Puppet / PUP-10548

Wrong SELinux contexts on files if puppet installs new rpm with SELinux policy



    • Type: Bug
    • Status: Accepted
    • Priority: Normal
    • Resolution: Unresolved
    • Affects Version/s: PUP 6.15.0
    • Fix Version/s: None
    • Component/s: Types and Providers
    • Labels: None
    • Needs Assessment


      Puppet Version: 6.15.0
      Puppet Server Version: not applicable, we don't use it in our environment (we use "git pull && puppet apply -e <classname>" on every node)
      OS Name/Version: CentOS 7.8

      In our company, we have a custom SELinux policy shipped in an rpm. When we deploy a new instance, our puppet recipes install the SELinux policy rpm and then create various file resources. However, those resources are created with wrong SELinux labels because puppet doesn't refresh SELinux contexts on file resources after a new package is installed. To get proper file contexts, we must run puppet twice (the first run installs the SELinux policy and the second run fixes the file contexts).

      In our environment, we use something like this:

        package { 'gdc-selinux':
          ensure => latest;
        }
        -> file { '/etc/gdc/gcf':
          ensure => directory;
        }
        -> file { '/etc/gdc/gcf/gcfw.json':
          ensure => present;
        }

      The first puppet run outputs the following - the pkg is installed and the files are created, however with the wrong SELinux context:

      Notice: /Stage[main]/Type::Type_fake/Package[gdc-selinux]/ensure: created
      Notice: /Stage[main]/Type::Type_fake/File[/etc/gdc/gcf]/ensure: created
      Notice: /Stage[main]/Type::Type_fake/File[/etc/gdc/gcf/gcfw.json]/ensure: created

      The second puppet run fixes the issue:

      Notice: /Stage[main]/Type::Type_fake/File[/etc/gdc/gcf]/seltype: seltype changed 'etc_t' to 'gdc_etc_t'
      Notice: /Stage[main]/Type::Type_fake/File[/etc/gdc/gcf/gcfw.json]/seltype: seltype changed 'etc_t' to 'gdc_gcfw_conf_t'

      For your convenience, here is also a reproducer (although not with a "package" resource but with a custom "exec"; the logic behind it is pretty similar: update the SELinux policy and then deliver files):

        exec { '/usr/sbin/semanage fcontext --add --type bin_t /tmp/barani':
          logoutput => true;
        }
        -> file { '/tmp/barani':
          ensure => present;
        }

      # puppet apply
      Notice: /Stage[main]/Type::Type_fake/Exec[/usr/sbin/semanage fcontext --add --type bin_t /tmp/barani]/returns: executed successfully
      Notice: /Stage[main]/Type::Type_fake/File[/tmp/barani]/ensure: created

      # ls -Z /tmp/barani 
      -rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 /tmp/barani

      # second puppet apply
      Notice: /Stage[main]/Type::Type_fake/File[/tmp/barani]/seltype: seltype changed 'user_tmp_t' to 'bin_t'

      Desired Behavior:
      Files are created with proper SELinux contexts during one puppet run, instead of the two runs currently needed.

      Actual Behavior:
      Check original description for reproducer or feel free to contact me if you need more info.
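The manifest below is an added workaround example for the single-run problem described in this issue; it is not the reporter's manifest and not code from the Puppet project. It reuses the package name and the two target types from the ticket (gdc-selinux, gdc_etc_t, gdc_gcfw_conf_t) and assumes that an explicitly set seltype is enforced as an ordinary property after the file is created (so it does not depend on the default-context lookup that was cached before the package was installed), and that restorecon lives at /sbin/restorecon as on CentOS 7.

```puppet
# Added example (not the reporter's code). Assumed: the gdc-selinux policy
# labels /etc/gdc/gcf as gdc_etc_t and gdc_gcfw.json as gdc_gcfw_conf_t,
# as the ticket's second run shows.
package { 'gdc-selinux':
  ensure => latest,
}

# Pinning seltype explicitly avoids relying on the default-context lookup
# that puppet resolved before the policy package was installed. If the
# label is wrong right after creation, the property is corrected in the
# same run instead of on the next one.
file { '/etc/gdc/gcf':
  ensure  => directory,
  seltype => 'gdc_etc_t',
  require => Package['gdc-selinux'],
}

file { '/etc/gdc/gcf/gcfw.json':
  ensure  => file,
  seltype => 'gdc_gcfw_conf_t',
  require => File['/etc/gdc/gcf'],
}

# Second layer: relabel the whole tree from the freshly loaded policy in
# the same run. Fires only when the package changed, and only after the
# files exist, so it also covers files whose type is not pinned above.
exec { 'restorecon /etc/gdc':
  command     => '/sbin/restorecon -R /etc/gdc',
  refreshonly => true,
  subscribe   => Package['gdc-selinux'],
  require     => File['/etc/gdc/gcf/gcfw.json'],
}
```

After a single `puppet apply`, `ls -Z /etc/gdc/gcf/gcfw.json` should already show `gdc_gcfw_conf_t`; a second apply should report no seltype changes, which is the quickest way to confirm the workaround on a fresh node.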

      Assignee: Unassigned
      Reporter: Adam Tkac (vonsch)