Details
- Bug
- Status: Resolved
- Normal
- Resolution: Fixed
- PUP 3.4.3, PUP 3.6.2, PUP 4.8.1, PUP 4.8.2, PUP 4.10.5
- None
- CentOS 7 with Puppet 4.8.2 (puppet-agent 1.8.3)
  Fedora 25 with Puppet 4.8.2 (puppet-agent 1.8.3)
  CentOS 6.5 x86_64 Puppet 3.4.3 from Puppetlabs repository
  CentOS 6 with Puppet 3.8.7 from Puppetlabs repo
  RHEL 7.3 PE 2016.4.7
- Night's Watch
- 5
- PR - 2019-07-10, PR - 2019-07-23
- Customer Feedback
- Reviewed
- 35205
- 1
- Bug Fix
- Previously, Puppet was unable to effectively manage the SELinux file context without restarting the puppet service, due to an infinitely cached default context for each file. Now Puppet clears this cache after each catalog apply.
- No Action
Description
There's currently no sane way to manage SELinux file contexts using puppet. The only way is to call 'semanage' via an 'exec' resource. But then the next issue comes up: Puppet seems to keep some file context rule cache, built once at startup. I wasn't able to find a way to invalidate this cache without restarting the whole puppet agent. Even when calling 'restorecon' from puppet, the next puppet run will reset file contexts for 'file' resources found in the catalog because of the cached file context rules.
How to reproduce:

setest.pp:

```puppet
file { '/srv/setest-before':
  ensure => directory,
}
-> exec { 'semanage':
  command => '/usr/sbin/semanage fcontext -a -t home_root_t /srv/setest[^/]*',
  creates => '/srv/setest-after',
}
-> file { '/srv/setest-after':
  ensure => directory,
}
```

```
# semanage fcontext -l | grep -c '^/srv/setest'
0
# puppet apply setest.pp
```

Expected behavior:
/srv/setest-before created with default file context
/srv/setest-after created according to new file context rule.

Seen behavior:
Both directories are created with default file context.
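The following verification script is an added example, not part of the ticket or of Puppet itself. After the manifest above has been applied, it compares the SELinux type each directory actually carries with the type the policy now prescribes for that path; a mismatch on /srv/setest-after is exactly the symptom reported here (semanage updated the policy, but the agent labelled the directory from its stale default-context cache). It assumes coreutils `stat -c %C` prints a file's context, that `matchpathcon -n PATH` prints the policy's expected context for the path, and that var_t is the stock default type under /srv; the sample contexts at the bottom are constructed so the comparison logic runs on a host without SELinux.

```sh
#!/bin/sh
# Added verification script (not from the ticket). Checks whether a path's
# actual SELinux type matches what the *current* policy says it should be.
#
# Assumptions: coreutils `stat -c %C` prints the file's context and
# `matchpathcon -n PATH` prints the policy's expected context for PATH.

# Type field of a user:role:type:level SELinux context, e.g. "var_t".
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Compare the type of an actual context against an expected context.
# Prints one result line; returns 0 on match, 1 on mismatch.
compare_types() {
    path=$1; actual_ctx=$2; expected_ctx=$3
    actual=$(selinux_type "$actual_ctx")
    expected=$(selinux_type "$expected_ctx")
    if [ "$actual" = "$expected" ]; then
        printf 'ok        %s: %s\n' "$path" "$actual"
        return 0
    fi
    printf 'MISMATCH  %s: is %s, policy says %s\n' "$path" "$actual" "$expected"
    return 1
}

# Live check of one path on an SELinux host: actual label vs. policy label.
check_path() {
    path=$1
    compare_types "$path" "$(stat -c %C -- "$path")" "$(matchpathcon -n "$path")"
}

# Live check of the reproduction. Only /srv/setest-after is compared with the
# policy: /srv/setest-before was created before the semanage rule existed and
# is expected to keep the old default type until restorecon relabels it.
check_repro() {
    check_path /srv/setest-after
}

# Constructed sample mirroring the "seen behavior" above: the rule for
# /srv/setest* now maps to home_root_t, but the directory was created with
# the old default type (var_t is the assumed stock default for /srv).
SAMPLE_ACTUAL='unconfined_u:object_r:var_t:s0'
SAMPLE_POLICY='system_u:object_r:home_root_t:s0'

# Demonstration on the constructed sample (no SELinux needed); prints MISMATCH.
compare_types /srv/setest-after "$SAMPLE_ACTUAL" "$SAMPLE_POLICY" || true
```

On an affected agent, `check_repro` reports MISMATCH right after `puppet apply`, and keeps doing so on every run until the agent is restarted, which is the workaround the report describes; on a fixed release the second directory comes out as home_root_t.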