[PUP-7073] Comparisons between SELinux file categories should always translate to the numeric version - Puppet Jira Server

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: PUP 4.8.1
Fix Version/s: PUP 5.0.0
Component/s: Types and Providers
Labels:
- resolved-issue-added
- selinux
Environment:

Linux systems with SELinux enabled

Acceptance Criteria:

Hide

Puppet should consider numeric and human-readable selinux ranges to be in sync with each other.

Show
Puppet should consider numeric and human-readable selinux ranges to be in sync with each other.
Epic Link:
Phase 1 SELinux fixes and improvements
Team:
Agent
Story Points:
5
Sprint:
AP 2017-01-25, AP 2017-02-08, Agent 2017-05-31

Release Notes:
Bug Fix
Release Notes Summary:

Hide
Puppet now attempts to translate selinux contexts itself, instead of relying on mcstransd. This is to work around instabilities in that service.

This means that puppet now requires an `setrans.conf` file to exist for the active selinux policy when it is managing selinux attributes.

Show
Puppet now attempts to translate selinux contexts itself, instead of relying on mcstransd. This is to work around instabilities in that service. This means that puppet now requires an `setrans.conf` file to exist for the active selinux policy when it is managing selinux attributes.

QA Risk Assessment:
Automate
QA Risk Assessment Reason:
We should have a test for this

Description

SELinux file contexts have a category that is assigned to every file on the system.

If the system is using mcstransd (which most higher security systems will be for user convenience) changes to the system at runtime can cause issues with category translation until mcstransd is restarted.

These conditions cannot be clearly enumerated and may happen at any time. When this occurs, Puppet will try to reset the context on every managed file as well as triggering service restarts based on those files.

This can cause your systems to restart every service each time Puppet runs.

Puppet should, instead, use the output of chcat -L to obtain the list of mappings from the system and translate any categories on files back to their numeric form in all cases.

To do this, simply discard any right hand side values that contain a hyphen (-) and then use the left hand corresponding value for all context comparisons.

Setting a context via either method is equivalent so that code should not need to change.

Attachments

Issue Links

links to

Redmine Bug #21827

Activity

People

Assignee:: Eric Delaney

Reporter:: Trevor Vaughan

QA Contact:: Eric Delaney

Votes:: 3 Vote for this issue

Watchers:: 9 Start watching this issue

Dates

Created:: 2017/01/06 11:20 AM

Updated:: 2017/06/28 12:21 PM

Resolved:: 2017/05/30 11:13 AM