to manage SELinux file contexts via puppet in a sane way

2014-07-16 Thread Brett Lentz (JIRA)

Brett Lentz commented on an issue

That's correct. semanage doesn't change the filesystem, but it should affect new files after the regex is in place. There might be a race condition that's causing the setest-after to not get the new context. I'll look into that.
However, there's a second issue that once the fcontext applies, we still need to do a 'restorecon' on the path to reset the labels on objects created before the new regex is in place. I'm uncertain if the module should run restorecon automatically in all cases, but I can look at adding it as an option. It might also help mitigate the above-mentioned race condition.

Puppet / PUP-2169
Not possible to manage SELinux file contexts via puppet in a sane way

 There's currently no sane way to manage SELinux file contexts using puppet. The only way is to call 'semanage' via a 'exec' resource. But then the next issue comes up: Puppet seems to keep some file context rule cache, built once at startup. I wasn't able to find a way to invalidate this cache without restarting the whole puppet agent. Even when calling '...
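
The two steps from the comment above (record the fcontext rule, then relabel objects that already exist), as an added shell example that is not part of this thread or of the puppet-selinux_types module. The type, file spec and path in the usage line are constructed values, and the drift check runs on every call rather than only after the rule is added.

```shell
#!/bin/sh
# Added example, not from the thread. Arguments in the usage line are constructed.
# Usage: sh ensure_fcontext.sh httpd_sys_content_t '/srv/www(/.*)?' /srv/www

# fcontext_present TYPE SPEC: true if a local rule maps SPEC to TYPE.
# Assumes the file spec contains no whitespace (it is field 1 of the listing).
fcontext_present() {
    semanage fcontext -l -C 2>/dev/null |
        FC_TYPE="$1" FC_SPEC="$2" awk '
            $1 == ENVIRON["FC_SPEC"] {
                split($NF, ctx, ":")            # user:role:type[:range]
                if (ctx[3] == ENVIRON["FC_TYPE"]) found = 1
            }
            END { exit !found }'
}

# ensure_fcontext TYPE SPEC PATH
# Sets RULE_ADDED and RELABELED (0 or 1) so callers can report what changed.
ensure_fcontext() {
    RULE_ADDED=0
    RELABELED=0
    if ! fcontext_present "$1" "$2"; then
        # -a only records the rule in the local policy store; nothing on disk
        # is relabeled. It fails if SPEC already has a rule with another type.
        semanage fcontext -a -t "$1" "$2" || return 1
        RULE_ADDED=1
    fi
    # Dry run on every call, not only after adding the rule: -n changes
    # nothing, -v prints each object whose label differs from policy. This
    # also catches files created between the rule landing and this check.
    drift=$(restorecon -R -n -v "$3" 2>/dev/null) || return 1
    if [ -n "$drift" ]; then
        restorecon -R "$3" || return 1
        RELABELED=1
    fi
}

if [ "$#" -eq 3 ]; then
    ensure_fcontext "$@"
    echo "rule_added=$RULE_ADDED relabeled=$RELABELED"
fi
```

Called from a Puppet 'exec', a wrapper like this stays idempotent: a second run with the rule present and no mislabeled objects changes nothing.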
Jira (PUP-2169) Not possible to manage SELinux file contexts via puppet in a sane way

2014-07-10 Thread Brett Lentz (JIRA)

Brett Lentz commented on an issue

There's this module: https://github.com/blentz/puppet-selinux_types