Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-10548

Wrong SELinux contexts on files if puppet installs new rpm with SELinux policy

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Accepted
    • Priority: Normal
    • Resolution: Unresolved
    • Affects Version/s: PUP 6.15.0
    • Fix Version/s: None
    • Component/s: Types and Providers
    • Labels:
      None
    • Template:
      PUP Bug Template
    • Agent OS:
      CentOS 7
    • Team:
      Night's Watch
    • Sprint:
      PR - Triage
    • Method Found:
      Needs Assessment
    • QA Risk Assessment:
      Needs Assessment

      Description

      Puppet Version: 6.15.0
      Puppet Server Version: not applicable, we don't use it in our environment (we use "git pull && puppet apply -e <classname>" on every node)
      OS Name/Version: CentOS 7.8

      In our company, we have custom SELinux policy shipped in rpm. When we deploy new instance, our puppet recipes installs SELinux policy rpm and then create various file resources. However those resources are created with wrong SELinux labels because puppet doesn't refresh selinux contexts on file resources after new package is installed. To get proper file contexts, we must run puppet twice (first run install SELinux policy and the second run fixes file contexts)

      In our environment, we use something like this:

        package { 'gdc-selinux':
          ensure => latest;
        }
        -> file { '/etc/gdc/gcf':
          ensure => directory;
        }
        -> file { '/etc/gdc/gcf/gcfw.json':
          ensure => present;
        }
      

       
      The first puppet run outputs following - pkg is installed and files created, however with wrong SELinux context:

      Notice: /Stage[main]/Type::Type_fake/Package[gdc-selinux]/ensure: created
      Notice: /Stage[main]/Type::Type_fake/File[/etc/gdc/gcf]/ensure: created
      Notice: /Stage[main]/Type::Type_fake/File[/etc/gdc/gcf/gcfw.json]/ensure: created
      

      The second puppet run fixes the issue:

      Notice: /Stage[main]/Type::Type_fake/File[/etc/gdc/gcf]/seltype: seltype changed 'etc_t' to 'gdc_etc_t'
      Notice: /Stage[main]/Type::Type_fake/File[/etc/gdc/gcf/gcfw.json]/seltype: seltype changed 'etc_t' to 'gdc_gcfw_conf_t'
      

      For your conveniency, this is also reproducer (although not with "package" resource but with custom "exec" but logic behind it is pretty similar - update SELinux policy and then deliver files)

        exec { '/usr/sbin/semanage fcontext --add --type bin_t /tmp/barani':
          logoutput => true;
        }
        -> file { '/tmp/barani':
          ensure => present;
        }
      

      # puppet apply
      ...
      Notice: /Stage[main]/Type::Type_fake/Exec[/usr/sbin/semanage fcontext --add --type bin_t /tmp/barani]/returns: executed successfully
      Notice: /Stage[main]/Type::Type_fake/File[/tmp/barani]/ensure: created
      

      # ls -Z /tmp/barani 
      -rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 /tmp/barani
      

      # second puppet apply
      ...
      Notice: /Stage[main]/Type::Type_fake/File[/tmp/barani]/seltype: seltype changed 'user_tmp_t' to 'bin_t'
      

      Desired Behavior:
      Files are created with proper SELinux contexts during one puppet run, instead of two runs needed

      Actual Behavior:
      Check original description for reproducer or feel free to contact me if you need more info.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              Unassigned
              Reporter:
              vonsch Adam Tkac
              Votes:
              1 Vote for this issue
              Watchers:
              5 Start watching this issue

                Dates

                Created:
                Updated:

                  Zendesk Support