Issue #1852 has been updated by twpayne.
luke wrote:
> I think the right action is to just warn that SELinux support isn't available
> without the ruby bindings.

Please do this. I've just been _really_ badly bitten by this. Silently failing is just about the worst thing you can do. In my case the sequence of events was:

* upgrade to puppet 0.24.7
* watch in horror as every puppetd run now rebuilds _everything_
* spend several hours debugging, finally working out that SELinux support was completely broken

puppetd rebuilds everything every time it is run because it thinks that the SELinux context on every file is wrong and so it tries to set it. This fails completely because neither the detection nor the change works. However, puppetd does think that the file has changed so it triggers a refresh of every dependency. If you've set the SELinux contexts on your daemon config files then suddenly every daemon is refreshed every time. Yikes!

Now I have to find out if ruby-selinux is even available for my distribution (CentOS)...

Cheers,
Tom

----------------------------------------
Bug #1852: unexpected behaviour with selinux file options when ruby bindings are missing
http://projects.reductivelabs.com/issues/show/1852

Author: mfournier
Status: Accepted
Priority: Normal
Assigned to:
Category: file
Target version:
Complexity: Unknown
Affected version: 0.24.7
Keywords: selinux ruby binding

It seems that if selinux ruby bindings are not available, the selinux parameters to the file type appear to work anyway, but in fact do not. In the following example we can see puppet trying to modify seluser and selrole (which is not necessary in this case) and failing to modify seltype, but without raising an error.
<pre>
[r...@kissrv20 ~]# ls -Z /tmp/test
-rw-rw-r-- root adm root:object_r:tmp_t /tmp/test
[r...@kissrv20 ~]# puppet /tmp/test.pp
notice: //File[/tmp/test]/seluser: defined 'seluser' as 'root'
notice: //File[/tmp/test]/selrole: defined 'selrole' as 'object_r'
notice: //File[/tmp/test]/seltype: defined 'seltype' as 'mysql_etc_t'
[r...@kissrv20 ~]# ls -Z /tmp/test
-rw-rw-r-- root adm root:object_r:tmp_t /tmp/test
</pre>

In short:
0.24.6, slow but works out of the box on any system with selinux.
0.24.7, works only if libselinux-ruby is installed (currently only available on latest Fedora), unexpected behaviour if not.

Maybe it would be an idea to fall back to using the slow method from 0.24.6 in case the ruby bindings aren't available? Or else puppet should fail or warn the user that selinux parameters are not supported without selinux bindings installed?
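Added example (not part of the original message and not Puppet's own code): a small Ruby audit that compares the SELinux changes a run reported with the contexts `ls -Z` shows before and after it, using the transcript from this report as sample input. The function names and the verdict labels (`:spurious`, `:applied`, `:failed`) are assumptions of this example.

```ruby
# Old-style `ls -Z` line: mode, owner, group, user:role:type[:level], path.
LS_Z_RE   = /\A\S+\s+\S+\s+\S+\s+(?<context>[^\s:]+:[^\s:]+:\S+)\s+(?<path>.+)\z/
# Notice line as printed in the report above.
NOTICE_RE = %r{\Anotice: //File\[(?<path>[^\]]+)\]/(?<prop>seluser|selrole|seltype): defined '[a-z]+' as '(?<value>[^']*)'\z}
# Position of each file parameter inside a user:role:type context.
FIELD = { 'seluser' => 0, 'selrole' => 1, 'seltype' => 2 }.freeze

# Sample input copied from the transcript in this report.
LS_BEFORE = ['-rw-rw-r-- root adm root:object_r:tmp_t /tmp/test'].freeze
NOTICES = [
  "notice: //File[/tmp/test]/seluser: defined 'seluser' as 'root'",
  "notice: //File[/tmp/test]/selrole: defined 'selrole' as 'object_r'",
  "notice: //File[/tmp/test]/seltype: defined 'seltype' as 'mysql_etc_t'"
].freeze
LS_AFTER = ['-rw-rw-r-- root adm root:object_r:tmp_t /tmp/test'].freeze

# Build { path => [user, role, type, ...] } from `ls -Z` lines.
def contexts(ls_lines)
  ls_lines.each_with_object({}) do |line, out|
    m = LS_Z_RE.match(line.strip)
    out[m[:path]] = m[:context].split(':') if m
  end
end

# Classify every reported change:
#   :spurious - the value was already set before the run, yet a change
#               (and therefore a refresh of dependents) was reported
#   :applied  - the value is present after the run
#   :failed   - the change was reported but the context never got the value
def audit(notices, ls_before, ls_after)
  before = contexts(ls_before)
  after  = contexts(ls_after)
  notices.map { |l| NOTICE_RE.match(l.strip) }.compact.map do |m|
    i = FIELD[m[:prop]]
    verdict =
      if before.dig(m[:path], i) == m[:value] then :spurious
      elsif after.dig(m[:path], i) == m[:value] then :applied
      else :failed
      end
    [m[:prop], m[:value], verdict]
  end
end

if __FILE__ == $PROGRAM_NAME
  audit(NOTICES, LS_BEFORE, LS_AFTER).each { |row| puts row.join("\t") }
end
```

Any `:spurious` or `:failed` row on a host means the run's change notices cannot be trusted for SELinux parameters, which is the condition both posters ask puppet to warn about.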
