Issue #10236 has been updated by Nigel Kersten.

Steve Traylen wrote:
> Hi,
> I think anything that creates a file has the responsibility to then correct
> the security context.

Is it feasible for us to modify the file type to programmatically detect if we're in an SELinux environment, and restore the correct context without user input?

Are there negative implications here? Would doing this automatically break any existing behaviors?

----------------------------------------
Bug #10236: /root/.k5login created with wrong selinux context.
https://projects.puppetlabs.com/issues/10236

Author: Steve Traylen
Status: Needs Decision
Priority: Normal
Assignee: Nigel Kersten
Category: SELinux
Target version:
Affected Puppet version: 2.6.6
Keywords: k5login, kerberos, selinux
Branch:

Running puppet 2.6.6 with RHEL 6.1 using a configuration of

    k5login {'/root/.k5login':
      principals => '[email protected]'
    }

results in /root/.k5login with the following selinux context.

    # ls -Z /root/.k5login
    -rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /root/.k5login

This is instead of the expected

    # /sbin/restorecon /root/.k5login
    # ls -Z /root/.k5login
    -rw-r--r--. root root system_u:object_r:krb5_home_t:s0 /root/.k5login

The consequence of the wrong selinux context is that the file is ignored on login with an AVC error.

A trivial look at the k5login type there looks to be nothing for selinux contexts.

I have not tried outside of /root/ in a more normal home directory but I expect it will be the same.

Trivial workaround for now.

    exec {'fix-k5login':
      command     => '/sbin/restorecon /root/.k5login',
      refreshonly => true,
      subscribe   => K5login['/root/.k5login']
    }
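The mismatch described in the report, as an added shell example that is not part of the original message or of Puppet's code: it compares a file's current SELinux type with the policy default and skips the check on hosts without SELinux. The function names are hypothetical; selinuxenabled, stat -c %C and matchpathcon -n are assumed to be available as on a RHEL-style host, and the two sample contexts are the ones quoted in the report.

```shell
#!/bin/sh
# Added example (not Puppet code): detect a file whose SELinux type differs
# from the policy default, the condition shown in the report above.

# Print the type field (3rd of user:role:type:level) of a context string.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# label_drift CURRENT_CONTEXT DEFAULT_CONTEXT
# Compares the type field only (admin_home_t vs krb5_home_t in the report).
# Prints "current_type -> default_type" and returns 1 when the types differ;
# prints nothing and returns 0 when they match.
label_drift() {
    cur=$(selinux_type "$1")
    def=$(selinux_type "$2")
    [ "$cur" = "$def" ] && return 0
    printf '%s -> %s\n' "$cur" "$def"
    return 1
}

# check_path PATH
# Live check for one file. Returns 0 without doing anything where SELinux
# tooling is absent or SELinux is disabled, so it is safe on any host.
check_path() {
    command -v selinuxenabled >/dev/null 2>&1 || return 0
    selinuxenabled || return 0
    # stat -c %C: label currently on the file
    # matchpathcon -n: label the loaded policy would assign to that path
    label_drift "$(stat -c %C "$1")" "$(matchpathcon -n "$1")"
}

# Sample input: the two contexts quoted in the report
# (as created by the k5login type, and after restorecon).
CREATED='unconfined_u:object_r:admin_home_t:s0'
RESTORED='system_u:object_r:krb5_home_t:s0'

# Offline demonstration on the sample contexts.
label_drift "$CREATED" "$RESTORED" || echo "relabel needed: /root/.k5login"
```

On a host with SELinux enabled, `check_path /root/.k5login` performs the same comparison against the live label and the loaded policy.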
