Issue #10236 has been reported by Steve Traylen.
----------------------------------------
Bug #10236: /root/.k5login created with wrong selinux context.
https://projects.puppetlabs.com/issues/10236
Author: Steve Traylen
Status: Unreviewed
Priority: Normal
Assignee:
Category: SELinux
Target version:
Affected Puppet version: 2.6.6
Keywords: k5login, kerberos, selinux
Branch:
Running puppet 2.6.6 with RHEL 6.1 using a configuration of

    k5login {'/root/.k5login': principals => '[email protected]'}

results in /root/.k5login with the following selinux context.

    # ls -Z /root/.k5login
    -rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /root/.k5login

This is instead of the expected

    # /sbin/restorecon /root/.k5login
    # ls -Z /root/.k5login
    -rw-r--r--. root root system_u:object_r:krb5_home_t:s0 /root/.k5login

The consequence of the wrong selinux context is that the file is ignored on
login with an AVC error.
From a trivial look at the k5login type, there looks to be nothing for selinux
contexts.
I have not tried outside of /root/ in a more normal home directory but I expect
it will be the same.
Trivial workaround for now.

    # Relabel the file whenever the k5login resource changes it.
    exec {'fix-k5login':
      command     => '/sbin/restorecon /root/.k5login',
      refreshonly => true,
      subscribe   => K5login['/root/.k5login']
    }
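
As an added example (not part of the original report and not Puppet code), this shell function audits `ls -Z` output for the mislabeling described above, so a wrongly labeled .k5login is caught before a login fails. The function name, the EXPECTED_TYPE variable and the output format are assumptions made here; the first two sample lines are the listings from the report and the third is constructed.

```shell
#!/bin/sh
# Added example: flag .k5login files whose SELinux type is not the expected one.
# Input on stdin: `ls -Z` lines, either the RHEL 6 layout
# (mode user group context path) or the newer layout (context path).
EXPECTED_TYPE="${EXPECTED_TYPE:-krb5_home_t}"  # type seen after restorecon in the report

audit_k5login_labels() {
    awk -v want="$EXPECTED_TYPE" '
    {
        ctx = ""
        # The context is the first field shaped like user:role:type[:level].
        for (i = 1; i <= NF; i++) {
            if ($i ~ "^[^:/]+:[^:]+:[^:]+(:.*)?$") { ctx = $i; break }
        }
        if (ctx == "") {
            # No label ("?" on an unlabeled filesystem) or an unparsable line.
            print "UNLABELED " $NF
            bad = 1
            next
        }
        # Everything after the context is the path, which may contain spaces.
        path = $(i + 1)
        for (j = i + 2; j <= NF; j++) path = path " " $j
        # part[3] is the type; the level (e.g. s0:c0.c1023) may add more colons.
        split(ctx, part, ":")
        if (part[3] != want) {
            print "MISMATCH " path " type=" part[3] " expected=" want
            bad = 1
        }
    }
    END { exit (bad + 0) }'   # non-zero exit when any file needs relabeling
}

# Sample input: two lines from the report plus one constructed line.
sample_lines() {
    cat <<'EOF'
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /root/.k5login
-rw-r--r--. root root system_u:object_r:krb5_home_t:s0 /root/.k5login
system_u:object_r:krb5_home_t:s0:c0.c1023 /home/alice/.k5login
EOF
}

# Real use: ls -Z /root/.k5login | audit_k5login_labels
sample_lines | audit_k5login_labels || echo "one or more files need restorecon"
```
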