Issue #1552 has been reported by lutter.
----------------------------------------
Feature #1552: Attach proper SELinux labels to newly created files
http://reductivelabs.com/redmine/issues/show/1552
Author: lutter
Status: Unreviewed
Priority: Normal
Assigned to:
Category:
Target version:
Complexity: Unknown
Affected version: 0.24.4
Keywords:
Daniel Walsh pointed out that Puppet does not label files it creates. At least
for Fedora Rawhide, he provides a selinux-ruby package that gives access to
SELinux from Ruby; that should be used to attach proper SELinux labels to files.
From his email:
> The Fedora infrastructure team is currently using puppet to distribute
> configuration files, when they get delivered to the machine they end up
> with the wrong label on them. "default_t" rather than "etc_t" for example.
>
> This causes confined applications to start blowing up and forces people
> to disable or put SELinux in permissive mode.
>
> I noticed yesterday that puppet is written in Ruby, so I went out and
> added some ruby bindings to libselinux to allow you to ask the system
> what the label on a file you are distributing should be.
>
> In rawhide, today/tomorrow you should see the libselinux-ruby package.
>
>
> cat rubytest.rb
> require 'selinux'
> print "selinux\n"
> print "Is selinux enabled? " + Selinux.is_selinux_enabled().to_s + "\n"
> print "Is selinux enforce? " + Selinux.security_getenforce().to_s + "\n"
> print "Setfscreatecon? " +
> Selinux.setfscreatecon("system_u:object_r:etc_t:s0").to_s + "\n"
> print "/etc -> " + Selinux.matchpathcon("/etc", 0)[1] + "\n"
>
>
> Any file that is installed to an SELinux enabled system needs to ask the
> system how to label the file and then set the label.
>
> Selinux.matchpathcon(File, Mode) is the tool used to query the system
> for the label.
>
> Selinux.setfscreatecon(Label) tells the system any files that I create
> from now on will be created with the Label.
>
> Selinux.setfilecon(File, Label) will set the file context after the fact.
>
> Selinux.is_selinux_enabled() returns 1 - enabled, 0 - disabled, -1 -
> can't tell.
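An added example, not Puppet's or the libselinux-ruby project's code, of how the four calls above fit together when a file is distributed: ask matchpathcon, set the creation context before writing and clear it afterwards, and fall back to setfilecon for files that already exist. The helper names are mine, and the reset assumes the bindings pass nil through to setfscreatecon as NULL, as in the C API.

```ruby
# Added example, not Puppet's code: label new files as the email describes,
# covering the cases a file-distribution tool has to handle.
begin
  require 'selinux' # libselinux-ruby bindings (Selinux module)
rescue LoadError
  # bindings absent: helpers below treat this as "no SELinux" (nil)
end

def default_selinux
  defined?(Selinux) ? Selinux : nil
end

# Label the policy wants for +path+ (mode 0 = any file type, as in the
# email), or nil if SELinux is disabled (0) or undeterminable (-1), the
# bindings are missing, or matchpathcon has no rule (rc != 0): never guess.
def expected_label(path, mode = 0, sel = default_selinux)
  return nil if sel.nil? || sel.is_selinux_enabled != 1
  rc, label = sel.matchpathcon(path, mode)
  rc == 0 ? label : nil
end

# Create +path+ with the right label from the start: set the process's
# file-creation context, write, then clear it (nil => NULL as in the C API,
# assumed to pass through the bindings) so later files are not mislabelled.
# Returns the label used, or nil when no label was applied.
def write_labelled(path, content, sel = default_selinux)
  label = expected_label(path, 0, sel)
  if label && sel.setfscreatecon(label) != 0
    raise "setfscreatecon(#{label}) failed for #{path}"
  end
  begin
    File.write(path, content)
  ensure
    sel.setfscreatecon(nil) if label
  end
  label
end

# Fix an existing file that got the wrong label (written before this
# support existed): apply the policy's label after the fact.
def relabel(path, sel = default_selinux)
  label = expected_label(path, 0, sel)
  return nil unless label
  raise "setfilecon(#{path}) failed" if sel.setfilecon(path, label) != 0
  label
end

if __FILE__ == $0 # usage: ruby label.rb /path/to/new/file
  puts default_selinux ? write_labelled(ARGV.fetch(0), "# managed\n").inspect : 'no libselinux-ruby'
end
```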