Issue #1552 has been updated by jamtur01. Status changed from Unreviewed to Needs more information
Where does this fit with #1155?
----------------------------------------
Feature #1552: Attach proper SELinux labels to newly created files
http://reductivelabs.com/redmine/issues/show/1552

Author: lutter
Status: Needs more information
Priority: Normal
Assigned to:
Category:
Target version:
Complexity: Unknown
Affected version: 0.24.4
Keywords:

Daniel Walsh pointed out that Puppet does not label files it creates. At
least for Fedora Rawhide, he provides a selinux-ruby package that gives
access to SELinux from Ruby; that should be used to attach proper SELinux
labels to files.

From his email:

> The Fedora infrastructure team is currently using puppet to distribute
> configuration files, when they get delivered to the machine they end up
> with the wrong label on them. "default_t" rather than "etc_t" for example.
>
> This causes confined applications to start blowing up and forces people
> to disable or put SELinux in permissive mode.
>
> I noticed yesterday that puppet is written in Ruby, so I went out and
> added some ruby bindings to libselinux to allow you to ask the system
> what the label on a file you are distributing should be.
>
> In rawhide, today/tomorrow you should see the libselinux-ruby package.
>
>
> cat rubytest.rb
> require 'selinux'
> print "selinux\n"
> print "Is selinux enabled? " + Selinux.is_selinux_enabled().to_s + "\n"
> print "Is selinux enforce? " + Selinux.security_getenforce().to_s + "\n"
> print "Setfscreatecon? " +
>   Selinux.setfscreatecon("system_u:object_r:etc_t:s0").to_s + "\n"
> print "/etc -> " + Selinux.matchpathcon("/etc", 0)[1] + "\n"
>
>
> Any file that is installed to an SELinux enabled system needs to ask the
> system how to label the file and then set the label.
>
> Selinux.matchpathcon(File, Mode) is the tool used to query the system
> for the label.
>
> Selinux.setfscreatecon(Label) tells the system any files that I create
> from now on, will be created with the Label.
>
> Selinux.setfilecon(File, Label) Will set the file context after the fact
>
> Selinux.is_selinux_enabled() returns 1 - enabled, 0 - disabled, -1
> - can't tell.
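
An added example, not part of the original ticket and not Puppet's code: one way a file-distribution tool could apply the calls described in the email when it writes a file through a temporary name. The names install_labeled, expected_label and REGULAR_FILE are hypothetical; the code assumes matchpathcon returns [status, label] as the email's rubytest.rb indexes it, and that setfilecon returns 0 on success as in the libselinux C API.

```ruby
begin
  require 'selinux' # libselinux Ruby bindings described in the email
rescue LoadError
  # Bindings not installed: files are still written, just not labeled.
end

# S_IFREG file-type bit, so policy rules limited to regular files match.
# The email's test script passes 0, which matches any file type.
REGULAR_FILE = 0o100000

# Ask the policy which label +path+ should carry. Returns nil when SELinux
# is disabled (0), its state is unknown (-1), or no rule matches the path.
def expected_label(path, selinux)
  return nil if selinux.nil? || selinux.is_selinux_enabled != 1
  rc, label = selinux.matchpathcon(path, REGULAR_FILE)
  rc == 0 ? label : nil
end

# Write +content+ to +dest+ via a temporary file and rename.
# Returns the label that was applied, or nil if none was applied.
# +selinux+ is injectable so the logic can be exercised without the bindings.
def install_labeled(dest, content, selinux = (defined?(Selinux) ? Selinux : nil))
  tmp = "#{dest}.tmp.#{Process.pid}"
  File.open(tmp, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
    f.write(content)
  end
  begin
    # Query the label for the final path: the temporary name would match a
    # different (or no) rule, which is how files end up as default_t.
    label = expected_label(dest, selinux)
    if label && selinux.setfilecon(tmp, label) != 0
      raise "setfilecon failed for #{tmp} (#{label})"
    end
    File.rename(tmp, dest) # rename keeps the label already set on the inode
    label
  rescue StandardError
    File.unlink(tmp) if File.exist?(tmp)
    raise
  end
end
```

On an SELinux-enabled host with the bindings installed, `ls -Z` on the destination shows whether the label returned by install_labeled was applied.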
