Issue #1681 has been updated by fs.
Here's what I think is going on. SELinux uses extended attributes (xattrs) to store file labels. NFS, unfortunately, doesn't support xattrs. To work around this, an NFS mount on an SELinux system implicitly includes a default context that is presented for all files in the mount. The default is, I believe, system_u:object_r:nfs_t. Since this label isn't stored anywhere, it can't be modified, or if it can, there are additional restrictions (i.e., you can't change the type to something other than nfs_t).

The full, proper fix would be to query the filesystem holding a given file to determine if it supports xattrs. If it does not, you can assume that the presented label is a generated one, rather than a stored one, and cannot be modified. Unfortunately, I can't find any way to get the filesystem type from native Ruby. Rather than shelling out again for each and every file, the simplest workaround that occurs to me would be to simply ignore any attempts to change the label of a file if the current type is nfs_t. This may not be a comprehensive fix (for example, it wouldn't help with VFAT mounts), but it should at least fix the most common case.

----------------------------------------
Bug #1681: SELinux gets wrong seltype for NFS mounts
http://projects.reductivelabs.com/issues/show/1681

Author: freiheit
Status: Accepted
Priority: Low
Assigned to: seanmil
Category: file
Target version: 0.24.7
Complexity: Unknown
Affected version: 0.24.6
Keywords:

This is on a system with SELinux in permissive mode. Puppet code looks like:

    file { "nfs/jeckle/mail_admin":
        ensure => directory
    }

    mount { "/nfs/jeckle/mail_admin":
        atboot  => true,
        device  => "jeckle-nfs:/vol/vol_mail_admin/mail_admin",
        ensure  => "mounted",
        fstype  => "nfs",
        options => "vers=3,tcp,intr,hard",
        dump    => "0",
        pass    => "0",
        require => [ Host[jeckle-nfs], File["/nfs/jeckle/mail_admin"] ],
    }

This is on a system that already had that in place before upgrading to 0.24.6.
I believe it's possible you'd receive a different result if the file {} resource was applied before the mount was mounted, but this system already had the mount going when Puppet was run.

Error looks like this:

    err: //Node[nelson]/courierimap/ssu::mailserver/virtmounts/File[/nfs/jeckle/mail_admin]/seltype: change from nfs_t to default_t failed: Execution of '/usr/bin/chcon -h -t default_t /nfs/jeckle/mail_admin' returned 1: /usr/bin/chcon: failed to change context of /nfs/jeckle/mail_admin to system_u:object_r:default_t: Operation not supported

And the error keeps happening.

I believe the fundamental problem is that there are actually TWO /nfs/jeckle/mail_admin files. One is the local directory, which is what matchpathcon returns. The second is the mount, which overlays and hides the original directory. It's possible for the two to have different permissions, etc. As far as I know, SELinux won't work on NFS mounts or anything on the NFS mount.
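The workaround fs describes above, as an added Ruby example that is not Puppet's own code: skip a seltype change when the current type is nfs_t, extended beyond the comment's case by looking up the filesystem type of the mount holding the path in a /proc/mounts-style table, so other xattr-less filesystems such as vfat are covered too. The list of xattr-less filesystem types and the sample mount table are assumptions constructed for the example; on a live Linux host the table would come from File.read('/proc/mounts').

```ruby
# Added example (not Puppet's code): decide whether a seltype change should be
# skipped because the file's label is generated by the mount rather than stored
# in an xattr, so chcon would fail with "Operation not supported".

# Filesystems whose labels come from a mount-wide default context, not xattrs.
# Assumed list for the example; extend as needed.
XATTR_LESS_FSTYPES = %w[nfs nfs4 vfat msdos iso9660].freeze

# Parse /proc/mounts-style lines ("device mountpoint fstype options dump pass")
# into [mountpoint, fstype] pairs; malformed lines are ignored.
def parse_mounts(text)
  text.each_line.each_with_object([]) do |line, acc|
    fields = line.split
    acc << [fields[1], fields[2]] if fields.size >= 3
  end
end

# Return the fstype of the mount holding +path+: the longest mount point that
# is the path itself or a directory prefix of it (so /nfs/jeckle/mail_admin/x
# resolves to the NFS mount, while /nfs/jeckle resolves to the root fs).
def fstype_for(path, mounts)
  candidates = mounts.select do |mp, _|
    prefix = mp.end_with?('/') ? mp : mp + '/'
    path == mp || path.start_with?(prefix)
  end
  best = candidates.max_by { |mp, _| mp.length }
  best && best[1]
end

# Type component of an SELinux context "user:role:type[:level]".
def context_type(context)
  context.split(':')[2]
end

# true when the label is generated (mount default) and cannot be stored:
# either the current type is already nfs_t (the comment's workaround), or the
# mount's fstype is known not to support xattrs.
def skip_seltype_change?(path, current_context, mounts)
  return true if context_type(current_context) == 'nfs_t'
  XATTR_LESS_FSTYPES.include?(fstype_for(path, mounts))
end

# Constructed sample mount table matching the bug's scenario.
SAMPLE_MOUNTS = <<~MOUNTS
  /dev/sda1 / ext3 rw 0 0
  jeckle-nfs:/vol/vol_mail_admin/mail_admin /nfs/jeckle/mail_admin nfs rw,vers=3,tcp,intr,hard 0 0
  /dev/sdb1 /mnt/usb vfat rw 0 0
MOUNTS
```

Calling skip_seltype_change?('/nfs/jeckle/mail_admin', 'system_u:object_r:nfs_t', parse_mounts(SAMPLE_MOUNTS)) returns true, so the chcon call from the error above would never be attempted; the local /nfs/jeckle directory underneath still resolves to ext3 and is labelled normally.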
