Issue #2687 has been reported by Darrell Fuhriman.

----------------------------------------
Bug #2687: selinux incorrectly defining properties
http://projects.reductivelabs.com/issues/2687

Author: Darrell Fuhriman
Status: Unreviewed
Priority: Normal
Assigned to: 
Category: 
Target version: 
Affected version: 0.25.0
Keywords: 
Branch: 



I installed the libselinux-ruby (1.33.4-5.5) from RHEL 5.4 on my CentOS 5.3 
system to get selinux bindings running.

However, puppet seems to be doing something very strange with them: it seems 
it's attempting to set the default context if no context is specified, but 
somewhere along the line it is getting confused. I spent a couple of hours trying 
to track it down, but I don't know the code base well enough.

For instance, if I have a regular filecopy with no sel* attributes specified, 
it's trying to change the context:
<pre>
debug: /File[/etc/mail/mailertable]/selrole: Found selrole default 'object_r' for /etc/mail/mailertable
debug: /File[/etc/mail/mailertable]: Changing seluser,seltype
debug: /File[/etc/mail/mailertable]: 2 change(s)
warning: Failed to set SELinux context false:object_r:etc_mail_t on /etc/mail/mailertable
notice: /File[/etc/mail/mailertable]/seluser: seluser changed 'system_u' to 'false'
warning: Failed to set SELinux context system_u:object_r:false on /etc/mail/mailertable
notice: /File[/etc/mail/mailertable]/seltype: seltype changed 'etc_mail_t' to 'false'
</pre>
For reference, the correct (default) context is: system_u:object_r:etc_mail_t

Obviously that "false" does not really belong there... 

It seems to work OK if at least one of the attributes is specified:
<pre>
file { "/usr/lib/ruby/gems/1.8/gems/passenger-$passenger_version/ext/apache2/ApplicationPoolServerExecutable":
  seltype => httpd_exec_t,
  require => Exec['build_passenger'],
}
</pre>
yields:
<pre>
debug: /File[/etc/mail/mailertable]/selrole: Found selrole default 'object_r' for /etc/mail/mailertable
debug: /File[/usr/lib/ruby/gems/1.8/gems/passenger-2.2.5/ext/apache2/ApplicationPoolServerExecutable]/seluser: Found seluser default 'system_u' for /usr/lib/ruby/gems/1.8/gems/passenger-2.2.5/ext/apache2/ApplicationPoolServerExecutable
debug: /File[/usr/lib/ruby/gems/1.8/gems/passenger-2.2.5/ext/apache2/ApplicationPoolServerExecutable]/selrole: Found selrole default 'object_r' for /usr/lib/ruby/gems/1.8/gems/passenger-2.2.5/ext/apache2/ApplicationPoolServerExecutable
debug: /File[/usr/lib/ruby/gems/1.8/gems/passenger-2.2.5/ext/apache2/ApplicationPoolServerExecutable]/require: requires Exec[build_passenger]
debug: /File[/usr/lib/ruby/gems/1.8/gems/passenger-2.2.5/ext/apache2/ApplicationPoolServerExecutable]: Changing seltype
debug: /File[/usr/lib/ruby/gems/1.8/gems/passenger-2.2.5/ext/apache2/ApplicationPoolServerExecutable]: 1 change(s)
notice: /File[/usr/lib/ruby/gems/1.8/gems/passenger-2.2.5/ext/apache2/ApplicationPoolServerExecutable]/seltype: seltype changed 'lib_t' to 'httpd_exec_t'
</pre>

Curiously, having seltype defined seems to be enough to keep the same error 
from cropping up on future runs (i.e. after the defined state is set).




You received this message because you are subscribed to the Google Groups "Puppet Bugs" group.
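The symptom in the report is a context string assembled from a component that came back as `false` ("false:object_r:etc_mail_t"), which setfilecon then rightly refuses. The following is an added example in plain Ruby, not Puppet's code and not a claim about where Puppet's `false` comes from: the `DEFAULTS` table, the `broken:` switch that makes a lookup return `false`, and all function names are constructed for illustration. It shows the naive merge that reproduces the bad string, and the validation a file provider should do before handing a context to setfilecon: every component must be a real identifier, otherwise leave the file's current label alone and report, rather than "change" it to a value the kernel will never accept.

```ruby
# Added example (not from Puppet or the bug report). Reproduces the
# "false:object_r:etc_mail_t" symptom and shows a guard against it.

# SELinux identifier syntax for user/role/type components (letters, digits,
# '_', '.', '-'); anything else is not a valid context component.
CONTEXT_RE = /\A[A-Za-z0-9_.\-]+\z/

# Constructed stand-in for a default-context lookup such as matchpathcon(3).
# Real values come from the loaded policy; this table exists only here.
DEFAULTS = {
  "/etc/mail/mailertable" =>
    { seluser: "system_u", selrole: "object_r", seltype: "etc_mail_t" },
  "/usr/lib/ruby/gems/1.8/gems/passenger-2.2.5/ext/apache2/ApplicationPoolServerExecutable" =>
    { seluser: "system_u", selrole: "object_r", seltype: "lib_t" },
}

COMPONENTS = [:seluser, :selrole, :seltype].freeze

# Constructed failure mode: a component the lookup cannot resolve comes back
# as `false` rather than nil (hypothetical; mimics the "false" in the report).
def lookup_default(path, component, broken: [])
  return false if broken.include?(component)
  entry = DEFAULTS[path]
  entry ? entry[component] : false
end

# Resolve each component: the manifest value wins, otherwise the lookup result.
def resolve_components(path, overrides, broken: [])
  COMPONENTS.map { |c| overrides.fetch(c) { lookup_default(path, c, broken: broken) } }
end

# Naive merge: joins whatever came back. A `false` is interpolated as the
# literal string "false", yielding a context the kernel will reject.
def naive_context(path, overrides, broken: [])
  resolve_components(path, overrides, broken: broken).join(":")
end

# Hardened merge: every component must be a String matching CONTEXT_RE;
# otherwise return nil so the caller never calls setfilecon with garbage.
def safe_context(path, overrides, broken: [])
  parts = resolve_components(path, overrides, broken: broken)
  return nil unless parts.all? { |p| p.is_a?(String) && p.match?(CONTEXT_RE) }
  parts.join(":")
end

# Plan a change the way a provider would: skip on an unresolvable default,
# no-op when the desired context already matches, otherwise record the change.
def plan_change(path, current, overrides, broken: [])
  desired = safe_context(path, overrides, broken: broken)
  return { action: :skip, reason: "unresolvable default context for #{path}" } if desired.nil?
  return { action: :noop } if desired == current
  { action: :set, from: current, to: desired }
end

if __FILE__ == $0
  path = "/etc/mail/mailertable"
  puts naive_context(path, {}, broken: [:seluser])
  p plan_change(path, "system_u:object_r:etc_mail_t", {}, broken: [:seluser])
  p plan_change(path, "system_u:object_r:etc_mail_t", {})
end
```

The `plan_change` shape is the useful part for a provider: a desired value that cannot be validated is a reason to skip and warn, not a reason to report a change from `system_u` to `false`, which is what makes the report's log misleading.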