Details
Bug
Status: Resolved
Major
Resolution: Fixed
PUP 4.8.2, PUP 5.5.22, PUP 6.19.1, PUP 7.4.1, PUP 6.21.1
None
Coremunity
Platform Core KANBAN
Bug Fix
Puppet now creates files with the correct default SELinux context for that type of file. Previously, Puppet could create the file with the wrong context, which would not be corrected until the next agent run.
Needs Assessment
Description
When creating a new file, Puppet finds out the default SELinux context with matchpathcon, but it does not specify the file type, which can lead to using the incorrect context (the SELinux default context depends on file type) and breaks idempotency.
Reproducer:
[root@vmname ~]# cat test.pp
file {
  '/etc/systemd/system/redis.service.d':
    ensure => directory
}

# puppet apply test.pp
Notice: Compiled catalog for vmname.example.com in environment production in 0.15 seconds
Notice: /Stage[main]/Main/File[/etc/systemd/system/redis.service.d]/ensure: created
Notice: Applied catalog in 0.54 seconds
# ll -Zd /etc/systemd/system/redis.service.d
drwxr-xr-x. root root system_u:object_r:redis_unit_file_t:s0 /etc/systemd/system/redis.service.d
# puppet apply test.pp
Notice: Compiled catalog for vmname.example.com in environment production in 0.15 seconds
Notice: /Stage[main]/Main/File[/etc/systemd/system/redis.service.d]/seltype: seltype changed 'redis_unit_file_t' to 'systemd_unit_file_t'
Notice: Applied catalog in 0.51 seconds
[root@vmname ~]# ll -Zd /etc/systemd/system/redis.service.d
drwxr-xr-x. root root system_u:object_r:systemd_unit_file_t:s0 /etc/systemd/system/redis.service.d
Note that the first run used the wrong SELinux type for the just-created directory.
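
The following is an added example, not code from this ticket or from Puppet: a simplified Ruby model of a file-type-aware default-context lookup, showing why omitting the file type yields redis_unit_file_t for the directory in the reproducer. The two policy entries, the "later entries take precedence" rule, and the names parse_specs, default_context and seltype are assumptions made for illustration.

```ruby
# Constructed file_contexts-style entries (assumed for illustration, not copied
# from a real policy). Format: PATH_REGEX [FILE_TYPE_FLAG] CONTEXT
SPECS = <<~EOS
  /etc/systemd/system(/.*)?         system_u:object_r:systemd_unit_file_t:s0
  /etc/systemd/system/redis.*   --  system_u:object_r:redis_unit_file_t:s0
EOS

# File-type qualifiers used in file_contexts entries.
FILE_TYPE_FLAGS = {
  '--' => :file, '-d' => :directory, '-l' => :link, '-c' => :chardev,
  '-b' => :blockdev, '-p' => :fifo, '-s' => :socket
}.freeze

Spec = Struct.new(:regex, :ftype, :context)

# Parse entries into Spec records; an entry without a flag applies to any type.
def parse_specs(text)
  lines = text.each_line.map(&:strip).reject { |l| l.empty? || l.start_with?('#') }
  lines.map do |line|
    fields = line.split
    pattern, flag, context = fields.size == 3 ? fields : [fields[0], nil, fields[1]]
    ftype = flag && FILE_TYPE_FLAGS.fetch(flag)
    Spec.new(Regexp.new("\\A(?:#{pattern})\\z"), ftype, context)
  end
end

# Simplified lookup: later entries take precedence. ftype = nil models a lookup
# that passes no file type, so type qualifiers on entries are not enforced.
def default_context(specs, path, ftype = nil)
  hit = specs.reverse_each.find do |s|
    s.regex.match?(path) && (ftype.nil? || s.ftype.nil? || s.ftype == ftype)
  end
  hit && hit.context
end

# Extract the SELinux type (third field) from a context string.
def seltype(context)
  context && context.split(':')[2]
end

ENTRIES = parse_specs(SPECS)
TARGET = '/etc/systemd/system/redis.service.d' # path from the reproducer
puts "no file type: #{seltype(default_context(ENTRIES, TARGET))}"
puts "as directory: #{seltype(default_context(ENTRIES, TARGET, :directory))}"
```

An idempotency check for this class of bug compares the label a resource receives on creation with the label a type-aware lookup returns for the same path.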