PUP-3187

Puppet file parameter selinux_ignore_defaults doesn't work as expected

    Details

    • Type: Bug
    • Status: Accepted
    • Priority: Normal
    • Resolution: Unresolved
    • Affects Version/s: PUP 3.4.3, PUP 3.7.0, PUP 5.5.0
    • Fix Version/s: None
    • Component/s: None
    • Team: Night's Watch

      Description

      Purpose

      https://docs.puppetlabs.com/references/latest/type.html#file-attribute-selinux_ignore_defaults

      selinux_ignore_defaults

      If this is set then Puppet will not ask SELinux (via matchpathcon) to supply defaults for the SELinux attributes (seluser, selrole, seltype, and selrange). In general, you should leave this set at its default and only set it to true when you need Puppet to not try to fix SELinux labels automatically.

      Valid values are true, false.

      If this parameter is true, the SELinux label should not be changed when the file is updated by Puppet. However, the behavior is the same as when it's false, only without the output about the changed label.

      Our problem is the following:

      • A Puppet run is executed (our SELinux policies are not installed yet)
      • Puppet loads the currently present policies at the beginning
      • the package gdc-selinux with our policies is installed, but the loaded policies are not updated during the Puppet run
      • the product package is installed and delivers a configuration file, e.g. /etc/test, which is correctly labeled as gdc_etc_t
      • Puppet updates the configuration file and automatically "fixes" the label to etc_t, as given by the policy that was loaded when Puppet started; however, that label doesn't match the currently installed policy. The selinux_ignore_defaults parameter should skip this "auto-fixing" and keep the label intact.

      Tested with Puppet versions: 3.4.3, 3.7.0 (latest)

      Reproducer

      selinux_ignore_defaults => false (OK)

      • create a file with a custom, non-default label (gdc_etc_t)

        $ touch /etc/test;ls -lhZ /etc/test
        -rw-r--r--. root root unconfined_u:object_r:etc_t:s0   /etc/test
         
        $ chcon -t gdc_etc_t /etc/test;ls -lhZ /etc/test
        -rw-r--r--. root root unconfined_u:object_r:gdc_etc_t:s0 /etc/test
        

      • edit the file with Puppet

        $ cat test.pp 
        file {
                '/etc/test':
                        selinux_ignore_defaults => false,
                        content => 'test123',
                        ensure => file;
        }
        

        $ puppet apply -v test.pp
        Notice: Compiled catalog for dev1-c3.int.na.intgdc.com in environment production in 0.11 seconds
        Info: Applying configuration version '1409921532'
        Info: FileBucket got a duplicate file {md5}d41d8cd98f00b204e9800998ecf8427e
        Info: /Stage[main]/Main/File[/etc/test]: Filebucketed /etc/test to puppet with sum d41d8cd98f00b204e9800998ecf8427e
        Notice: /Stage[main]/Main/File[/etc/test]/content: content changed '{md5}d41d8cd98f00b204e9800998ecf8427e' to '{md5}cc03e747a6afbbcbf8be7668acfebee5'
        Notice: /File[/etc/test]/seluser: seluser changed 'unconfined_u' to 'system_u'
        Notice: /File[/etc/test]/seltype: seltype changed 'gdc_etc_t' to 'etc_t'
        Notice: Finished catalog run in 0.26 seconds
        

        $ ls -lhZ /etc/test
        -rw-r--r--. root root system_u:object_r:etc_t:s0       /etc/test
        

      lstat("/etc/test", {st_mode=S_IFREG|0644, st_size=14, ...}) = 0
      lstat("/etc/test", {st_mode=S_IFREG|0644, st_size=14, ...}) = 0
      lstat("/etc/test", {st_mode=S_IFREG|0644, st_size=14, ...}) = 0
      lstat("/etc/test", {st_mode=S_IFREG|0644, st_size=14, ...}) = 0
      lstat("/etc/test", {st_mode=S_IFREG|0644, st_size=14, ...}) = 0
      open("/etc/test", O_RDONLY)             = 3
      lgetxattr("/etc/test", "security.selinux", "unconfined_u:object_r:gdc_etc_t:s0", 255) = 35
      lgetxattr("/etc/test", "security.selinux", "unconfined_u:object_r:gdc_etc_t:s0", 255) = 35
      lgetxattr("/etc/test", "security.selinux", "unconfined_u:object_r:gdc_etc_t:s0", 255) = 35
      lgetxattr("/etc/test", "security.selinux", "unconfined_u:object_r:gdc_etc_t:s0", 255) = 35
      stat("/etc/test", {st_mode=S_IFREG|0644, st_size=14, ...}) = 0
      lstat("/etc/test", {st_mode=S_IFREG|0644, st_size=14, ...}) = 0
      stat("/etc/test", {st_mode=S_IFREG|0644, st_size=14, ...}) = 0
      open("/etc/test", O_RDONLY)             = 3
      lstat("/etc/test", {st_mode=S_IFREG|0644, st_size=14, ...}) = 0
      write(3, "/etc/test\n", 10)             = 10
      stat("/etc/test20140905-7363-uecuaa-0.lock", 0x7fffec386f90) = -1 ENOENT (No such file or directory)
      stat("/etc/test20140905-7363-uecuaa-0", 0x7fffec387950) = -1 ENOENT (No such file or directory)
      open("/etc/test20140905-7363-uecuaa-0", O_RDWR|O_CREAT|O_EXCL, 0600) = 3
      stat("/etc/test", {st_mode=S_IFREG|0644, st_size=14, ...}) = 0
      lstat("/etc/test", {st_mode=S_IFREG|0644, st_size=14, ...}) = 0
      open("/etc/test20140905-7363-uecuaa-0", O_RDONLY) = 4
      rename("/etc/test20140905-7363-uecuaa-0", "/etc/test") = 0
      lstat("/etc/test", {st_mode=S_IFREG|0644, st_size=9, ...}) = 0
      lgetxattr("/etc/test", "security.selinux", "unconfined_u:object_r:etc_t:s0", 255) = 31
      lgetxattr("/etc/test", "security.selinux", "unconfined_u:object_r:etc_t:s0", 255) = 31
      lsetxattr("/etc/test", "security.selinux", "system_u:object_r:etc_t:s0", 27, 0) = 0
      lstat("/etc/test", {st_mode=S_IFREG|0644, st_size=9, ...}) = 0
      lgetxattr("/etc/test", "security.selinux", "system_u:object_r:etc_t:s0", 255) = 27
      lstat("/etc/test", {st_mode=S_IFREG|0644, st_size=9, ...}) = 0
      lgetxattr("/etc/test", "security.selinux", "system_u:object_r:etc_t:s0", 255) = 27
      lstat("/etc/test", {st_mode=S_IFREG|0644, st_size=9, ...}) = 0
      lgetxattr("/etc/test", "security.selinux", "system_u:object_r:etc_t:s0", 255) = 27
      lgetxattr("/etc/test", "security.selinux", "system_u:object_r:etc_t:s0", 255) = 27
      lsetxattr("/etc/test", "security.selinux", "system_u:object_r:etc_t:s0", 27, 0) = 0
      lgetxattr("/etc/test", "security.selinux", "system_u:object_r:etc_t:s0", 255) = 27
      lsetxattr("/etc/test", "security.selinux", "system_u:object_r:etc_t:s0", 27, 0) = 0
      stat("/etc/test20140905-7363-uecuaa-0", 0x7fffec37f870) = -1 ENOENT (No such file or directory)
      

      selinux_ignore_defaults => true (Wrong)

      • create a file with a custom, non-default label (gdc_etc_t)

        $ touch /etc/test;ls -lhZ /etc/test
        -rw-r--r--. root root unconfined_u:object_r:etc_t:s0   /etc/test
         
        $ chcon -t gdc_etc_t /etc/test;ls -lhZ /etc/test
        -rw-r--r--. root root unconfined_u:object_r:gdc_etc_t:s0 /etc/test
        

      • edit the file with Puppet

        $ cat test.pp 
        file {
                '/etc/test':
                        selinux_ignore_defaults => true,
                        content => 'test123',
                        ensure => file;
        }
        

        Info: Applying configuration version '1409921816'
        Info: FileBucket got a duplicate file {md5}d41d8cd98f00b204e9800998ecf8427e
        Info: /Stage[main]/Main/File[/etc/test]: Filebucketed /etc/test to puppet with sum d41d8cd98f00b204e9800998ecf8427e
        Notice: /Stage[main]/Main/File[/etc/test]/content: content changed '{md5}d41d8cd98f00b204e9800998ecf8427e' to '{md5}cc03e747a6afbbcbf8be7668acfebee5'
        Notice: Finished catalog run in 0.26 seconds
        

        $ ls -lhZ /etc/test
        -rw-r--r--. root root unconfined_u:object_r:etc_t:s0   /etc/test
        

        The file label above should still be gdc_etc_t.

      According to strace it does not touch any file xattrs, but it creates a new file (/etc/test20140905-7363-uecuaa-0) with default labels and simply renames it over /etc/test, so it really does ignore SELinux labels but doesn't do what it's expected to do. Otherwise maybe I don't understand the purpose of the selinux_ignore_defaults parameter.

      lstat("/etc/test", {st_mode=S_IFREG|0644, st_size=9, ...}) = 0
      open("/etc/test", O_RDONLY)             = 3
      stat("/etc/test", {st_mode=S_IFREG|0644, st_size=9, ...}) = 0
      lstat("/etc/test", {st_mode=S_IFREG|0644, st_size=9, ...}) = 0
      stat("/etc/test", {st_mode=S_IFREG|0644, st_size=9, ...}) = 0
      open("/etc/test", O_RDONLY)             = 3
      lstat("/etc/test", {st_mode=S_IFREG|0644, st_size=9, ...}) = 0
      write(3, "/etc/test\n", 10)             = 10
      stat("/etc/test20140905-6451-1f8rsfk-0.lock", 0x7fffb1bf0090) = -1 ENOENT (No such file or directory)
      stat("/etc/test20140905-6451-1f8rsfk-0", 0x7fffb1bf0a50) = -1 ENOENT (No such file or directory)
      open("/etc/test20140905-6451-1f8rsfk-0", O_RDWR|O_CREAT|O_EXCL, 0600) = 3
      stat("/etc/test", {st_mode=S_IFREG|0644, st_size=9, ...}) = 0
      lstat("/etc/test", {st_mode=S_IFREG|0644, st_size=9, ...}) = 0
      open("/etc/test20140905-6451-1f8rsfk-0", O_RDONLY) = 4
      rename("/etc/test20140905-6451-1f8rsfk-0", "/etc/test") = 0
      stat("/etc/test20140905-6451-1f8rsfk-0", 0x7fffb1c03480) = -1 ENOENT (No such file or directory)
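      Added example (Python, not Puppet's own Ruby code) covering both the problem list in the description and the two strace captures: the temp-file-and-rename write path that both traces show, and how a custom label survives it when the old inode's "security.selinux" xattr is read before the rename and written back afterwards (the false case does an lsetxattr after the rename; the true case does none). The file name, directory, content and mode are constructed for the demo; os.getxattr/os.setxattr are the Linux-only xattr calls in Python's standard library, and on an SELinux host the calling process needs permission to relabel the file (the report ran as root). The documentation quoted at the top only says that Puppet will not consult matchpathcon for defaults; nothing on the page shows it carrying a label across the rename.

```python
"""Atomic file replacement that keeps the existing SELinux label.

Added example, not Puppet's code. The strace in the report shows the
write path Puppet uses: create /etc/test<random> with O_CREAT|O_EXCL,
write, rename() over /etc/test. The renamed inode is a new file, so it
carries whatever label the loaded policy assigns to new files in /etc
(etc_t), not the gdc_etc_t that chcon put on the old inode. Reading the
"security.selinux" xattr before the rename and writing it back after is
what keeps a custom label across such a rewrite.
"""
import os
import tempfile

SELINUX_XATTR = "security.selinux"


def read_label(path):
    """Label of `path` (bytes such as b'unconfined_u:object_r:gdc_etc_t:s0'),
    or None when there is none: missing file, non-SELinux kernel, or a
    platform/filesystem without xattr support."""
    if not hasattr(os, "getxattr"):  # the xattr API is Linux-only in Python
        return None
    try:
        return os.getxattr(path, SELINUX_XATTR, follow_symlinks=False)
    except OSError:
        return None


def atomic_replace(path, data, keep_label=True):
    """Write `data` to a temp file beside `path` and rename() it into place,
    the same pattern as in the strace. Mode bits and (if keep_label) the
    SELinux label of the old inode are carried over to the new one.
    Returns the label that was preserved, or None."""
    old_label = read_label(path) if keep_label else None
    try:
        old_mode = os.stat(path).st_mode & 0o7777
    except FileNotFoundError:
        old_mode = None

    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=os.path.basename(path), dir=directory)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            if old_mode is not None:
                os.fchmod(f.fileno(), old_mode)  # mkstemp creates the file 0600
            f.flush()
            os.fsync(f.fileno())
        os.rename(tmp, path)  # atomic on POSIX: readers see old or new, never partial
    except BaseException:
        try:
            os.unlink(tmp)
        except OSError:
            pass
        raise

    # The new inode got the policy default; put the old label back only if it
    # differs (the false case in the report does exactly this lsetxattr).
    if old_label is not None and read_label(path) != old_label:
        os.setxattr(path, SELINUX_XATTR, old_label, follow_symlinks=False)
    return old_label


def demo():
    """Constructed scenario mirroring the report: an existing 0644 file is
    replaced with the content 'test123'. Returns the observations."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "test")  # constructed stand-in for /etc/test
        with open(path, "wb"):
            pass
        os.chmod(path, 0o644)
        before = read_label(path)
        preserved = atomic_replace(path, b"test123")
        with open(path, "rb") as f:
            content = f.read()
        return {
            "before": before,
            "preserved": preserved,
            "after": read_label(path),
            "content": content,
            "mode": os.stat(path).st_mode & 0o777,
        }


if __name__ == "__main__":
    print(demo())
```

On a host without SELinux, read_label() returns None for both the old and the new inode and the function degrades to a plain atomic replace; on an SELinux host with a chcon'd file, "after" equals "before" only because of the final setxattr, which is the step missing from the true case in the trace above.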

              People

              • Assignee: Unassigned
              • Reporter: fpytloun (Filip Pytloun)
              • Votes: 2
              • Watchers: 6