[PUP-9330] Unable to enforce SELinux attributes for files in /dev/shm Created: 2018/11/26  Updated: 2019/04/04  Resolved: 2018/12/17

Status: Closed
Project: Puppet
Component/s: Types and Providers
Affects Version/s: None
Fix Version/s: PUP 5.5.10, PUP 6.0.5, PUP 6.1.0

Type: Bug Priority: Normal
Reporter: Jared Ledvina Assignee: Melissa Stone
Resolution: Fixed Votes: 0
Labels: SELinux, resolved-issue-added
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Template: PUP Bug Template
Team: Coremunity
Sprint: Platform Core KANBAN
Method Found: Needs Assessment
Release Notes: Enhancement
Release Notes Summary: A file on `tmpfs` will now report that it does support SELinux labels.
QA Risk Assessment: Needs Assessment




Currently on Puppet 5.5.1, I've created the following resource:

    file { '/dev/shm/ns-slapd-database-cache/':
      ensure  => 'directory',
      owner   => 'dirsrv',
      group   => 'dirsrv',
      mode    => '0770',
      seltype => 'dirsrv_var_lib_t',
    }

However, Puppet never configures the seltype for this directory. In the Puppet Agent debug logs we see:

    Debug: /Stage[main]/Pt_freeipa::Server::Config::Limits/File[/dev/shm/ns-slapd-database-cache/]/seltype: SELinux not available for this filesystem. Ignoring parameter.

I've tracked this down to the following:

I'm going to open a pull request to propose adding tmpfs to https://github.com/puppetlabs/puppet/blob/5.5.1/lib/puppet/util/selinux.rb#L193 and, as per the contributor guidelines, I'm also opening this issue to track this change.

Comment by Jared Ledvina [ 2018/11/26 ]

Pull request opened: https://github.com/puppetlabs/puppet/pull/7249

Comment by Jared Ledvina [ 2018/12/12 ]

New PR opened for 5.5.X, https://github.com/puppetlabs/puppet/pull/7279

Comment by Jacob Helwig [ 2018/12/13 ]

Merged to 5.5.x in cb2b636b4a.

Comment by Melissa Stone [ 2018/12/13 ]

SELinux utilities within the puppet codebase now recognize that `tmpfs` supports extended attributes and can support SELinux labels. `selinux_label_support?` will return true for a file mounted on `tmpfs`.
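
A simplified sketch of the kind of check this issue is about, added here as an example and not taken from Puppet's source: resolve a path to its mount's filesystem type, then test that type against an allow-list of label-capable filesystems. The method names, both filesystem lists and the mount table are constructed for illustration.

```ruby
# Added example, not Puppet's code. Lists and mount table below are constructed.
LABEL_FS_BEFORE = %w[ext4 xfs].freeze                  # illustrative allow-list without tmpfs
LABEL_FS_AFTER  = (LABEL_FS_BEFORE + %w[tmpfs]).freeze # same list with tmpfs added

# Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass
SAMPLE_MOUNTS = <<~'MOUNTS'
  /dev/mapper/vg-root / xfs rw,seclabel,relatime 0 0
  devtmpfs /dev devtmpfs rw,seclabel,nosuid 0 0
  tmpfs /dev/shm tmpfs rw,seclabel,nosuid,nodev 0 0
  proc /proc proc rw,nosuid,nodev,noexec 0 0
  server:/export /mnt/nfs\040share nfs4 rw,relatime 0 0
MOUNTS

# Build a { mountpoint => fstype } table from /proc/mounts-style text.
def parse_mounts(text)
  text.each_line.with_object({}) do |line, table|
    _dev, mountpoint, fstype = line.split
    next if fstype.nil? # skip blank or malformed lines
    # /proc/mounts escapes whitespace in paths as octal (\040 is a space)
    table[mountpoint.gsub(/\\([0-7]{3})/) { $1.oct.chr }] = fstype
  end
end

# Walk up the path one component at a time so that the mount /dev/shm
# is never matched by a sibling such as /dev/shmem.
def find_fstype(path, mounts)
  parts = path.split('/').reject(&:empty?)
  parts.length.downto(0) do |n|
    candidate = '/' + parts.first(n).join('/')
    return mounts[candidate] if mounts.key?(candidate)
  end
  nil
end

# True only when the path's filesystem type is on the allow-list;
# an unknown mount (nil) is treated as unsupported.
def label_support?(path, mounts, supported)
  supported.include?(find_fstype(path, mounts))
end

MOUNT_TABLE = parse_mounts(SAMPLE_MOUNTS)
target = '/dev/shm/ns-slapd-database-cache/'
puts "fstype: #{find_fstype(target, MOUNT_TABLE)}"
puts "without tmpfs on the list: #{label_support?(target, MOUNT_TABLE, LABEL_FS_BEFORE)}"
puts "with tmpfs on the list:    #{label_support?(target, MOUNT_TABLE, LABEL_FS_AFTER)}"
```

With the first list the requested `seltype` is skipped with only a debug-level message, so a run that appears clean can leave the directory with whatever label it already had.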
