Issue #1552 has been updated by seanmil. File 0001-Enhance-SELinux-support-including-new-property-and.patch added
The attached patch (against origin/master) builds on the recently added SELinux file property support and continues to use the command line utilities to achieve this goal. This patch does a few things:

1) Moves all of the SELinux command handling out of the file type and into a generic utility module, since it would be generally useful to any part of Puppet which creates files for external use.
2) Reworks the file type properties to use the new module and adds a fourth property for the new SELinux "range" component found in some newer SELinux policies.
3) Adds defaults for the file properties based on the matchpathcon command.
4) Resets the SELinux context to the default in Puppet::Util::FileType (used in ParsedFiles).

Between the defaults in the file type and the defaults in ParsedFiles, that should cover most of the cases where Puppet creates files which need to receive the proper SELinux contexts. At some point it would be good to rework/enhance this to use the Ruby bindings, but the command line tools are more widely available right now.

I can't state with certainty that this patch completely addresses this bug report without a careful audit of all the possible file creation points in Puppet, but I believe it gets at least fairly close on the major paths.

----------------------------------------
Feature #1552: Attach proper SELinux labels to newly created files
http://projects.reductivelabs.com/issues/show/1552

Author: lutter
Status: Needs more information
Priority: Normal
Assigned to:
Category:
Target version:
Complexity: Unknown
Affected version: 0.24.4
Keywords:

Daniel Walsh pointed out that Puppet does not label files it creates. At least for Fedora Rawhide, he provides a selinux-ruby package that gives access to SELinux from Ruby; that should be used to attach proper SELinux labels to files.
From his email:

> The Fedora infrastructure team is currently using puppet to distribute
> configuration files; when they get delivered to the machine they end up
> with the wrong label on them, "default_t" rather than "etc_t" for example.
>
> This causes confined applications to start blowing up and forces people
> to disable or put SELinux in permissive mode.
>
> I noticed yesterday that puppet is written in Ruby, so I went out and
> added some ruby bindings to libselinux to allow you to ask the system
> what the label on a file you are distributing should be.
>
> In rawhide, today/tomorrow you should see the libselinux-ruby package.
>
> > cat rubytest.rb
> require 'selinux'
> print "selinux\n"
> print "Is selinux enabled? " + Selinux.is_selinux_enabled().to_s + "\n"
> print "Is selinux enforce? " + Selinux.security_getenforce().to_s + "\n"
> print "Setfscreatecon? " + Selinux.setfscreatecon("system_u:object_r:etc_t:s0").to_s + "\n"
> print "/etc -> " + Selinux.matchpathcon("/etc", 0)[1] + "\n"
>
> Any file that is installed to an SELinux enabled system needs to ask the
> system how to label the file and then set the label.
>
> Selinux.matchpathcon(File, Mode) is the tool used to query the system
> for the label.
>
> Selinux.setfscreatecon(Label) tells the system any files that I create
> from now on will be created with the Label.
>
> Selinux.setfilecon(File, Label) will set the file context after the fact.
>
> Selinux.is_selinux_enabled() returns 1 - enabled, 0 - disabled, -1 - can't tell.
----------------------------------------
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group.
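The labelling step the thread describes (ask the policy what label a path should carry via matchpathcon, compare with what the file has, set it if they differ), written out as an added example. This is not Puppet code and not the patch attached to the issue; it is illustrative only. It prefers the libselinux-ruby calls quoted in Daniel Walsh's mail (Selinux.matchpathcon, Selinux.setfilecon) when the bindings load and otherwise shells out to matchpathcon(1)/chcon(1), the same tool choice seanmil's patch makes. The query and apply backends are injectable so the decision logic can be exercised without SELinux; the fake policy table at the bottom is constructed for the demo. Assumed details not stated on the page: `matchpathcon -n PATH` prints only the context (and `<<none>>` when the policy has no entry), `Selinux.setfilecon` returns 0 on success, and a file's current context can be read with `stat -c %C`.

```ruby
require 'shellwords'

# Added example: label a newly created file the way the policy expects.
# Not Puppet code and not the patch attached to issue #1552.
begin
  require 'selinux'          # libselinux-ruby, as quoted in the thread
rescue LoadError
  # No bindings available; the command line fallbacks below are used.
end

module SELinuxLabel
  Context = Struct.new(:user, :role, :type, :range) do
    def to_s
      [user, role, type, range].compact.join(':')
    end
  end

  # "system_u:object_r:etc_t:s0" -> Context.  The fourth (range) field exists
  # only under MLS/MCS policies, so a three-field context is accepted too.
  # The limit of 4 matters: a range such as "s0-s0:c0.c1023" contains colons.
  def self.parse_context(str)
    parts = str.to_s.strip.split(':', 4)
    raise ArgumentError, "not an SELinux context: #{str.inspect}" if parts.size < 3
    Context.new(*parts)
  end

  # Query backend: (path, st_mode) -> context string, or nil when the policy
  # has no entry for the path.  Assumption: matchpathcon -n prints "<<none>>"
  # for unmatched paths, and the bindings return [rc, context].
  def self.default_matchpathcon
    if defined?(Selinux)
      ->(path, mode) { rc, con = Selinux.matchpathcon(path, mode); rc == 0 ? con : nil }
    else
      lambda do |path, _mode|
        out = `matchpathcon -n #{Shellwords.escape(path)}`.strip
        $?.success? && !out.empty? && out != '<<none>>' ? out : nil
      end
    end
  end

  # Apply backend: (path, context string) -> true on success.
  def self.default_setfilecon
    if defined?(Selinux)
      ->(path, con) { Selinux.setfilecon(path, con) == 0 }   # assumed: 0 == success
    else
      ->(path, con) { system('chcon', con, '--', path) }
    end
  end

  # Label the policy says `path` should have, or nil if it has none.
  def self.expected_context(path, mode = 0, matchpathcon: default_matchpathcon)
    con = matchpathcon.call(path, mode)
    con && parse_context(con)
  end

  # Components that differ between two labels; empty when no relabel is needed.
  # Comparing per field makes a range-only difference visible, which is the
  # case the fourth "range" property in the patch is about.
  def self.mismatched_fields(current, expected)
    Context.members.select { |m| current[m] != expected[m] }
  end

  # Relabel `path` if its current label differs from the policy's expectation.
  # `current` is the file's present context string (e.g. from `stat -c %C`).
  # Returns the context applied, or nil when nothing had to change.
  def self.ensure_label(path, current, mode = 0,
                        matchpathcon: default_matchpathcon,
                        setfilecon: default_setfilecon)
    expected = expected_context(path, mode, matchpathcon: matchpathcon)
    return nil if expected.nil?   # policy has no opinion; leave the file alone
    return nil if mismatched_fields(parse_context(current), expected).empty?
    raise "setfilecon failed for #{path}" unless setfilecon.call(path, expected.to_s)
    expected.to_s
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed stand-in for the policy so the demo runs without SELinux.
  fake_policy = ->(path, _mode) { { '/etc/puppet/puppet.conf' => 'system_u:object_r:etc_t:s0' }[path] }
  fake_set    = ->(path, con) { puts "would run: chcon #{con} #{path}"; true }
  puts SELinuxLabel.ensure_label('/etc/puppet/puppet.conf',
                                 'unconfined_u:object_r:default_t:s0',
                                 matchpathcon: fake_policy, setfilecon: fake_set).inspect
end
```

On a real host, call `SELinuxLabel.ensure_label(path, current)` with the defaults after writing the file; the mismatch check means an already correctly labelled file is not touched, and a path the policy does not cover is left as the filesystem created it rather than being forced to a guessed type.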
