Details
Type: Bug
Status: Accepted
Priority: Normal
Resolution: Unresolved
Affects Version/s: PUP 3.4.3, PUP 3.7.0, PUP 5.5.0
Team: Night's Watch
Description
Purpose
https://docs.puppetlabs.com/references/latest/type.html#file-attribute-selinux_ignore_defaults
selinux_ignore_defaults
If this is set then Puppet will not ask SELinux (via matchpathcon) to supply defaults for the SELinux attributes (seluser, selrole, seltype, and selrange). In general, you should leave this set at its default and only set it to true when you need Puppet to not try to fix SELinux labels automatically.
Valid values are true, false.
If this parameter is true, the SELinux label should not be changed when the file is updated by Puppet. However, the behavior is the same as when it is false, only without the output about the changed label.
Our problem is the following:
- a Puppet run is executed (our SELinux policies are not installed yet)
- Puppet loads the currently present policies at the beginning
- the package gdc-selinux with our policies is installed, but the loaded policies are not updated during the Puppet run
- the product package is installed and delivers a configuration file, e.g. /etc/test; it is correctly labeled gdc_etc_t
- Puppet updates the configuration file and "fixes" the label automatically to etc_t, which was loaded during Puppet execution; however, the label doesn't match the currently installed policy. The parameter selinux_ignore_defaults should skip this "auto-fixing" and keep the label intact.
Tested with Puppet versions: 3.4.3, 3.7.0 (latest)
Reproducer
selinux_ignore_defaults => false (OK)
- create a file with a custom non-default label (gdc_etc_t)
$ touch /etc/test;ls -lhZ /etc/test
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 /etc/test
$ chcon -t gdc_etc_t /etc/test;ls -lhZ /etc/test
-rw-r--r--. root root unconfined_u:object_r:gdc_etc_t:s0 /etc/test
- edit the file with Puppet
$ cat test.pp
file {
  '/etc/test':
    selinux_ignore_defaults => false,
    content                 => 'test123',
    ensure                  => file;
}
$ puppet apply -v test.pp
Notice: Compiled catalog for dev1-c3.int.na.intgdc.com in environment production in 0.11 seconds
Info: Applying configuration version '1409921532'
Info: FileBucket got a duplicate file {md5}d41d8cd98f00b204e9800998ecf8427e
Info: /Stage[main]/Main/File[/etc/test]: Filebucketed /etc/test to puppet with sum d41d8cd98f00b204e9800998ecf8427e
Notice: /Stage[main]/Main/File[/etc/test]/content: content changed '{md5}d41d8cd98f00b204e9800998ecf8427e' to '{md5}cc03e747a6afbbcbf8be7668acfebee5'
Notice: /File[/etc/test]/seluser: seluser changed 'unconfined_u' to 'system_u'
Notice: /File[/etc/test]/seltype: seltype changed 'gdc_etc_t' to 'etc_t'
Notice: Finished catalog run in 0.26 seconds
$ ls -lhZ /etc/test
-rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/test
strace:
lstat("/etc/test", {st_mode=S_IFREG|0644, st_size=14, ...}) = 0
lstat("/etc/test", {st_mode=S_IFREG|0644, st_size=14, ...}) = 0
lstat("/etc/test", {st_mode=S_IFREG|0644, st_size=14, ...}) = 0
lstat("/etc/test", {st_mode=S_IFREG|0644, st_size=14, ...}) = 0
lstat("/etc/test", {st_mode=S_IFREG|0644, st_size=14, ...}) = 0
open("/etc/test", O_RDONLY) = 3
lgetxattr("/etc/test", "security.selinux", "unconfined_u:object_r:gdc_etc_t:s0", 255) = 35
lgetxattr("/etc/test", "security.selinux", "unconfined_u:object_r:gdc_etc_t:s0", 255) = 35
lgetxattr("/etc/test", "security.selinux", "unconfined_u:object_r:gdc_etc_t:s0", 255) = 35
lgetxattr("/etc/test", "security.selinux", "unconfined_u:object_r:gdc_etc_t:s0", 255) = 35
stat("/etc/test", {st_mode=S_IFREG|0644, st_size=14, ...}) = 0
lstat("/etc/test", {st_mode=S_IFREG|0644, st_size=14, ...}) = 0
stat("/etc/test", {st_mode=S_IFREG|0644, st_size=14, ...}) = 0
open("/etc/test", O_RDONLY) = 3
lstat("/etc/test", {st_mode=S_IFREG|0644, st_size=14, ...}) = 0
write(3, "/etc/test\n", 10) = 10
stat("/etc/test20140905-7363-uecuaa-0.lock", 0x7fffec386f90) = -1 ENOENT (No such file or directory)
stat("/etc/test20140905-7363-uecuaa-0", 0x7fffec387950) = -1 ENOENT (No such file or directory)
open("/etc/test20140905-7363-uecuaa-0", O_RDWR|O_CREAT|O_EXCL, 0600) = 3
stat("/etc/test", {st_mode=S_IFREG|0644, st_size=14, ...}) = 0
lstat("/etc/test", {st_mode=S_IFREG|0644, st_size=14, ...}) = 0
open("/etc/test20140905-7363-uecuaa-0", O_RDONLY) = 4
rename("/etc/test20140905-7363-uecuaa-0", "/etc/test") = 0
lstat("/etc/test", {st_mode=S_IFREG|0644, st_size=9, ...}) = 0
lgetxattr("/etc/test", "security.selinux", "unconfined_u:object_r:etc_t:s0", 255) = 31
lgetxattr("/etc/test", "security.selinux", "unconfined_u:object_r:etc_t:s0", 255) = 31
lsetxattr("/etc/test", "security.selinux", "system_u:object_r:etc_t:s0", 27, 0) = 0
lstat("/etc/test", {st_mode=S_IFREG|0644, st_size=9, ...}) = 0
lgetxattr("/etc/test", "security.selinux", "system_u:object_r:etc_t:s0", 255) = 27
lstat("/etc/test", {st_mode=S_IFREG|0644, st_size=9, ...}) = 0
lgetxattr("/etc/test", "security.selinux", "system_u:object_r:etc_t:s0", 255) = 27
lstat("/etc/test", {st_mode=S_IFREG|0644, st_size=9, ...}) = 0
lgetxattr("/etc/test", "security.selinux", "system_u:object_r:etc_t:s0", 255) = 27
lgetxattr("/etc/test", "security.selinux", "system_u:object_r:etc_t:s0", 255) = 27
lsetxattr("/etc/test", "security.selinux", "system_u:object_r:etc_t:s0", 27, 0) = 0
lgetxattr("/etc/test", "security.selinux", "system_u:object_r:etc_t:s0", 255) = 27
lsetxattr("/etc/test", "security.selinux", "system_u:object_r:etc_t:s0", 27, 0) = 0
stat("/etc/test20140905-7363-uecuaa-0", 0x7fffec37f870) = -1 ENOENT (No such file or directory)
selinux_ignore_defaults => true (Wrong)
- create a file with a custom non-default label (gdc_etc_t)
$ touch /etc/test;ls -lhZ /etc/test
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 /etc/test
$ chcon -t gdc_etc_t /etc/test;ls -lhZ /etc/test
-rw-r--r--. root root unconfined_u:object_r:gdc_etc_t:s0 /etc/test
- edit the file with Puppet
$ cat test.pp
file {
  '/etc/test':
    selinux_ignore_defaults => true,
    content                 => 'test123',
    ensure                  => file;
}
Info: Applying configuration version '1409921816'
Info: FileBucket got a duplicate file {md5}d41d8cd98f00b204e9800998ecf8427e
Info: /Stage[main]/Main/File[/etc/test]: Filebucketed /etc/test to puppet with sum d41d8cd98f00b204e9800998ecf8427e
Notice: /Stage[main]/Main/File[/etc/test]/content: content changed '{md5}d41d8cd98f00b204e9800998ecf8427e' to '{md5}cc03e747a6afbbcbf8be7668acfebee5'
Notice: Finished catalog run in 0.26 seconds
$ ls -lhZ /etc/test
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 /etc/test
The file label above should still be gdc_etc_t.
According to strace it does not touch any file xattrs, but it creates a new file (/etc/test20140905-7363-uecuaa-0) with default labels and simply renames it over /etc/test, so it really does ignore SELinux labels but doesn't do what it's expected to do. Otherwise maybe I don't understand the purpose of the selinux_ignore_defaults parameter.
strace:
lstat("/etc/test", {st_mode=S_IFREG|0644, st_size=9, ...}) = 0
open("/etc/test", O_RDONLY) = 3
stat("/etc/test", {st_mode=S_IFREG|0644, st_size=9, ...}) = 0
lstat("/etc/test", {st_mode=S_IFREG|0644, st_size=9, ...}) = 0
stat("/etc/test", {st_mode=S_IFREG|0644, st_size=9, ...}) = 0
open("/etc/test", O_RDONLY) = 3
lstat("/etc/test", {st_mode=S_IFREG|0644, st_size=9, ...}) = 0
write(3, "/etc/test\n", 10) = 10
stat("/etc/test20140905-6451-1f8rsfk-0.lock", 0x7fffb1bf0090) = -1 ENOENT (No such file or directory)
stat("/etc/test20140905-6451-1f8rsfk-0", 0x7fffb1bf0a50) = -1 ENOENT (No such file or directory)
open("/etc/test20140905-6451-1f8rsfk-0", O_RDWR|O_CREAT|O_EXCL, 0600) = 3
stat("/etc/test", {st_mode=S_IFREG|0644, st_size=9, ...}) = 0
lstat("/etc/test", {st_mode=S_IFREG|0644, st_size=9, ...}) = 0
open("/etc/test20140905-6451-1f8rsfk-0", O_RDONLY) = 4
rename("/etc/test20140905-6451-1f8rsfk-0", "/etc/test") = 0
stat("/etc/test20140905-6451-1f8rsfk-0", 0x7fffb1c03480) = -1 ENOENT (No such file or directory)
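The temp-file-and-rename sequence in the two strace excerpts is what costs the label: rename() swaps in a fresh inode, and that inode carries whatever context the currently loaded policy assigns at create time, not the context chcon put on the old inode. The script below is an added example written for this page; it is not Puppet's code and not the reporter's. It reproduces the open(O_CREAT|O_EXCL) + rename() pattern with os.rename and contrasts it with a variant that copies the old inode's security.selinux xattr onto the temp file before the rename, which is the behaviour the reporter expected from selinux_ignore_defaults => true. The function names (read_label, write_label, replace_like_puppet, replace_keeping_label, demo) and the scratch-directory sample file standing in for /etc/test are assumptions of this example; on a host without SELinux or without xattr support read_label returns None and the label steps are skipped.

```python
import os
import tempfile

# Attribute Puppet reads/writes via lgetxattr/lsetxattr in the strace output above.
SELINUX_XATTR = "security.selinux"

# os.getxattr/os.setxattr exist only on Linux; elsewhere we simply report "no label".
_getxattr = getattr(os, "getxattr", None)
_setxattr = getattr(os, "setxattr", None)


def read_label(path):
    """Return the SELinux context of `path` (e.g. 'unconfined_u:object_r:gdc_etc_t:s0'),
    or None when the host, filesystem or file has no label to read."""
    if _getxattr is None:
        return None
    try:
        raw = _getxattr(path, SELINUX_XATTR, follow_symlinks=False)
    except OSError:
        # ENODATA (no label), ENOTSUP (no xattr support), ENOENT: nothing to preserve.
        return None
    return raw.rstrip(b"\0").decode()


def write_label(path, label):
    """Set the SELinux context on `path`; True on success, False when denied or unsupported
    (relabelling needs relabelfrom/relabelto permission, so an unprivileged caller
    typically gets EPERM/EACCES and we report False instead of failing)."""
    if _setxattr is None:
        return False
    try:
        _setxattr(path, SELINUX_XATTR, label.encode() + b"\0", follow_symlinks=False)
        return True
    except OSError:
        return False


def _write_temp_beside(path, content):
    """Create a sibling temp file (the open(O_RDWR|O_CREAT|O_EXCL) in the strace) holding `content`."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=os.path.basename(path), dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    return tmp


def replace_like_puppet(path, content):
    """Write a sibling temp file and rename() it over `path`, as in the strace above.
    The rename swaps in a *new inode*; its context is whatever the loaded policy assigns
    at creation time, so a context set with chcon on the old inode is lost.
    Returns the label the file carries afterwards."""
    tmp = _write_temp_beside(path, content)
    try:
        os.rename(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return read_label(path)


def replace_keeping_label(path, content):
    """Same atomic replace, but copy the old inode's context onto the temp file first,
    so the label survives the rename. This is what the reporter expected from
    selinux_ignore_defaults => true; it is not Puppet's actual behaviour."""
    before = read_label(path)
    tmp = _write_temp_beside(path, content)
    copied = False
    try:
        if before is not None:
            copied = write_label(tmp, before)
        os.rename(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return {"before": before, "after": read_label(path), "copied": copied}


def demo():
    """Run both variants on a constructed sample file in a scratch directory (assumed stand-in for /etc/test)."""
    with tempfile.TemporaryDirectory() as scratch:
        path = os.path.join(scratch, "test")
        open(path, "w").close()                   # like `touch /etc/test`
        naive_label = replace_like_puppet(path, "test123")
        with open(path) as fh:
            naive_content = fh.read()
        kept = replace_keeping_label(path, "test456")
        with open(path) as fh:
            kept_content = fh.read()
    return {"naive_content": naive_content, "naive_label": naive_label,
            "kept_content": kept_content, "kept": kept}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On an SELinux host, compare `ls -Z` on the file before and after each call; `matchpathcon <path>` prints the default the loaded policy would assign, which is the context the naive replace ends up with. Copying the label onto the temp file needs relabel permission, so write_label returns False rather than raising when it is denied, and the atomic rename still goes ahead.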
Issue Links
- relates to: PUP-2169 Not possible to manage SELinux file contexts via puppet in a sane way (Resolved)