Issue #2687 has been updated by Darrell Fuhriman.

Status changed from Needs more information to Closed

turns out the problem was with a bad define(), not the selinux support as such – I didn't find it until the stricter syntax checking in 0.25.1 happened.

----------------------------------------
Bug #2687: selinux incorrectly defining properties
http://projects.reductivelabs.com/issues/2687

Author: Darrell Fuhriman
Status: Closed
Priority: Normal
Assigned to: Bryan Kearney
Category: SELinux
Target version:
Affected version: 0.25.1rc1
Keywords:
Branch:

I installed the libselinux-ruby (1.33.4-5.5) from RHEL 5.4 on my CentOS 5.3 system to get selinux bindings running. However, puppet seems to be doing something very strange with them, it seems it's attempting to set the default context if no context is specified, but somewhere along the line is getting confused. I spent a couple hours trying to track it down, but I don't know the code base well enough.

For instance, if I have a regular filecopy with no sel* attributes specified, it's trying to change the context:

<pre>
debug: /File[/etc/mail/mailertable]/selrole: Found selrole default 'object_r' for /etc/mail/mailertable
debug: /File[/etc/mail/mailertable]: Changing seluser,seltype
debug: /File[/etc/mail/mailertable]: 2 change(s)
warning: Failed to set SELinux context false:object_r:etc_mail_t on /etc/mail/mailertable
notice: /File[/etc/mail/mailertable]/seluser: seluser changed 'system_u' to 'false'
warning: Failed to set SELinux context system_u:object_r:false on /etc/mail/mailertable
notice: /File[/etc/mail/mailertable]/seltype: seltype changed 'etc_mail_t' to 'false'
</pre>

For reference, the correct (default) context is: system_u:object_r:etc_mail_t

Obviously that "false" does not really belong there...

It seems to work OK if at least one of the attributes is specified:

<pre>
file {"/usr/lib/ruby/gems/1.8/gems/passenger-$passenger_version/ext/apache2/ApplicationPoolServerExecutable":
  seltype => httpd_exec_t,
  require => Exec['build_passenger']
}
</pre>

yields:

<pre>
debug: /File[/etc/mail/mailertable]/selrole: Found selrole default 'object_r' for /etc/mail/mailertable
debug: /File[/usr/lib/ruby/gems/1.8/gems/passenger-2.2.5/ext/apache2/ApplicationPoolServerExecutable]/seluser: Found seluser default 'system_u' for /usr/lib/ruby/gems/1.8/gems/passenger-2.2.5/ext/apache2/ApplicationPoolServerExecutable
debug: /File[/usr/lib/ruby/gems/1.8/gems/passenger-2.2.5/ext/apache2/ApplicationPoolServerExecutable]/selrole: Found selrole default 'object_r' for /usr/lib/ruby/gems/1.8/gems/passenger-2.2.5/ext/apache2/ApplicationPoolServerExecutable
debug: /File[/usr/lib/ruby/gems/1.8/gems/passenger-2.2.5/ext/apache2/ApplicationPoolServerExecutable]/require: requires Exec[build_passenger]
debug: /File[/usr/lib/ruby/gems/1.8/gems/passenger-2.2.5/ext/apache2/ApplicationPoolServerExecutable]: Changing seltype
debug: /File[/usr/lib/ruby/gems/1.8/gems/passenger-2.2.5/ext/apache2/ApplicationPoolServerExecutable]: 1 change(s)
notice: /File[/usr/lib/ruby/gems/1.8/gems/passenger-2.2.5/ext/apache2/ApplicationPoolServerExecutable]/seltype: seltype changed 'lib_t' to 'httpd_exec_t'
</pre>

Curiously, having seltype defined seems to be enough to keep the same error from cropping up on future runs (i.e. after the defined state is set).
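
The symptom in the report's log, a literal `false` in one field of the SELinux context Puppet tries to set, can be checked for mechanically in agent output. The following is an added example, not part of the original report or of Puppet's own code; the function name and the set of suspect values are assumptions, and the sample log is the report's three relevant lines plus one constructed line.

```ruby
# Added example: flag Puppet warnings where a stringified boolean or nil
# has leaked into a field of an SELinux context (user:role:type).

# Values treated as "not a real context field". Assumption for this example,
# not a list taken from Puppet.
SUSPECT_FIELDS = %w[false true nil].freeze

# Matches the warning format shown in the report's debug output.
CONTEXT_WARNING = /Failed to set SELinux context (\S+) on (\S+)/

# Returns one hash per suspicious warning: the path, the context string
# Puppet tried to apply, and which sel* properties hold a suspect value.
def suspicious_selinux_contexts(log_text)
  findings = []
  log_text.each_line do |line|
    match = CONTEXT_WARNING.match(line)
    next unless match
    context = match[1]
    path = match[2]
    # user:role:type, optionally followed by an MLS range that is ignored here.
    user, role, type = context.split(':', 4)
    fields = { 'seluser' => user, 'selrole' => role, 'seltype' => type }
    bad = fields.select do |_, value|
      value.nil? || value.empty? || SUSPECT_FIELDS.include?(value)
    end.keys
    findings << { path: path, context: context, bad_fields: bad } unless bad.empty?
  end
  findings
end

# First three lines are from the report; the last line is constructed.
SAMPLE_LOG = <<~LOG
  warning: Failed to set SELinux context false:object_r:etc_mail_t on /etc/mail/mailertable
  notice: /File[/etc/mail/mailertable]/seluser: seluser changed 'system_u' to 'false'
  warning: Failed to set SELinux context system_u:object_r:false on /etc/mail/mailertable
  warning: Failed to set SELinux context system_u:object_r:etc_mail_t on /etc/mail/example
LOG

if __FILE__ == $PROGRAM_NAME
  suspicious_selinux_contexts(SAMPLE_LOG).each do |f|
    puts "#{f[:path]}: #{f[:context]} (suspect: #{f[:bad_fields].join(', ')})"
  end
end
```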
