Issue #10236 has been updated by Steve Traylen.

Hi,
I think anything that creates a file has the responsibility to then correct the 
security context.

This is exactly what happens, for instance, with the puppet file type, in
particular the selinux_ignore_defaults attribute of file. k5login needs to use
the same mechanism, basically.

Steve.
----------------------------------------
Bug #10236: /root/.k5login created with wrong selinux context.
https://projects.puppetlabs.com/issues/10236

Author: Steve Traylen
Status: Investigating
Priority: Normal
Assignee: Kelsey Hightower
Category: SELinux
Target version: 
Affected Puppet version: 2.6.6
Keywords: k5login, kerberos, selinux
Branch: 


Running puppet 2.6.6 with RHEL 6.1 using a configuration of 

    k5login {'/root/.k5login': principals  => '[email protected]'}

results in /root/.k5login with the following selinux context.

    # ls -Z /root/.k5login 
    -rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /root/.k5login

This is instead of the expected:

    # /sbin/restorecon /root/.k5login
    # ls -Z /root/.k5login 
    -rw-r--r--. root root system_u:object_r:krb5_home_t:s0 /root/.k5login

The consequence of the wrong selinux context is that the file is ignored on
login with an AVC error.

From a trivial look at the k5login type, there looks to be nothing for selinux
contexts.
I have not tried outside of /root/ in a more normal home directory, but I expect
it will be the same.

Trivial workaround for now.

    exec { 'fix-k5login':
      command     => '/sbin/restorecon /root/.k5login',
      refreshonly => true,
      subscribe   => K5login['/root/.k5login'],
    }
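
An added example, not code from the bug report or from Puppet itself: a POSIX shell script that does the ls -Z / restorecon check from the report, but only relabels when the type component of the file's current context differs from what matchpathcon reports for the path, so it is idempotent and also repairs a label that drifted after Puppet last wrote the file (the refreshonly exec above only fires when Puppet changes the file). It assumes the policycoreutils tools (matchpathcon, restorecon, selinuxenabled) and GNU stat on a SELinux-enabled host; the string helpers run anywhere. The seuser difference seen in the report (unconfined_u vs system_u) is deliberately not treated as a mismatch, because the type-enforcement decision that produces the AVC keys on the type field; pass restorecon -F yourself if you also want user and role reset.

```shell
#!/bin/sh
# Added example (not from the bug report or Puppet): relabel a file only
# when its SELinux type differs from the policy's expectation.
# Assumes matchpathcon, restorecon, selinuxenabled and GNU stat exist.

# Third colon-separated field of a context string, e.g.
# "unconfined_u:object_r:admin_home_t:s0" -> "admin_home_t".
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Exit 0 when the two contexts differ in their type component, 1 otherwise.
# The seuser and role fields are ignored on purpose: the type is what the
# krb5 domain's file rules (and hence the login-time AVC) key on.
type_differs() {
    [ "$(ctx_type "$1")" != "$(ctx_type "$2")" ]
}

# Context the file currently carries (GNU stat, %C format).
current_context() {
    stat -c %C "$1"
}

# Context the loaded policy's file_contexts assigns to the path
# (matchpathcon -n prints the context without the path).
expected_context() {
    matchpathcon -n "$1"
}

# Exit 0 if the file's type is not the one the policy expects.
needs_relabel() {
    type_differs "$(current_context "$1")" "$(expected_context "$1")"
}

# Relabel only when needed and report what happened. Returns 0 in the
# no-op case as well, so it is safe to call under set -e.
relabel_if_needed() {
    f=$1
    if ! command -v selinuxenabled >/dev/null 2>&1 || ! selinuxenabled; then
        echo "SELinux not enabled; nothing to do for $f" >&2
        return 0
    fi
    if needs_relabel "$f"; then
        echo "relabel: $f $(current_context "$f") -> $(expected_context "$f")"
        restorecon -v "$f"
    else
        echo "ok: $f already $(current_context "$f")"
    fi
}

# Usage: sh selinux-relabel.sh /root/.k5login [more files...]
# With no arguments only the helper functions are defined.
for f in "$@"; do
    relabel_if_needed "$f"
done
```

Run it on every Puppet run (for example from an exec without refreshonly, or as a cron job) rather than only on change; on the RHEL 6.1 box from the report, `needs_relabel /root/.k5login` returns 0 for the admin_home_t file and 1 once it carries krb5_home_t.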


-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Bugs" group.