Puppet / PUP-8477

selinux types are being set on every run


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: PUP 5.4.0
    • Fix Version/s: PUP 5.5.0
    • Component/s: None
    • Labels:
    • Template:
      PUP Bug Template
    • Sub-team:
    • Team:
      Platform Core
    • Sprint:
      Platform Core KANBAN
    • Method Found:
      Needs Assessment
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      If selinux bindings are not available in puppet, we would try to manage a setting but not be able to read in what it was currently set as. This change makes it so that if we do not have selinux bindings, we don't try to check the current setting as we do not have access to it.
    • QA Risk Assessment:
      No Action

      Description

      Puppet Version: 5.4.0
      Puppet Server Version:
      OS Name/Version: RHEL 7.4

      The handling of selinux file parameters seems to have changed between 5.3.5 and 5.4.0.  Specifically, we are managing some .k5login files as type 'krb5_home_t':

        file { "${basedir}/${name}/.k5login": seltype => 'krb5_home_t' }
      

      As of when we upgraded to v5.4.0, puppet has been trying to reset the parameters every run, e.g.:

      Feb 20 15:16:50 XXXX04 puppet-agent[99767]: (/Stage[main]/P_puppet_server::Automation::User/K5login[/var/lib/foo/.k5login]/seluser) seluser changed  to 'user_u'
      Feb 20 15:16:50 XXXX04 puppet-agent[99767]: (/Stage[main]/P_puppet_server::Automation::User/K5login[/var/lib/foo/.k5login]/selrole) selrole changed  to 'object_r'
      Feb 20 15:16:50 XXXX04 puppet-agent[99767]: (/Stage[main]/P_puppet_server::Automation::User/K5login[/var/lib/foo/.k5login]/seltype) seltype changed  to 'krb5_home_t'
      Feb 20 15:16:50 XXXX04 puppet-agent[99767]: (/Stage[main]/P_puppet_server::Automation::User/K5login[/var/lib/foo/.k5login]/selrange) selrange changed  to 's0'
      

      Downgrading to 5.3.5 reverts the behavior - e.g. the values are no longer updated every run.

      Note that selinux is off on these hosts anyway.

      Desired Behavior:  don't change every run

      Actual Behavior:  tries to change every run
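
One way to spot this symptom in agent logs, added here as an example (it is not from the ticket or from Puppet's code base): flag SELinux properties that are "changed" from an empty current value to the same target more than once. The helper `repeated_blind_changes`, the regex and the sample log are constructed for illustration, and the message shape is assumed from the log lines in the report.

```ruby
# Constructed sample: two agent runs modelled on the log lines in the report.
# Host name, class path, PIDs and timestamps are made up.
SAMPLE_LOG = <<~LOG
  Feb 20 15:16:50 host01 puppet-agent[99767]: (/Stage[main]/Example/File[/var/lib/foo/.k5login]/seluser) seluser changed  to 'user_u'
  Feb 20 15:16:50 host01 puppet-agent[99767]: (/Stage[main]/Example/File[/var/lib/foo/.k5login]/seltype) seltype changed  to 'krb5_home_t'
  Feb 20 15:16:51 host01 puppet-agent[99767]: (/Stage[main]/Example/File[/etc/motd]/seltype) seltype changed 'tmp_t' to 'etc_t'
  Feb 20 15:46:52 host01 puppet-agent[100214]: (/Stage[main]/Example/File[/var/lib/foo/.k5login]/seluser) seluser changed  to 'user_u'
  Feb 20 15:46:52 host01 puppet-agent[100214]: (/Stage[main]/Example/File[/var/lib/foo/.k5login]/seltype) seltype changed  to 'krb5_home_t'
  Feb 20 15:46:53 host01 puppet-agent[100214]: Applied catalog in 1.02 seconds
LOG

# Assumed message shape, inferred from the report's log lines:
#   (<resource path>/<prop>) <prop> changed <old> to '<new>'
# When the current value could not be read, <old> is empty (the double space).
CHANGE_RE = %r{\((?<res>.+)/(?<prop>sel(?:user|role|type|range))\) \k<prop> changed (?<old>.*?) to '(?<new>[^']*)'}

# Returns { resource => [props] } for SELinux properties that were "changed"
# from an empty value to the same target at least min_runs times. A property
# is reported once per resource per run, so repeats mean repeated runs.
def repeated_blind_changes(log, min_runs: 2)
  counts = Hash.new(0)
  log.each_line do |line|
    m = CHANGE_RE.match(line)
    next unless m && m[:old].strip.empty?
    counts[[m[:res], m[:prop], m[:new]]] += 1
  end
  result = Hash.new { |h, k| h[k] = [] }
  counts.each { |(res, prop, _new), n| result[res] << prop if n >= min_runs }
  result.transform_values(&:sort)
end

if __FILE__ == $PROGRAM_NAME
  repeated_blind_changes(SAMPLE_LOG).each do |res, props|
    puts "#{res}: #{props.join(', ')} re-applied with no readable current value"
  end
end
```

The `/etc/motd` line in the sample is a genuine one-off relabel with a readable old value, so it is not flagged.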

              People

              Assignee:
              kris.bosland Kris Bosland
              Reporter:
              tskirvin Tim Skirvin