Issue #1852 has been updated by mfournier.
File 0002-Improvement-over-1852-fix-outputs-warning-when-de.patch added
Folks,
I've just tested both patches on a clean redhat 5.3 with puppet installed
from the EPEL repository:
<pre>
[r...@kissrv20 tmp]# rpm -qa puppet
puppet-0.24.7-4.el5
[r...@kissrv20 tmp]# rpm -V puppet
[r...@kissrv20 tmp]#
</pre>
No selinux bindings installed:
<pre>
[r...@kissrv20 tmp]# irb
irb(main):001:0> require 'selinux'
LoadError: no such file to load -- selinux
from (irb):1:in `require'
from (irb):1
</pre>
Before any patch was applied, I was able to reproduce the same problem as
described a few days ago:
<pre>
[r...@kissrv20 tmp]# selinuxenabled && echo $?
0
[r...@kissrv20 tmp]# ls -Z test
-rw-rw-r-- root adm root:object_r:tmp_t test
[r...@kissrv20 tmp]# puppet test.pp
notice: //File[/tmp/test]/seluser: defined 'seluser' as 'root'
notice: //File[/tmp/test]/selrole: defined 'selrole' as 'object_r'
notice: //File[/tmp/test]/seltype: defined 'seltype' as 'mysql_etc_t'
[r...@kissrv20 tmp]# ls -Z test
-rw-rw-r-- root adm root:object_r:tmp_t test
</pre>
With James's patch, the problem apparently remains:
<pre>
[r...@kissrv20 tmp]# cat Fixed-1852-SELinux-called-even-when-support-disab.diff | patch -p2 -d /usr/lib/ruby/site_ruby/1.8/
patching file puppet/provider/selboolean/getsetsebool.rb
patching file puppet/provider/selmodule/semodule.rb
patching file puppet/util/selinux.rb
[r...@kissrv20 tmp]# puppet test.pp
notice: //File[/tmp/test]/seluser: defined 'seluser' as 'root'
notice: //File[/tmp/test]/selrole: defined 'selrole' as 'object_r'
notice: //File[/tmp/test]/seltype: defined 'seltype' as 'mysql_etc_t'
[r...@kissrv20 tmp]#
[r...@kissrv20 tmp]# cat Fixed-1852-SELinux-called-even-when-support-disab.diff | patch -p2 -R -d /usr/lib/ruby/site_ruby/1.8/
patching file puppet/provider/selboolean/getsetsebool.rb
patching file puppet/provider/selmodule/semodule.rb
patching file puppet/util/selinux.rb
</pre>
Sean's patch seems to work better. I would vote for inclusion of this one:
<pre>
[r...@kissrv20 tmp]# cat 0001-Fixes-1852-Uses-Luke-s-suggestion-to-no-op-insync.patch | patch -p2 -d /usr/lib/ruby/site_ruby/1.8/
patching file puppet/type/file/selcontext.rb
can't find file to patch at input line 33
[...]
Skipping patch.
1 out of 1 hunk ignored
[r...@kissrv20 tmp]# puppet test.pp
[r...@kissrv20 tmp]#
</pre>
I'm attaching another patch to be applied over Sean's one. It just outputs
a warning when the user passes the --debug parameter:
<pre>
[r...@kissrv20 tmp]# puppet --debug test.pp
debug: Creating default schedules
debug: Failed to load library 'ldap' for feature 'ldap'
debug: Finishing transaction 23891525059740 with 0 changes
debug: //File[/tmp/test]/seluser: SELinux bindings not found. Ignoring parameter.
debug: //File[/tmp/test]/selrole: SELinux bindings not found. Ignoring parameter.
debug: //File[/tmp/test]/seltype: SELinux bindings not found. Ignoring parameter.
debug: Finishing transaction 23891525875720 with 0 changes
</pre>
If you believe it's not appropriate, just drop it. Sean's patch is
sufficient to fix this issue.
Thanks to all of you, especially to Tom for his handy implementation of
working selinux bindings! I'll try them out ASAP and keep you informed.
----------------------------------------
Bug #1852: unexpected behaviour with selinux file options when ruby bindings are missing
http://projects.reductivelabs.com/issues/1852
Author: mfournier
Status: Accepted
Priority: High
Assigned to:
Category: file
Target version:
Complexity: Unknown
Affected version: 0.24.7
Keywords: selinux ruby binding
It seems that if selinux ruby bindings are not available, the selinux
parameters to the file type appear to work anyway, but in fact do not. In
the following example we can see puppet trying to modify seluser and
selrole (which is not necessary in this case) and failing to modify
seltype, but without raising an error.
<pre>
[r...@kissrv20 ~]# ls -Z /tmp/test
-rw-rw-r-- root adm root:object_r:tmp_t /tmp/test
[r...@kissrv20 ~]# puppet /tmp/test.pp
notice: //File[/tmp/test]/seluser: defined 'seluser' as 'root'
notice: //File[/tmp/test]/selrole: defined 'selrole' as 'object_r'
notice: //File[/tmp/test]/seltype: defined 'seltype' as 'mysql_etc_t'
[r...@kissrv20 ~]# ls -Z /tmp/test
-rw-rw-r-- root adm root:object_r:tmp_t /tmp/test
</pre>
In short:
0.24.6, slow but works out of the box on any system with selinux.
0.24.7, works only if libselinux-ruby is installed (currently only
available on latest fedora), unexpected behaviour if not.
Maybe it would be an idea to fallback to using the slow method from 0.24.6
in case the ruby bindings aren't available?
Or else puppet should fail or warn the user that selinux parameters are not
supported without selinux bindings installed?
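As an added illustration of the behaviour discussed in this report and in the test results above (the silent "notice: ... defined 'seltype'" with no actual change, versus a no-op `insync?` plus a debug-level warning when the bindings are absent), the following Ruby sketch is not Puppet's own code and not from either patch. The names `SelinuxSupport` and `SelContextParam` are assumed, and the current file context is passed in as a constructed value so the example runs offline with or without libselinux-ruby installed.

```ruby
# Added illustration, not Puppet's own code: a resource parameter that checks
# for the SELinux Ruby bindings, logs at debug level when they are missing,
# and treats itself as in sync (a no-op) instead of claiming a change it
# cannot make. SelinuxSupport and SelContextParam are assumed names.

module SelinuxSupport
  # Memoised feature check: 'selinux' is the module provided by
  # libselinux-ruby; without it, require raises LoadError.
  def self.bindings_available?
    return @available unless @available.nil?
    @available = begin
      require 'selinux'
      true
    rescue LoadError
      false
    end
  end

  # Override the detected answer (illustration only, so both code paths can
  # be exercised on a machine with or without the bindings).
  def self.force!(value)
    @available = value
  end
end

# Minimal stand-in for a file-type SELinux parameter (seluser/selrole/seltype).
# The current context is a constructed input so the example runs offline;
# a real provider would read it through the bindings.
class SelContextParam
  FIELDS = { 'seluser' => 0, 'selrole' => 1, 'seltype' => 2 }.freeze

  attr_reader :name, :should, :log

  def initialize(name, should, current_context, log = [])
    @name = name
    @should = should
    @current_context = current_context # e.g. "root:object_r:tmp_t"
    @log = log
  end

  # Field of the user:role:type triple this parameter manages.
  def retrieve
    @current_context.split(':')[FIELDS.fetch(@name)]
  end

  # Without bindings nothing can be read or written, so report in sync and
  # say why at debug level; with bindings, compare the real value.
  def insync?
    unless SelinuxSupport.bindings_available?
      @log << "debug: //File[/tmp/test]/#{@name}: SELinux bindings not found. Ignoring parameter."
      return true
    end
    retrieve == @should
  end

  # Evaluate once and return the messages logged; a notice is emitted only
  # when the parameter is genuinely out of sync.
  def evaluate
    return @log if insync?
    @log << "notice: //File[/tmp/test]/#{@name}: defined '#{@name}' as '#{@should}'"
    @log
  end
end

# Example run mirroring the report's /tmp/test (context root:object_r:tmp_t)
# with the three parameters the manifest sets. Returns the log lines.
def run_example(bindings_present)
  SelinuxSupport.force!(bindings_present)
  log = []
  { 'seluser' => 'root', 'selrole' => 'object_r', 'seltype' => 'mysql_etc_t' }.each do |name, should|
    SelContextParam.new(name, should, 'root:object_r:tmp_t', log).evaluate
  end
  log
end

if __FILE__ == $0
  puts '# without bindings:'
  puts run_example(false)
  puts '# with bindings:'
  puts run_example(true)
end
```

Without bindings every parameter reports in sync and only the debug lines appear, matching the `puppet --debug test.pp` output above; with bindings, seluser and selrole already match the file's context and only seltype produces a notice, which is the change the original 0.24.7 run claimed to make but never applied.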
----------------------------------------
You received this message because you are subscribed to the Google Groups
"Puppet Bugs" group.