Details
- Bug
- Status: Closed
- Normal
- Resolution: Fixed
- None
- Coremunity
- Platform Core KANBAN
- Needs Assessment
- Enhancement
- A file on `tmpfs` will now report that it does support SELinux labels.
- Needs Assessment
Description
Hi!
Currently on Puppet 5.5.1, I've created the following resource:
```puppet
file { '/dev/shm/ns-slapd-database-cache/':
  ensure  => 'directory',
  owner   => 'dirsrv',
  group   => 'dirsrv',
  mode    => '0770',
  seltype => 'dirsrv_var_lib_t',
}
```
However, Puppet never configures the seltype for this directory; in the Puppet Agent debug logs we see:
```
Debug: /Stage[main]/Pt_freeipa::Server::Config::Limits/File[/dev/shm/ns-slapd-database-cache/]/seltype: SELinux not available for this filesystem. Ignoring parameter.
```
I've tracked this down to the following:
- https://github.com/puppetlabs/puppet/blob/5.5.1/lib/puppet/type/file/selcontext.rb#L26-L82 - this is all of the logic used to determine if SELinux things should be enforced, comparing the state, and setting things.
- Within that we have https://github.com/puppetlabs/puppet/blob/5.5.1/lib/puppet/type/file/selcontext.rb#L58-L60, which checks to see if the filesystem type supports SELinux.
- That is here: https://github.com/puppetlabs/puppet/blob/5.5.1/lib/puppet/util/selinux.rb#L186-L195 - notice that tmpfs is not in that list.
- https://github.com/puppetlabs/puppet/blob/5.5.1/lib/puppet/util/selinux.rb#L234-L253 is how it determines the filesystem type for a given directory: basically, take the directory, grab all of the mounts from /proc/mounts, walk up the directory hierarchy until we find a matching mount, and grab that type.

I'm going to open a pull request to propose adding tmpfs to https://github.com/puppetlabs/puppet/blob/5.5.1/lib/puppet/util/selinux.rb#L193 and, as per the contributor guidelines, I am also opening this issue to track this change.
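
The lookup described in the list above, as an added Ruby example that is not Puppet's code: it resolves a path to its filesystem type by walking up a mount table, then checks that type against an allowlist with and without `tmpfs`. The mount table, the allowlist contents and the function names are constructed for illustration.

```ruby
# Added illustration, not Puppet's code: names, allowlist and mount table are constructed.
# Constructed /proc/mounts excerpt: device, mount point, fstype, options, dump, pass.
SAMPLE_MOUNTS = <<~MOUNTS
  /dev/mapper/vg-root / xfs rw,seclabel,relatime 0 0
  devtmpfs /dev devtmpfs rw,seclabel,nosuid 0 0
  tmpfs /dev/shm tmpfs rw,seclabel,nosuid,nodev 0 0
  /dev/sda1 /boot ext4 rw,seclabel,relatime 0 0
  nfs.example:/export /mnt/share nfs4 rw,relatime 0 0
MOUNTS

# Illustrative allowlists (assumption): the second one adds tmpfs, as the ticket proposes.
LABEL_FS_BEFORE = %w[ext2 ext3 ext4 xfs btrfs].freeze
LABEL_FS_AFTER  = (LABEL_FS_BEFORE + %w[tmpfs]).freeze

# Parse mounts text into { mount_point => fstype }; malformed lines are skipped.
def parse_mounts(text)
  text.each_line.with_object({}) do |line, table|
    fields = line.split
    next if fields.length < 3
    table[fields[1]] = fields[2] # a later mount on the same point wins
  end
end

# Walk from the path up towards "/" and return the fstype of the nearest mount point.
def fstype_for(path, mounts)
  current = File.expand_path(path) # lexical normalisation, drops the trailing slash
  loop do
    return mounts[current] if mounts.key?(current)
    parent = File.dirname(current)
    return nil if parent == current # reached "/" without finding a mount
    current = parent
  end
end

# True only when the filesystem type is known and on the allowlist.
def label_support?(path, mounts, supported)
  fstype = fstype_for(path, mounts)
  !fstype.nil? && supported.include?(fstype)
end

if __FILE__ == $PROGRAM_NAME
  mounts = parse_mounts(SAMPLE_MOUNTS)
  path = '/dev/shm/ns-slapd-database-cache/'
  puts "#{path} fstype=#{fstype_for(path, mounts)} " \
       "before=#{label_support?(path, mounts, LABEL_FS_BEFORE)} " \
       "after=#{label_support?(path, mounts, LABEL_FS_AFTER)}"
end
```

With the first allowlist the `seltype` request for the `/dev/shm` path is dropped and the directory keeps whatever label it already has, which is the behaviour the debug line reports.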